As Log4j Continues to Remind Us, What’s Old Is New Again

We need to focus on the bad guys and their methods instead of playing whack-a-mole with indicators of compromise.

Three years ago, George Tenet — the former US Director of Central Intelligence — and I participated in a fireside chat discussing advances in technology and the fact that not much had changed in cybersecurity between the then-recent WannaCry and NotPetya attacks and the ILoveYou virus 17 years earlier. While the tech world was abuzz with innovation, from self-driving cars to artificial intelligence, devastating cyberattacks still regularly brought nations and corporations to their knees, and the best we could do was pick up the pieces and clean up the mess.

During the 17 years between those two attacks, I ran a team of security developers and operators who deployed and operated one of the most advanced cybersecurity capabilities in the world, defending the largest network on the planet. These were the active defense capabilities deployed to protect the Department of Defense (DoD), and this experience proved to me that a better solution existed. The time has come for the cybersecurity community to embrace this new approach.

A Scalable Solution
While the details of those active capabilities remain classified, the concept around them is not: Rather than chasing millions of indicators of compromise (IoCs — that is, IP addresses, domain names, file hashes, etc.), we identified and neutralized the techniques employed by attackers. Our realization was that since there are far fewer bad guys than systems we want to defend, stopping the bad guys, rather than defending each system, provides a scalable solution. My team, operating this active defense capability, won the DoD CIO award in 2014 for our ability to neutralize Heartbleed for the entire department within hours of the vulnerability’s disclosure.

Here’s how it works: The techniques attackers use differentiate one advanced persistent threat (APT) from another. The techniques are their DNA, if you will. The goal is to find the DNA, excise it from the network sessions, and do that as invisibly as possible. The attacks will fail, and the bad guys won’t even know it (or at least, they won’t know why). New techniques will eventually be developed, but it’s much harder for a bad guy to develop a new attack method than switch out an IoC, which is all that’s required to evade many security systems.

Coming Around Again
Today, many defenders are writing their hot wash reports on their response to the release of the Log4Shell vulnerability. It’s Heartbleed all over again. And ShellShock. And EternalBlue. And a host of others.

I am reminded of that chat with Mr. Tenet as I think about the significant technological advances since then, including quantum computing, digital assistants, and mRNA vaccines. And still, what’s changed in cybersecurity?

Many of you probably answered “zero trust.” However, zero trust isn’t new. It’s a framework to pull together the necessary cybersecurity investments that we’ve all been working on for years. And while I completely support zero-trust efforts, the calculus doesn’t fundamentally change: There are still bad guys out there, and there will always be vulnerabilities in systems for them to attack.

We need to incorporate a new approach to our zero-trust posture. We need to start focusing on the bad guys and the techniques the bad guys employ, instead of playing whack-a-mole with IoCs (even if that game of whack-a-mole is AI-enabled). The most efficient way to scale up and best use ever-scarce talent is to address adversary methods — the DNA.

This approach requires a couple of things that are simple to describe but difficult to execute. If you’re going to look for “adversary DNA,” your false-positive rate must be extremely low; otherwise, the cure will be worse than the disease. Moreover, to find adversary DNA, you’ve got to look deeper into network sessions than ever before and to look for things that are often thought to be unobservable. This accurate and deep detection must also be extremely fast — faster than what’s typical on the market today. Detection must be automatically paired with the right response mechanisms such that the adversary DNA is removed, replaced, or transformed in a way as to render it useless to the adversary and useful to the defender. And this entire process must occur inline — that is, between the adversary and whatever the adversary is going after, whether that’s data, systems, or people.

A Better Way Forward
What if there was a way to stop adversaries with extreme accuracy and speed before they enter or leave your network? This better way is possible — I’ve seen it in action. It requires a fundamentally new approach.

It’s time to stop playing this endless game of IoC whack-a-mole. The bad guys are winning because, while the cybersecurity industry continues to deliver better tools to understand and sometimes respond to threats, we have yet to see much that stops the threat, before it’s too late.

