This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
This Website Uses Cookies
By closing this message or continuing to use our site, you agree to our cookie policy. Learn More
This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • Home
  • News
    • Security Newswire
    • Technologies
    • Security Blog
    • Newsletter
    • Web Exclusives
  • Columns
    • Career Intelligence
    • Security Talk
    • The Corner Office
    • Leadership & Management
    • Cyber Tactics
    • Overseas and Secure
    • The Risk Matrix
  • Management
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • More
  • Physical
    • Access Management
    • Video Surveillance
    • Identity Management
    • More
  • Cyber
  • Sectors
    • Education: University
    • Hospitals & Medical Centers
    • Critical Infrastructure
    • More
  • Exclusives
    • Security 500 Report
    • Most Influential People in Security
    • Top Guard and Security Officer Companies
    • The Security Leadership Issue
    • Annual Innovations, Technology, & Services Report
  • Events
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
    • Security 500 West
  • Resources
    • The Magazine
      • This Month's Issue
      • Digital Edition
      • Archives
      • Professional Security Canada
    • Videos
      • ISC West 2019
    • Photo Galleries
    • Polls
    • Classifieds & Job Listings
    • White Papers
    • Mobile App
    • Store
    • Sponsor Insights
    • Continuing Education
  • InfoCenters
    • Building AppSec in Enterprises
    • Video Management Systems
  • Contact
    • Editorial Guidelines
  • Advertise
Home » The Incident Response Approach to Cybersecurity
Cyber Security NewsSecurity Leadership and Management

The Incident Response Approach to Cybersecurity

biology
March 5, 2019
Megan Berkowitz
KEYWORDS artificial intelligence / cyberattack / cybersecurity / hackers / machine learning / ransomware
Reprints
No Comments

In 2017, Merck, a pharmaceutical company, was one of many companies targeted by a ransomware attack, known as “WannaCry.” Reuters reported that this attack “disrupted production of some Merck medicines and vaccines,” at a high cost for the company.  In addition, work was disrupted for a huge number of the company’s employees, many of whom rely on computers for the vast majority of their work.

The WannaCry ransomware attack that successfully targeted Merck is not the only cyberattack to which the pharmaceutical industry has fallen victim. As pharmaceutical and biotechnology companies move toward greater digitalization and the storage of more valuable data, their digital security practices become more and more critical. Many such manufacturing facilities rely on Internet of Things-connected technology in order to automate their very precise, sensitive manufacturing processes. This connectivity makes the facilities more susceptible to attack by dramatically increasing the number of internet-connected endpoints that must be protected. Additionally, the proprietary information behind drugs and other biopharmaceutical advances are valuable, and thus a prime target for cyberattackers. Finally, with the extremely sensitive nature of data collected and used by pharmaceutical and biotechnology companies, security measures are particularly important for these firms, especially those looking to gain and keep trust with consumers and patients.

As a result, cybersecurity has become an essential part of doing business in the biopharmaceutical industry. Across the industry firms are stepping up their game when it comes to cybersecurity. These companies are deploying more and more resources towards cutting-edge technologies like machine learning, artificial intelligence, and orchestration.

An important question to consider, though, is to what strategic ends are these cutting-edge technologies being put. Are they simply bolstering traditional methods of cybersecurity, or are they being used for methods of cybersecurity that are new and innovative, instead of simply faster or more efficient versions of the same product?

 

The Incident Response Approach to Cybersecurity

Traditional cybersecurity approaches are focused on reporting about intrusions after the fact, in what is known as an “incident response.” What this means is that an adversary – commonly referred to as a “hacker” – finds some way to gain access to a target and compromises it. The target can be accessed through vulnerabilities in web frameworks, internet browsers, or internet infrastructure such as routers and modems. Regardless of how they gain access, once an attacker is discovered, the forensics about the attack, including basic information known as Indicators of Compromise (IOCs) like IP addresses, domain names, or malware hashes, are shared across the cybersecurity community. These IOCs are then used broadly to thwart future attacks.

The problems with this approach are twofold: like a canary in a coalmine, someone has to be a victim first so that IOCs can be derived and shared with others; additionally, blocking IOCs has a very short half-life. Most adversaries subscribe to the very feeds that companies subscribe to in order to quickly learn if they have been exposed. All an adversary has to do is come from a new IP address or recompile their malware so that it has a new hash value (both of which are extremely trivial) and their attacks will sail through defenses that depend on IOCs. This after-the-fact methodology consumes a lot of resources and generates a lot of seemingly valuable metrics, but it is ultimately flawed.

Cybersecurity teams and adversaries are trapped in an endless loop where the adversary always has the advantage. As hackers repeatedly gain access to valuable systems and data using the same methods, cybersecurity teams continue to chase after them to secure compromised systems. While a great deal of effort is put towards understanding as much as possible about the adversary and his methods, only a small amount of that understanding is used, and only to perform the very basic actions described above. Adversaries continue to play chess, strategizing about how to slip past cybersecurity teams unnoticed, while those same teams act as though the game is more like tic-tac-toe. Very little cybersecurity effort is put towards addressing the methods used by adversaries; instead, security teams are locked in a pattern of waiting for inevitable attacks, trying to minimize the damage they cause, ensuring that remediation occurs as quickly as possible and blocking only exactly identical attacks.

