To understand risk exposure, security pros gather and digest intelligence feeds about vulnerabilities, indications of compromise (IOCs) and other machine-readable data all the time. But real-time insight into what adversaries are seeing in underground forums, the dark web, social media and other sharing sites is hard to come by. Yet it is precisely this attacker’s eye view you need to gain a clear picture of your risk profile, to prioritize which threats are likely – even imminent – versus others.
With 411 breaches so far this year exposing 17,678,050 records, according to the Identity Theft Resource Center report, there is a growing need to use this insight to better inform and tune defenses. However, it takes more than downloading the TOR browser bundle or devising a good underground cover identity to access these sources and gather actionable intelligence. What can you do to avoid wasting time, keep your employers out of trouble with the law and make a difference in anticipating risk? It starts with understanding the intelligence gap that exists between you and your adversaries.
Today, most organizations rely on penetration testing and CVE/exploit feeds to understand their risk profile. While these methods provide important data about vulnerabilities, bad IP addresses and domain names, they also have limitations. Pen testing provides information at a specific point in time. If suspicious activity happens the day after the pen test and the next test isn’t scheduled for six months, by the time security team gets the information it is too late to be actionable. CVE/exploit feeds are closer to real-time, but are still limited to generic data that isn’t necessarily relevant and just creates noise.
By gaining an attacker’s eye view, security pros can supplement the threat intelligence they are already using with data about what their organization actually looks like online – key assets, employee passwords, mobile app activity, etc. With this cyber situational awareness, they can understand “who” is mostly likely to attack them, “why,” “how,” and which assets they most need to protect.
Small, yet detailed pieces of intelligence specific to an organization come to the forefront and can be used to prioritize defenses. For example, finding your proprietary engineering designs or employee user names and passwords available for purchase on the dark web reveals defensive actions that must be taken immediately. By knowing what attackers are seeing, organizations can do damage control and close gaps, like resetting passwords and generating takedown requests from sites like Facebook.
Discovering what attackers see can be scary and requires significant resource investment to gain valuable insights since this type of information isn’t indexed by search engines and information is in multiple languages. Tapping into the TOR network can take considerable time, expertise and manual effort, which limits the amount of coverage. Even skilled IT security staff can inadvertently expose their organization to greater security risk when connecting to this portion of the Internet because of unknown malicious files that can infiltrate the corporate network.
Legal risk is also introduced. Interacting with criminals on forums requires specific training and years of experience to navigate regulations which vary by country. Creating false profiles to log into forums, engaging in different definitions of “hacking,” or handling stolen goods in an effort to retrieve their own data can potentially expose the organization to legal action.
In light of these risks, organizations must be aware of missteps and reach the attacker’s eye view carefully. Start out by defining your most important data assets and the kind of online behaviors and relationships - necessitated by the business - place them at risk. An international law firm or business consultancy may need to study how attackers view its Web site, social media presence and collaboration tools, for example, whereas a manufacturing firm will have to look for information visible via supply chain partners, distributors and others.
Because few organizations have available resources to approximate an attacker’s viewpoint from every corner of the Web and underground, it is crucial to focus on areas where study can have the greatest effect. Ultimately, you have to reconcile the reach of your programs with corporate policies and might decide to engage with industry groups and other third-parties to help survey where hackers ply their trade. This can insulate security teams from direct legal risk and help limited resources.
Most companies struggle to analyze huge volumes of generic data to gain relevant insights. It’s not surprising that the average time-to-detection as measured by Ponemon stands at 170 days. When it comes to gaining a better return on security investments and ultimately more effective defenses, it’s not about adding more data, but rather adding data that is directly relevant to the organization and the sector or industry.
This is where true cyber situational awareness honed with the attacker’s eye view comes into play, giving customers another useful lens to look through for even greater awareness and understanding of how to gauge their online exposure and defend against targeted cyber attacks. By investing even incrementally in the means to stand-up a view of their assets and defenses from the outside, every organization can gain otherwise overlooked insights and analysis sharpening their cyber defenses that much further.
Paterson is Co-Founder and CEO of Digital Shadows and previously served as International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He has more than a decade of experience advising government, Fortune 500 and FTSE 100 organizations on large-scale data analytics for risk and intelligence.