Cliff Stoll’s The Cuckoo’s Egg was one of the major influences in my early career. The tale of a lone astronomer doggedly pursuing an accounting error on the mainframe to discover a nefarious hacker with international spook connections combined elements of things I loved: the hard-nosed detective embodied by Sam Spade, the international intrigue of James Bond, and the technology conundrums of the early networked world. Ok – Cliff Stoll isn’t exactly Sam Spade or James Bond but you get the point. The story was a fascinating epic journey that led its protagonist to places he never expected. Other similar stories highlight the fundamental personality types associated with “hacker hunters”: They are relentless, passionate and ultimately, take these security breaches personally.
I have already talked about giving better Visibility and Context to help response teams turn over the rocks during a security incident. First responders assigned to analyze, triage and resolve a security incident must also have the right skills to enable their digging. If you read analyses of how today’s advanced threats need to be approached (see RSA First Watch’s excellent paper “Stalking the Kill Chain”), there are multiple facets of Expertise needed:
1) The responders need to be up to date on, and connected to, current attack vectors. It isn’t sufficient just to know or understand security vulnerabilities. Responders need to understand HOW attackers are exploiting the large global catalog of vulnerabilities at that point in time.
2) The responders need to have a clear understanding of what is normal and abnormal activity on the network.
3) The responders need to be able to imagine other channels and vectors that haven’t been seen before.
There are a few tangible elements to building this Expertise:
Gather and organize a clear picture of current adversaries, attack vectors and threat scenarios. Some of this can be gained through external services such as RSA Live. Other elements will need to be sourced internally. One company I have worked with is maintaining a “persons of interest” database cataloging shadowy but known adversaries, their favorite attack vectors, known affiliations and other pertinent information. This information, alongside incoming indicators of compromise, intel from information-sharing groups and other sources, helps them keep an eye out for specific activity that matches known threat scenarios.
Enable the technical infrastructure. Intel flowing into the security function should drive controls design and implementation downstream. If intel points to a set of known-bad IP addresses, enable protection at multiple layers: perimeter defenses, IDS, etc. This seems like common sense, but the critical point is how fast that intel is acted upon. Barriers that may slow down the process (such as change control) should be streamlined so that the flow is accelerated in proportion to risk.
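As an added example (not code from the original post or from RSA), here is the “intel in, controls out” loop from the two points above in working form: a feed of known-bad addresses is parsed and de-duplicated, turned into rules for two layers (a perimeter firewall and an IDS), and checked against log lines for activity that matches the known threat scenario. The feed format, the campaign name, the log lines and the choice of iptables and Suricata as the two layers are all assumptions made for the illustration.

```python
"""Turn a threat-intel feed of known-bad addresses into layered controls and
check it against logs. Added example; all data below is constructed."""
import ipaddress
import re

# Constructed feed, as it might arrive from an external service or from an
# internal "persons of interest" database. The mixed formats, the malformed
# line and the duplicate are deliberate: real feeds look like this.
FEED = """
# campaign: hypothetical-actor-7 (assumed name), vector: phishing -> C2 beacon
198.51.100.23
203.0.113.0/24
2001:db8:dead::/48
not-an-ip
198.51.100.23   # duplicate, should collapse
"""

# Constructed log lines from a firewall, a proxy and a DNS resolver.
LOG_LINES = [
    "2024-05-01T10:00:01Z fw accept src=192.0.2.10 dst=198.51.100.23 dport=443",
    "2024-05-01T10:00:02Z fw accept src=192.0.2.11 dst=93.184.216.34 dport=443",
    "2024-05-01T10:00:03Z proxy GET src=192.0.2.12 dst=203.0.113.77 host=update.example",
    "2024-05-01T10:00:04Z dns query src=192.0.2.13 answer=2001:db8:dead:beef::1",
]

# Loose candidate match; ipaddress does the real validation of each token.
CANDIDATE_RE = re.compile(r"[0-9a-fA-F.:]+")


def parse_feed(text):
    """Return a de-duplicated, order-preserving list of ip_network objects.
    Malformed lines are skipped so one bad entry never blocks the whole feed."""
    nets = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IP -> /32 or /128
        except ValueError:
            continue
        nets[net] = None
    return list(nets)


def iptables_rules(nets):
    """Perimeter layer: DROP inbound from and outbound to each indicator."""
    rules = []
    for net in nets:
        tool = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{tool} -I INPUT -s {net.with_prefixlen} -j DROP")
        rules.append(f"{tool} -I OUTPUT -d {net.with_prefixlen} -j DROP")
    return rules


def suricata_rules(nets, base_sid=9000000):
    """IDS layer: alert on traffic in either direction involving an indicator.
    base_sid is an assumed private SID range for locally generated rules."""
    rules = []
    for i, net in enumerate(nets):
        addr = net.with_prefixlen
        rules.append(
            f'alert ip any any <> [{addr}] any '
            f'(msg:"TI hit {addr}"; sid:{base_sid + i}; rev:1;)'
        )
    return rules


def match_logs(nets, lines):
    """Detection: every address in a log line is tested against the feed.
    Returns (address, matching network, line) tuples."""
    hits = []
    for line in lines:
        for tok in CANDIDATE_RE.findall(line):
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:
                continue  # timestamps, ports and hex-looking words land here
            for net in nets:
                if addr in net:  # version mismatch simply yields False
                    hits.append((addr.compressed, net.with_prefixlen, line))
                    break
    return hits


if __name__ == "__main__":
    nets = parse_feed(FEED)
    print("\n".join(iptables_rules(nets)))
    print("\n".join(suricata_rules(nets)))
    for addr, net, line in match_logs(nets, LOG_LINES):
        print(f"HIT {addr} in {net}: {line}")
```

The same parsed list feeds both the blocking layers and the detection pass, which is the point of the section: one normalized intel object, pushed everywhere it applies, on the same day it arrives. The IPv6 indicator is included on purpose; a feed handled with a v4-only regex would silently miss the DNS answer in the last log line.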
Don’t rely solely on internal resources. This doesn’t mean that you shouldn’t trust or use your internal resources. It just means that sometimes you should benchmark your processes, technology infrastructure or threat intelligence against a trusted outside party. Attack scenarios are so varied today that it is good to draw on experience from outside your own world to validate your approaches.
RSA’s First Watch paper mentioned above states ‘the success of a modern attack often depends on the activities of the carbon based unit between the keyboard and the chair’. I wholeheartedly agree with this statement. Technologies can fill many voids except the void between the ears of the person staring at the screen. Security analysts are extremely talented people and, when given the right tools and processes, are a formidable opponent for today’s adversaries. Security organizations must embrace that Expertise and view it as an imperative to optimize and leverage it in managing today’s security threats.