Critical success factors

7 Critical Success Factors

The following lists and details are the critical success factors that I would consider for a cyber security capability, both at the early and more mature stages. This is not a ‘tick all the boxes’ exercise to greatness, but moreover a view of what I would consider to be the critical areas of a successful capability.

7.1 Team organisation

Initial:

  • The Cyber Security capability should collaborate closely with IT and business operations (e.g. Network Operations Centre) but should remain a separate entity;
  • Dedicated Cyber Security personnel should address the organisation’s cyber security related issues and utilise existing sources of cyber intelligence from partners, OSINT (Open Source Intelligence) and vendors;
  • The Cyber Security capability’s priority should be to deploy cyber defences to protect the organisation and restore operations. An intelligence-driven organisation will greatly increase the pro-activeness, agility and efficiency of the Cyber Security capability;
  • The Cyber Security capability may initially have a Role Based organisational structure that is based on cyber security skills e.g. Incident Response, Security Operations & Compliance, Cyber Intelligence etc.
  • Initially focus should be driven towards foundational Cyber Security elements, predominantly in the SOC and Compliance arena. These areas will have the heaviest workload in the early stages of the capability build, though alongside this development of Research, Intelligence and Engineering capabilities should be initiated in order to provide the ability to build rich risk pictures and undertake all activities across the cyber risk lifecycle.

Established:

  • To effectively manage the risk from sophisticated threats, such as state sponsored cyber-attacks, a mission based Cyber Security organisational structure is recommended, that is aligned to key adversary groups targeting the organisation e.g. opportunistic cyber threats, or targeted intrusions etc. This will allow teams aligned each adversary to manage end-to-end security risks without handing them over to another team to progress analysis e.g. hand over from a monitoring team to a malware analysis team for specialist support. Only digital forensics (cyber investigations) should continue as a dedicated skills-based team due to the need for deep digital forensics support to legal, ethics and other organisational teams;
  • By assigning a 24x7 duty incident handler with secure remote access to the capability it will be possible for Cyber Security teams to work only slightly extended office hours with no shift work. It will be possible for the duty handler to mobilise others in the Cyber Security capability should the need arise. Overall quality of life for Cyber Security staff will be drastically increased by a move away from shift work contributing towards the staff recruitment and retention strategy;
  • Once established the Cyber Security capability’s organisational structure should reflect the need to create, understand and analyse cyber intelligence with the goal of pre-emptive mitigation early in a Cyber Kill Chain™ type framework;
  • The Cyber Security capability’s focus on cyber intelligence cannot be at the expense of addressing foundational security elements (e.g. identity and access management, network and host-security, secure configurations, security compliance monitoring etc.). The Cyber Security organisation should still manage these important foundational security elements via teams such as the SOC & Compliance team or Cyber Engineering Development team;
  • Distractions to the front line cyber security functions should be minimised through the organisational structure.
7.2 Network/perimeter security

Initial:

  • The Cyber Security capability should adopt a preventative posture to network security by blacklisting unwanted applications/protocols;
  • Network security policies should be enforced to block or prevent access to known or potentially malicious sites/locations. The implementation of blocking uncategorised websites will also manage security risks for ‘watering hole’ type attacks and some ‘command and control’ channels for more sophisticated adversaries;
  • Any identified blind spots in the organisation’s network should be addressed via heavily customised network intrusion detection systems (NIDS). These should be tuned according to the organisation’s network environment and cyber intelligence gained from internal and external sources. All NIDS sensors need to be introduced and positioned by the Cyber Security capability based on the organisation’s network topology and established cyber risks;
  • The Cyber Security capability should carry out at least a single level of analysis against all email attachments inbound to organisation;
  • Any remote access into the organisation’s systems should be via multi-factor authentication.

