To successfully defend against a cyber intrusion, you need to take away what a malicious actor needs to launch and prosecute an attack by identifying and illuminating them at speed. In essence, you need to illuminate the ecosystem the malicious actor lives and thrives in.
That hacker ecosystem is vast and extensive but, simplified, it falls into five main categories that can be globally surveilled: geography, infrastructure, cyber, persona, and history. By focusing on the ecosystem, organizations can take away malicious actors’ critical capabilities, and disrupt and block their attacks. That focus is what we call the “illumination of the hacker ecosystem”.
This illumination happens by employing advanced cyber analytics to, first, contextualize an organization’s unique cyber environment and, second, attribute nefarious actions to an event or internet protocol (IP).
That first step is of paramount importance, as context is king. Organizations are drowning in threat intelligence, cyber intelligence, and numerous feeds and services to the point of data overload and redundancy. Every organization has a unique cyber environment that includes both the legitimate individuals and entities and those that are seeking harm to the organization.
It’s important to note that contextualization is different than threat intelligence. Threat intelligence is generalized; there are lions loose in your state. Contextualization is specific; there is a lion attempting to get in your building. The lion at your front door is the lion you care about, and that thought also applies to malicious actors.
A contextualized external cyber environment is manageable and, most importantly, measurable. The globe (and the entirety of the internet) is not a manageable environment for organizations. The power of advanced cyber analytics lies in its ability to index and capture nefarious activity across the globe and provide actionable, contextualized intelligence for organizations.
Attribution, the second step I mentioned, is the engine of illumination. Malicious actors have thrived in the hacker ecosystem because they have been given freedom of movement. In essence, if your defense depends on an intrusion detection system (IDS) or intrusion prevention system (IPS) that is only updated with what has previously occurred, the malicious actor is free to employ time and space up to the point of the organization’s static defense. Additionally, sophisticated actors have the plans to all commercially-available cyber defense systems and receive the same updates that you subscribe to. The current state of cyber defense is underprepared, static, and updated based upon lagging indicators.
To take away the hacker ecosystem, the organization’s perimeter needs to be pushed out to the farthest limits of its external environment, so decisions can be made quickly at the point of intercept. There is a large gap between what the malicious actor wants you to see and what is truly occurring. In our numerous studies and data evaluations for our clients, a consistent pattern exists: relatively unsophisticated actors are getting past traditional cyber defenses. The systems are working as designed, but they have significant limitations. The wolf in sheep’s clothing gets past current systems.
For example, an organization we recently worked with had accepted traffic from a data center in the US with no flags for obfuscation or malware. When advanced cyber analytics was applied, the IP was illuminated. The IP was attributed with a true country code from a sanctioned country that has a history of harboring and sponsoring malicious cyber actors, fact of obfuscation (to include TOR usage), and a historical hit on transporting malware within the last 30 days. The organization, with our near-real time actionable intelligence, was able to automatically update their existing IPS to block the malicious IP.
The lesson of the story? If a malicious actor can no longer operate unimpeded in their ecosystem, their equilibrium is shaken and, most importantly, their ability to prosecute a successful cyber attack is taken away. Illuminate the bad actors before they attack you.
Learn more in Col. Stephen P. Corcoran USMC (Ret)’s recent webinar, “Illuminating Hacker Ecosystems With New Cybersecurity Tools and Services” with Eric Nester, Director of Intelligence, Enterprise Solutions at Telos Corporation.