
By Or Shalom, security and cyber expert and adviser

The establishment of a work plan in the cyber field is not a simple task. Alongside that challenge, there are budgetary, political, and other considerations that impose constraints, changes, and sometimes compromise. Recognizing that 100% security cannot be achieved requires a realistic program directed at securing the critical assets and goals vis-a-vis the threats, attack technologies and validated capabilities.

ROI in the security realm cannot always be demonstrated, and neither can it always be proven (even in hindsight) that the measures taken actually prevented the risk. Sometimes the assailant decides to give up and turn to other targets because of complex security arrangements and technologies. The capability and the need to validate the stages and recommendations that form the work plan are the basis of the plan, both for convincing the organizations involved of the need to invest and for providing the right, realistic cybersecurity.


Despite the desire to provide broad security, resources and capabilities are limited, and not all of the organization's assets can be completely secured. One of the critical stages in preparing the work plan is asset mapping and the risk management derived from it, which directs the allocation of security resources and the selection of defense controls, while taking a calculated risk by focusing on defined, critical systems, infrastructures and applications.

This is a cyclic, ongoing process that is driven, among other causes, by technological changes in the (defender's) work environment, with consequences for defense methods and software vis-a-vis the attacker's methods, tools, capabilities, and periodic changes.

The COVID-19 crisis exemplifies this. The threats in the midst of the crisis differ from those before it, adding the need to consider external risks and to take into account work from less secure places, e.g. from home. In some cases, the investment required in response to such a risk may be higher than the damage it would cause, which puts other threats at a higher priority.

In order to validate the threats and prepare for them, updated and varied knowledge is required to focus the plan designers on possible attack strategies. This knowledge can be derived from the event history of the organization and of external organizations (within its sector), as well as from imported intelligence information incorporating professional insights for cybersecurity improvement.

The importance of this process lies both in its contribution to resilience and in the fact that it enables preparation for shifts in attack methods and patterns. As in any other defense field, here too it is imperative to establish a mechanism for intelligence gathering, analysis and insight sharing.

The intelligence process is important not only at the work plan stage; it also forms an important component of routine operations. A consistent, frequent system for intelligence import is therefore essential, including indicators of compromise.
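The "consistent, frequent system for intelligence import" described above is usually implemented as a pipeline that ingests an indicator feed, normalises it, and sweeps the organization's own logs for matches. The following is an added example, not code from the article or from any vendor product: the feed entries, the log lines and all names in it are constructed for illustration, and the feed format is a simplified stand-in for whatever export a threat-intelligence platform provides. It shows the two defensive steps a practitioner cares about: rejecting malformed indicators before they reach detection, and matching on canonical forms so that case or trailing-dot differences do not hide a hit.

```python
"""Indicator-of-compromise (IoC) ingestion and matching over sample logs.

Added example (not from the article): a minimal pipeline that takes a
threat-intelligence feed, normalises the indicators, and sweeps proxy,
firewall and endpoint log lines for matches. The feed and the log lines
below are constructed for illustration; the values are fictitious.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed feed; the shape mimics a typical CSV/JSON export from a
# threat-intel platform. One entry is deliberately malformed.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 80, "source": "sector-ISAC"},
    {"type": "domain", "value": "Update-Checker.EXAMPLE.", "confidence": 60, "source": "OSINT"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "confidence": 90, "source": "vendor"},
    {"type": "ipv4", "value": "not-an-ip", "confidence": 50, "source": "OSINT"},  # rejected
]

# Constructed log lines (proxy, firewall, EDR) in a generic key=value style.
LOG_LINES = [
    "2020-11-18T08:02:11Z proxy user=alice dst=update-checker.example:443 action=allow",
    "2020-11-18T08:05:40Z fw src=10.0.4.17 dst=203.0.113.45 dport=8443 action=allow",
    "2020-11-18T08:06:02Z edr host=ws-07 proc=svchost.exe sha256=" + "0123456789abcdef" * 4,
    "2020-11-18T08:09:55Z proxy user=bob dst=intranet.corp.example:80 action=allow",
]


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    confidence: int
    source: str


def normalise(feed):
    """Validate and canonicalise raw feed entries; drop malformed ones."""
    out = []
    for row in feed:
        kind, value = row["type"], row["value"].strip()
        if kind == "ipv4":
            try:
                value = str(ipaddress.IPv4Address(value))
            except ValueError:
                continue  # malformed address: never let it into detection
        elif kind == "domain":
            value = value.lower().rstrip(".")
        elif kind == "sha256":
            value = value.lower()
            if not re.fullmatch(r"[0-9a-f]{64}", value):
                continue
        else:
            continue  # unsupported indicator type
        out.append(Indicator(kind, value, int(row["confidence"]), row["source"]))
    return out


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract(line):
    """Pull candidate observables out of a log line, normalised like the feed."""
    found = set()
    for ip in IPV4_RE.findall(line):
        try:
            found.add(("ipv4", str(ipaddress.IPv4Address(ip))))
        except ValueError:
            pass  # e.g. 999.1.1.1 matched the regex but is not an address
    for d in DOMAIN_RE.findall(line):
        found.add(("domain", d.lower()))
    for h in SHA256_RE.findall(line):
        found.add(("sha256", h.lower()))
    return found


def sweep(feed, lines, min_confidence=0):
    """Return (line_index, Indicator) for every log line containing an IoC."""
    index = {(i.kind, i.value): i
             for i in normalise(feed) if i.confidence >= min_confidence}
    hits = []
    for n, line in enumerate(lines):
        for key in extract(line):
            if key in index:
                hits.append((n, index[key]))
    return hits


if __name__ == "__main__":
    for n, ioc in sweep(FEED, LOG_LINES):
        print(f"line {n}: {ioc.kind}={ioc.value} conf={ioc.confidence} src={ioc.source}")
```

The `min_confidence` threshold is where the prioritisation discussed in this article shows up in practice: low-confidence OSINT indicators can be kept for hunting while only higher-confidence ones raise alerts, so the feed's volume does not dictate the analysts' workload.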

In addition to classical intelligence, reports and intelligence imported from both the open and deep web, creative and active methods (active defense) should be developed in order to identify the assailant's intent and working patterns during routine operations as well.

There are plenty of mechanisms and active methods for gathering and importing relevant intelligence. Cyber threat hunting is a concept aimed at detecting the adversary's assault tactics on the network. Another method is the honeypot, which builds a fictitious arena in order to divert the adversary from the real targets while gaining the opportunity to learn about him, and then applies those insights to the defense of the real network.

In 2020, Trend Micro published its insights from an experiment in a honeypot environment. The company established a fictitious production-line environment, including computers, robots, controllers and web-connected control systems. The researchers assumed that the assailants would focus on intelligence gathering and OSINT before the attack, so they built a fictitious company website (a defense industry provider) with fake names and images of staff members, emails, a telephone line with an automatic message system, etc.

This is a classic example of a method for validating or negating assumptions or a defense approach. While the researchers assumed that the attack would focus on the command and control systems and in particular on the controllers, the assailants actually focused on network scanning, active intelligence gathering in order to learn about the target within the (defender's) controlled environment, cryptocurrency mining and two ransom attacks, which called for a change of concept.

The relation between the different stages is crucial for a rational work plan. The threat mapping stage leads to the definition of critical assets and possible attack methods. Integrating the findings allows choosing the systems, infrastructures, or critical applications that will be the focus of our security arrangements and resource allocation, and the target of our resilience and vulnerability tests.

The process provides resolution and depth to the feasibility test, using realistic and validated tools and methods. Although the test cost may be higher than that of a white box test (where the tester has full information about the target system, its architecture, and its security arrangements), it is recommended that the resilience test follow a black/grey box plan that simulates a real assailant who is not acquainted with the security systems and arrangements. The findings should be translated into objectives in the annual work plan.

This method, which includes a customized risk mapping process and risk validation through history, intelligence, proof of capability, and resilience testing, enables the definition of gaps and the preparation of a realistic, well-supported work plan.

Or Shalom is a security and cyber expert and adviser to government entities and defense industries. He holds a master's degree, as well as civil and national qualifications in the realm of information security and cyber. He has experience in developing cyber risk mitigation plans for companies and organizations, as well as in business development in the cyber field. Mr. Shalom has led various professional cyber programs for entities in academia and in the civilian and security industries.

Attend i-HLS’ InnoTech Expo in Tel Aviv – Israel’s largest innovation, HLS, and cyber technologies expo – on November 18-19, 2020 at Expo Tel Aviv, Pavilion 2.