Ardent Rundown of What to Expect in 2022

10 Ways to Protect Your Business Against Cyber Attack

Best Practices for Fortifying Your Organization Against Cybercriminals

The connectivity of today’s employees has left executives unable to overlook the cybersecurity of their organization any longer. It’s no longer a question of whether your business will be targeted by cybercriminals; it’s now a matter of whether your cybersecurity precautions will fail you. Cybercriminals have reached a new level of sophistication – they can attack your infrastructure at all times of day, using automated algorithms, making it nearly impossible to keep them out all of the time. Staying current with your technology and processes is the only way to protect your business from harm.

Unsure of where to start? Begin by discussing our top 10 Cybersecurity Best Practices with your IT resource to ensure you have a solid foundation in place – and build up your defenses from there.

Top 10 Best Practices for Fortifying Your Organization Against Cyber Attack

  1. Backup, Backup, Backup!

Put in place a hybrid strategy for backing up your data – ensure that you have both a local backup and a cloud solution in place in case of disaster. Backups should be tested regularly, and should be performed no less than once per day. Ideally, your organization’s backup should be performed once every hour for premium recovery.

  2. Put a Strong Firewall in Place

With your employees accessing the web day in and day out, controlling the flow of internet traffic coming in and out of your business is crucial. A strong firewall is a vital asset in your suite of cybersecurity tools to have in place to protect your business.

  3. Install Antivirus Protection

Antivirus and anti-malware software is one of your organization’s most important lines of defense against cyber attack. Choosing the best program for your business, and monitoring the alerts as they come in, will help you maintain a cyber-secure environment for all users.

  4. Secure Your Email

Most attacks continue to come through via email. Ensure that your organization has an email service designed to halt email spam and phishing attempts in their tracks!

  5. Keep Your Technology Up to Date

All outdated technology can be a security vulnerability to your business. Keep your programs up to date on any patches or updates that are pushed out to keep your business as safe as possible. Additionally, refreshing your hardware on a regular basis will allow for greater protection as technology becomes more sophisticated.

  6. Monitor the Dark Web

Did you know that your credentials (or the credentials of a team member!) could already be on the dark web? By adopting a dark web monitoring software, you can check the dark web regularly for instances of your organization’s credentials and take steps to remediate the issue before a cybercriminal uses those credentials to maliciously hack into your system!

  7. Secure All Mobile Devices

Today’s workforce is as mobile as ever. The first step towards protecting your team’s mobile devices is to establish password policies, encryption software, and to enable remote wiping on the device should you need it. A Mobile Device Management plan addresses each of these issues and more. Additionally, ask your team to be mindful of where they keep their devices – never leave a laptop in a locked car, for instance, as this is a prime opportunity for thieves.

  8. Assign a Resource to Monitor Your Infrastructure

Whether it’s your internal IT professional or a third party expert, it is critical to have a trusted resource to monitor all of your security software on an ongoing basis. Software protection is no good unless it’s working properly and each and every alert is dealt with in the proper manner. It only takes a small window of time to have huge consequences.

  9. Apply Password Policies Across Your Organization

Implementing strong passwords across your organization is one of the most effective policies to have in place to protect your infrastructure. Always avoid using personal data, common words spelled backwards, or any sequence of letters or numbers that are close together on the keyboard (12345, QWERTY). Also urge users to never, ever write down a password!

  10. Educate Your Employees!

Your employees are a cybercriminal’s best chance to breach your network. Educating your employees about the organization’s cybersecurity best practices is one of your best lines of defense against cyberattack. Users should be made aware of the value of your data, how to spot a phishing attempt, and what your password policy entails. Revisit this tactic often, as a cyber-savvy workforce is a more effective strategy than anything else you can put in place.

