Within the past year, companies Target and JP Morgan fell victim to deeply damaging attacks that slipped through their threat detection systems. Target's breach wasn't filtered properly -- no one realized it was a critical threat.
The Target hack is an example of both threat assessment failure, and how the impact of a non-transparent response hinders the security industry's ability to improve threat assessment.
David Mortman, Chief Security Architect at Dell Enstratius, has been doing Information Security for almost 20 years. Mortman told ZDNet, "The biggest challenge that most people run into is in determining what is a realistic threat for their organization."
Mortman underscored the universal ecosystem of pressures that IT teams face on a subject that's plaguing companies from startup to enterprise worldwide. "You have a limited budget for tools, services and people and need to apply it as effectively as possible."
He said, "So which threats do you worry about and which ones do you just hope for the best?"
This issue is woefully understandable to every team trying to sift actual and urgent threats out of the unending flow of security events, false positives, and the noise of intrusion detection systems/threat detection stats.
"The biggest challenge is secrecy. Imagine if you will, if when an airline crashed, all the engineers ever heard was 'it was an unusal event.' How, then, would we reduce airplane crashes?"
To this end, the field of threat detection and assessment is lucrative, and crowded with products whose range can best be described as 'the good, the bad and the ugly.'
Slowly, more and more teams are moving out of the thinking that threat detection is a single point in time.
That's good news in a threat landscape where we're seeing more attacks staged over long time periods, attacks that leverage a pick-a-mix of attack vectors, and attackers who seem to be writing new criminal playbooks that think way, way beyond the breach.
But even the most holistic approach that combines advanced automated analytics, continuous monitoring, and analysis that blends information with attack chain weaving isn't tapping into the broader problems enterprise faces when confronted with decision making around threat assessment.
Adam Shostack is one of a handful of threat modeling experts in the world and the author of "Threat Modeling: Designing for Security."
Shostack tells ZDNet, "The biggest challenge is secrecy. Imagine if you will, if when an airline crashed, all the engineers ever heard was 'it was an unusal event.' How, then, would we reduce airplane crashes?" Shostack added:
"Most breaches are not reported, as the law only requires breaches of PII to be reported. Most breach reports don't include information about what went wrong. The issues we know about are a small subset of what's happening. How can we use it to make decisions?"
Shostack makes a serious point about how combining attack information as threat intelligence could improve threat assessment by a potential order of magnitudes, and it's a point I appreciate from a different perspective.
From ZDNet's perspective, it's painfully clear that organizations are afraid to talk about attacks throughout the entire attack cycle.
It's frustrating to watch companies and consumers equally harmed by this; consumers don't get the information they need to protect ourselves, and companies don't exchange information about coordinated attacks that could mitigate damage.
Shostack wisely added,
"We are afraid to talk about problems, and we are afraid of an NTSB-like entity. We need to understand those fears and overcome them. Organizations already pay the PR price for a breach, just a little more information could really help us improve."
Mortman said that there are several things organizations can do to get started before the threat detection begins, all of which revolve around threat modeling your system.
To begin, he explained, "Identify the components of the systems, what assets they are composed of (both the systems themselves and the data they hold) and potential avenues of exposure. This allows you to start identifying risks and make assessments of what to be worried about as well as potential ranges of remediations. Combine this with a risk management tool like FAIR and then you're seriously in business."
Is it a threat -- or not?
Conventional wisdom in papers and presentations suggest that an internal 'best practice' list is a good place to start.
Even still, Sandia acknowledges that measuring the attributes of a threat comes from incident information"
"For instance, a network-based cyber-attack on an information system is directly observable if the network data are collected, but the particular size and composition of the threat is not necessarily observable through the same means.
The magnitude of a threat’s attributes must often be estimated using some indirect method, such as statistical data analysis, expert opinion, or intelligence analysis."
While helpful in describing a threat's spectrum, a list, it appears, is still just a list. Shostack concurs saying, "I don't know how anyone would assess the efficacy of the ideas on [a] list."
"Many of the elements which tend to make up such lists seem like good ideas, in the way 'start threat modeling from a list of attackers' seems like a good idea. In practice, that turns out not to work. But since we hide our failures, we can't test the ideas that might make up a checklist."
The trend suggests a better strategy can be found in a more holistic approach; combining generic threat matrix methodology with decision prompts based on critical thinking:
Analyze the threat.
Identify the target.
What's the payload?
Analyze your systems.
Can the threat impact your enterprise?
Does this impact a critical function, or a critical part of your infrastructure?
Take immediate action on the serious threats, prioritize and monitor the rest. (Mitigation; remediation.)
Experts agree that more transparency would help everyone. But since companies like Target have shown that they care more about appearances than the security environment in which they participate, Mortman provided insight for organizations who aren't afraid of getting crafty about defense.
Primarily, you'll want your team to get good at gathering intel. Mortman said,
"They can communicate with their peers in the same industry vertical to both share data and identify common threats/issues/attack types. They can leverage public reports such as the Verizon DBIR and they can also subscribe to threat intelligence services to get a better idea of what is going on in the outside world and compare that to what their own logging/auditing/monitoring devices are seeing."
Turning attacks into counter-intelligence is how to fill in the gaps.
It's also a good idea to also learn as much about the cyber black market's interests, and monitor what's of interest to buyers and sellers, as is possible.
After all, your most feared attack's end point is someone else's pot of gold.