So you might say what I’ve covered so far is the basics of InfoSec and you’d be right. There is nothing particularly new in what I have said so far, but still too few organisations actually follow through on these elements. If you want to undertake cyber security in its truest form then you’ve got to get the above down to a T.
Now let’s delve a little deeper into some of the nuances of cyber security. So you’ve got the basics covered, a coherent strategy and a compelling business case. OK, so elements of the strategy and business case are in the following paragraphs, but hopefully you’ll see how this journey couples together from building strong foundations and then evolving your maturity into how analysis can deliver a much richer picture of your adversaries and the risks they pose to your organisation.
To get into this realm you need to start thinking of threat intelligence and advanced analytics. Now I’m not talking about what is usually badged as threat intelligence by most vendors. To give a simple differential, the usually badged threat intelligence is actually really cyber data or information. Why? Well to explain we need to dip into the levels of intelligence. Now true intelligence has one overriding factor and that it that it is attributable to a source, in our case a threat actor, and building an understanding of that threat actor. The main components of the threat intelligence you are being sold are Observables or Indicators that are not attributed to a specific source. They are generic MD5 hashes, IP addresses, domains etc., but offer little in the way of context or applicability to your organisation. Without that attribution they just become generic, and there is lots, and lots, and lots of generic to wade through.
These data, or information feeds have value, albeit at a tactical level. However when fused with the data and information produced from your systems and analysis you can start to find the relationships and commonality between events and data elements. These relationships allow you to make confident inferences as to the source of each event or attack. This is not to say that you will be able to identify the exact person behind the attacks, but you will be able to group attacks to a common source due to the elements of those attacks having like factors. They will have characteristics which mark them out as being from the same source, such as registration personas for example.
This is not a trivial undertaking, but by being able to correlate events to a particular source you can start to dig into the working practices of that source and gain a thorough understanding of them. Knowing the workings of your adversaries allows you to move into more of a protective stance, tailoring courses of action to a particular threat, rather than firefighting the plethora of generic threats you face on a daily basis. Your hygiene covers the majority of these and then some.
To familiarise yourselves with this premise I recommend reading up on the Structured Threat Information eXpression (STIX) framework. STIX is a community developed standardised language for building, consuming and producing threat intelligence. Essentially ensuring everyone is on the same page and talking the same language rather than interpreting or translating the various naming conventions in play. Why do all vendors categorise and label things differently? It only makes my life harder! Using common languages, such as STIX, is key to applying science to our security and because STIX is both human and machine readable it supports automation where possible.
So using a common framework and undertaking analysis to attribute events and attacks to a particular source you can start to really build a depth of understanding of what makes up that threat actor. You may have heard of things like TTPs (Tactics, Techniques and Procedures), but do you know what it means? Well going back to basics for a moment, never forget that a cyber-attack no matter how sophisticated starts with a human being. All of them! Of course all human beings, either as individuals, or as part of a team or organisation have particular ways of working, likewise those teams or organisations have particular ways of working, processes, tools etc. Patterns if you will. Well you can work out patterns or understand ways of working if you know what you are looking for, but the fundamental key to this is being able to attribute attacks and events. If you can attribute events to a single threat source you can analyse those events to identify the ways of working of that particular source. How they stand up their infrastructure, how the development capability works, how quickly they can write an exploit against a released vulnerability, what their motivation is, usual delivery methods, regularity of attack and exploit target. Think of each layer of the kill chain and what artefacts you can pull out about this threat source at each layer.
When looking at the STIX architecture you should hopefully be able to see the relationships between the different elements and how they interact. It all starts with the Observables, which are properties or events pertinent to the operation of computers or networks. Indicators being Observable patterns with contextual information, linking to TTPs which convey the behaviour of an adversary, or Threat Actor, who will identify an Exploit Target, which is a weakness or vulnerability, through which they may cause an Incident. Where the Threat Actor is pursuing an intent, a persistence, then we would label these Campaigns. Whilst in defence we undertake Courses of Action to address the threat. Obviously the more we know about the threat, the higher the fidelity of our intelligence, the greater the chance we as defenders have of mitigating that threat through appropriate defensive measures or courses of action.
For more information please visit Mitre and read up on STIX and its sister frameworks. It really is a great resource! For a primer with tremendous insight into modern threat intelligence and the use of STIX et al please read this article from former spook and internationally recognised expert Shawn Riley Insights to Modern Cyber Threat Intelligence. It does not get better than this in terms of explaining what threat intelligence is all about.
This depth of understanding will enable you to make pertinent defensive decisions, for both detective and preventative measures based on knowledge of how your adversary works. Understanding your adversaries is the next evolution in your cyber security maturity and gives you the ability to develop and deliver a truly rich risk picture for your organisation.
Taking the above, think about the information that you can glean from an attack, even in its basic form and how you can store such information and then reference against later attacks to identify any commonality or relationships.