Established:
In addition to initial capabilities for network/perimeter security, the Cyber Security capability will ensure that the organisation has a locked down infrastructure:

  • Permitting only required services;
  • Secure firewall and router/switch configuration management;
  • Intelligence based specific website blocks;
  • Category none website blocking – websites that do not fit into a pre-determined category e.g. news, technology etc. are blocked;
  • Blacklisting;
  • Rapid deployment of DNS black holing when necessary;
  • Unique organisational specific network mitigations based on cyber intelligence;
  • The Cyber Security capability carries out multiple levels of analysis against all email attachments inbound to the organisation.
7.3 Host/endpoint security

Initial:

  • The Cyber Security capability should implement and enforce unified host/endpoint security policies across the organisation;
  • Some user application categories may be allowed as an exception and users may have some admin rights; this should be closely monitored and managed
  • Anti-virus, anti-spyware and anti-malware tools should be in place across hosts/endpoints;
  • Hard drives containing data should be encrypted, although this may not necessarily need to be high grade encryption unless explicitly stated in the RMADS e.g. commercial grade or operating system encryption may be acceptable;
  • Security patches should be pushed out to hosts/endpoints in-line with the organisation’s Patch Management Policy. This will determine the timeframes required for completion of deployment;
  • Periodic vulnerability and application scanning should be undertaken.

Established:
In addition to the initial host/endpoint security measures a preventative posture should be adopted with protected endpoints:

  • Mechanisms should be practiced and in place to quickly deploy host/endpoint mitigations;
  • Host/endpoint protections should be enhanced by internal and external cyber intelligence;
  • An automated mechanism to apply patches and security policy updates in a timely fashion should exist. Patch management should now be a formal process which is strictly enforced by the Cyber Security capability;
  • No unauthorised applications on the organisation’s systems that do not have a legitimate business purpose are allowed;
  • Strong internal host/endpoint security policies should be in place which include secure configuration of assets;
  • Red team testing against critical hosts emulating identified adversary tactics, techniques and procedures (TTPs). This can be part of wider red team testing against the organisation’s network (see Network Security Testing);
  • Full disk encryption across the organisation’s systems;
  • Host intrusion detection system (HIDS) across all systems;
  • Restricted admin rights only to specific admin users, with enhanced monitoring.
7.4 End user application development

Initial:

  • All end user applications developed for the organisation or the Cyber Security capability (by the Engineering / Development Team) should have consistently applied secure coding practices used during their development;
  • Code reviews and analysis should be carried out prior to release of these applications. This should include a heavy focus on security vulnerabilities.
  • Secure coding and vulnerability assessments of code should be mapped to CCE, CVE, CWE, and CAPEC where possible as part of the application development and system development. If you do this while building your capability then when you start adding in intelligence the connections of TTPs and Exploit Targets will be instantly more meaningful to the organisation.

Established:
A preventative posture should be adopted for applications which include:

  • Secure code reviews;
  • Embedded security in applications;
  • Periodic application vulnerability testing;
  • Security analysis and penetration testing prior to release;
  • Continued vulnerability testing post release.
7.5 Security metrics and analysis

Initial:

  • The Cyber Security capability should capture and analyse metrics from standard commercial off the shelf (COTS) tools/technologies relating to cyber-attacks and incidents. This may be supplemented by specific custom metrics;
  • Security metrics captured should provide a general understanding of how the Cyber Security capability is performing and the scale of the threat. Metrics captured in the early phases may tend to focus on a number of times non-unique security events occur e.g. firewall2 blocked 12,500 connections.

Established:

  • Metrics captured by the Cyber Security capability should now relate to the performance of preventative security controls and security culture improvement initiatives;
  • Analysis of these metrics will provide clear insights into the effectiveness of specific defensive courses of action. This should be reported to leadership and used by analysts to improve the overall performance and resilience of the Cyber Security capability’s defences;
  • The metrics will focus on a number of unique events that occur in the organisation’s network or at the perimeter e.g. intrusion to exfiltration rate, number of active adversary campaigns targeting the organisation etc.;
  • Cyber Security captured metrics should be continually refined. The same metrics should be useful for both Cyber Security leadership and analysts e.g. a mitigation scorecard to chart performance of specific security controls against an intrusion attempt and associated adversary campaign. This metric will identify controls that are or are not performing well allowing Cyber Security leadership and analysts to take decisive action;
  • All Cyber Security staff should now be using metrics to understand how they are performing in their duties;

Cyber Security Leadership should use metrics to understand and communicate on the performance of their teams to senior leadership and generate the evidence for business cases for future investments. Business cases should become easier as the Cyber Security capability can now leverage actual evidence from cyber-attacks.

