Joining the dots to deliver effective cyber security

Think like an adversary

First, let’s take a trip into the approach of the adversary. Quite often, we say you need to think like an adversary. In this case, it works to prove a point. How preposterous would it be if adversaries worked like we often do in security – with siloed initiatives that seldom join up? They’d be a lot less of a threat source, that’s for sure.

Would an adversary look up an evil Gartner for the latest insight into what they should do? What initiative is in the top right of the evil Magic Quadrant? Would they send phishing emails and then maybe realise a year or two later that an exploit included with the phishing email would take them to the next level of maturity? Alternatively, would they be a tad more joined up than that in pinning stages or initiatives to an overall strategic outcome or goal?

Adversaries are mission-oriented, and so should we be – but only if we can define the actual desired outcome, rather than some near-sighted siloed goal.

Would an adversary send a phishing email without ever considering what happens next? No, that would be utterly ridiculous. Yet, think of how we, as defenders, approach controls or initiatives. Are we as joined up as the adversary? Are we joined up at all? If not, why not?

Cyber aware

Now back to awareness. You raise awareness – great. What does that get you? Your business colleagues are now cyber aware – which means what, exactly?

In one aspect, they are maybe more likely to spot a phishing email. Super, and…? They are more likely to spot one and do what? Delete it? In which case, you need to factor in that the majority of email-borne threats are generic and mass distributed.

This means that, in all likelihood, you have more than one recipient in your organisation. Let’s say, for example, there are 10. All 10 need to make the same positive decision to delete the suspicious email for your awareness to have had any success. Also, this has to happen every time. Even then the security team is blissfully unaware, as is your risk management regime, because this is all done by the users.

What if they were to report the suspicious email? Would that be better? Maybe then you could take action before the nine remaining recipients have to make their decision. That sounds good.

However, first think about how they are going to report it and to whom. Will your analysts need to talk your user through the mechanisms of forwarding the suspicious email as an attachment so that they can investigate it? This is often easier said than done.

How will you find out if there were any other recipients? Do you have access to the mail server, or is it run by another team outside of security, maybe even a supplier? Do you have processes in place to engage and prioritise their work?

Think about this for every step of the investigation and the overhead that you have just placed onto your security operations by moving the awareness action from delete to report. Reporting is definitely better than deleting, but it comes with a cost – often a significant overhead. Also, this is just the investigation – you also need to take meaningful mitigation action.

Can you purge a suspicious email from all mailboxes? Would this require the email administration team/supplier again? Does it involve change control? Do you have authority to do it? How quickly can it be done?

Overhead costs

Already, we have links needed from awareness into operations, into IT operations and maybe other processes, such as IT infrastructure library (ITIL). That overhead is quite a cost to pay for your security operations team, who already have loads of alerts, mostly false positives, to wade through. Could you make that part of the process easier? Slicker? Could you maybe automate some of it? If so, how would you do that?

For an email-borne threat, there are some obvious tasks that any investigation completes, such as getting a copy, or certainly the headers, attachments, links and so on, as well as discovering whether there are any other recipients or variants out there. Do you need a human analyst to undertake these tasks? Maybe today, but could you aspire to use technology to undertake these repeatable tasks? What about the links and assessing those? Attachments? IP address lookups? Spam list checks? Dmarc checks?

There is a lot in an investigation such as this where you could use technology to reduce the analyst overhead, so that you present them with results and thus decision-making, rather than laborious information gathering. This doesn’t just magically happen. It requires thought, effort and collaboration.

Maybe you can see how we can mitigate the overhead of awareness moving from delete to report and have a much more meaningful outcome. We are breaking out of awareness through operations and potentially beyond, all in the same flow.

We need to remediate, of course. So, what about that? Is there a way to develop confidence levels to automate therein? Not machine learning, but a way to accelerate the ability to do something with the results of the, hopefully now automated, investigation.

SIEM and SOAR

While we’re at it, is there anything else we could do with the snippets of information that our automated investigation has uncovered? Could we perhaps send any bad URLs through to firewalls/web gateways and security information and event management (SIEM) tools to prevent any further access, and also determine whether anyone did access them? Or send IP addresses to email gateways to prevent any further correspondence? Well hang on, we’re now getting into orchestration, so again we need to consider ITIL and IT operations where we are potentially making a change.

We might have an initiative around security orchestration automation and response (SOAR), in which case we have got awareness and SOAR now linking together. Also, what if that information gathered in the investigation could be shared with partners or suppliers, as they could well have the same threat manifest in their inboxes? Now we’re getting into the realm of producing threat intelligence, which we have an initiative in place to deliver –that’s another link, this time from awareness to threat intelligence.

Maybe we could timebox things, too. Record the time to report and time to remediate, to measure our preparedness and performance with some meaningful statistics and data. We could also feed all of this into our risk management regime to manage and make decisions with tangible data. And then there’s the feedback loop back to the user to let them know the outcome of their action, to ensure you encourage more of the same.

All of the above is just one initiative, within awareness. Imagine the possibilities if we did this with everything.

Goal-oriented

If you think in a goal-oriented way, you can spider into all sorts of areas. But spider into them for a reason, because there are clear touch points between them. You can start to see knock-on effects, dependencies, building blocks, links. Only by thinking in a far more strategic way will we define effective maturity uplifts.

That is not to say they are all easy, but you can already start to see benefits and a rationale for aiming towards them and why. You’re in a much more coherent space, able to join the dots, not just between initiatives and set proper goals, but also into other areas of the business.

As an essential foundation, are your awareness and operations teams collaborating? They should be. Is your overall goal to raise awareness? Or are you aiming for something much more?