
For cyber herd immunity, organizations must defend together

Today’s columnist, Dean Teffer of IronNet Cybersecurity, says the wave of attacks such as SolarWinds has created the need for a collaborative industry effort to defeat the cybercriminals. https://www.flickr.com/photos/22201094@N08; https://creativecommons.org/licenses/by/2.0/legalcode

The COVID-19 pandemic has been under control for the past several months in regions with high vaccination rates, but a cyber pandemic has arisen in its place, revealing how vulnerable U.S. infrastructure is to cyberattacks from aggressive adversaries. The SolarWinds, Microsoft Exchange, Colonial Pipeline and JBS attacks all carried severe financial consequences while underscoring the wide range of organizations susceptible to such threats. The SolarWinds incident, for example, cost affected U.S. companies an average of 14% of their annual revenue, about $12 million per victim.

While advanced persistent threat (APT) groups and state-tolerated cybercriminals have been on our radar for quite some time, the detrimental effects of a meteoric rise in attacks on American companies have heightened those concerns. It's clear there is an imminent danger across a broader spectrum, and regardless of organization or industry, the stakes have never been higher for us to build herd immunity against the "variants" of this cyber pandemic.

We can draw inspiration from our nation’s response to the pandemic that preceded it. The development and distribution of effective COVID-19 vaccines required unprecedented collaboration among the global health community and its supply chains. In a similar realm, we can build herd immunity to cyberattacks by enhancing cross-sector collaboration through the adoption of a collective defense approach to cybersecurity.

Defending alone isn’t enough anymore

The sharing of anonymized threat intelligence data across industries serves as the foundation of collective defense. It’s a unified, strength-in-numbers approach to network detection and response, one that’s greatly needed amid the evolving nature of attacks that pose a serious threat to America’s national security. 

The recent string of high-profile ransomware incidents has taught us that even the most astute analysts, hunters or best-in-class technologies cannot fully protect networks alone. It's no longer viable to rely solely on known indicators of compromise (IoCs) as the focal point of cyber defense. Signature-based detection is reactive by nature: a signature exists only after someone has already seen the attack, and an attacker who swaps tooling, domains or IP addresses sidesteps it.

Organizations are beginning to understand that we must collaborate as we move forward. Sapio Research and IronNet’s 2021 Cybersecurity Impact Report found that two-thirds of companies said they were more likely to share intelligence data with industry peers as a result of SolarWinds. The report also found that 91% of U.S. executives believe their organization would share information with peers to help improve their security posture.

How to shift power away from adversaries

Organizations must act proactively to position themselves to stay ahead of cyberattacks. That starts by investing in the right network detection and response (NDR) solutions and joining forces with industry peers, especially fellow targets of the same attacker, to sharpen the picture of the threat landscape through real-time detection visibility. Rather than matching signatures, the most effective NDR platforms rely on behavioral detection built on machine learning and statistical analysis. The platform identifies anomalies within an organization's network (threats that do not yet have IoCs) and generates actionable threat intelligence describing the malicious activity, which is then shared across the entire "community" of defenders in your industry.

It can also surface IoCs that an individual organization's cyber defense team would typically overlook. For example, a single DNS tunnel to a Microsoft domain may look like noise in one environment, but when combined with intel from multiple companies it becomes a cluster of beacons if others are seeing the same anomaly at the same time. Companies that have the opportunity to collaborate on this data in turn gain a competitive advantage.

By sharing real-time threat intelligence data across industries, we are essentially collaborating to flip the script on the attacker. Operating directly on their behaviors, rather than their tools, forces adversaries to undergo the strenuous and expensive process of changing their tactics, techniques and procedures to avoid detection. Threats can be uncovered without sharing any corporate or personally identifiable information: the shared data is limited to attributes of the event, such as packet size and beacon timing, together with the external entities and potential attacker infrastructure involved.
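To make the preceding three paragraphs concrete, here is an added Python sketch of the two stages they describe: behavioral beacon detection inside one organization, followed by correlation of the anonymized detections across a community. This is illustrative code written for this page, not IronNet's platform or any product's logic. The connection records, organization IDs, destination names, and the thresholds (minimum hits, coefficient-of-variation limits, period tolerance) are all constructed assumptions; the detection emits only the org ID, destination, beacon period and size, so no internal host or payload leaves the organization.

```python
"""Behavioral beacon detection per organization, then cross-org correlation.

Added illustration for this column; not IronNet's code. All inputs and thresholds
below are constructed assumptions, not real telemetry or vendor defaults.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


# Constructed record shape: (org, internal_host, timestamp_seconds, dst, bytes_out)
def make_beacon(org, host, dst, start, period, count, size, jitter=0):
    """Emit `count` connections from host to dst roughly every `period` seconds."""
    return [(org, host, start + i * period + (i % 3 - 1) * jitter, dst, size)
            for i in range(count)]


RECORDS = (
    # Two unrelated organizations, each with one host calling the same external name
    make_beacon("org-A", "10.1.0.7", "cdn-edge-17.example.net", 1000, 60, 12, 512)
    + make_beacon("org-B", "192.168.4.20", "cdn-edge-17.example.net", 1400, 60, 10, 520, jitter=2)
    # org-C reaches the same name only a few times, at irregular gaps and sizes (ordinary browsing)
    + [("org-C", "10.9.9.9", 2000 + t, "cdn-edge-17.example.net", s)
       for t, s in ((0, 90), (7, 4100), (250, 300))]
    + [("org-C", "10.9.9.9", 3000 + t, "static.example.com", 1500)
       for t in (0, 45, 130, 131, 400)]
)


def detect_beacons(records, min_hits=6, max_cv=0.1):
    """Stage 1, inside one organization: flag (host, dst) pairs whose connection
    spacing and size are unusually regular (low coefficient of variation).

    Returns anonymized detections: internal host and payload are dropped; only the
    org ID, destination, beacon period, size and hit count are kept for sharing.
    """
    by_pair = defaultdict(list)
    for org, host, ts, dst, size in records:
        by_pair[(org, host, dst)].append((ts, size))

    detections = []
    for (org, host, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue  # too few observations to call it a beacon
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        sizes = [s for _, s in hits]
        if mean(gaps) <= 0:
            continue  # all hits in the same second; not a beacon pattern
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_cv and size_cv <= max_cv:
            detections.append({"org": org, "dst": dst, "period": median(gaps),
                               "size": median(sizes), "hits": len(hits)})
    return detections


def _summarize(dst, group):
    return {"dst": dst,
            "orgs": sorted({d["org"] for d in group}),
            "period": median([d["period"] for d in group])}


def correlate(detections, period_tol=0.2, min_orgs=2):
    """Stage 2, at the community level: group anonymized detections by destination
    and by similar beacon period, and report destinations that at least `min_orgs`
    distinct organizations see beaconing. One org seen alone is not reported."""
    by_dst = defaultdict(list)
    for d in detections:
        by_dst[d["dst"]].append(d)

    clusters = []
    for dst, dets in by_dst.items():
        dets.sort(key=lambda d: d["period"])
        group = []
        for d in dets:
            ref = group[0]["period"] if group else None
            if group and abs(d["period"] - ref) / ref > period_tol:
                clusters.append(_summarize(dst, group))
                group = []
            group.append(d)
        if group:
            clusters.append(_summarize(dst, group))
    return [c for c in clusters if len(c["orgs"]) >= min_orgs]


if __name__ == "__main__":
    local = detect_beacons(RECORDS)
    for d in local:
        print("local detection:", d)
    for c in correlate(local):
        print("community cluster:", c)
```

Run stand-alone, stage 1 flags org-A and org-B (regular 60-second, fixed-size connections) and ignores org-C's irregular traffic; stage 2 then reports cdn-edge-17.example.net as a cluster seen by two organizations at a shared period. The same destination seen from only one organization would stay below the reporting threshold, which is the point the column makes about a lone anomaly versus a cluster.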

All of us working together to help identify attacker behavior will better protect our own networks. That’s how we can build herd immunity against the adversaries who are running rampant in an attempt to unravel our global digital economy by stealing intellectual property, demanding ransoms, and spying on both private enterprises and public entities.

Dean Teffer, vice president, detection and analytics, IronNet Cybersecurity