Posted by
Olivia Bushong
Author Bio
Advance Business Systems is a people company with an intense passion for improving their customers’ businesses and enhancing their team members’ lives. Advance helps organizations become more efficient and more effective through technology, processes and services backed by industry leading support. Whether it’s proactively managing a customer’s IT infrastructure, providing multifunctional devices or an electronic document management software solution, Advance provides solutions for productivity so organizations can focus on their core business. Celebrating over 50 years of serving Maryland businesses, Advance has deep roots throughout the state. As an independent, family owned business, Advance is proud to partner with organizations such as the Baltimore Ravens, Maryland Zoo, Maryland Athletics, and the National Aquarium for office technology and to demonstrate its commitment to the local community.

10 Regulatory Actions to Take Immediately If You’re a Manufacturer in the Greater D.C. or Maryland Area

If you’re a manufacturer within 50 miles of Washington D.C., your organization is probably working with the United States government in some way, shape or form. Whether you have a contract directly with the government or you provide products or materials to someone who does, your company is now responsible for ensuring that you are compliant with NIST 800-171 standards.

What Is NIST 800-171?

As of December 31, 2017, the National Institute of Standards and Technology (NIST) has published a document stating that all manufacturers that work with the US government (Department of Defense, General Services Administration, and NASA) are now responsible for maintaining compliance with its cybersecurity standards, outlined in document NIST 800-171. The document spells out the strict data management guidelines that manufacturers must meet in order to work with the government. And take note: just because you do not have a direct contract with the government does not mean you are not affected. Even if your organization does something as removed as supplying parts to a subcontractor of the government, your organization is required to become compliant as well.

This document outlines the standards to which all manufacturers must update their systems in order to maintain cybersecurity best practices. With hackers attempting to breach the infrastructure of government agencies and private organizations alike, this document strives to protect both Controlled Unclassified Information (CUI) and Covered Defense Information (CDI). Even though this information is technically unclassified, it is still sensitive data, and the document strives to control its dissemination.

Failure to meet these standards could mean the loss of your contract altogether.

10 Data Security Actions Your Business Should Consider Today to Work towards Compliance with NIST 800-171

While the actual document lists over 100 points that your organization will need to address, we’ve outlined 10 impactful data security changes you can make to your infrastructure to get started immediately.

  1. Limit access to your internal systems to authorized users and devices
  2. Apply a limit to the number of unsuccessful login attempts for each user
  3. Automatically log off of devices after a certain amount of inactivity
  4. Provide security-awareness training to employees
  5. Restrict employees from self-installing software on their devices
  6. Require users to sign in to all systems before accessing any internal systems
  7. Prohibit password reuse for a specified number of generations
  8. Enforce a minimum password complexity when creating new passwords
  9. Restrict the use of portable storage devices if they do not have an identifiable owner
  10. Only allow physical access to organizational systems and equipment to authorized individuals

How Can I Become Fully Compliant with NIST 800-171?

Clocking in at 110 standards that your organization must meet in order to maintain compliance, it is clear that you will need to seek the help of an expert to get these updates underway. Due to the complexity of some of the requirements and what is at risk if you don’t comply, we recommend utilizing an internal IT team or partnering with a resource that you trust to apply these changes. Equally important is establishing a process or resource to ensure you remain compliant!

If you do not have the capacity or expertise to apply these updates internally, seek the help of a dedicated third-party IT company that understands the complexities of maintaining compliance in the manufacturing industry. With a third-party resource, you can stick to running your business while your partner handles the rest.

Posted by
Olivia Bushong
Author Bio
As a business solutions provider, Advance helps organizations become more efficient and more effective through technology, processes and services backed by industry leading support. Whether it’s proactively managing a customer’s IT infrastructure, providing multifunctional devices or an electronic document management software solution, Advance provides solutions for productivity so organizations can focus on their core business. Celebrating over 50 years of serving Maryland businesses, Advance has deep roots throughout the state. As an independent, family owned business, Advance is proud to partner with organizations such as the Baltimore Ravens, Maryland Zoo, Maryland Athletics, and the National Aquarium for office efficiencies and to demonstrate its commitment to the local community.