 

Planning for the Future of Cybersecurity

As is readily apparent, these current, standard methods of cybersecurity are fundamentally flawed. Incident response only helps prevent attacks that exactly replicate past ones. To stem the flow of cyberattacks and to truly protect against them, the cybersecurity industry needs to embrace a paradigm shift. Rather than rely solely on the incident response and recovery methods that have been used for many years, a more proactive, sophisticated approach is needed. It will need to be designed to successfully recognize adversary methodology (and all the manners in which an adversary attempts to obfuscate their methodology) before attacks occur and at a meaningful scale. This kind of approach, when paired with incident response tactics, could provide true security to vulnerable, critical networks.

If the cybersecurity world wants to halt dangerous, costly attacks, there is a great need to shift attention towards prevention. Instead of seeking discrete, static IoCs based solely on what has already occurred, proactive cybersecurity analysts can instead use the intelligence they have derived about adversaries’ methodologies – commonly referred to as tactics, techniques and procedures (TTP).  From these TTPs, analysts can identify the general form and components of an adversary campaign. In addition, they can determine abstract indicators like how the adversary is attempting to hide his actions.  A proactive cybersecurity tool would be able to recognize possible adversary TTPs and indicators that describe a threat (or threatening behavior) in general terms.  The system would then act on any traffic which met this pattern before it reaches inside a network, as the attack occurs, and do so in a way invisible to adversaries. Using this basic model, a cybersecurity tool could truly prevent common exploits before they were executed, and could even predict and protect against future, not yet seen exploits. In addition, this prevention plus response method of cybersecurity enables teams to truly take advantage of new, cutting-edge technologies in ways that change the game, instead of simply adding speed (and cost).

A TTP-based cybersecurity tool would work in concert with existing incident response, internally-focused cybersecurity efforts, adding a layer of prevention over the top of this vital but flawed process.

With these two methods employed hand-in-hand, cybersecurity teams can make headway in reducing the number of attacks, and can more quickly and productively respond to attacks that do prove effective.

 

Subscribe to Security Magazine

Meganberkheadshot-003
Megan Berkowitz is a writer and researcher based in the United States. She holds a Bachelor of Science in Biology and English from Tufts University.

Related Articles

More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them

Game Time: The Role of Special Teams in Incident Response

You must login or register in order to post a comment.

Report Abusive Comment

Subscribe For Free!
  • Print & Digital Edition Subscriptions
  • Security eNewsletter & Other eNews Alerts
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

cybersecurity breach

The Top 12 Data Breaches of 2019

ransomware-enews

British American Tobacco Suffers Data Breach and Ransomware Attack

Dispelling the Dangerous Myth of Data Breach Fatigue; cyber security news

Major Retailer Macy's Is Hacked

server room, cybersecurity, penetration testing,

Explained: Firewalls, Vulnerability Scans and Penetration Tests

SEC1219-Cover-Feat-slide1_900px

Contracted vs. In-House Guarding: No Universal Right Answer

SEC2019_Everbridge_1119_360x184customcontent

Events

December 17, 2019

Conducting a Workplace Violence Threat Analysis and Developing a Response Plan

There are few situations a security professional will face that is more serious than a potential workplace violence threat. Every security professional knows and understands that all employers have a legal, ethical and moral duty to take reasonable steps to prevent and respond to threats of violence in their workplace.
January 23, 2020

The Value of a Unified Approach to Critical Event Management

From extreme weather to cyberattacks to workplace violence, every organization will experience at least one, if not multiple, critical events per year. And in today’s interconnected digital and physical world, the cascading safety, brand, and revenue impacts of critical events are more severe. Organizations need to be prepared through a unified and rapid response to these events.
View All Submit An Event

Poll

Emergency Communications

What does your enterprise use to communicate emergencies to company employees?
View Results Poll Archive

Products

Effective Security Management, 6th Edition

Effective Security Management, 6th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

See More Products
SEC500_250x180 clear

Security Magazine

SEC-December-2019-Cover_144px

2019 December

This month, Security magazine brings you the 2019 Guarding Report, featuring David Komendat, Boeing CSO, and many other public safety leaders to discuss threats and solutions for 2020 and security officer training. Also, we highlight Hector Rodriguez, Director of Public Safety and Security at Marymount California University, CCPA regulations, NIST standards, VMS and much more.

View More Create Account
  • More
    • Market Research
    • Custom Content & Marketing Services
    • Security Group
    • Editorial Guidelines
    • Privacy Policy
    • Survey And Sample
  • Want More
    • Subscribe
    • Connect
    • Partners

Copyright ©2019. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing