Cyber Defense: Four Lessons from the Field

In cyberspace, as in more traditional domains, it’s essential to both understand your enemy as well as understand yourself. A comprehensive defensive strategy requires a better understanding of the motivations and intent of an adversary, but this is exceedingly difficult due to non-attribution and the complex nature of cyberspace. It’s safe to say that most organizations don’t actually have the required tools, knowledge, mission set, scalability or authority to incorporate analysis of the adversary into their cybersecurity frameworks. But as I’ve experienced, thinking like an adversary and internal analysis of your network and assets are both essential components of cyber defense.

Recently, my colleague Jason and I attended and presented at the 2014 Malware Technical Exchange Meeting (MTEM). MTEM is the annual malware technical exchange event that brings together practitioners and researchers from industry, the FFRDCs (federally funded research and development centers), academia, and government to present and discuss all things malware. MTEM presentations typically focus on malware analysis at scale, incident response, trend analysis, and research, but this year’s theme was more specific: “Evolving Adversaries: Stories from the Field”. The goal was to exchange information on technical and policy issues related to evolving threats with a focus on presenting new methods for analyzing malware more quickly and effectively and share success stories from the field. Below are four key insights that I’ve gained from my experience at conferences like MTEM and from cyber exercises:

1. Know your network: Today’s cyber defenders must know their network. They need visibility into all assets, including operating systems, users, endpoints, mobile devices as well as knowledge of normal network behavior. Unfortunately, this isn’t always the case. There are some organizations where the defenders and incident responders have extremely limited access/visibility into their own network. They are mostly blind, relying solely on anti-virus software, firewalls, and host-based detection systems. A situation like this could have detrimental consequences. For example, if the defenders only saw sensor-detected “known bads”, an attacker could leverage that by deploying low-level, easily detectable malware that would keep the defenders occupied while the attackers carried out their most nefarious acts. In order to proactively defend against the adversary in real-time, defenders must seek and obtain ubiquitous presence within their own protected cyber space.

2. Think like the adversary: Defenders must also think like an adversary, which goes above and beyond just monitoring anti-virus tools, IDS alerts, and firewall logs. To truly protect themselves, defenders must understand the aggressor tactics that adversaries will use. For example, once an attacker gains access to a victim network, they’ll most likely conduct reconnaissance to learn the lay of the land. This could reveal some of the defensive tools deployed, enabling the attacker to circumvent them. Additionally, the attackers’ recon mission could reveal additional credentials, allowing an attacker to burrow further into the network. Defenders also have to remember that an attacker is not static; the most aggressive attackers will evolve and try new methods to find the most valuable assets. To effectively defend the most critical data networks and level the playing field, defenders must truly think like the adversary. Our MTEM presentation focused on this theme of an evolving adversary and drew on experiences from a recent cyber exercise. The presentation included various network and defender techniques, demonstrating the utility of thinking like the adversary to proactively deter intrusions.

3. Prioritize: A good defense requires organizations to prioritize their most valuable assets, incorporating both what is most valuable to the organization but also what may be deemed most valuable to an adversary. Realistic defensive teams will categorize all of their assets, from the “crown jewels” all the way down to the “postcards at the checkout stand”. To set this in motion, simply put yourself in the mindset of the attacker and ask, “What do I really want or need from this organization?” The answer is most likely where the attacker will try to land. Armed with this information, efforts can be implemented to protect that data and/or alert a defender when someone (or something) tries to access it.

4. Automation & Contextualization: Automation is an essential component of defense, but alone it is not enough. At the same time, since today’s attackers use automated techniques to expedite their attacks, manual defensive measures alone will also probably prove to be an inadequate defense in most cases. Automated technologies that incorporate contextual awareness are key to maintaining situational awareness and strong cyber defense.

And before I sign off, I’d like to leave you with one more thought. It was something a LtGen told a group of us analysts 10 years ago. Regarding counterterrorism, he said, “We have to throw a strike with every pitch while terrorists only need a single hit.” I believe this same sentiment holds true in the world of cyber defense. An attacker only needs a single success to produce catastrophic results for a victimized network or organization. In cyberspace, a good defense requires the ability to anticipate the adversary and continually evolve your defense accordingly.