Bad actors have been seeking opportunities to take advantage of unsophisticated netizens or unprotected organizations since the dawn of the World Wide Web, but today’s bad actors are in a class by themselves. Nation-state actors, often operating through a vast network of well-funded proxies, strive to exert influence, threaten stability, and sow discord through the mechanisms of cyberspace. Hacktivist organizations seek to undermine, damage or discredit organizations whose agendas and politics they oppose.
They may not be as well funded as nation-state actors, but they are populated by technically sophisticated people who have bought into a cause — and when these people work together, they can pose serious threats to those with whom they disagree.
Enter the Professionals
The rogue hackers and the petty cybercriminals are still out there, but the nation-state actors and hacktivists approach the business of cyberattacks with a much more professional mindset than we have seen in the past. We’re no longer dealing with nerds who simply view a firewall as a challenge to which they must respond. These are sophisticated teams that plan ahead, hide their tracks, and strike when it suits them. They can play a short game as well as a long game. Fear, uncertainty and doubt — when it comes to the legitimacy of, say, an election — can be outcomes more valuable than cash.
So in this changing threat landscape, how do we combat such teams and the threats they pose? For starters, we need to approach the challenge of cybersecurity from a more offensive posture. It’s not enough to deploy a defensive network of endpoint agents and anti-virus applications. Those won’t protect anyone from a sophisticated spear-phishing campaign or a breach focused on a vulnerable class of routers in your IoT environment. We need a combination of better insight into the types of threats that may be in development and better tools for responding to those threats before they become a reality.
Think of it as a more professional response to a more professional threat.
Responding With More Intelligence
Better insight into the types of threats we’re facing arises from better threat intelligence. That’s not the same as more threat intelligence. Artificial intelligence (AI) and big data tools have been inundating us with information about this and that anomaly, and your IT professionals have grown exhausted trying to figure out which anomalies represent true threats. We need better insight into the conversations and the transactions taking place in the world where the threats are born. We need human intelligence professionals who can detect the nuances that the AI tools cannot, who can read between the lines to know what threat actors are really discussing in chat rooms on the dark web. Those human intelligence professionals can also contextualize threat intelligence in ways that AI and big data tools cannot. Just because AI and big data tools discover a vulnerability does not mean that every organization in every industry in every geography is at immediate risk. Human intelligence professionals are still better at creating what I call “finished intelligence.”
At the same time, every organization needs greater insight into its own infrastructure, policies, and processes as well as better tools for responding proactively when true threats to that infrastructure and those policies and processes are identified. Finished intelligence is going to play a more important role for every organization going forward, but if you don’t have deep insight into the current state of your infrastructure, policies, and procedures, you’re not going to be in a position to operationalize this intelligence. And “deep” is the critical qualifier here. Your security personnel need to know more than just which devices are in your infrastructure. They need to know which software and firmware releases are running, whether they’ve been properly configured or modified, and more. That’s an enormous amount of very granular detail, but without such insight, you can’t know the extent to which you are vulnerable when true threats emerge. Even if you have the tools with which to implement a defensive update effectively, you can’t implement that update if you don’t know whether your infrastructure contains those devices or software releases that need to be updated.
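The point about “deep” inventory is easier to see in code than in prose. The script below is an added example, not code from the article or from any vendor; it takes a piece of finished intelligence (an affected release range plus the configuration precondition that makes the flaw reachable) and triages a constructed asset inventory into exposed, not affected, and unknown. The product name, version numbers, and the `telnet_enabled` configuration key are all assumptions invented for the sample. The “unknown” bucket is the one the paragraph above warns about: hosts whose version or configuration the inventory simply does not record, so the intelligence cannot be operationalized for them.

```python
"""Triage an asset inventory against a finished-intelligence advisory.

Added example; not code from the original article. The inventory records,
the advisory, and the field names (product, version, telnet_enabled) are
constructed sample data and assumptions, not real products or CVEs.
"""
from dataclasses import dataclass, field
from typing import Optional


def parse_version(text):
    """Turn '4.2.10' into (4, 2, 10) so releases compare numerically.
    A plain string comparison would wrongly sort '4.2.10' before '4.2.9'."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Asset:
    host: str
    product: str
    version: Optional[str]              # None = inventory lacks this detail
    config: dict = field(default_factory=dict)


@dataclass
class Advisory:
    """Finished intelligence: which product, which release range, and which
    configuration actually makes the weakness reachable."""
    product: str
    first_affected: str                 # inclusive
    fixed_in: str                       # exclusive
    requires: dict = field(default_factory=dict)


def triage(inventory, advisory):
    """Split assets into exposed / not_affected / unknown.

    'unknown' collects hosts the inventory describes too shallowly to decide,
    which is exactly the gap the article says blocks a timely response."""
    result = {"exposed": [], "not_affected": [], "unknown": []}
    lo = parse_version(advisory.first_affected)
    hi = parse_version(advisory.fixed_in)
    for asset in inventory:
        if asset.product != advisory.product:
            result["not_affected"].append(asset.host)
            continue
        if asset.version is None:
            result["unknown"].append(asset.host)
            continue
        if not (lo <= parse_version(asset.version) < hi):
            result["not_affected"].append(asset.host)
            continue
        # Release is in the affected range; now check the configuration
        # preconditions. A missing key means we cannot say either way.
        missing = [k for k in advisory.requires if k not in asset.config]
        if missing:
            result["unknown"].append(asset.host)
            continue
        if all(asset.config[k] == v for k, v in advisory.requires.items()):
            result["exposed"].append(asset.host)
        else:
            result["not_affected"].append(asset.host)
    return result


# Constructed sample inventory (hostnames, product and versions are made up).
SAMPLE_INVENTORY = [
    Asset("rtr-01", "edge-router", "4.2.9", {"telnet_enabled": True}),
    Asset("rtr-02", "edge-router", "4.2.10", {"telnet_enabled": True}),  # fixed release
    Asset("rtr-03", "edge-router", "4.1.5", {"telnet_enabled": False}),  # precondition absent
    Asset("rtr-04", "edge-router", None, {"telnet_enabled": True}),      # version not recorded
    Asset("rtr-05", "edge-router", "4.2.3", {}),                         # config not recorded
    Asset("cam-01", "ip-camera", "1.0", {}),                             # different product
]

# Constructed sample advisory (not a real CVE or vendor bulletin).
SAMPLE_ADVISORY = Advisory(
    product="edge-router",
    first_affected="4.1.0",
    fixed_in="4.2.10",
    requires={"telnet_enabled": True},
)

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY, SAMPLE_ADVISORY).items():
        print(f"{bucket:13s} {hosts}")
```

Run as-is, it reports one exposed host, three not affected, and two unknown. In practice the “unknown” list is the actionable output: it tells you which parts of the inventory need deeper collection before the update can even be scoped.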
Becoming More Proactive
Nation-state agents, hacktivists, and other sophisticated threat actors are becoming the new normal. Novel and updated tradecraft routinely appear in the markets of the dark web, and organizations need more refined, finished threat intelligence to stay ahead of this evolving threat landscape. Organizations also need the ability to transform that intelligence — immediately — into real and meaningful action. There will always be attacks emanating from cyberspace that can do damage, but with better intelligence and tools designed to transform intelligence into a stronger protective posture, we can be very well prepared when those attacks arrive.