7.6 Log management

Initial:

  • Network device and security infrastructure logs should be captured and then analysed to determine what is occurring on the network. False positives should be filtered out and a record of pertinent events should be maintained by the Cyber Security capability;
  • Log information should be held for brief periods of time, although there may not be a consistent organisation wide Retention Policy in place;
  • It should be possible for the Cyber Security capability to review recent log history to analyse security events;
  • Log information can be stored in multiple locations or aggregated using vendor devices. Where possible related data should be centralised into buckets but it may not be possible to leverage big data storage capabilities such as data hubs in the early phases;
  • If a data hub is not accessible in the early phases, log storage capabilities and capacities are likely to be vendor specific and not ubiquitous across the enterprise.

Established:

  • Cyber Security detections should be enhanced through the use of multiple vendor solutions across multiple platforms to collect data for aggregation and correlation. Analysis should be undertaken to identify priority feeds (e.g. DNS, proxy logs, Active Directory etc.) and a rolling programme of log capture and ingestion;
  • Logs should now be stored in a centralised location such as a data hub and are readily available to the Cyber Security capability. These logs should be retained for a predetermined duration in-line with an organisational Retention Policy (90 days is a reasonable length but compliance with PCI DSS could extend this to 1 year);
  • Logs should be used for detection and reconstruction of cyber-attacks based on available cyber intelligence.
7.7 Security policy framework

Initial:

  • Cyber security policies should be in place based on business policies/requirements. Introduction of a cyber security policy orchestrator e.g. McAfee Electronic Policy Orchestrator (ePo);
  • Security controls stemming from the cyber security policies should be universally applied across the network;
  • Cyber security policies should follow industry security good practice.

Established:

  • Cyber security policies should be universally enforced across the enterprise through a series of security controls. The Cyber Security capability should have established detections in place to detect deviations of cyber security policy;
  • Where necessary some business areas may have unique cyber security policies in place to manage security risks;
  • The Cyber Security capability should now have a finely tuned cyber security policy orchestration tool in place to monitor security compliance and help to ensure that policies are consistently applied e.g. patch cycles;
  • Security policies are built upon good practice but where necessary are enhanced above this baseline to proportionately manage security risks.
7.8 Network security testing

Initial:

  • Structured penetration testing should be periodically performed by the Cyber Security capability, or trusted third parties, to identify common vulnerabilities across the network.
  • Penetration testing (pen testing) results should be mapped to what attack pattern (CAPEC) was used and what the Exploit Target of the pen-test TTP was (CCE, CVE, CWE).
  • Network security testing is generally driven by audit requirements at this phase.

Established:

  • A Red team testing function (33% pen testing, 33% intel analysis and 33% coding/development work) should be established. The Red Team should periodically carry out offensive cyber activities to improve the overall network security posture. These activities should emulate the known tactics, techniques and procedures of adversaries targeting organisation, or like entities. The activities should not just involve penetration testing to identify known vulnerabilities;
  • This Red team testing should be used as a mechanism for checking the effectiveness of the Cyber Security capability’s people, process and technology focussed defences that have been put in place;
  • The results of Red team testing should be formally fed back to other Cyber Security teams to fill gaps by providing additional protections e.g. updated detections, security policies etc.;
  • The Cyber Security capability’s ability to perform consistent network security testing should extend across organisational environments. Focus should be on critical areas.
7.9 Initiatives to harden the enterprise

Initial:

  • A Security Hardening Programme should be driven by the Cyber Security capability;
  • Security configurations should be mapped to CCE.
  • Budget that supports the phased rollout of the programme’s most critical initiatives should be secured before moving onto to important but less crucial infrastructure.

