As digital transformation reshapes the global economy, how are security interests evolving to keep up? Artificial Intelligence (AI) gives rise to highly predictive systems that draw on a constantly growing base of data to refine their predictions, and it is one of the main ways digital transformation now operates. As wonderful as these technologies can be, threat actors see the same benefits in leveraging AI to harvest personal information and to conduct ransom activities through encryption of data and DDoS.
First, we saw botnets: large numbers of infected computers that could be remotely controlled to carry out the bidding of a bot herder-for-hire. Next came botnets built from Internet of Things (IoT) devices, which are much easier to exploit because default settings and credentials are left in place and security is rarely considered in their design and coding.
For instance, IoT devices rarely, if ever, have brute force protections built in; an attacker can keep guessing credentials indefinitely, as frequently as desired, and the device will never notice. Another example of how IoT is a security problem: while creating and managing a network of IP cameras for a surveillance application, applying a firmware update bricked a camera. The manufacturer advised me not to apply firmware updates. Not an optimal security solution.
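The control the paragraph above says IoT devices lack, shown as an added example that is not from the original article: failed logins are counted per account and per source address inside a sliding window, and once either count reaches the threshold further attempts are refused for a lockout period. The thresholds, user names and credential store are constructed for illustration.

```python
# Added example, not from the original article: the kind of brute-force
# lockout the article notes is missing from many IoT devices. Failed logins
# are counted per account and per source address inside a sliding window;
# once either count hits the threshold, further attempts are refused for a
# lockout period. Thresholds, names and the credential store are constructed.
import hmac
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 300    # failures older than this no longer count
MAX_FAILURES = 5        # per account or per source address within the window
LOCKOUT_SECONDS = 900   # how long a key stays locked once the threshold is hit

# Constructed credential store: username -> salted SHA-256 of the password.
_SALT = b"constructed-salt"
_USERS = {"admin": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
_DUMMY = "0" * 64       # compared against for unknown users to equalise timing


class LoginGuard:
    def __init__(self):
        self._failures = defaultdict(deque)  # key -> timestamps of failures
        self._locked_until = {}              # key -> time the lock expires
        self.events = []                     # audit trail for the SIEM/operator

    def _record_failure(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:   # drop stale failures
            q.popleft()
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            self.events.append(f"LOCKOUT {key} until {now + LOCKOUT_SECONDS}")

    def attempt(self, user, password, src_ip, now):
        """Return (ok, reason). `now` is a timestamp in seconds from the caller."""
        keys = (f"user:{user}", f"ip:{src_ip}")
        if any(self._locked_until.get(k, 0) > now for k in keys):
            return False, "locked"
        expected = _USERS.get(user)
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        # Constant-time comparison; unknown users still pay the full compare.
        ok = hmac.compare_digest(digest, expected or _DUMMY) and expected is not None
        if not ok:
            for k in keys:
                self._record_failure(k, now)
            return False, "bad credentials"
        self._failures.pop(keys[0], None)    # reset the account counter on success
        return True, "ok"
```

The `events` list is where a device would emit the lockout record that a SIEM can alert on; without such a counter the guessing described above is simply never observed.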
Now we’re seeing the rise of hivenets and swarming malware, largely an outgrowth of applying AI techniques to malware. No longer will the hivenet need to rely on a bot herder to issue command and control; hivenet members will communicate on a peer-to-peer basis, building and referencing huge databases of information about the characteristics and vulnerabilities of the networks they discover. They’ll harvest information and conduct DDoS, even writing their own code to do so, at a rapidly increasing rate, propagating as they go. When opportunities for exploit appear, they’ll swarm to the target – potentially automatically. DDoS attacks of more than 1 Tb/s already exist, so far up to 1.4 Tb/s in the recent GitHub DDoS attack.
What can cyber security do to combat these threats? Will traditional security controls, practices, and operations adequately defend against a transformation of the threat landscape, or is a security transformation needed?
The answer is yes, a security transformation is needed. However, applying traditional security practices is a really good start. It continues to surprise me how many large companies don’t really do so, and how many small and medium businesses are seriously deficient in security. For instance, many small and medium medical practices apply little or no security to their environments, risking HIPAA fines. Attacks on CPA firms are rapidly increasing, as they are a one-stop shop for all the financial information on individuals that an attacker could want, and their security efforts are often lacking.
SANS Top 20
Everyone should be aware of the SANS Top 20 Critical Security Controls and build their defenses accordingly. Let’s examine the top 5 of those carefully – being solid on these is critically important to any business’s defense.
- CSC 1: Inventory of Authorized and Unauthorized Devices — Actively manage (inventory, track and maintain) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found. Prevent unauthorized devices from gaining access, or simply remove them. An automated method for conducting hardware inventory and management is preferable.
- CSC 2: Inventory of Authorized and Unauthorized Software — Actively manage all software on the network so that only authorized software is installed and can execute, and unauthorized and unmanaged software is found, with installation or execution prevented. Software whitelisting is an excellent approach for business systems.
- CSC 3: Security Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers — Establish, implement, and actively manage the security configuration of laptops, servers, and workstations using rigorous configuration management and change control processes to prevent attackers from exploiting vulnerable services and settings. Have documented build standards that include testing of new and updated deployments of ALL systems. Never deploy a system with any default configuration settings or credentials. Track any and all changes made to production systems.
- CSC 4: Continuous Vulnerability Assessment and Remediation — Continuously acquire, assess and take action on new information to identify vulnerabilities, and to remediate and minimize the window of opportunity for attackers. Utilize Vulnerability and Configuration Management (VCM) tools on all internal and Internet-facing segments. Run both authenticated and unauthenticated scans.
- CSC 5: Controlled Use of Administrative Privileges — Track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. If you have any users that have admin permissions on their work computers, you are making a huge and grave mistake. I know of development shops that still continue this bad practice, if only for the convenience of their developers. It isn’t worth the risk.
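How the first two controls above look when automated, as an added example that is not from the article or from SANS: a discovery snapshot is reconciled against the authorized device inventory (CSC 1) and a per-role software allowlist (CSC 2), reporting unknown hardware, software outside the allowlist, and authorized devices that never showed up. All device, address and package names are constructed sample data.

```python
# Added example, not from the article or from SANS: reconciling a discovery
# snapshot against an authorized device inventory (CSC 1) and a per-role
# software allowlist (CSC 2). All data below is constructed sample data.

# Authorized devices: MAC -> (hostname, role). Constructed sample.
AUTHORIZED_DEVICES = {
    "AA:BB:CC:00:00:01": ("finance-ws-01", "workstation"),
    "AA:BB:CC:00:00:02": ("db-srv-01", "server"),
    "AA:BB:CC:00:00:03": ("hr-ws-02", "workstation"),
}
# Software permitted to execute on each role (CSC 2 whitelisting). Constructed.
SOFTWARE_ALLOWLIST = {
    "workstation": {"office-suite", "browser", "edr-agent"},
    "server": {"postgres", "edr-agent", "backup-agent"},
}
# Constructed discovery snapshot: what the scan and agents actually reported.
DISCOVERED = [
    {"mac": "aa-bb-cc-00-00-01", "ip": "10.1.1.10",
     "software": ["browser", "edr-agent", "torrent-client"]},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.1.1.20",
     "software": ["postgres", "edr-agent"]},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.1.1.77", "software": []},
]


def normalize_mac(mac):
    """Canonical form so switch, DHCP and agent formats compare equal."""
    return mac.strip().upper().replace("-", ":")


def reconcile(authorized, allowlist, discovered):
    """Return findings grouped by category so each can feed its own queue."""
    findings = {"unauthorized_device": [], "unauthorized_software": [],
                "missing_device": []}
    seen = set()
    for dev in discovered:
        mac = normalize_mac(dev["mac"])
        seen.add(mac)
        if mac not in authorized:          # CSC 1: unknown hardware on the wire
            findings["unauthorized_device"].append((mac, dev["ip"]))
            continue
        name, role = authorized[mac]
        extra = set(dev["software"]) - allowlist.get(role, set())
        for pkg in sorted(extra):          # CSC 2: software outside the allowlist
            findings["unauthorized_software"].append((name, pkg))
    # Authorized hardware that never appeared: offline, moved, or unmanaged.
    for mac, (name, _) in authorized.items():
        if mac not in seen:
            findings["missing_device"].append(name)
    return findings
```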
If you don’t have the SANS Top 20 well covered, make it a priority to do so.
Next Generation (NG) Security Tools
NG Tools are well worth your consideration. Automatic update of Threat Intelligence, especially when developed using AI techniques in vendor labs, is one of the biggest benefits you can gain.
- Endpoint Protection (EPP): NG tools that incorporate AI and big data, such as Carbon Black, Crowdstrike, and Cylance, improve on traditional anti-virus by leaps and bounds. The best of them enable Threat Hunting, providing a platform for your team or MSSP to actively find Advanced Persistent Threats (APT) in your environment. The best NG EPP products also provide File Integrity Monitoring (FIM).
- NG Firewalls: Unified Threat Management has been around for quite a while now. Especially at network perimeters, you should have UTM deployed, with not only firewalls but IDS/IPS, anti-malware, web filtering, and more. Juniper, Palo Alto, and Check Point are excellent examples.
- SIEM: Security Information and Event Management is a necessary tool, really bringing everything together in recognizing what your threat landscape is and enabling you to take action on security events as they occur. LogRhythm’s AI Engine is an excellent example of current SIEM evolution, incorporating not only a baseline of system activities and network traffic, but also bringing behavioral analytics into the mix. If you don’t have a SIEM, get one; if it’s too expensive to justify to your CFO, consider using a hosted SIEM solution, such as the one provided by CIPHER Security.
- Deception Technology: A relatively new development in security transformation, Deception Technology uses AI to dynamically create the equivalent of honeypots throughout your enterprise, alerting on attempts to exploit fake vulnerabilities, whether by external threat actors or insiders. Coupled with SIEM, deception is another potentially effective weapon in your arsenal.
The cornerstone of any security program is user awareness and training. Have a comprehensive and documented security policy and ensure that it’s distributed and effectively consumed by your users. Give them documented processes that allow them to conduct their work — minimize and eliminate the need for users to be motivated to circumvent security controls to get their jobs done. Conduct phishing simulation training at least quarterly, if not monthly, and actively track results. Include a security briefing as part of employee on-boarding, and have an annual refresher for the security policy, with employees electronically signing off and agreeing to comply with it.
To maximize your Return on Security Investment (ROSI), consider using an MSSP to manage your security environment for you and assume 24x7x365 monitoring, escalation and alerting of security events. This will also ensure your compliance with regulatory requirements and enhance your overall security posture. Consult with CIPHER Security today!