For example in a simple malware attack delivered through an email. You have all the data from the message headers, sender and from addresses, MX records, domain information, from which you can see who registered the sending domain, or identify if it is likely to be a compromised server used for the delivery. From IP details you can determine which domains are registered against it and again the details used to register those domains and the geolocation details.
From the malware you can identify elements such as which directories were created, files, process and services created, modified or deleted, file names, types, hashes and size, registry entries amendments or creations.
If it calls out what domain or IP address does it call to and for what purposes. Again what domains are registered against that IP address and the registrant details?
This is just absolute basics and only scratching the surface, but you can see how even from a cursory look there are several observables that could be identified from a single event.
Malware is a great example of where as an industry we’ve made life hard for ourselves. When you are desperate to compare apples with apples you have an industry with a complete vendor driven individual language and reporting construct. What is named Malware A to one vendor is Malware 5 to another, yet they are actually the same. At a base language level we have created a diversified monster. I don’t want to have to interpret someone’s naming convention to correlate against another, I want a simple, structured, common schema.
Coming back to the good people at Mitre we do have that possibility through the adoption and use of Malware Attribute Enumeration and Characterisation (MAEC). What is MAEC? MAEC is a standardised language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. The goal of the MAEC effort is to eliminate the ambiguity and inaccuracy that currently exists in malware descriptions and to reduce reliance on signatures through the leveraging of responses to previously observed malware instances. In this way MAEC seeks to improve communication about malware, reduce potential duplication of malware analysis and allow for faster development of countermeasures.
I won’t go into the full detail of MAEC here, but for more information please visit Mitreand explore the possibilities. There is a whole community that is more than willing to engage with you.
We all know the overriding theme of People, Process and Technology, but for me what makes the material difference is Data. P,P&T are the core pieces of any capability, but where Data stands out is in what it can give you in terms of richness, or high fidelity of risk. The more data you have at your disposal and the more interrogation therein the greater the picture of risk you can establish. There is no point in having data unless you analyse it, there is no point in analysis if you don’t take an action based on the analysis. Intelligence analysts analyse to produce intelligence reports, analysis of intelligence reports is used to produce courses of action. Think about all of the stages that an attacker has to go through in order to achieve a successful outcome. If you are unsure look at the attacker lifecycle, but also think about all the work that goes on before the actual reconnaissance stage. The example below is taken from the Mitre Cyber Resiliency and NIST Special Publication 800-53 rev4 controls paper.
The threat actor has to be successful at every stage of the attack lifecycle in order to achieve their goal, which actually, against commonly held belief, gives the defender the edge. Really? Yes. The defender has multiple opportunities to detect, analyse and mitigate the attack. It requires observation at all layers of the attack and analysis of all available data about the attack. From that observable indicators can be built for each stage, which can then aid determination whether this is a known actor / campaign or a potentially new threat source. There is a great article from Shawn Riley which delves into using the Observe, Orient, Decide, Act (OODA) loop for such analysis for offensive analysis.
The output from the attacker’s operation provides the defender with opportunities to develop active countermeasures to mitigate the attack. A great example of this is using the widely known Plan, Do, Check, Act (PCDA) cycle. Planning countermeasures based on the intelligence reporting of the attack analysis. Implementation of the countermeasures to increase resilience against future threats, whilst mitigating the immediate threat. Measure the effectiveness of the countermeasures and the in turn the quality of the preceding intelligence. And finally (it’s a loop so never really a final step), provide feedback and take action to continually improve resilience.
If you want to know more about this approach and methodologies Shawn’s article can be found here Cyber Hygiene and the Cyber Ecosystem Attack Analysis Methodology.
From analysis of attacks you can build a deep understanding of the threats to your organisation. Who is attacking you, their threat level based on persistence, sophistication, operational tempo, technological expertise, resources, TTPs, tooling, etc. coupled with your knowledge of your susceptibility to their attack patterns. You can understand your asset(s) and threat actor(s) risk scores, gaps and identify appropriate courses of action and enable measurement and display of their effectiveness. You can mirror your defensive capabilities against the threat actor to determine where you are under resourced, both people and skills, as well as where you have deficiencies compared to the capability of your adversaries. From such depth of knowledge you can start to predict your adversaries operations and undertake demand management to ensure the defence against those campaigns are fully resourced.
You can move beyond the Kill Chain view of attacks in operation and the tactical measures you can implement as a result to really start developing an understanding of the attacker’s lifecycle. Using time measurements to determine their operation more widely, for example how often and to what degree they alter their tools and develop their exploits against vulnerability disclosure. From this you can get a good handle on the resources at their disposal for development and engineering, which is all undertaken prior to the Kill Chain kicking in. This helps you understand how sophisticated the threat is. How often do they alter other aspects of the operation?