We Digitized Our Lives, We Just Forgot to Secure Them

We are a connected, digital society that depends heavily on networks, databases and other digital systems to operate. Almost every aspect of our lives, from the most basic tasks at the workplace to our personal communication and social interactions, to the way we shop and the tools we use to study and learn, depends on some form of electronic interaction or data exchange. These digital environments are practical, useful and fast, but in our excitement to use, leverage and widely deploy them, we have forgotten to secure them.

The spree continues

Last year, the national fast food restaurant chain Arby’s acknowledged that malware installed on payment systems inside specific corporate stores might have compromised more than 355,000 credit and debit card numbers. A few months later, personal information and the medical diagnoses of at least 7,000 patients at the Bronx Lebanon Hospital Center in New York had leaked. By the end of the summer, Kmart and Verizon had revealed malware infections and data leaks, all leading to the Equifax compromise, a breach potentially affecting up to 143 million customers. Even Uber suffered a data breach allegedly exposing personal information of 57 million users and drivers. Even companies in cybersecurity can be affected. Take Deloitte for example, a company once named by Gartner Research as the “best cybersecurity consultant in the world,” which had its email system hacked. The naive explanation for all these compromises is profit-driven “corporate irresponsibility”—companies and organizations minding their bottom lines rather than exercising care about securing their data.

Not my problem

Terms like breach, data leak, attack, hack, exploit and malware have become common in our vernacular, and they are immediately associated with malicious intent. For most individuals, cybersecurity incidents remain distant acts of socially awkward—but brilliant—teenagers or nefarious hackers in far-away countries. That’s until someone’s financial or health records become available on the Internet.

Companies, on the other hand, are aware of the impact of breaches, but for many they are treated only as risks, weighed by comparing the cost of actively protecting digital assets against the cost of inaction. For small businesses, a hacking attack may be detrimental, with 60 percent of small companies being unable to sustain more than six months after a compromise. For large organizations, cybersecurity insurance policies give a sense of safety from financial risk, yet there is no policy that could ever recover the reputational cost and loss of trust.

Cybersecurity compromises are not always the product of malicious intent and unauthorized access. Data breaches are also caused by unintentional omissions, software errors, poor maintenance of systems and software, operator negligence, or misplaced trust in careless third parties. In all cases and at all levels, cybersecurity incidents, whether malicious or inadvertent, will not be reduced until all stakeholders, from organizations to individuals, assume their share of responsibility.

The hunt for cybersecurity talent

The need for qualified cybersecurity staff has become a mainstay discussion. Cybersecurity professionals are expected to have specific, technical, specialized skills that match each organization’s technology mix. The result has been the springing up of an entire industry of cybersecurity certifications that existing information technology professionals flock to obtain. These are good options to meet current demand, but their value is often as short-lived as the product or technology they are based on.

Unlike other fields, specific technology skills are required in cybersecurity, but they are not sufficient to succeed. The field is highly technical and requires professionals to continuously cross the lines between computer science, information technology and mathematics. It also requires many important skills such as problem solving and critical thinking. These skills can’t be obtained by a weeklong vendor training or a series or set of professional certifications. These are skills that are cultivated with formal education, enriched with technical training and further enhanced with on-the-job work experience.

Posted by
Written by: Dr. George Dimitoglou; submitted by: Ivana Shuck
Author Bio
George Dimitoglou is an Associate Professor in the Department of Computer Science and Director of the Center for Computer Security and Information Assurance at Hood College, Frederick, MD. Before joining the faculty he spent time in industry and government working in the areas of information systems, telecommunications, data archiving and space science. He holds a doctorate in Computer Science with a concentration in Parallel and Distributed Systems from the School of Engineering & Applied Science of The George Washington University, an M.S. from the University of Maryland and a B.S. from Temple University. He is the recipient of a Mission Contribution Award from the European Space Agency, a NASA Goddard Space Flight Center National Resource Award, a Kobe City (Japan) Mayor's Award for Outstanding Performance (robotics competition) and a Faculty Advisor Award by the IEEE National Capital Area Section. He is a member of the IEEE, the ACM, the Mathematical Association of America and the ϕKϕ Honor Society.

