Crises and outbreaks change us and society; the fight against COVID-19 is the most dramatic example in recent memory. Every aspect of our lives is different, including new ways to work, communicate, do business, and care for ourselves and our families. The key is to learn from these experiences so that we are better prepared for future events.
These extreme changes have escalated another war, the one against cyber threats, by exposing new cybersecurity risks that threat actors are quick to exploit. The line between work and personal devices has blurred, with users switching between them fluidly. Personal and business data flow freely over home Wi-Fi networks. When the working day ends, we transition seamlessly to virtual happy hours and binge-watching on a growing number of services, expanding the attack surface even further. Threat actors also use novel lures that play on our fears and curiosity to entice us to click on malicious links or attachments, or to share data we should not. It is a situation that easily becomes untenable for many cybersecurity professionals and leaves organizations doubting their ability to react quickly.
When serving as Supreme Allied Commander during the Second World War, Dwight D. Eisenhower said, “In preparing for battle I have always found that plans are useless, but planning is indispensable.” Preparing for rapid response helps ensure that you have a structure in place during a crisis to work more efficiently with your colleagues, reduce risk, and answer questions from company management.
Below I outline three steps to help you lay the foundation for rapid response. These recommendations are not specific to COVID-19: the same planning process improves your ability to respond quickly to future events, from the next high-profile, global-impact ransomware campaign to opportunistic cyber attacks triggered by a natural or man-made disaster.
1. Consume. As we saw with global threats such as WannaCry and are seeing now with COVID-19, crises and outbreaks generate a sharp increase in new, disparate sources of threat information. Commercial intelligence providers, governments, open-source feeds, and frameworks such as MITRE ATT&CK all provide valuable data specific to the threat or outbreak. Being aware of these new sources is one thing; being able to ingest all that data is another, particularly when it arrives in different formats and as different types of data than you use today. To make this manageable you need a central repository that is ready to accept these feeds, or that can map them quickly, in minutes or hours, when they arrive in non-standard formats. The agility to take on new sources of threat information quickly is at the heart of rapid response. With aggregated, structured, high-quality data, you can determine how it applies to you and make the best use of it.
2. Understand. Each data source offers value on its own, but the real benefit comes from an integrated understanding of all of it, including incidents and related metrics from your own internal processes, for example your SIEM, log management server, case management system, and security infrastructure. By relating the data to what is actually happening in your environment, you gain context that makes it actionable. For example, an indicator that has been seen successfully in your environment, scores highly, or has been reported in the last 24 hours may prompt further review, while others only require ongoing monitoring, and those that are benign can be set aside. A big-picture view also makes it easy to see, and share with, whoever else in the company needs to absorb and act on this data: the SOC team, network security team, threat intelligence analysts, threat hunters, forensics and investigations, management, and so on.
3. Action. Applying the data in your infrastructure and operations is the final stage. Sending the relevant pieces of data quickly to the correct devices, systems, and controls within the organization speeds up detection, response, and prevention. Exporting the data to your existing infrastructure, for example, allows those systems to work more efficiently and effectively, yielding fewer false positives. You can also use curated threat intelligence to anticipate and deter attacks, for example by automatically sending intelligence to your sensor grid (firewalls, IPS/IDS, routers, web and email protection, endpoint detection and response (EDR), and so on) to create and enforce updated risk-mitigation policies and rules.
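The three steps above, carried through end to end as an added example (this is not code from the original article or from any product it describes): two constructed feeds in different formats (a STIX 2.x-style JSON bundle and a flat CSV) are mapped onto one indicator schema (consume), joined against constructed proxy and firewall log lines to score and tier each indicator (understand), and exported as a firewall blocklist, a DNS sinkhole list, and Suricata-style rules (action). The feed contents, log lines, documentation-range IP addresses, `.invalid` domain, fixed clock, scoring weights, and tier thresholds are all assumptions made for the illustration.

```python
"""Consume -> understand -> action: a minimal threat-intelligence pipeline.

Added example, not the article's own code. All feeds, log lines, timestamps
and scoring weights below are constructed for illustration.
"""
import csv
import io
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 4, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock so runs are reproducible

# Feed A (constructed): STIX 2.x-style bundle; only "indicator" objects carry patterns.
FEED_A_JSON = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "confidence": 80, "valid_from": "2020-04-01T08:00:00Z"},
    {"type": "indicator", "pattern": "[domain-name:value = 'covid-relief-update.invalid']",
     "confidence": 60, "valid_from": "2020-03-30T00:00:00Z"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.99']",
     "confidence": 85, "valid_from": "2020-04-02T06:00:00Z"},
    {"type": "malware", "name": "ignored-object"},
]})
# Feed B (constructed): flat CSV with word-valued confidence, typical of an ad-hoc outbreak list.
FEED_B_CSV = """indicator,type,confidence,first_seen
198.51.100.7,ip,high,2020-04-01
203.0.113.55,ip,low,2020-03-15
covid-relief-update.invalid,domain,medium,2020-03-31
"""
# Internal telemetry (constructed): proxy and firewall log lines.
LOGS = """2020-04-02T09:12:44Z proxy src=10.0.0.23 host=covid-relief-update.invalid action=allow
2020-04-02T10:01:03Z fw src=10.0.0.41 dst=198.51.100.7 action=allow
2020-04-01T11:30:00Z fw src=10.0.0.9 dst=203.0.113.55 action=deny
""".splitlines()


@dataclass
class Indicator:
    value: str
    kind: str            # "ip" or "domain"
    confidence: int      # 0-100, normalised across feeds
    first_seen: datetime
    sources: set
    sightings_24h: int = 0
    score: int = 0
    tier: str = ""


STIX_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")
CSV_CONF = {"low": 30, "medium": 60, "high": 90}   # assumed mapping of words to 0-100
LOG_RE = re.compile(r"^(\S+) \S+ src=\S+ (?:dst|host)=(\S+) action=(\S+)")


def _iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def consume(feed_a: str, feed_b: str) -> dict:
    """Step 1: map heterogeneous feeds onto one schema, de-duplicated by indicator value."""
    repo = {}

    def upsert(value, kind, conf, seen, source):
        ind = repo.get(value)
        if ind is None:
            repo[value] = Indicator(value, kind, conf, seen, {source})
        else:  # same indicator from a second feed: keep the strongest claim, earliest date
            ind.confidence = max(ind.confidence, conf)
            ind.first_seen = min(ind.first_seen, seen)
            ind.sources.add(source)

    for obj in json.loads(feed_a)["objects"]:
        m = STIX_PATTERN.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if not m:
            continue  # non-indicator or unsupported pattern type: skip rather than guess
        kind = "ip" if m.group(1) == "ipv4-addr" else "domain"
        upsert(m.group(2), kind, int(obj.get("confidence", 50)), _iso(obj["valid_from"]), "feed_a")
    for row in csv.DictReader(io.StringIO(feed_b)):
        seen = datetime.strptime(row["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        upsert(row["indicator"], row["type"], CSV_CONF[row["confidence"]], seen, "feed_b")
    return repo


def understand(repo: dict, logs, now: datetime = NOW) -> dict:
    """Step 2: join indicators with internal telemetry, then score and tier them."""
    cutoff = now - timedelta(hours=24)
    for line in logs:
        m = LOG_RE.match(line)
        ind = repo.get(m.group(2)) if m else None
        # Only a successful (allowed) contact inside the last 24h counts as a sighting.
        if ind and _iso(m.group(1)) >= cutoff and m.group(3) == "allow":
            ind.sightings_24h += 1
    for ind in repo.values():
        ind.score = ind.confidence + 30 * min(ind.sightings_24h, 1) + 10 * (len(ind.sources) - 1)
        if ind.sightings_24h:
            ind.tier = "review"      # seen in our environment: an analyst looks now
        elif ind.score >= 70:
            ind.tier = "monitor"     # credible but unseen: keep watching
        else:
            ind.tier = "set_aside"   # low confidence, single source, never seen
    return repo


def action(repo: dict) -> dict:
    """Step 3: emit control-specific artefacts for every indicator not set aside."""
    out = {"firewall_blocklist": [], "dns_sinkhole": [], "ids_rules": []}
    sid = 9000001  # arbitrary starting rule id for the generated rules
    for ind in sorted(repo.values(), key=lambda i: -i.score):
        if ind.tier == "set_aside":
            continue
        if ind.kind == "ip":
            out["firewall_blocklist"].append(ind.value)
            out["ids_rules"].append(f'alert ip any any -> {ind.value} any '
                                    f'(msg:"TI score={ind.score} {ind.value}"; sid:{sid}; rev:1;)')
            sid += 1
        else:
            out["dns_sinkhole"].append(ind.value)
    return out


if __name__ == "__main__":
    repo = understand(consume(FEED_A_JSON, FEED_B_CSV), LOGS)
    for ind in repo.values():
        print(f"{ind.value:32} {ind.tier:9} score={ind.score} sources={sorted(ind.sources)}")
    print(json.dumps(action(repo), indent=2))
```

Running it shows the point of the "understand" step: the two indicators that both feeds agree on and that were actually contacted from inside the network land in the review tier, the high-confidence but unseen address is only monitored, and the stale, low-confidence, single-source address is set aside and never reaches a control.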
With the ability to curate new sources of threat data easily and incorporate them into your operations, you are ready for whatever the future brings. You can be assured that your security teams have laid the groundwork for swift response. You will also have a framework for efficient communication with management, able to present information about a particular threat, and how you are reducing the risk, in ways that resonate with business leaders. Planning now for how to deal with the emerging risks of the next global crisis or epidemic is time well spent, and an activity Dwight D. Eisenhower would applaud.