Saturday, September 24, 2016

The Cybersecurity Triad

In the never ending argument over which source of data is more important to the defense of your
enterprise – the endpoint or the network – it’s important we don’t forget that external sources can be just as valuable in detecting compromises and combating threats.

A key construct of the Cold War was the “nuclear triad.” That is to say: our ability to deliver nuclear weapons via missiles, airplanes, and submarines. It was important that all three legs of this metaphorical atomic stool were equally strong because from both an offensive and defensive perspective, a one-two-three punch was better than a one-two punch, though we are talking about nuclear weapons here, so just one (from both sides) is more than enough.

There are many arguments in cybersecurity, not the least of which is whether you should focus more on endpoints or network traffic to better defend your enterprise. Both sides have strong arguments and powerful personalities serving as proponents. On the one hand, evil has to ask a system for cycles in order to work. If you can monitor those cycles you have a good chance of detecting evil. On the other hand, unless your attacker’s goal is destruction (rare) evil has to move through the network to exfiltrate what they’re after, which means if you can sort out good traffic from bad you also have a chance of detecting evil.

But both approaches have shortcomings. If either were perfect the market for the other would disappear overnight. When the things you cannot control fall short it pays to look to external sources. Yahoo recently found this out. In the fog-shrouded chaos that is the online underground, there is threat-related gold. As the story relates, there is also iron pyrite amongst the gems so you have to do your due diligence, but the presence of legitimate data of yours ‘in the wild’ that you didn’t know about is a sound indicator that you are sitting on a two-legged stool.

The buzz phrase for external sources is “threat intelligence,” but if you asked 10 threat intelligence vendors what they offered you’d probably get 11 different answers. The other commonality in this thread is that if you ask 10 different threat intelligence vendors, you’ll likely be overwhelmed with the vastness of information scraped from the open internet, with an opinion rendered on what the individuality of the 50 mil tea leaves collected that day actually mean.

That’s not intelligence. 

That’s data. Sometimes it’s big data. Most time just aggregation.

We do this for a living, and some of us have done it for decades, so consider this as you evaluate how to build your third leg:

Is the source credible? Data on 500M users is a pretty amazing set of data. You would be right to be skeptical if someone you didn’t know from out of the blue offered to provide you with such data.

Does the source have access? The tip that triggered the Yahoo investigation was reportedly not legitimate, which means the source didn’t have the access claimed (or implied).

Is the source reliable? People think that just because someone operates in the underground that they don’t have to deliver. Things like ransomware work because the bad guys, while being bad guys, are also professionals. The profits from ransomware dry up if the bad guys don’t provide decryption keys when they’re paid. Likewise the first time someone rips you off is the last time they have to make money off of you. Shady or not, this is how some people make a living. They live well and they want to keep it that way.

Good sources of threat intelligence must be vetted and it will take time for you to determine who you can trust. You will get ripped off, and you will be overwhelmed with meaningless information that you’ll have to wade through to find the real nuggets. That’s the price of admission to the underground. Not everyone in this business provides something worth paying for, but for those reliable, credible, trustworthy few, you have a makings of a beautiful (if wary) friendship.