It seems that every second day I receive an urgent and resolute request from the cyber industry, the news, vendors, and customers about the latest hacking technique that will be used to infiltrate our environments.
Often these articles and sources come complete with the latest Indicators of Compromise (IOCs), such as hashes and IP addresses, and seemingly frightening details about how an adversary could or would exploit the vulnerability in question. The news is then repeated, discussions are held, and emails are exchanged about our need to prioritise this as a detection strategy. Although there are cases where a threat is rightly prioritised, that is certainly not the default action, nor an activity that should be undertaken weekly or even monthly. If it is, then we have succumbed to the noise in the Cyber Security Industry.
I take a moment now to thank the countless threat research organisations and individuals who do provide high quality and much needed information in the public domain (like our partners Microsoft, Flashpoint Intel, Beyond Binary, Carbon Black, and Palantir). These high-quality threat research sources provide a critical service to the global community by keeping us safe and letting people just get on with what ICT was designed to do – enable the digital world and provide access to information.
Where I deviate from the above comment is the countless marketing, vendors and news agencies promoting fear in the community, often unintentionally, by diverting our C-Suites and ICT Managers away from the bigger picture. They repeat low-quality indicators to promote their brand in the name of Threat Intel and talk about the IP addresses, hashes and URLs that threat actors originated from, unknowingly causing damage to the Cyber Industry by diverting resources away from core security operations business.
Managed Detection and Response (MDR) experts need to remain methodical in their approach to prioritising detection strategies and aligning these ‘booby traps’ to a framework such as the ATT&CK Matrix for Enterprise. What is important about frameworks is the ability to look at widely observed industry trends and the likelihood of each technique being used to breach an environment. By using a systematic approach, a successful MDR can weight its detections across the whole kill chain rather than following the all too common approach of targeting initial access alone.
As an example of the above, take the ATT&CK technique T1086 PowerShell, which is widely accepted to be one of the most likely techniques to require detection strategies and playbooks in a Windows environment. Security Operations Centres (SOCs) should be mapping and analysing their detection capability against the matrix and, where it is found wanting, allocating resources to solving how to detect malicious use of PowerShell, not to chasing the daily IOC noise in Cyber.
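To make the mapping exercise concrete, here is an added example (not code from the original post) of weighting detection coverage across ATT&CK tactics. The tactic list follows the Enterprise matrix; the detection inventory and the per-technique likelihood weights are constructed sample data standing in for an organisation's own trend analysis.

```python
"""Weight detection coverage across the ATT&CK Enterprise kill chain.
Constructed example: the inventory and weights are sample data only."""
from collections import Counter

TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact"]

# Assumed likelihood weight (0-1) per technique, as a SOC might derive from
# industry trend reports. T1086 (PowerShell) is the technique the post cites.
PRIORITY = {
    "T1193": ("Initial Access", 0.8),       # spearphishing attachment
    "T1086": ("Execution", 0.9),            # PowerShell
    "T1053": ("Persistence", 0.5),          # scheduled task
    "T1027": ("Defense Evasion", 0.6),      # obfuscated files
    "T1003": ("Credential Access", 0.7),    # credential dumping
    "T1021": ("Lateral Movement", 0.6),     # remote services
    "T1071": ("Command and Control", 0.7),  # application layer protocol
    "T1048": ("Exfiltration", 0.4),         # exfiltration over alternative protocol
}

# Constructed inventory: heavy on initial access, the pattern the post warns about.
DETECTIONS = [
    {"name": "phish-attachment-sandbox", "technique": "T1193"},
    {"name": "phish-url-reputation", "technique": "T1193"},
    {"name": "phish-sender-spoof", "technique": "T1193"},
    {"name": "lsass-access-alert", "technique": "T1003"},
]

def coverage_by_tactic(detections):
    """Detections per tactic, listing every tactic so gaps show as zero."""
    counts = Counter(PRIORITY[d["technique"]][0] for d in detections)
    return {t: counts.get(t, 0) for t in TACTICS}

def uncovered_weight(detections):
    """Likelihood weight per tactic left without any detection, highest first."""
    covered = {d["technique"] for d in detections}
    gaps = {}
    for tid, (tactic, weight) in PRIORITY.items():
        if tid not in covered:
            gaps[tactic] = round(gaps.get(tactic, 0.0) + weight, 2)
    return sorted(gaps.items(), key=lambda kv: -kv[1])

def next_investments(detections, n=3):
    """Uncovered techniques ranked by weight: where the next analyst hours go."""
    covered = {d["technique"] for d in detections}
    gaps = [(w, tid) for tid, (_, w) in PRIORITY.items() if tid not in covered]
    return [tid for _, tid in sorted(gaps, reverse=True)[:n]]
```

Run against the constructed inventory, the report shows three of four detections sitting on Initial Access while Execution, the tactic carrying the highest assumed weight, has none, so T1086 PowerShell tops the list of next investments.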
This now leads me to the point of allocation of resources and their relevance to Cutting Through the Noise in Cyber Security. Cyber leaders and professionals will all tell you that they are insufficiently resourced to adequately cover every corner of the ICT environment all the time, and the public would agree as they watch the continuous stream of breaches in the public arena.
Our job as cyber leaders is to make effective use of finite resources and to protect them from the noise of the day to day.
Through establishing a framework, analysing global ATT&CK trends and mapping and prioritising our resources to detection strategies we can together Cut Through the Noise In Cyber Security.