For Companies, Defense is Still the Best Defense

As a strategy, attacking one’s enemies as a way to protect oneself has been promoted throughout history as the best kind of defense. This doctrine has been suggested by Machiavelli, Sun Tzu and even Abraham Lincoln when he referred to “…offensive operations, being the surest, if not the only means of defence…” [1].

The problem is this doctrine of counter-attack doesn’t work well in cyberspace. When a company’s assets are hacked, all a company can do is endure the reputation damage, attempt a quick recovery of compromised assets, address vulnerabilities, harden security and move forward.

Options such as attacking the hackers, “hacking back”, counter-hacking, or the more eloquent “active defense” surely go through the minds of every person dealing with a compromise.

Doing so in the U.S. is illegal. The Computer Fraud and Abuse Act (CFAA) [2] makes most forms of counter-hacking unlawful. Also, retaliation significantly increases the risk of putting the company in the cross-hairs of more hackers and becoming subject to more attacks.

The legal aspect and increased risk notwithstanding, the ability, effectiveness and value of hacking back is questionable.

A key factor is attribution, the ability to identify the attacker with a degree of confidence that doesn’t turn the victimized company into a reckless villain. Even during naive cyber attacks, hackers attempt to hide their tracks either by spoofing their IP addresses or using intermediate, often compromised systems of other organizations as staging platforms to launch their attacks. Counter-hacking the wrong network, IP or another innocent company’s systems would not accomplish anything.

The effectiveness of counter-hacking should be evaluated against the type and might of the adversary. Starting from the least to the most powerful, the first category is opportunistic hackers, individuals that hunt for technological vulnerabilities. Their motivations range from asserting bragging rights in subversive online forums to asking for ransom in bitcoin to return deleted data and restore defaced websites. Their methods are based on blunt attack instruments that scan thousands of networks and systems for vulnerabilities, using code and instructions found on the internet. For a company attempting to retaliate against these hackers, it resembles an infinite game of whack-a-mole. And typically the hackers have no assets to attack — launching a cyber attack doesn’t require more infrastructure than a computer and an internet connection.

The second category is professional hackers, or hired guns. These freelancers operate with surgical precision. Their targets are specific companies, and their motivation can be industrial espionage or disrupting operations to reduce capability and provide competitive advantage for the hacker’s “employer”. Attribution in this case is very hard, as a company attempting to retaliate must distinguish between the attack executioner and the party that paid them.

The third category is state-sponsored hackers. These are literal armies of hackers that deploy coordinated hacking campaigns on a variety of targets and may range from industrial espionage against a country’s entire business sector to the disruption of power plants and electrical grids. The asymmetry of power in this case is so pronounced that companies have little or no chance to accomplish anything by launching a counter-attack against a state, other than becoming a prime target.

It is clear from the above that hacking back is a lost cause. Yet companies are becoming increasingly frustrated and continue to discuss options for retaliation. If not active counter attacks, perhaps baiting hackers and planting software that operates either as a timebomb or a beacon in fake but sensitive-looking documents. In the first case, the planted software “explodes” after being stolen, infecting the hacker’s files and network similar to dye packs planted in bags of money in banks. In the second case, a beacon software generates location signals, revealing the location of the perpetrator.

While these methods may make potential hackers think twice about conducting operations, they will do very little to thwart their activities.

It is safe to say that a state-to-state adversarial engagement in cyberspace is a completely different matter. The balance of power is different, and its resemblance to military combat lends itself to applying more traditional engagement doctrines such as the strategic offensive principle of war. The number of stories of clandestine sabotage as a counter or preemptive attack is increasing.

