The “mobius strip” of cyber security

By Miles Tappin, Vice President, EMEA at ThreatConnect

Over the last few years, cyber criminals have become more agile and possess a higher quality of skill than ever before. However, these skills come at a cost to industries worldwide. According to the Allianz Risk Barometer 2020, companies now see cybercrime as the biggest threat to their business, taking the top spot for the first time and ranking above threats such as climate change, natural disasters and market developments.

With digital threats remaining front of mind for the C-suite, more needs to be done to ensure businesses are protected from the powerful effects that cyber crime can have on the bottom line, corporate reputation or day-to-day operations.

The rise of the “business savvy” hacker 

Awareness of digital threats is rapidly accelerating among businesses, but many aren’t prepared to tackle the mounting threats they now face.

According to David Ferbrache, Global Head of Cyber-Futures at KPMG and Chair of the National Cyber Resilience Board for Scotland, organised crime has become a lot less “crude” than it used to be. In essence, criminals are now becoming “business savvy” and are even undertaking reconnaissance missions to work out exactly who the best target is and how much they can extort.

Gone are the days of “hackers” being people who lurked in darkened rooms, anonymously terrorising the internet. They now want to be known as players in an evolving landscape who are taking advantage of your organisations’ pitfalls and planning far in advance to inflict the most amount of damage possible for maximum impact.

The main worry for the C-suite is that cyber criminals are getting smarter. They’re continuously learning from previous attacks, sharing insights and using this to exploit new vulnerabilities using emerging forms of technology. This continuous feedback loop is enabling them to act quicker.

For example, if a hack highlights a potential weakness, they will then target it in their next assault before organisations have a chance to respond. It becomes an ongoing cycle for the attackers. If the weakness isn’t fixed in time, then there is no doubt that it will continue to happen. Much to the dismay of organisations.

Threat intelligence informing operations

It’s long been argued that threat intelligence should inform operations when it comes to cyber security. This allows organisations to quickly identify threats and false flags, so security teams do not waste their time chasing down non-malicious communications. It should be noted that intelligence does not exist for its own sake. Intelligence, in particular threat intelligence, specifically exists to inform decisions for security operations, tactics and strategy. However, this relationship is not a one-way street.

Intelligence and operations should be cyclical and symbiotic. Intelligence informs decisions for operations resulting in actions being taken based on those decisions. Those actions, including clean-ups, further investigations, or other mitigations will create data and information in the form of artefacts. This includes lists of targeted or affected assets, identified malware, network-based indicators of compromise and newly observed attack patterns.

In turn, these artifacts can be refined into intelligence that can inform decisions for future operations. While some organisations do not have a formally defined intelligence function on their team, the concept of using what you know about the threat-space to inform your operations exists in all organisations. Regardless of whether an explicitly named threat intelligence analyst employee is on the payroll, the relationship between intelligence and operations is fundamental and present in all security teams.

Enter the “mobius strip”

With security risks and attacks set to increase year-on-year and the average annual cost to organisations ballooning, companies need to explore how they can make greater use of threat intelligence to respond to the new barrage of threats.

Threat intelligence may be the catalyst for taking an action or starting a process and informing how the process and decision making is done throughout. As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. A feedback loop is created — essentially threat intelligence drives orchestration and orchestration enhances threat intelligence.  \

Increasingly, cyber security programmes are operating like a “mobius strip”, a continuous loop where intelligence informs operations and insights from these operations are fed back and form new intelligence. The “mobius strip” will prevent hackers in the long-term. By sharing important data between intelligence and operations it denies hackers the upper hand. Providing context to indicators during incident management is crucial to understanding what you might be dealing with and where it’s been seen before. At the same time, adding new intel generated from an incident or case back to your threat repository takes information that’s very relevant to your organisation and makes it available for future analysis.