With almost the entire world’s focus on the pandemic this past year, hackers had it easy. Unlike in previous years, they didn’t really have to create unique malware variants – COVID-19 handed the bad guys options on a platter. Put another way, the events of last year revealed the ability of malicious actors to exploit significant changes occurring in our daily lives as new opportunities to launch attacks at an unprecedented scale.
SolarWinds was the standout security event last year that wasn’t about COVID – and it’s certainly not the last of its kind. Look at the recent attacks on Microsoft Exchange servers. Security teams need to take these lessons and focus more on working together – both the private and public sectors – creating partnerships and keying in on the available intelligence. It’s become an imperative.
As with national security, counterintelligence has become vital to protecting organizations and individuals against adversaries. Cybersecurity professionals can and must better wield a strategy of counterintelligence, including advanced deception technologies, to keep their organizations safe and cyber adversaries at bay. This becomes especially important as we see the continued proliferation of nation-state attacks as well as a rise in increasingly sophisticated cybercriminal organizations.
The role of threat intelligence
As the attack surface of organizations continues to expand, the scale and the number of victims will only increase. To effectively defend against today’s cyber threats, IT security teams need to implement proactive strategies to ensure they are doing everything they can to keep their assets safe by detecting and preventing threats before they happen.
Make the best use of intelligence
Counterintelligence plays a critical role in a proactive security strategy. It is a critical resource in the world of espionage, and the same holds when defending a distributed environment. Fortunately, IT security teams have a distinct advantage because they have access to the kind of threat intelligence and resources that cybercriminals generally do not. Threat intelligence feeds, augmented with machine learning and AI, can help detect and respond to threats before they can successfully compromise a system or network.
Deception technology has become critical to counterintelligence: false network traffic and devices are generated to entice and confuse attackers, filling the environment with tripwires that alert security systems and teams to any unexpected or unauthorized behavior. Cyber adversaries then need to differentiate between legitimate and deceptive traffic in real time, and even simply monitoring traffic patterns can get them caught.
As organizations add playbooks, behavioral analytics and more pervasive AI to their deception strategies, they will effectively tighten this proactive approach even further. This lets the IT security team create a controlled environment that allows attackers to roam freely so the team can detect how the attackers operate.
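The two paragraphs above describe the mechanism in the abstract; the following added example (not from the article or from FortiGuard Labs) makes it concrete. It defines a constructed inventory of decoy hosts and a planted honeytoken account, runs a few constructed connection-log lines through a tripwire check, and then groups the hits by source so the defender can see the order in which an intruder touched the decoys. The addresses, account name, and log format are all assumptions made for the example; the point it shows is that because no legitimate user ever touches a decoy, every hit is a high-fidelity alert and the sequence of hits doubles as an observed playbook.

```python
"""Minimal deception tripwire: decoys legitimate users never touch, so any hit is an alert."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy inventory (hypothetical addresses; a real deployment would
# take this from its deception platform). Nothing legitimate ever uses these.
DECOY_HOSTS = {
    "10.0.5.201": "decoy-fileserver",
    "10.0.5.202": "decoy-db",
}
# Planted credential that no real process uses: any login attempt with it is a tripwire.
HONEYTOKEN_USERS = {"svc_backup_legacy"}

# Constructed sample connection log, one event per line: "<ts> key=value ...".
SAMPLE_LOG = """\
2021-03-10T09:01:12Z src=10.0.1.15 dst=10.0.5.10 dport=445 user=alice
2021-03-10T09:02:40Z src=10.0.1.77 dst=10.0.5.201 dport=445 user=-
2021-03-10T09:02:41Z src=10.0.1.77 dst=10.0.5.202 dport=3306 user=-
2021-03-10T09:05:03Z src=10.0.1.77 dst=10.0.5.10 dport=22 user=svc_backup_legacy
2021-03-10T09:06:00Z src=10.0.1.20 dst=10.0.5.10 dport=443 user=bob
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    decoy: str  # which tripwire fired, e.g. "decoy-db:3306" or "honeytoken:svc_backup_legacy"


def parse_line(line):
    """Parse '<ts> key=value ...' into a dict; malformed lines return None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        event[key] = value
    try:
        event["dport"] = int(event["dport"])
    except (KeyError, ValueError):
        return None
    return event


def detect(lines):
    """Return one Alert per interaction with a decoy host or honeytoken account."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev.get("src", "?")
        if ev.get("dst") in DECOY_HOSTS:
            alerts.append(Alert(ev["ts"], src, f"{DECOY_HOSTS[ev['dst']]}:{ev['dport']}"))
        if ev.get("user") in HONEYTOKEN_USERS:
            alerts.append(Alert(ev["ts"], src, f"honeytoken:{ev['user']}"))
    return alerts


def playbook(alerts):
    """Group tripwire hits by source, in time order, to record how the intruder moved."""
    steps = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a.ts):  # ISO-8601 timestamps sort lexically
        steps[alert.src].append(alert.decoy)
    return dict(steps)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines())
    for alert in hits:
        print(f"ALERT {alert.ts} {alert.src} touched {alert.decoy}")
    for src, seq in playbook(hits).items():
        print(f"{src}: {' -> '.join(seq)}")
```

Running the block prints three alerts, all from 10.0.1.77, and the reconstructed sequence fileserver decoy, database decoy, then the honeytoken login against a real host. The benign sessions from alice and bob produce nothing, which is the property that makes decoy alerts worth paging on.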
Security teams need continuous updates of good threat counterintelligence based on the latest adversary playbooks. By doing so, organizations can detect and respond to any counterintelligence efforts before they happen, keeping the upper hand in the ongoing cyber war.
Forge more partnerships and coordination
With the scale, resources, and speed of many current attacks, it is also essential that organizations not rely on a “lone wolf” approach. They cannot expect to defend against cyber adversaries on their own. They need to actively engage in threat sharing so that they stay forewarned of emerging threats. They also need to know whom to inform in the case of an attack so that the “fingerprints” of the attack are properly shared, helping to build or improve attacker playbooks and assisting law enforcement in doing its work.
Threat research organizations, cybersecurity vendors, multinational organizations, and other industry groups also must partner with law enforcement and legislatures to help dismantle adversary infrastructure and prevent future attacks. There are no borders in cyberspace, so the fight against cybercrime needs to go beyond borders as well, to include the global threat-fighting community. We need to empower law enforcement to pursue cybercriminals across borders and take down their safe havens.
Don’t think that this means going on the attack – it’s about finding ways to work together, to work smarter, to focus on partnerships, and to improve on the intelligence we have. Only by working together can we turn the tide against cybercriminals.
Events of this past year remind us what we’re up against: very crafty, well-resourced, and patient adversaries who are continually evolving their attack strategies. Deception technologies combined with threat intelligence and playbooks are a great place to start. But no one enterprise can hope to remain successful on its own. Coordination and collaboration are critical to security success, so public and private groupings of all types must come together to share information. In this way, we’ll make the security sum much greater than its parts.
Derek Manky, chief of security insights and global threat alliances, FortiGuard Labs