Self-Defence
Self-defence, or in reality “self-protection”, is everyone’s responsibility throughout any organisation. It relates to culture and awareness. This is the area where leaders should encourage all staff to: “not be the person who clicks on the link in the phishing email”; “not be the person who finds a USB stick in the carpark and plugs it into the control system for your centrifuges (has anyone not heard of Stuxnet?)”; “consider what they are posting on social media”; and “consider what they are doing to keep themselves, their mates, the organisation, and their family safe in cyberspace”.
While social media has many clear benefits in sharing information regarding your organisation, it also creates conditions that allow a malicious actor to generate actionable intelligence from aggregating and correlating multiple sources of information. Details regarding the status of business operations, including personnel information; family information; tactics, techniques and procedures; and training standards are valuable to criminal threat groups who may target an organisation.
Ultimately, it’s about an organisation’s attitude, approach and culture towards security. To paraphrase a famous anonymous quote: you don’t need to be the fastest swimmer to avoid the shark – just don’t be the slowest swimmer! Your organisation has WH&S awareness, training rhythms and a policy; it should be no different for security.
Passive Defence – the Defence of IT and OT Systems
Passive Defence is the domain of Information Technology staff and system administrators. It is the domain where those responsible for an organisation’s information technology and operational technology think about the defence of those systems. It is the domain where leaders and managers ensure compliance with the ASD ‘Essential Eight’ (if they are not already compliant, we would recommend they become so), and ask technical staff whether systems are being patched, whether applications are being whitelisted, whether data is being encrypted (both at rest and in transit), and how many individuals have administrator rights to systems. Technical leaders such as CIOs, CISOs and CTOs should ensure they have sufficient situational understanding of the systems for which they are responsible so that anomalies can be detected and triaged.
Importantly, the grouping of Self-Defence and Passive Defence constitutes what I consider to be ‘cyber security’.
Active Defence
It follows that Active Defence and Offence constitute what I consider to be ‘cyber operations’. Cyber operations are defensive and offensive activities conducted by smaller numbers of more highly trained people. Of note, Offensive Cyber Operations are the exclusive domain of Government, and activities such as “hack back” would be considered illegal if conducted by a commercial organisation.
Active Defence, however, is a legal and entirely appropriate contribution to any organisation’s cyber resilience. Active Defence is the domain of Defensive Cyber Operations, conducted by highly trained individuals who form ‘hunt teams’ that work inside an organisation’s systems and actively seek out and counter malicious threat activity.
Active Defence is a critical capability that has particular application when passive security measures have failed. The best passive defence measures will not necessarily keep all malicious actors out of an organisation’s systems, as passive defence measures target known threats. It is reported that a new piece of malware is in circulation every 13 seconds – a period that is anticipated to reduce to every seven seconds during the next few years. Additionally, with the increasing prevalence of “zero-day” attacks – that is, newly discovered software flaws that are unknown to the software vendor, but have been exploited by a malicious threat actor – it is not possible to rely on set-and-forget Passive Defence measures alone.
A high-quality Active Defence capability, in the form of Managed Detection and Response (MDR) has never been more important in Australia!