All this is predicated on being able to attribute attacks and event data to a particular threat actor, which as I have discussed earlier is all born out of analysing the data at your disposal, both internal and external and finding the patterns therein. With this development of knowledge regarding that threat actor you have significant value to offer in terms of sharing, and the possibility of gaining greater understanding from the intelligence you consume from others. For example what other sectors and organisations is this threat actor targeting and when, giving you more of an insight into their strategy and motivation.
Data really is the key to unlocking your operational cyber knowledge. Taking Shawn Riley’s Pyramid of Cyber Intelligence you should be able to see the flow from Data and Information and reactive defence through to Intelligence and ultimately Knowledge for the purposes of active (proactive and predictive) defence. Remembering at the start the volume of generic cyber and other domain data, which will remain constant, will be high, but the ability to distil that and draw out the commonalities to identify threat actors and their behaviour is a massive step forward for any organisation.
Of course to undertake the above requires a certain skills range across your cyber security capability. Now if you read the majority of job adverts for cyber security leaders, analysts or consultants you’d generally think they all need a degree, be CISSP or CISM and ISO27001 certified. Really? I don’t think so. When I am thinking of a cyber security capability I am thinking of far reaching skills.
It depends on the role, but at a senior level I’d want to see things like:
- Cyber strategy development and implementation
- Experience of developing proactive intelligence driven countermeasures.
- Development of capabilities to both consume and produce applicable threat intelligence using standard frameworks such as, STIX/TAXII, and CYBOX, with extensions supporting TTPs in MAEC and CAPEC, and exploit targets in CCE, CVE, and CWE formats.
- Developing adversarial understanding through attribution; identifying commonality and relationships between security events, grouping these by source / actor.
- Through understanding of Incident Recording frameworks, such as IODEF or VERIS.
- Developing capabilities to utilise OSINT, HUMINT and SIGINT to inform defensive countermeasures.
Working knowledge of the following:
- Network security;
- Malware analysis;
- Cyber incident response;
- Digital forensics (host and network based);
- Configuring and using SIEM and security infrastructure (e.g. IDS/IPS, AV, Firewalls etc.);
- Command-line operating system e.g. Linux, Unix etc.;
- Systems administration for both Windows and Linux;
- Writing custom signatures for IDS/IPS;
- Log correlation and aggregators/connectors.
For a SOC / Analyst type role I’d want to see:
- Working knowledge of host and network based digital forensics and associated tools;
- Proven experience performing analysis of security events to determine root cause and provide resolution;
- Working knowledge of network protocols, TCP/IP fundamentals and operating systems (Windows, Linux or OS X);
- Working knowledge of security tools such as firewalls, IDS/IPS, A/V, anti-spam, content management, server and network device hardening;
- Understanding of malware analysis and reverse engineering;
- Understanding of network based services and client/server applications;
- Understanding of enterprise systems and infrastructure;
- Understanding of e-Discovery process and related tools;
- Understanding of network architecture and security infrastructure placement;
- Familiarity with security tools such as Anti-Virus, Anti-Spam/Email security systems and Data Loss Prevention Tools;
- Understanding of legal/regulatory aspects of cyber-incident response processes and methodologies;
- Previous experience in troubleshooting day-to-day operational processes such as report generation, data verification, data correlation, etc.;
- Excellent oral, written and documentation skills;
- Methodical and creative approach to problem-solving;
- Superior time management and prioritising ability.
This is quite generic, but what I’d be looking for which would tell me that an organisation is mature, or at least mature in its thinking. Now I know these skills and people don’t grow on trees, but this is where the skills of your cyber security team should be focussed.
You cannot just buy in this resource across the board for two simple reasons, 1) there is not a huge amount of truly experienced talent to pick from and 2) if you all did it that resource percentage gets smaller and smaller. You will need to develop these skills alongside experienced hires. Training is paramount, but moreover the aptitude of your recruitment should hold primacy. There are hundreds of courses to choose from alongside knowledge share and practical experience. You should build a programme of talent progression, whilst also bearing in mind that you will have a natural churn in a competitive skills market place, and as such should also have a programme to match that churn. I would recommend running at 2/3 people above your notionally allotted headcount to factor in that churn and knowledge build. You do not become an expert overnight, nor do you even become competent.
Where training is concerned investigate and identify your training needs at all levels and build a maturity path for your team. Do not just focus on generic security qualifications; they only get you so far. Think wider and more far reaching, for example advanced Excel skills can prove very useful. Is that a security qualification? Think analytics, programming / coding, operating systems, architecture, networking, malware and forensic analysis, tooling specific etc.
Hopefully you can appreciate the science involved when it comes to a seriously mature capability that works in the intelligence and knowledge layers. You will not be there from day one and need to build and evolve towards that level of capability, but if you keep it in mind when looking at your required skill-sets you should be able to identify key skills requirements to bring you forwards more rapidly.