The unconfirmed release by the US and Israel of Stuxnet [3-5], a virus released to impede Iran’s nuclear plants by destroying centrifuges, is a case of a preemptive attack. Another, borderline funny, retaliation example is the outing of a hacker by the country of Georgia. Frustrated by continuous Russian cyber attacks, they baited a hacker with software that, once stolen by the hacker, took photos of him using his webcam.

While these and many other similar stories are newsworthy and often have political implications, vigilantism has no place in industry. Companies should focus on excelling in their domains of operation. Organizations in all sectors, manufacturing, banking, health and technology, should act legally and maintain an ethical advantage against hacking attacks, while acting to harden their cyber defenses and make it as hard as possible for hackers to profile, attack and profit from their crimes.

REFERENCES

  1. “From George Washington to John Trumbull, 25 June 1799,” Founders Online, National Archives, last modified February 1, 2018, http://founders.archives.gov/documents/Washington/06-04-02-0120. [Original source: The Papers of George Washington, Retirement Series, vol. 4, 20 April 1799 – 13 December 1799, ed. W. W. Abbot. Charlottesville: University Press of Virginia, 1999, pp. 156–159.]
  2. Computer Fraud and Abuse Act of 1986, U.S. Code, Title 18, Part I, Chapter 47, § 1030.
  3. Ellen Nakashima, Greg Miller, and Julie Tate, “U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say,” The Washington Post, June 19, 2012, http://www.washingtonpost.com/world/national-security/us-israeldeveloped-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html.
  4. David E. Sanger, “Obama Order Sped Up Wave of Cyber Attacks Against Iran,” The New York Times, June 1, 2012, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=0.
  5. Joby Warrick, “Iran’s Nuclear Natanz Facility Recovered Quickly From Stuxnet Cyber Attack,” The Washington Post Online, February 16, 2011, http://www.washingtonpost.com/wp-dyn/content/article/2011/02/15/AR2011021505395.html.

Posted by
George Dimitoglou
Author Bio
George Dimitoglou, Ph.D., is an associate professor of computer science at Hood College and director of the Cybersecurity master’s program at the Hood College Graduate School. He is also the director of the Center of Computer Security and Information Assurance. Professor Dimitoglou earned a bachelor's degree in computer science from Temple University and a Ph.D. in computer science from The George Washington University.

Big Announcements from Maryland Tech Council

Please see important information below regarding our office move, guest blogs and member videos! Let me know if you have questions. I’m looking forward to seeing you soon!

  • Big Move

    Maryland Tech Council is saying goodbye to our old digs on September 20, 2017. Please make note, our communications will be down that day and we will resume full activity on September 21, 2017. MTC’s new headquarters will be located at Launch Workplaces in Gaithersburg MD, 9841 Washingtonian Boulevard, Suite 200, Gaithersburg MD 20878.

  • Be a Guest Blogger

    Maryland Tech Council is launching the Member Point of View (POV) guest blogs. We are inviting members to submit content for our blog page. The content will be focused on your niche/industry where you can add a new POV for the MTC audience. Our goal is to position you as an authority and well-known name in the industry. And for us, we will have fresh new content for the page and get new readers to our blogger community. It’s simple and a win-win. We will have numerous categories that you can write articles for; those will be available in the next few weeks. We are kicking off the Member POV blogs during Cyber Security Awareness month in October. If you are interested in submitting a blog on that topic, please let me know and we will get you started.

  • Become a Familiar Face in the Community

    Maryland Tech Council is revitalizing the “member spotlight” that is featured in the VIBE E-newsletter. We now offer the opportunity to feature you, the member, through our new and exciting video blog or vlog. The video will be 30-45 seconds, prerecorded at our offices, about your company. We will then feature the vlog in our monthly VIBE E-newsletter. The vlogs allow us to distribute the member spotlight through other formats such as Twitter, Facebook, etc. to get you more exposure. I mean, we are the Tech Council, right?

Remember, everyone in your company is a member of MTC. Please share this important information with your team.

Warm Wishes,
Michelle

Michelle Ferrone
EVP, Operations
Maryland Tech Council
240-243-4047