As a leading scientist in the science of security core theme of attack analysis, I often get asked if I have any recommendations to help organizations better defend against cyber-attacks. While my recommendations won’t make you immune from attacks, perhaps you’ll find some information of benefit. There is no silver bullet and every organization is different, but I’ve selected two recommendations that I believe can help organizations better defend against cyber-attacks.
My first recommendation is to practice good cyber hygiene. According to the Cyber Hygiene Campaign, taking five relatively easy and inexpensive steps can prevent about 80% of known attacks.
- Inventory authorized and unauthorized devices;
- Inventory authorized and unauthorized software;
- Develop and manage secure configurations for all devices;
- Conduct continuous (automated) vulnerability assessment and remediation; and
- Actively manage and control the use of administrative privileges.
For additional information on the Cyber Hygiene Campaign see: ‘Campaign for Basic Cyber Hygiene in Support of NIST Framework Adoption’.
Once an organization has established good cyber hygiene to prevent 80% of known attacks, I recommend they consider using the cyber ecosystem attack analysis methodology for increased resiliency to targeted attacks through active defence.
The recommendation calls out using “active defence” as part of the methodology, and there is sometimes some confusion around this term. Active defence is about taking an active role in defending the cyber ecosystem. Active defence is not offensive, as the defender’s actions stay within the cyber defence ecosystem that the defender controls.
Active defence is when organizations get proactive in their defence above and beyond good cyber hygiene. They move from reactive defence to a proactive defence and build resilience to persistent, targeted attacks. Active defence is about understanding the threat actor’s use of technology and their methods of operation as captured in threat intelligence and then using that threat intelligence to plan and implement defensive courses of action to counter the attack and mitigate the threat.
The cyber ecosystem attack analysis methodology provides an abstract visual model of the cyber ecosystem and methods for performing adaptive threat intelligence and active defence cycles.
Attack analysis should always include the three foundational elements of a good cyber security program: People, Processes and Technology. These three foundational elements are found both in the threat actor’s cyber offense ecosystem and the defender’s cyber defence ecosystem.
In my previous post on the cyber ecosystem we used the Department of Homeland Security definition of a “cyber ecosystem” to define what a cyber-ecosystem is:
“Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communication technologies) – that interact for multiple purposes.”
See Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action for further information.
The majority of organizations visualize the cyber ecosystem as different layers, and we even tend to hire people based on those layers: hardware engineers, network engineers, system administrators, software engineers, IA engineers, etc.
We also tend to think of our security in layers such as physical security, infrastructure security, network security, host security, application security, identity and authentication, personnel security, organization/corporate security, government security / law enforcement.
Taking the different layers from DHS’s definition of the cyber ecosystem we can visualize these as layers of cyber “terrain” as shown below:
(See my previous post for more on the cyber terrain and examples of common attacks for different layers of the cyber terrain.)
I like using this visualization when introducing the layers of the cyber terrain because it includes the seven layer OSI Protocol Model (layers 1-7). The OSI Protocol Model has been around for 30+ years and is widely known in the IT industry. While the above cyber terrain visualization is great for learning the layers of the cyber terrain, it’s a bit busy for cyber-attack analysis visualization.
We also want to fuse the cyber terrain layers with the three foundational cyber security elements of People, Processes, and Technology. We can visualize the cyber ecosystem with terrain layers as follows:
We can see that we still have all the layers; we have just condensed the 6 upper layers of the OSI model that were shown previously into a single logical layer to represent all the communications ports and protocols. This visualization gives us what we need to visualize the cyber ecosystem using this methodology.
We also need to consider the cyber-attack lifecycle during our analysis. Attacks don’t all happen as one event but are carried out in a series of stages. In incident response circles, the cyber attack lifecycle is commonly called a “kill chain” and different organizations have cyber attack lifecycles with various numbers of stages included in them. Find one that works best for your organization. Below is the cyber-attack lifecycle that Mitre used in their Cyber Resiliency and NIST Special Publication 800-53 rev4 controls paper.
When we consider the cyber-attack lifecycle, the threat actor needs to carry out reconnaissance, follow their processes to configure the technology to support the cyber offensive operation, weaponise the file such as combining an exploit and malware into a common document format, all before they can deliver the attack to the defender’s organization. The exploit then has to fire; the malware is installed to establish control of the asset in the defender’s cyber ecosystem. Once it has control it can execute operations such as establishing command and control communications, move laterally, and maintain access.
The thinking used to be that the threat actor had the advantage, since they only have to find one weakness to exploit out of the many in the defender’s cyber ecosystem to be successful. Modern thinking recognizes that, while the threat actor only has to find one weakness to exploit, cyber-attacks happen in stages and the threat actor must successfully complete each stage for the attack to succeed. This gives the advantage to the defender, who has multiple stages at which to detect and mitigate the attack.
A key recommendation from the NIST Guide to Cyber Threat Information Sharing (DRAFT) is:
When we combine our cyber ecosystem for attack analysis model with a cyber-attack lifecycle model and colour code the threat actor’s ecosystem as red and the defender’s ecosystem as blue we get the following.
Now that we have built and explained the cyber ecosystem attack analysis model to visualize the ecosystem, we can introduce the individual methods for threat intelligence and active defence that enable resiliency and quality improvement over time through adaptive cycles.
Just as the cyber terrain model leveraged the existing OSI model, the threat intelligence and active defence models will leverage existing, well understood methods customized to support this methodology. This should spur increased understanding for those familiar with the methods already and allow organizations to find additional resources and information online to learn more about the methods used in this methodology.
For analysing the cyber offense ecosystem, we will leverage the Observe, Orient, Decide, Act (OODA) loop or Boyd Cycle. This is a four-step cycle that was developed by USAF Colonel John Boyd, who applied it to combat operations. In addition to the military application of the OODA Loop, it’s often applied to understand commercial operations and learning processes. More information on the OODA loop can be found on the Wikipedia OODA loop article.
When we apply the OODA Loop we get a four-step method for attack analysis and production of threat intelligence. I like this method because it really shows the continuous feed-forward and feedback that is critical for continuous improvement and common in traditional intelligence analysis and production.
Observe – Observe each stage of the attack, collect and process available data and information about the attack from internal and external sources for each layer of the cyber ecosystem.
Orient – Analyse and synthesize the attack data and information for each stage of attack and layer of terrain. Orient on the Threat Actor’s methods of operation and use of technology to identify observable indicators in the attack data for each stage across one or more layers of terrain in the cyber ecosystem.
Decide – Based on the Threat Actor’s modus operandi and the identified observables and indicators, decide if this attack is from a new threat actor or if the attack is part of a larger campaign from a known threat actor. Produce the threat intelligence report.
Act – Disseminate the threat intelligence report.
It’s important to keep in mind that we not only want to identify observables to detect the attack but also identify observables to distinguish attacks coming from this threat actor from attacks carried out by other threat actors. By pivoting on each observable, we can look to see if that observable was part of any previous attacks and chain those attacks over time into campaigns. By identifying the threat actor’s use of technology and modus operandi we can get proactive in our defence of the cyber ecosystem and if we learn enough over time, we can even predict his behaviour based on indications and warnings.
Threat intelligence should provide actionable information on the threat actor’s use of the cyber offense ecosystem and what the defender should look for in the cyber defence ecosystem. Context is important. Simply saying an IP or domain is bad doesn't really give much context. Help others understand the information provided. Consider information such as what stage of the cyber-attack lifecycle was the IP or domain used in (delivery, command and control, malware update server, exfil server, etc.), who is the registered owner of the domain or IP, what networks does it belong to, and where is the geographic location?
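The pivoting and context points above, as an added example that is not part of the original post: each observable carries the lifecycle stage and terrain layer it was seen in, past incidents are chained into campaigns through shared observables, and the Decide step links a new attack to known campaigns. All incident ids, domains, IPs and hashes below are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Observable:
    kind: str    # "domain", "ip", "hash", ...
    value: str
    stage: str   # lifecycle stage where it was used (the context the post asks for)
    layer: str   # cyber terrain layer where it was seen

# Constructed incident store: incident id -> observables. Values are illustrative only.
PAST_ATTACKS = {
    "inc-001": [Observable("domain", "update-cdn.invalid", "deliver", "network"),
                Observable("hash", "deadbeef01", "exploit", "application")],
    "inc-002": [Observable("ip", "203.0.113.10", "control", "network"),
                Observable("hash", "deadbeef01", "exploit", "application")],
    "inc-003": [Observable("ip", "198.51.100.7", "control", "network")],
}

def pivot(obs, attacks):
    """Return ids of past attacks where this observable's value appeared, in any stage or layer."""
    return {aid for aid, seen in attacks.items()
            if any(o.kind == obs.kind and o.value == obs.value for o in seen)}

def chain_campaigns(attacks):
    """Chain attacks that share an observable (transitively) into campaigns via union-find."""
    parent = {aid: aid for aid in attacks}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    by_value = defaultdict(list)
    for aid, seen in attacks.items():
        for o in seen:
            by_value[(o.kind, o.value)].append(aid)
    for ids in by_value.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(set)
    for aid in attacks:
        groups[find(aid)].add(aid)
    return sorted(sorted(g) for g in groups.values())

def decide(new_obs, attacks):
    """OODA 'Decide': link a new attack to known campaigns through shared observables.
    Returns (verdict, linked incident ids, the observables that produced the links)."""
    links = {o: hits for o in new_obs if (hits := pivot(o, attacks))}
    linked = set().union(*links.values())
    verdict = "known campaign" if linked else "new threat actor"
    return verdict, sorted(linked), sorted((o.kind, o.value, o.stage) for o in links)
```

A pivot matches on the value alone, so an IP first seen in the control stage still links a later attack that reuses it for delivery; the stage and layer stay attached to each hit so the report can say where the indicator was used.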
To counter this intelligence-based active defence approach, the threat actor would have to spend more resources to change the methods of operation they are using, which in turn could require changes to the technology they are using, which might require additional training of personnel to learn the new processes and technology.
The earlier in the cyber-attack lifecycle the defender stops the threat actor’s attack, the lower the cost to the defending organization.
For analysing the cyber defence ecosystem, we are going to leverage the Plan, Do, Check, Act (PDCA) Cycle. This is an iterative four-step management method used in business for the control and continuous improvement of processes and products. It’s also known as the Deming circle/cycle/wheel, the Shewhart cycle, or as used in ISO-9001. More information on the PDCA four-step management method is available on Wikipedia.
I think this is a perfect method for active defence, since we want to control the attack within the cyber defence ecosystem and to enable continuous improvement of an organization’s defences and increased resiliency to future attacks. When we apply PDCA in this methodology we get a four-step method for active defence.
Plan – Plan active defence courses of action based on threat intelligence for each stage of the Threat Actor’s attack, consider both technical and process based mitigations and countermeasures for each layer of the Defender’s cyber defence ecosystem.
Do – Implement the intelligence based courses of action to mitigate and counter the Threat Actor’s attack and to increase the defender’s resilience to future attacks by this threat actor.
Check – Measure the quality of the threat intelligence and effectiveness of the mitigations and countermeasures over time. Track campaign detections, use measurement results to drive change for improvement across the people, processes, and technology areas that make up the cyber defence ecosystem.
Act – Provide feedback on the quality of the threat intelligence and effectiveness of the mitigations and countermeasures; take action to continuously improve the security and resilience of the cyber defence ecosystem.
Keeping with our colour coded visualizations, we can visualize the OODA loop combined with the PDCA cycle as follows:
We can visualize the complete cyber ecosystem attack analysis methodology together as a high-level overview as seen below. This also makes a great visual tool for discussing cyber threats and cyber-attacks as a group to help ensure a common understanding of the activity and use of the ecosystem.
The key benefits of the cyber ecosystem attack analysis methodology are:
- Takes a more holistic approach by considering the attack across both the threat actor’s cyber offense ecosystem and the defender’s cyber defence ecosystem
- Enables the defender to better identify, chain, and track threat actors and campaigns over time
- Enables a more resilient cyber defence ecosystem by having multiple chances to mitigate the attack as it progresses from stage to stage across different layers of the ecosystem
- Costs the threat actor considerably more to defeat layered, intelligence-based mitigations and countermeasures
Practicing good cyber hygiene and using the cyber ecosystem attack analysis methodology will reduce the defender’s cost per attack while increasing the threat actor’s cost to overcome it while helping organisations mature from a reactive, passive defence posture to a more resilient, proactive, active defence posture.