Given the recent deluge of malicious cyberactivity, this year’s RSA Conference panel on the Five Most Dangerous New Attack Techniques could easily be an all-day discussion.
Katie Nickels, who is on the panel and will help provide an authoritative briefing on the topic, has plenty to say about what organizations can do to prepare for what’s next. Nickels’ CV is long and impressive. She is a certified instructor at the SANS Institute. She is the director of intelligence for security operations solutions provider Red Canary. She has worked in government (at the U.S. Department of Defense) and in the private sector at places like Mitre, Raytheon, and ManTech.
As such, Nickels believes the gold standard for cyber protection in the U.S. lies in the strength of public-private collaboration. She is also on the frontline of advancing that goal and has emphasized it in her SANS course on cyber threat intelligence and in her monthly “SANS Threat Analysis Rundown (STAR)” webcast.
Nickels took time to speak to Endpoint before her conference panel to share her unique perspective on crucial issues like cyber threat intelligence, network defense, and incident response.
With so many threats to choose from, which techniques caught your attention this year?
What struck me about the most dangerous techniques this year is how diverse they were. When thinking about all the threats we’ve dealt with, ranging from Microsoft Exchange exploitation to SolarWinds, I kept coming back to ransomware.
It isn’t new, and the panel is supposed to focus on new, forward-looking threats. But what is new is the addition of extortion into the ransomware mix. We’ve seen a major shift where even smaller cybercriminal groups are not just encrypting data, but also exfiltrating it and extorting their victims by threatening to make it public unless they get paid.
What does that mean for defenders?
Not everyone has thought about extortion. But it’s crucial to be aware of it so you change your prevention, detection, and response to ransomware incidents. People need to change their calculus.
Countering these attacks depends on understanding what you need to protect. Why are organizations still struggling with that?
Having visibility and an asset inventory is always the foundation of a good security program. That’s becoming tougher as organizations rely on more third-party solutions to operate their networks. For example, as we saw with the SolarWinds breach, many organizations rely on SolarWinds Orion for network performance monitoring.
Many organizations have visibility, and they collect logs over a lot of their network. But an almost bigger challenge is finding what’s bad in that visibility. Many organizations use an endpoint product, and they receive all of these threat alerts. But they don’t know what’s good or bad. A lot of security tools have overwhelming false positives. It takes a lot of work, once you have visibility, to figure out what’s bad.
To what extent does the cloud complicate visibility?
This is particularly tough because some cloud products require you to pay for different logging levels. Logging is crucial to security—being able to see events, activities on networks and systems, that might prove to be suspicious or dangerous.
I’ve seen organizations that are moving assets to the cloud but fail to bake in the appropriate logging levels into their contracts. So organizations implement a cloud infrastructure but don’t understand their visibility or logging, and then they’re locked into a contract that makes them pay more for additional logging.
Another challenge is making sure you have visibility into cloud assets and understanding what to do if something happens on these assets. There are many levels of cloud services, from infrastructure as a service (IaaS) to software as a service (SaaS), and each of these requires a different level of monitoring by customers versus cloud providers. Whose responsibility is it to respond? That shared responsibility is another challenge in terms of incident response.
Are organizations turning to automation to meet that challenge?
Automation is becoming a mainstay of any security operations program. I think it’s positive because, for years, security operations analysts have burned out by doing the same thing over and over: “I click on this thing in my SIEM [Security Information and Event Management tool], I click on this log source, I export here.”
Smart security programs are going to automate wherever possible. We’ve seen the rise of security orchestration, automation, and response (SOAR) tools, but the challenge with all these tools is you have to have a human first telling them what they should automate. A lot of people lose track of that.
I am also often asked if you can automate intelligence. Threat intelligence is a human discipline, with human analysts making a decision. Of course, we can use tools to automate data collection and gathering. Automation is something any security operations program should be looking at, but they should automate in a smart way.
You could have the greatest tools in the world, but you have to have humans to tune them and operate them. Every environment is different. Just because something off the shelf from one vendor works in their environment does not mean it will work in yours. A lot of tuning is needed.
How can informal channels of information sharing be scaled to something much larger?
That’s the challenge. What’s working right now is informal. It’s people from the public and private sectors who know each other and can say, “I met you virtually or in person,” or, “We’ve built trust by sharing something small. Okay, let’s build that relationship.” Then, when one of you sees a threat, or if you spot a breach early, you’re both more likely to share it with each other through informal channels.
Lessons from that informal sharing can be adopted by government agencies. Information from both sides can be shared, without the private sector having to reveal customer names or other sensitive information.
That concept of “asking not tasking” is going to be key to sharing information. I’ve seen a lot of positive steps in informal sharing. It’s tough to codify these lessons. But I’m hoping they get put into policy.