There’s an ancient Chinese proverb that goes, ‘the man who chases two rabbits catches neither’. Right now, this is an excellent philosophy for cybersecurity specialists.

As economies slowly open up, many organizations face an even broader threat landscape rather than fewer cybersecurity challenges. On the one hand, CIOs are managing complex new risks relating to employees’ working locations, patterns, endpoint security and authentication. On the other hand, many have reduced resources and increased gaps in their threat intelligence – potentially affecting their ability to tackle existing vulnerabilities within both their digital and operational technology (OT) networks.

The urgency to tackle known vulnerabilities has become front-page news since the beginning of the year. Cyberactors were first detected exploiting zero-day vulnerabilities in MES software – infecting networks with web shells and accessing email accounts on unpatched computers across the globe. Just a few weeks ago, Microsoft and other industry specialists shared detection tools, patches and other information to help organizations identify and mitigate the impact of these intrusions.

By mid-March, national government action was added to the global firefight to remove web shells from as many systems as possible. Although much has been written about the action taken by the FBI, it’s not only the US government that has become directly involved in remediation. The Australian Cyber Security Centre and the UK's National Cyber Security Centre are also collaborating with local organizations to remove malware from infected servers. That’s a lot of necessary and arduous rabbit-chasing.

Cybersecurity leaders are faced with a choice: continue the exhausting firefighting or regain control with a renewed focus on proactive, layered defense built on actionable intelligence. So, what’s happening to take the fight back to the cybercriminals and state actors threatening our global resilience?

Be the hunter, not the prey

Step 1: Identify the rabbit

As these recent events demonstrate, in our cyberworld ‘chasing the rabbit’ is a good description of how it feels when we find ourselves relentlessly responding to threats. For security teams, a proactive approach is more efficient and effective than constantly reacting to incidents on a case-by-case basis – which is frustrating, affects decision-making and, perhaps most significantly, keeps specialists from being strategic partners within the business.

As cyberprofessionals, we know where the crown jewels are within our data, applications, devices and systems that we need to defend. This knowledge will inform our understanding of how an attacker will potentially go about gaining access to that asset, and it will guide our actions – whether we’re facing zero-day threats or prioritizing essential system updates and patch management.

Understanding attackers and the tools, procedures and tactics being used within their cyber-kill chain is fundamental to designing a monitoring and response plan. This forms part of the actionable intelligence of an organization.

Step 2: Change the traps

Unlike some of the underlying technology within an organization’s infrastructure, cyberthreats don’t become obsolete or irrelevant. Futureproofing systems, in the main, requires cyberprofessionals to build in resilience based on learnings about both relevant historic and current threats. This can be particularly difficult at one end for legacy OT systems and at the other for new IoT devices, due to a lack of transparency within the software on which they rely.

Understanding attackers and their targets will allow security teams to re-examine their network from cyberactors’ point of view and work out how to make life as difficult as possible for them. By making changes to an organization’s infrastructure, based on gathered intelligence, they can deflect an attacker by forcing them to adapt their tools. The chances are that nine out of ten actors won’t try again.

Many organizations are also implementing (micro) segmentation across their network, making it more difficult for cyberactors to move laterally – minimizing disruption and costs to remediate systems.

Step 3: Stop chasing rabbits with actionable intelligence

There’s no shortage of threat intelligence. There’s so much intelligence out there that it can be challenging for organizations to decide what’s relevant to their specific environment and circumstances. In other words, how do they decide who’s attacking them and then define that footprint?

What do we mean by actionable intelligence? Simply put, it’s the output of collected information, leading to a set of data that, following analysis, can be used in defense and the contextualization of events on the network. In other words, actionable intelligence means that you can stop chasing rabbits and focus resources on a more proactive mission.

To focus on the value of actionable intelligence, organizations need to define:

  • Business and risk alignment: Understand the objective, scope and authority needed to mitigate risk.
  • Visibility: Define the visibility required to achieve mission readiness.
  • Content: Build enablement for detection — including use cases, situational awareness and baselines.
  • Applied intelligence and analytics: Analyse, attribute and predict the threat to refocus the goal.

Step 4: When the rabbit’s out of the hat

When the worst happens, it can feel as if an organization is invaded by rabbits. An effective incident response plan is the best way to ensure any incident is handled quickly – reducing the costs and impact on cyber- and business confidence. Having a clear focus on what to do when an incident occurs and who to talk to is critical for an effective response.

Most importantly, test your plan. We test fire evacuation plans, and incident response plans shouldn’t be any different. Ideally, the tests would be hosted by external organizations that create test scenarios and review the plan to ensure all team members are responding appropriately. This external team can then identify gaps and provide additional assistance and training.

No one enjoys chasing rabbits. The pressure on cyberleaders to retain specialist skills requires a clear, proactive purpose to keep teams engaged. Automate whatever is possible to ensure that effort, investment and confidence aren’t undermined by a failure to maintain the resilience of ever more complex infrastructure, and use actionable intelligence to make the right decisions.

WHAT TO DO NEXT

Read more about NTT DATA's cybersecurity solutions to see how we can help you move to real-time threat-prevention technology and services with advanced security across networks, cloud and data centers.