How to flip the cyberthreat paradigm

By thinking like an adversary, federal agencies can find and fix organizational weaknesses before the bad guys can exploit them.


The cyber landscape is often described as asymmetric. Defenders are constantly reacting, trying to plug every security gap in their complex, ever-changing environments while attackers only need a single successful exploit to achieve their "win." But what if federal agencies could flip the scenario and start thinking like an adversary to find and fix those gaps before they are exploited?

Agencies can do just that by performing a diagnostic and preventive "health check" aimed at understanding how adversaries see the agency's environment, which in turn improves the agency's ability to detect and observe anomalous and suspicious activity preemptively and proactively.

When thinking about an adversarial approach to viewing cyberthreats, agency leaders should consider four key questions that go above and beyond the status quo when it comes to threat analytics. They are:

  • What does my organization look like to an adversary?
  • How can public information (e.g., employees' social media profiles) be used against us?
  • What vulnerabilities exist that an adversary could use to exploit my organization?
  • Who is putting us at risk?

The alarming increase in the frequency and scale of cyber incidents is fueled by two forces. The first is the external threat of cybercriminals and other malicious actors. The second -- and less well-known -- force is the internal risk created by an agency's ever-evolving and expanding cyber footprint. The threats to an agency increase as it pursues operational improvement and innovation by adopting new technologies and processes.

Cloud services, mobile technology, big data, smart devices and other means of organizational transformation have led to explosive increases in data, geometrically expanding points of entry and, therefore, significantly more vulnerabilities in terms of both impact and complexity.

Leaders have become more aware of those forces and the reality that "bad guys" likely will get in because having a completely secure perimeter around a hyper-extended organization is virtually impossible. In response, leaders are allocating more resources to monitoring their enterprises and improving early threat detection.

However, traditional monitoring methods are not a match for today's advanced cyberthreats. The typical program is designed to monitor as many of the agency's assets as possible and trigger alerts when it identifies known malware or cyberthreat indicators. Unfortunately, that approach is extremely limited because it can only detect threats that are already known and defined.

So what happens when an agency becomes a target? A person or group wanting to cause harm might first probe the organization, looking for system vulnerabilities and weak links. Once those "holes" are identified, the hackers design and implant various tools and malware to enable their exploits.

By using cyber reconnaissance and analytics, agencies can collect and analyze vast amounts of data and create a high-resolution "picture" of an agency's environment from the outside looking in. Developing a better understanding of the agency's exposed surface area from the attacker's perspective will enable leaders to take a more proactive approach to addressing vulnerabilities or deploying other preemptive actions.

To take this adversarial approach and generate actionable cyberthreat insights in a complex environment, agencies should consider these three core elements:

  • Defining and collecting the breadth of data needed to create a comprehensive view of the cyberthreat landscape.
  • Using high-performance computing methods to process that information in dynamic situations.
  • Integrating individuals knowledgeable about the threat and risk landscape to design and apply the most useful analytics and mitigation strategies to resolve and/or reduce the impact of the threats.

Together, those three components of cyber reconnaissance and analytics -- data, computing and people -- can help federal agencies turn the tables on their attackers by finding and fixing organizational vulnerabilities and weaknesses before the bad guys can exploit them.