Losses from cybersecurity breaches are almost doubling each year and predicted by Cybersecurity Ventures to be $6 trillion by 2021. As the world accelerates leveraging from ever-evolving technology, this statistic is alarming and reflects a continuously losing war, where organizations spend more each year on securing their network and data. This becomes the rationale to identify a new approach to augment the current “defense in depth” that operates inside the network, mainly based on “indicators of compromise.” This is also complemented by smart (AI) anomaly detection or deception traps, also inside the network.
By analyzing the current approach, a major aspect is focused on “indicators of compromise” whereby the very word “compromise” indicates detecting an attack at the stage when the attacker has already reached or penetrated your defenses. An attack is a chain of events starting from the attacker identifying the target based on some recon, planning, and construction of his attack; detecting the attacker in any of those early stages would constitute the focus on “indicators of exposure” and “indicators of warning” as opposed to ‘compromise.’ This very aspect does not seem to have due focus and efforts, reflected by the simple fact that almost all entities in the world do not catalog their digital footprint as visible to an attacker, or what he will see in his recon about the organization when he scouts the internet. This lack of visibility about your own genuine spread on the internet also means that you are not aware of the attacker impersonating you or attack attributes that may have any form of association with your entity.
Furthermore, it is important here to note that many attacks, that target your customers or impersonate your brand to defraud individuals, may never touch your network. All the more reason for the need of a mechanism to perform the following:
- catalog your digital footprint spanning the internet.
- Identify and fix weakness (indicators of exposure) in your digital footprint.
- detect attack attributes (indicators of warnings) at an early stage.
- detect attacks that reside and execute over the internet across their full lifecycle.
The above seems to be the missing link that should be termed as “Cyber Blind Spots.”
Why the above has been neglected is understandable from the following two conditions:
- The industry has failed to get regulators’ attention on defining these mechanisms as requirements (preventive measures are only taken seriously with regulators’ intervention).
- It is very challenging to detect attack attributes at an early stage (indicators of warnings).
Pieces of the puzzle
Lockheed Martin developed a very simple concept of kill chain of seven stages where the first three stages are Recon, Weaponization and Delivery. Detecting attack attributes in these first three stages would be the primary focus of our proposed system. In addition, as the system is specific to targeted attacks, we want to consider “targeting” as the second stage in the kill chain. This is understood better when one considers a control strategy of reducing the probability of being selected as a target.
Reconnaissance: Not many organizations realize how much of their corporate information is hosted by various ISP across the internet such as domain registration, DNS, social media profiles, digital certificates, mobile apps, public IPs, etc. All such information and its relevant setup and configuration tell a lot about the organization. If the IT staff divulge about the technology and projects they are working on in their professional profile like Linkedin, the attackers simply get a head start. When a key domain reflects an individual’s name as a registrant with a Gmail contact, hijacking that domain becomes an easier target. So like an attacker, the initial strategy is to run a continuous recon on your organization in order to develop and maintain an inventory of your cyber footprint.
Targeting: ‘How to be a harder target’ should be one of the cyber risk management goals, thus discouraging attackers to consider your entity as a target of choice. A secure practice needs to be identified relevant to the cyber footprint and applied across in a continuous and comprehensive manner. If your App is hosted on App stores reflecting the developer company as the owner with their contact details, reflecting insecure practice, lures the attacker to breach the development company and upload an update of App, repackaged with malicious code.
This would also include discovering and removing confidential data being inadvertently shared across various data sharing sites.
Weaponization: An entity's cyber footprint also provides the key artifacts that would form the basis of detecting attack attributes that are being put together by the attacker. For example, a domain registered to look very similar to an entity's domain, brand or product would be detected as soon as it is registered. This detection mechanism has to happen across the surface, deep and dark web. Whereby developing real-time custom threat feeds and processing threat feeds by various threat intelligence providers, to identify attack attributes targeting an entity, would be the key of detecting an attack before it reaches your network or your customers.
Delivery: There are various delivery channels of an attack such as Email, social media posts, impersonated pages, SMS, fake news sites, etc. The same cyber footprint also provides the attributes that form the basis of detecting the attack channels relevant to a specific entity.
Focusing on the above four stages of an attack, is how an entity may address the targeted attacks is an early stage by identifying the “indicators of exposure and warnings” at each of the first four stages of a cyberattack, fraud or scam. Where the first two stages are about identifying weakness in your cyber footprint and the next two are about detecting attack attributes when the attacker is putting together the attack.
Tools and technology
Various systems, tools, and wizards in a structured manner can deliver the desired results of identifying the footprint and the attack attributes in real-time. Domain Whois data sets, DNS records, image search engines, digital certificate aggregators, compromised credential aggregators, crowd-sourced threat intelligence feeds, real-time blacklists of domains IPs and URLs, threat intelligence feeds by global security vendors and more, all play a vital role.
As the threat landscape is ever-evolving the system has to be modular and agile enough to cater and adopt any new attack scenarios. Risk scoring based on a rationale of severity and the probable impact would rationalize the priority of attention.
Similar to various security technologies deployed inside the network there are two major challenges when you monitor the cyberspace, outside your network:
- Detection of zero-day attack attributes.
- Noise (false positives).
Machine learning and artificial intelligence
When it comes to “indicators of exposure and warnings,” the current status of the industry seems to be weak with very few focused on this aspect, and furthermore they also are struggling with the wider coverage of current and new attack scenarios. The biggest challenge being how to automate the detection.
How can it be known which new domain registered just now has a high probability to be used in an attack targeting your entity? Can we predict what is the fraudulent Gmail address that the attacker would be using? How does a web hosting company know that the web page that has just now been hosted has a high probability of a scam? These and similar questions can be answered with an AI engine that would assess across various attributes by pivoting from a single attribute and determining the probability of a suspicious or a confirmation of a malicious attribute.
To build such an AI engine, it requires a big enough sample of data that accurately states the attack attributes targeting specific organizations. As the data required is outside the organization’s network in the surface, deep and dark web the initial data set can be built using automated systems where organizations can be encouraged to take access and utilize this data for their benefit. Doing so would also be in their interest to review and update the data on accuracy thus taking the onus of enhancing the quality of the data. This would be initiated initially for the vertical of the financial sector as that is one of the most targeted industries and does have a certain level of regulator’s pressure to manage the cyber risks.
The future of cybersecurity
To address this current losing war with cyberattackers, the future of cybersecurity requires augmenting the current focus of “indicators of compromise” with “indicators of exposure and warning” in real-time. Where the measure would be to gauge the shift of incident management that would tilt on managing more incidents at warning stages than on compromise stages. It is imperative to build an AI engine to perform this very task as that would be the only way to perform in real-time, scale with the growing nature of cloud as well as to cover the evolving nature to attack scenarios.