Established:

  • The next iteration of the Security Hardening Programme should involve the Cyber Security capability implementing a series of ongoing tactical security hardening initiatives and enhancements.
  • These activities will focus on managing adversarial security risks to the organisation’s users, applications and the networks. Gaps left from shifting adversary TTPs and newly detected threats will be filled;
  • The overall Programme should include the development of both specific and generalised custom tools to bridge gaps.
7.10 User/Security awareness training

Initial:

  • An cyber security user awareness programme should be in place and may be part of existing staff compliance training;
  • General information on security education and threat awareness should be pushed to users as part of this programme.

Established:

  • A programme of cyber security cultural improvement across the organisation should be implemented/ supported by the Cyber Security capability. This programme should consist of initiatives for training and enhancing cyber security awareness to users;
  • The programme should be based on collected metrics from targeted phishing testing, focussed education for specific high threat users and more generic initiatives for the wider organisation;
  • Targeted phishing emails of varying levels of sophistication should be sent to users to measure individual behaviour and training effectiveness. The varying levels of sophistication should be directly aligned to actual adversarial activity targeting the organisation;
  • Users should be taught to identify flags representing malicious behaviour and forward suspicious emails to the Cyber Security capability; a mechanism for rewarding good security behaviour should be established in conjunction to promote user reporting and awareness
  • Specific user awareness threat briefings, short videos or even interactive games should be provided to targeted user groups and management.
7.11 Network visibility

Initial:

  • The Cyber Security capability should have a high level understanding of the organisation’s network topology and operational environment;
  • A holistic network view may not be complete at this stage and may not include technical data on all endpoints;
  • Partial network and system logs should be captured and retained to provide some visibility for analysis.

Established:

  • The Cyber Security capability should have an accurate knowledge of the organisation’s network topology and operational environment. This should include technical details required to detect cyber threats and applicability of cyber threats;
  • The Cyber Security capability should have the ability to rapidly detect changes in the network topology;
  • The Cyber Security capability should have full network visibility across major protocols using advanced network sensors.
  • The Cyber Security capability should maintain critical network and system logs, such as full packet capture (FPC), in a central location (e.g. data hub) for an extended period of time.
  • Cyber Security staff should have direct access to the sensor(s) and security infrastructure logs.
7.12 Knowledge (intelligence) management

Initial:

  • The Cyber Security capability should have the full ability to capture incident data and potential indicators – data is securely retained;
  • Basic intelligence correlation methodologies should be implemented. If budgets are tight, accuracy is more important than speed of correlation at this stage;
  • Establishment of a common structured framework for developing, storing and sharing threat intelligence should be established.
  • In conjunction cyber intelligence sharing partners should be identified and on-boarded.
  • Through collaboration with cyber intelligence sharing partners it should be possible for the Cyber Security capability to use partner identified detections/intelligence ‘as they were shared’ to defend against what has been identified. This is acceptable in early phases but correlation and context against the organisation’s network environment for applicability will be the eventual goal.

Established:

  • Automated event correlation should be in place to save on repetitive tasks;
  • The Cyber Security capability should assimilate internal and external intelligence into a central repository (e.g. Knowledge management platform, a structured indicator database and a Cyber Security knowledge wiki). This combined infrastructure will allow the Cyber Security capability to rapidly search against vast datasets and carry out structured attack analysis in line with the Cyber Kill Chain™ or a similar intelligence framework;
  • Analyst collaboration and understanding of adversary TTPs will be accelerated through effective knowledge management;
  • The Cyber Security capability should analyse cyber intelligence obtained from internal and external sources into identifiable campaigns of malicious activity. These campaigns of activity identify patterns representing broader adversary tactics, techniques and procedures.
7.13 Analysis process

Initial:

  • Early Cyber Security analysis processes may be reactive in nature and be implemented post/during an incident. Early analysis may stop when an attack against the organisation is blocked or an incident is cleaned up;
  • Cyber Security analysts should have a basic understanding of an intelligence-driven framework for cyber security (e.g. Cyber Kill Chain™). Early processes may be unstructured, limited in their depth of analysis and understanding of cyber threats – mostly tactical attack analysis;
  • Campaign analysis is yet to be adopted and Cyber Security analysts may look at each cyber-attack from a wave of attacks in isolation with an event by event disposition.
  • Consider leveraging, as an example, the cyber ecosystem attack analysis methodology which includes the kill chain/attack lifecycle, but focuses both on a 4 step high-level process for producing threat intelligence as well as a 4 step process for developing and measuring courses of action as part of an active defence strategy.

Established:

  • The Cyber Security analysts should have an adversarial-focussed approach to analysis which is driven by an advanced understanding and application of the Cyber Kill Chain™ (or similar) principles;
  • The identification and gathering of cyber Intelligence should continue after an attack has been stopped or an incident cleaned up;
  • Pre-Detection analysis of what happened during an attack and post-mitigation synthesis of what could have happened play a pivotal role in the Cyber Security capability’s mission;
  • Cyber Security analysis vision and process should now take a strategic approach to managing cyber security risks targeting the organisation. This informs future detections and defensive courses of action;
  • Defensive courses of action resulting from analysis should be put in place quickly and precisely, and monitored for effectiveness supporting the metrics displaying how the Cyber Security capability is performing.
  • With regards to persistent adversary campaigns – The Cyber Security capability now looks at waves of an attack from the same adversary as a single incident; finding commonality and relationships in previously disparate security events.
  • An intelligence feedback loop should be in place to strengthen overall defence and Cyber Security analysts are empowered to make real-time mitigation decisions;
7.14 Analyst skills

Initial:

  • Cyber Security analysts should understand and can follow a defined analysis process. In early phases this may be more of a checklist in lieu of adaption to specific situations or attacks;
  • When evaluating cyber intelligence relating to linked attacks the team may have minimal experience in collaborating with other analysts. This is an important skill to develop to avoid duplication of analysis and missing the campaign analysis picture;
  • The Cyber Security capability may have a top heavy analysis structure in the early days (team leads);
  • Access and visibility to data may be limited as tuning/development work takes place to address blind spots in the Cyber Security capability’s detections. Without access to data relating to attacks the development of analysis skills will prove difficult.

Established:

  • The Cyber Security capability should have a thorough understanding of the tactics, techniques and procedures (TTPs) of the range of adversaries attacking the organisation;
  • The Cyber Security capability understands and can apply Cyber Kill Chain™ analysis (or a similar methodology);
  • Cyber Security analytical processes should be dynamic to the risk situation. The Cyber Security capability should have a strong understanding of the level of threat that particular TTPs place on the network;
  • The Cyber Security capability contains the diverse skill sets needed to provide analytical completeness for the range of adversaries targeting the organisation.
  • An intelligence-driven strategic approach to analysis is adopted that builds towards the future and seeks to remain two-steps ahead of the adversaries targeting the organisation;
  • Cyber Security analysts should have the ability to create reports and brief on cyber incidents to a diverse audience including senior leadership; they should be able to dynamically alter the pitch dependant on the target audience, mixing between technical and business languages.
  • Intelligence derived from the analysis process is used to enhance the organisation’s defensive posture;
  • Cyber Security capability should have in place a programme of ongoing analytical development for Cyber Security analysts that is derived from knowledge share, coaching and external commercial classes.
  • A robust attack analysis process should be in place with campaign analysis and intelligence fusion skills being developed and used depending on the persistence of adversaries.
7.15 Collaboration

Includes a Cyber Security Intelligence Fusion function to enrich external/internal cyber intelligence and represent the organisation with partners/working groups.
Initial:

  • During early phases the Cyber Security capability is likely be heavily reliant on vendor, partner and open source detections. Open source tools should be directed to identify threats targeting the organisation and new indicators and detections to mitigate these threats;
  • Early information sharing agreements should be put in place so collaboration can begin; these should include, but not be limited to like sector organisations
  • Once the organisation is established in these sharing partnerships, Cyber Security opinions and analysis should start to be known, shared and respected across industry;
  • Internal collaboration with the other IT and business operations teams should evolve into highly productive partnerships. Cyber Security leadership should pay particular attention to the development of strong and lasting relationships with other organisational teams.

Established:

  • Strong collaboration should now be facilitated through a structured framework for analysis and knowledge management to ensure that only pertinent indicators and information is shared;
  • The Cyber Security capability should be involved in significant internal and external collaboration work to facilitate new cyber intelligence. Successful collaboration should be measured against the intake of new cyber intelligence relating to adversaries targeting the organisation. Collaboration should result in increased situational awareness and an improved enterprise defensive posture;
  • Established collaboration agreements and personal relationships should result in external intelligence that can be correlated against internal datasets to fuse and enrich;
  • The Cyber Security capability will begin to be acknowledged as an industry leader that is sought out for opinion on adversary TTPs and analysis techniques;
  • The Cyber Security capability should have in place analytics, tools, technologies and secure facilities that facilitate efficient collaboration across the organisation and other trusted cyber intelligence partners;
7.16 Detections

Initial:

  • The Cyber Security capabilities should include a wide range of major detection infrastructure e.g. intrusion detection system (IDS)/ intrusion prevention system (IPS), SIEM, web proxies, email AV, host AV, network intrusion prevention system (NIPS), host intrusion prevention system (HIPS), Spam filter etc.;
  • The Cyber Security capability is likely to be reliant on vendor, partner and open source detections. The team should begin to develop custom detections to supplement these;
  • The Cyber Security capability should have basic correlation tools and at least a limited understanding of how the security events seen over time are (or are not) related to each other. At this stage it may not always be possible to correlate events that are detected on one part of the network with those happening on another part of the network;
  • The majority of effective Cyber Security detections are likely based on opportunistic adversary threat alerts (not specifically targeted at the organisation). Minimal effective detections may be in place for more sophisticated and persistent adversaries.

Established:

  • The Cyber Security capability should have advanced correlations based on intelligence gained from a range of security tools and analytics. A mature indicator database will allow rapid correlation to take place to understand how cyber-attacks may be related to one another;
  • Known traffic from adversaries is captured and directed to a safe environment within the Cyber Security capability (sandbox servers etc.) for subsequent analysis instead of denying it. Denying traffic at the perimeter may tip off the adversaries that their attack has failed prompting a sequel or series of follow up attacks;
  • Externally provided detections (vendors, partners and OSINT) are evaluated for applicability to the network environment before incorporation;
  • An indicator maturity framework should be in place rating the fidelity of indicators/detections e.g. Stable indicators (deployed operationally), functional indicators (operational but further refinement is required due to false positives created) or experimental indicators (test indicators based on analysis work – too early for operational deployment) etc.;
  • The Cyber Security capability now has the ability to create and apply customised high fidelity detections based on internally and externally generated intelligence;
  • The organisation’s security infrastructure, SIEM and other security tools are configured and optimised specifically for the enterprise. This maximises situational awareness and minimises false detections;
  • The Cyber Security capability should now be in a position to create and apply detections against campaigns of advanced persistent threat targeting the enterprise. Customised detections may be shared and received from trusted partners. Detections received from external sources should be vetted before being deployed by the Cyber Security capability.
7.17 Digital forensics

Initial:

  • During earlier phases of the Cyber Security capability, analyst’s capabilities (tradecraft, analytic processes, tools and technologies) may not be developed enough to perform intelligence-driven digital forensics;
  • Early Cyber Security digital forensics capabilities may be relatively basic with the focus on performing post-compromise host-based digital forensics on systems;
  • Early Cyber Security capabilities may have a limited head count resulting in the provision of digital forensics by Cyber Security teams performing security operations work (SOC & Compliance and Cyber Intelligence teams). Support may also need to be leveraged from other digital forensics experts.

Established:

  • The Cyber Security capability should now be implementing both host and network-based digital forensics.
  • The Cyber Kill Chain™ (or a similar framework) should be used as a framework for structured forensics analysis and to drive an investigation;
  • Once the Cyber Investigations Team is established and the wider Cyber Security is more accomplished with digital forensics, full packet capture, e.g. RSA NetWitness, and host-based forensics tools, e.g. Encase should provide catalytic platforms for detailed forensic capabilities;
  • Digital forensics should be used to reconstruct the timeline of a cyber incident to support Cyber Security analysis;
  • The Cyber Security capability should have the ability to determine an adversary’s intended Action on Objectives (final adversary phase of the Cyber Kill Chain™);
  • The Cyber Investigations Team should now be supporting other Cyber Security operational teams with specialist forensics support. Other Cyber Security operational teams should still be involved in the overall digital forensics process when related to a specific incident within their remit e.g. Cyber Intel Team responding to APT related incident.
7.18 Malware analysis

Initial:

  • The Cyber Security capability may have limited in-house malware analysis capabilities. Complex malware may be sent to partners/suppliers for support. The Cyber Security capability should invest considerable time and resource in understanding the analysis steps carried out by the external partner/supplier (to identify the indicators) and then should replicate the analysis to develop in-house capabilities;
  • The Cyber Security capability may have an over reliance on dynamic malware analysis due to the lower complexity. Static analysis should still be attempted where possible to develop this critical skill set;
  • Cyber Intelligence analysts should be seconded to external partner organisations or sent on extensive training courses to develop attack analysis skills and experience (to include static and dynamic malware analysis);
  • The Cyber Security capability should focus on ways to leverage indicators extracted from malware analysis to identify defensive courses of action. These should be to pre-empt sequel attacks;
  • Early phase Cyber Security capabilities are likely to be focussed on historical malware analysis relating to what has already happened to the organisation. Synthesis of successfully stopped attacks for operational purposes will come later. Synthesis should still be practiced in the early phases to develop skill sets for proactive detections and mitigations;
  • A secure and isolated environment (‘sandbox’) should be available for the analysis. From this sandbox environment attack analysis tools can be utilised to identify actionable intelligence and synthesise later phases of the Cyber Kill Chain™;
  • The Cyber Security capability should be developing a solid appreciation of the critical role malware analysis plays into the overall Cyber Kill Chain™ framework and an intelligence-driven organisation.
  • Remember the reference to Malware Attribute Enumeration and Characterisation (MAEC) earlier in this paper? This is where it fits in perfectly, providing that common language and construct for malware analysis and definition. It really is worthwhile investigating its use in the journey, especially with the ease that it integrates with the overarching STIX framework and families.

Established:

  • The Cyber Security capability now has mature static and dynamic malware analysis capabilities (tradecraft, process, tools and technologies) to synthesise and analyse the forward and backwards steps of the malware in the Cyber Kill Chain™;
  • Indicators that are identified from malware analysis should be used to develop additional detections and defensive courses of action;
  • The Sandbox environment should now be further developed or replicated to safely perform malware analysis and reverse engineering on captured malware from classified sources;
  • The Cyber Security capability should have the ability to analyse, determine and communicate an adversary’s TTP and intended Action on Objectives.
7.19 Mitigations

Capabilities to take appropriate and effective defensive courses of action:
Initial:

  • Cyber Security defensive mitigations should be centred on numerous indicators from multiple sources. In the early capability phases these mitigations are unlikely to protect across all of the phases of an adversary’s Cyber Kill Chain™;
  • Early mitigations may not be specifically tailored to the network environment and may stem from OSINT, partners or vendors.

Established:

  • The Cyber Security capability should now have intelligence-driven defence in depth across the phases of the Cyber Kill Chain™. For persistent cyber threats this is likely to be a series of mitigations per campaign. It is unlikely that all mitigations that defend against one campaign will be pertinent to other campaigns;
  • The Cyber Security capability always seeks out additional mitigations to fill identified defensive gaps against an adversary’s Cyber Kill Chain™. New mitigations should not inhibit the Cyber Security capability’s ability to capture additional cyber intelligence;
  • All mitigations created by the Cyber Security capability should now be tailored specifically for the network environment.
7.20 Cyber investigations

Initial:

  • The majority of cyber investigation work should be performed internally by internal Cyber Security staff. External support is still likely to be used in an ad-hoc fashion to supplement internal analysis;
  • Any external support leveraged should be used as a blueprint to address gaps in internal cyber investigations capabilities in (a) digital forensics, (b) e-Discovery and (c) cyber incident damage assessments;
  • Cyber investigations support may be requested by multiple business areas across the organisation and not always originated from the Cyber Security capability.

Established:

  • The Cyber Security capability should now provide all specialist digital forensics, e-Discovery and incident damage assessments for cyber investigations. Rare exceptions might include when multiple incidents or cases occur simultaneously overloading the Cyber Investigations Team or supporting analysts;
  • Intelligence gained through cyber investigations is captured in the Cyber Security capability’s knowledge management system and used to enhance existing detections and mitigations.
7.21 Opportunistic threats

This area includes opportunistic (non-focussed) threats such as most cyber-crime, hacktivism, P2P communications and security compliance monitoring etc.
Initial:

  • Cyber Security capabilities to manage security risks from opportunistic threats should include active real-time and some passive monitoring;
  • Cyber security policies should be enforced (through people, process and technologies) and based on identified security risk. For example Peer-to-Peer (P2P) applications may be restricted and access to social media sites such as Facebook /LinkedIn should be monitored;
  • The Cyber Security capability should leverage open source intelligence (OSINT) to monitor the cyber threat landscape for opportunistic adversary’s TTPs. This should include monitoring specific public forums using automated OSINT collection tools;
  • Malware analysis of opportunistic and self-replicating malware may be limited in the early phases. More effective analysis will be carried out once the team is established in its tradecraft, processes, tools and technologies. External suppliers should supplement internal malware analysis where necessary.

Established:

  • The Cyber Security capability should now have proactive, highly tuned and automated opportunistic threat monitoring in place. Tuned vendor technologies should be in place to manage security risks from the majority of opportunistic threats;
  • The Cyber Security capability should have the ability to rapidly adapt existing detection techniques to meet emerging opportunistic threat trends;
  • The Cyber Security capability now has a common skill set that is used for defending against opportunistic and targeted adversary groups;
  • Opportunistic threat focus should include the detection and analysis of self-replicating and other broad-based malware;
  • The Cyber Security capability uses a combination of network (e.g. routers and firewalls), internet service provider (upstream protections) and vendor provided protections to manage the risks from DDoS;
  • The Cyber Security capability understands the distinction between managing opportunistic and persistent threats.
7.22 Insider threats

Initial:

  • Focus on insider threats is likely come in later phases so that the Cyber Security capability is not attempting too much in parallel. Earlier experience on developing and tuning SIEM, IDS/IPS, and other security infrastructure should now be leveraged. New rules/detections should be written by the Cyber Security capability to detect internal network and end-user violations (network visibility and end-user visibility).
  • The Cyber Security capability has active real-time and passive monitoring capabilities to detect internal violations of cyber security policies;
  • Security policies that are relevant to insider threats (e.g. computing use, internet usage, access control etc.) should be enforced based on identified risk levels;
  • The Cyber Security capability should lockdown security circumvention avenues that exist on the network e.g. SSH tunnels (allow but monitor), tools for proxy avoidance etc.;
  • All infrastructure and systems that contribute to detecting internal violations of IT policies should be leveraged and data should be normalised and brought into central storage e.g. data hub;

Established:

  • Cyber Security leadership should establish effective collaboration processes between the Cyber Security capability and Personnel/Physical Security. Opportunities to leverage insider threat indicators alongside personnel, physical and HR indicators should be explored e.g. indicators could tip personnel or HR investigation and vice versa;
  • The Cyber Security capability should now be carrying out proactive automated monitoring capabilities to detect internal violations of IT policies. This should begin to leverage indicators from non-Cyber Security teams (e.g. personnel security) and cyber indicators where staff stray outside of their usual IT usage behaviours.
  • Monitoring for insider threats is primarily accomplished through inward focus into what is being requested from IT assets e.g. access to sensitive files, unauthorised systems or unusual print outs of sensitive documents.
  • A successful proactive Insider Threat Programme should be focussed on early warning detections more than digital forensics and after-the-fact work.

Continue reading ‘In Summary’ »