June 14, 2018
Is your cyber defence reactive or proactive? And why does it matter?
By: Gareth Russell

It’s time to expand your focus from defending against known cyber threats to proactively seeking out who’s targeting your organisation right now.

Many of today's commercial security tools rely on rules-based detection systems that detect "signatures" or IOCs (indicators of compromise) from known attacks. Yet, threat actors change their tactics, techniques, and procedures all the time. Protecting against known threats isn't quite the equivalent of closing the stable door after the horse has bolted—but it’s close.
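To make that contrast concrete, here is a small added example (not from the original post) run over constructed proxy-log lines: a reactive IOC rule only catches the host talking to a domain already on the feed, while a behavioural rule keyed on regular polling intervals also catches the host whose implant has moved to a domain nobody has listed yet. Domain names, hostnames and the jitter threshold are illustrative assumptions.

```python
from collections import defaultdict

# Constructed IOC feed: the one C2 domain the "known threat" rule has heard of.
KNOWN_IOCS = {"c2-old.example.invalid"}

# Constructed proxy log: "<seconds> <host> <destination> <bytes>".
SAMPLE_LOG = """\
0 ws-17 c2-old.example.invalid 512
60 ws-17 c2-old.example.invalid 510
120 ws-17 c2-old.example.invalid 515
0 ws-22 c2-new.example.invalid 512
60 ws-22 c2-new.example.invalid 511
120 ws-22 c2-new.example.invalid 513
180 ws-22 c2-new.example.invalid 512
10 ws-31 intranet.example.invalid 20480
95 ws-31 cdn.example.invalid 3000
200 ws-31 intranet.example.invalid 1800
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        t, host, dst, size = line.split()
        rows.append((int(t), host, dst, int(size)))
    return rows

def ioc_hits(rows, iocs):
    """Reactive rule: flag hosts contacting a destination already on the feed."""
    return sorted({host for _, host, dst, _ in rows if dst in iocs})

def beacon_hits(rows, min_events=3, max_jitter=5):
    """Behavioural rule: flag (host, destination) pairs whose contacts are
    spaced at near-constant intervals, the pattern of a polling implant,
    regardless of which domain it currently uses."""
    times = defaultdict(list)
    for t, host, dst, _ in rows:
        times[(host, dst)].append(t)
    hits = []
    for (host, dst), ts in times.items():
        ts.sort()
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            hits.append((host, dst))
    return sorted(hits)

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("IOC rule:", ioc_hits(rows, KNOWN_IOCS))
    print("Beacon rule:", beacon_hits(rows))
```

The IOC rule reports only ws-17; the beacon rule reports both ws-17 and ws-22, and the ordinary intranet and CDN traffic from ws-31 trips neither.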

According to Alastair MacGibbon, head of the Australian Cyber Security Centre, every boardroom should be having regular, informed conversations about cyber security. CEOs need to understand this cyber thing.

This "cyber thing" is the growing number of sophisticated cyber criminals and threat groups—not to mention disgruntled employees—currently targeting public and private organisations. Driven by an unpredictable range of personal, ideological and criminal motivations, these malicious actors are patient and persistent. When one tactic fails, they will try another, and another, until they breach your organisation’s defences and monetise their efforts—to your financial and reputational cost.

Their tenacity and capability mean that any government or corporate entity with critical infrastructure, valuable Intellectual Property (IP) or sensitive political, commercial or personal information is a sitting duck.

The answer is to start asking different questions.

Today’s cyber security operations tend to focus on defending against the "How?" and "What?" of known threats.

In the global terrorism context, this is exactly what happened in 2006 when the UK government banned passengers from taking liquids, aerosols and gels through airport security. The approach was: “We know ‘how’ this threat occurred, so we’ll stop it from ever happening again.” Yet, more than a decade later, aviation experts claim such restrictions have made little difference—other than making flying more annoying.

In contrast, proactive counterintelligence efforts by national security agencies have prevented numerous terror attacks by asking "Who?" and "Why?". If we know who is planning an attack—and their motivation (in intelligence terms, their collection requirements)—we have a much better chance of stopping the threat before it occurs. Australia would have experienced at least 15 terror attacks in 2014-2016 if their plots hadn’t been detected ahead of time by our counter-terrorism and security agencies.

Focus on threat intelligence—not threat information

Boards and the C-suite can empower themselves by making use of threat intelligence services that take their playbook from national security agencies. These services start by identifying your key assets (high-value programs) and then use counterintelligence expertise to proactively look outside your organisation to find who poses a threat.

Threat intelligence services have been around for longer than you may think, tracking emerging vulnerabilities across thousands of technology products and vendors, identifying threat groups and individual threat actors, enumerating adversarial infrastructure, and building a knowledge base of global security intelligence.

However, until recently, they have largely focused on known threats.

But now threat intelligence includes a new, proactive element. Using former national security analysts proficient in multiple languages, these services track the dark web and adversary-owned communication channels for "chatter" that suggests threat actors may be targeting your organisation—and then gain intelligence about their plans.

Less reactive; more proactive

In the new world of cyber counterintelligence, boards receive security reports and analyst briefings on a threat and its context, the adversary’s intent and target—and the business risk. Armed with this intelligence, boards can make strategic decisions about security operations and risk management approaches—with confidence.

At the same time, forensic analysts receive details of how the threat operates and any evidence the adversary may leave behind, so they can begin threat hunting and identifying compromised machines; and security operations are briefed so they can prioritise security incidents, monitor for malicious activity, scan for threat exposure and proactively block command-and-control channels.

Get on the offensive

Organisations that simply hunker down and defend against the known are leaving themselves wide open to cyber attacks. Australian government and corporate entities need to pivot from that known threat or incident to understand what else is—or could be—out there. This means organisations generating their own threat intelligence by proactively using intelligence collection services to detect advanced persistent threats ahead of time, so catastrophic cyber attacks can be stopped before they happen.
