Without a doubt, attackers are becoming more sophisticated, better organized and more mission driven. They increasingly use advanced persistent threat (APT) methods and every tool at their disposal. As the digitalization of the economy and the Internet of Things (IoT) advance, attackers find new attack vectors to exploit, and it becomes harder for us "security professionals" to defend our organizations.
APTs are sophisticated, targeted, well-organized attacks, often aimed at an organization's most valuable assets. Because these attackers are skilled and patient, APTs are much harder to detect and prevent than conventional threats: they blend in with normal activity and persist for months rather than triggering a single alert. Advanced threats of this kind require the information security function to rethink how it operates.
The pressure is on! Is your organization prepared? Many enterprises have not kept pace and lack the necessary fundamentals required to prepare and plan against simple cyber attacks, let alone advanced and targeted attacks. To prepare for targeted attacks, keep these three important priorities in mind:
First, build your organization's intelligence capabilities to get a better perspective on threats. Most organizations recognize the need for better analytics to combat APTs. However, many analytics programs fail because they collect vast amounts of data without a clear sense of how that data will be analyzed to produce actionable information, and without adequate staff to review what is collected. To build a successful analytics program, be realistic about how the data will be analyzed for insight into security weaknesses. At the end of the day, the analysis process should drive decisions about which data, and how much of it, is collected and reviewed, not the other way around.
Second, revamp your security controls. Most traditional information security controls focus on conventional threats, which makes them poorly suited to the specific techniques used by advanced attackers. Instead, align controls to a threat-based framework such as the kill chain. Mapping each control to the attack phase it prevents or detects makes it straightforward to run a gap analysis against advanced threats, see which phases have no coverage, and build your defensive lines there.
Third, develop a better approach to managing threats. This requires the information security organization to shift its focus from known vulnerabilities to understanding the highly targeted threats aimed at it. With this transition you must integrate a new set of activities: gathering intelligence, conducting threat analysis to identify new and existing threats, and disseminating that information to prevent future attacks. Security teams must build the capabilities that enable intelligence collection and threat detection. In some cases this means restructuring teams so they can share resources and information with other teams and, where appropriate, with other organizations.
A practical way to start intelligence gathering is to identify evidence of a recent attack in existing logs, or to identify which logs would record an element of a known attack. Then expand detection by asking what other tools or data sources could have caught the same attack. Once you have identified those sources, apply the same process to other threats, using what you learned to decide which data to collect and how to design the search queries. The results produce quick wins that justify further investment and buy time for staff to build expertise.
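The following is an added illustration of that process, not code from the original article. It walks a constructed, syslog-style sshd log (the sample lines are made up for this example; the year is assumed to be 2024 because syslog omits it) through the two steps just described: first a specific search for evidence of one known attack element (a burst of failed logons from one source followed by a successful logon), then a reusable query primitive that applies the same group-and-threshold idea to a second threat (one source trying many distinct usernames). The thresholds and window are arbitrary starting points to be tuned against your own data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example; not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:05 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar  3 10:01:09 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 10:01:14 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar  3 10:01:20 bastion sshd[2109]: Accepted password for root from 203.0.113.7 port 50126 ssh2
Mar  3 10:15:44 bastion sshd[2201]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:16:01 bastion sshd[2203]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
Mar  3 10:40:10 bastion sshd[2250]: Failed password for alice from 198.51.100.99 port 41001 ssh2
Mar  3 10:40:12 bastion sshd[2252]: Failed password for bob from 198.51.100.99 port 41002 ssh2
Mar  3 10:40:15 bastion sshd[2254]: Failed password for carol from 198.51.100.99 port 41003 ssh2
Mar  3 10:40:18 bastion sshd[2256]: Failed password for invalid user dave from 198.51.100.99 port 41004 ssh2
Mar  3 11:30:12 bastion sshd[2301]: Accepted publickey for bob from 192.0.2.5 port 60001 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2024):
    """Turn raw log lines into event dicts. Syslog has no year, so one is assumed (hypothetical)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines we do not understand are skipped, not guessed at
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3" -> "Mar 3")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "outcome": m["outcome"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Step one: look for one known attack element, a source that failed at least
    `min_failures` times and then got an Accepted logon within `window`.
    Order matters here (failures must precede the success), which a plain count cannot express."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["outcome"] != "Accepted":
                continue
            failures = [f for f in evs[:i]
                        if f["outcome"] == "Failed" and e["ts"] - f["ts"] <= window]
            if len(failures) >= min_failures:
                hits.append({"src": src, "user": e["user"], "failures": len(failures), "ts": e["ts"]})
                break  # one finding per source is enough for triage
    return hits


def hunt(events, group_by, where, threshold, count_distinct=None):
    """Step two: a reusable query primitive. Filter events with `where`, group them by the
    field `group_by`, count events (or distinct values of `count_distinct`) per group, and
    return the groups that meet `threshold`. The same primitive serves many threats."""
    buckets = defaultdict(set)
    for i, e in enumerate(events):
        if where(e):
            buckets[e[group_by]].add(e[count_distinct] if count_distinct else i)
    return {key: len(vals) for key, vals in buckets.items() if len(vals) >= threshold}


def password_spray_sources(events, threshold=4):
    """Apply the primitive to a second threat: one source failing against many distinct users."""
    return hunt(events, "src", lambda e: e["outcome"] == "Failed",
                threshold=threshold, count_distinct="user")


if __name__ == "__main__":
    evs = parse(SAMPLE_AUTH_LOG)
    for h in detect_bruteforce_then_success(evs):
        print(f"brute force then success: {h['src']} -> {h['user']} after {h['failures']} failures")
    for src, n in password_spray_sources(evs).items():
        print(f"possible password spray: {src} tried {n} distinct users")
```

The two detections deliberately use different shapes: the first encodes a sequence (failures, then success) and the second a simple count. When you "expand" a detection to other tools, as the paragraph above suggests, the question to ask of each candidate log source is which of these shapes it can answer and with what fields; a firewall log, for instance, can support the count query on source addresses but has no notion of username or outcome.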