This guest post was contributed by James Allman-Talbot, Head of Incident Response & Threat Intelligence, Quorum Cyber
Slow detection of a cyberattack always ends in compromise, pure and simple: compromise of your systems, of your reputation, of your financial standing, and of the trust placed in you. Yet it happens all too often. How do you stop it happening to you?
If you want to discover a cyberattack faster, the best thing you can do is learn what “normal” looks like in your organization and educate your users. People often look for technical solutions to protect them from threats, then rely on that automation and take little time, once the tooling is in, to understand their own environment. Users, on the other hand, typically know what normal looks like in the organization, but may lack the technical or security understanding to recognise why anomalous activity or behaviour matters.
This approach works because it is personal to your organization and costs nothing extra. Off-the-shelf tooling isn’t personal - it can’t be. It has to work in many organizations across different verticals, so there is always a compromise. Sure, there is configuration to integrate it with your systems and infrastructure, and it will work and do a job, but to get the most out of it you need to know how your business works. Once a threat actor is in an environment, we see them use the same tools that systems administrators use to manage the infrastructure, or even fall back on internal phishing and ordinary access to data. Those tools, communications and protocols are therefore common within the organization, and their use may never trigger detection or alerting in the tooling. Knowing when they are being used anomalously is what speeds up detection and makes the approach effective.
There are many strong detection tools on the market, Microsoft Sentinel among them. You can pull signals from all sorts of sources, engineer detections based on Indicators of Compromise (IoCs), Tactics, Techniques and Procedures (TTPs) and so on, and tune them for “normal”. Ultimately, though, users know normal, as I said before, and they are great detection tools for both technical and physical security. To make the training stick, make it relevant to them: if they can take that knowledge and apply it to their personal life and situations, rather than hearing “the company policy says….”, they become more secure personally and bring that with them to work.
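To make the “tune for normal” idea concrete, here is an added example of the detection logic, written for this article and not code from the author, Quorum Cyber or Microsoft Sentinel. It builds a baseline of which users and hosts normally run dual-use administration tools (PsExec, WMIC, PowerShell) and at what hours, then flags only departures from that baseline rather than every use of the tool. The log lines, the pipe-delimited format, the host and user names and the tool list are all constructed assumptions for illustration.

```python
"""Baseline-driven anomaly detection over process-creation logs.

Constructed example: the log lines below are made up for illustration.
A signature on "psexec.exe ran" is noise in an environment where admins
use it every day, so instead we learn who normally runs each admin tool,
from which host, and when, and alert only on departures from that.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real logs). Format:
#   timestamp | host | user | process
BASELINE_LOGS = """\
2024-03-04T09:12:05 | admws01 | CORP\\jsmith | psexec.exe
2024-03-04T10:40:11 | admws01 | CORP\\jsmith | powershell.exe
2024-03-05T14:02:37 | admws02 | CORP\\akhan  | wmic.exe
2024-03-05T15:30:00 | admws02 | CORP\\akhan  | psexec.exe
2024-03-06T11:08:19 | admws01 | CORP\\jsmith | psexec.exe
2024-03-07T16:45:52 | admws02 | CORP\\akhan  | powershell.exe
"""

# Constructed events from a later day to evaluate against the baseline.
NEW_LOGS = """\
2024-03-11T09:30:00 | admws01  | CORP\\jsmith | psexec.exe
2024-03-11T02:17:44 | admws01  | CORP\\jsmith | psexec.exe
2024-03-11T13:05:09 | fin-ws17 | CORP\\pbrown | powershell.exe
2024-03-11T13:06:21 | fin-ws17 | CORP\\pbrown | psexec.exe
2024-03-11T13:07:00 | fin-ws17 | CORP\\pbrown | excel.exe
"""

# Dual-use administration tools the baseline is built for (an assumed list).
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "powershell.exe"}


def parse(log_text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, user, proc = [f.strip() for f in line.split("|")]
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "proc": proc.lower(),
        })
    return events


def build_baseline(events):
    """Learn, per admin tool, the (user, host) pairs and hours seen using it."""
    baseline = defaultdict(lambda: {"actors": set(), "hours": set()})
    for e in events:
        if e["proc"] in ADMIN_TOOLS:
            b = baseline[e["proc"]]
            b["actors"].add((e["user"], e["host"]))
            b["hours"].add(e["time"].hour)
    return baseline


def detect(baseline, events, hour_slack=1):
    """Return (event, reason) pairs for admin-tool use outside the baseline.

    Two checks, in order: an actor (user, host) that has never run the
    tool, then a run outside the learned hours (with hour_slack of
    tolerance, wrapping around midnight). Non-admin processes are ignored.
    """
    findings = []
    for e in events:
        if e["proc"] not in ADMIN_TOOLS:
            continue
        b = baseline.get(e["proc"])  # .get() does not create a default entry
        actor = (e["user"], e["host"])
        if b is None or actor not in b["actors"]:
            findings.append((e, f"{e['user']}@{e['host']} has never run {e['proc']}"))
            continue
        hour = e["time"].hour
        near = any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack
                   for h in b["hours"])
        if not near:
            findings.append((e, f"{e['proc']} by {e['user']} at "
                                f"{hour:02d}:xx is outside normal hours"))
    return findings


def run_example():
    """Build the baseline from BASELINE_LOGS and score NEW_LOGS; return reasons."""
    baseline = build_baseline(parse(BASELINE_LOGS))
    return [reason for _, reason in detect(baseline, parse(NEW_LOGS))]


if __name__ == "__main__":
    for reason in run_example():
        print("ALERT:", reason)
```

Run as a script, the baseline admin's 09:30 PsExec run passes silently, the same admin's 02:17 run is flagged on hours, and the finance workstation's PowerShell and PsExec use is flagged because that user and host have never run those tools; Excel is never considered. In practice the baseline window would be weeks of real telemetry, hours would be learned per actor rather than per tool, and the output would feed a SIEM rule, but the shape of the logic is the point: the tool is ordinary, the context is not.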
Most organizations are not doing enough to rapidly detect an attack, and the reasons vary with the organization’s situation. Cybersecurity can be expensive and rarely shows an obvious return on investment (ROI), so funding can be an issue. There are cyber snake-oil vendors that jump on bandwagons with their next-generation artificial intelligence (AI) cross-platform jargon; it sounds impressive, but the people hearing the message don’t understand what it does, how it does it, whether it is needed, or even whether it is relevant to their threat posture. They just want something to make their cybersecurity worries go away, and this all-encompassing, multi-tiered, always-on platform sounds like just the thing they need….as long as the attack happens between 09:00 and 17:00, Monday to Friday, when someone is not too busy and can take the time to check it and understand what its output means.
Finally, it’s also important to realize that detection is only one part of cybersecurity preparedness. It’s always good to catch things early, but look at the later stages too and work out how you could speed those up: the analysis, containment, eradication and recovery. In working out how to speed those up, you’ll find ways to speed up detection as well, and at the same time improve your security posture and reduce the cost and impact of a cyberattack.
James Allman-Talbot is the Head of Incident Response and Threat Intelligence at Quorum Cyber. James has over 14 years of experience working in cybersecurity, and has worked in a variety of industries including aerospace and defense, law enforcement, and professional services. Over the years he has built and developed incident response and threat intelligence capabilities for government bodies and multinational organizations, and has worked closely with board level executives during incidents to advise on recovery and cyber risk management.