By Hugh Njemanze, CEO, Anomali
According to a recent report from the Online Trust Alliance, 2017 marked another “worst year ever” for cyber attacks. Businesses across every sector experienced nearly twice the amount of attacks over the previous 12 months, with major breaches hitting sectors like healthcare, heavy industry and even election and government security. At least one research report estimates that the cost associated with attacks will total more than $6 trillion by 2021.
With digital transformation well underway across numerous industries, more data than ever before is headed from behind company firewalls and into the cloud. Data that most people couldn’t imagine sharing even five years ago – credit card numbers, banking information, social security numbers, medical records, confidential documents – are being transacted over the Internet. The lucrative nature of cybercrime and the availability of tools and data continue to lure new criminals to the cyber world. Security leaders are under more pressure than ever to ensure that they have a constant view into their networks to identify when and how these bad actors strike. Breach reporting requirements make this challenge even greater. This is an immensely difficult task.
One way companies can better contend with cyber threats in their networks is to build a dynamic, thorough threat intelligence framework from which they can cast a larger cybersecurity net. Taking a page from the government’s anti-terrorism playbook, we call this the Cyber No-Fly List.
The No-Fly List
One of the government’s better-known anti-terrorism tools, the “No-Fly List,” is a list maintained by the FBI’s Terrorist Screening Center. The No-Fly List identifies individuals who are deemed too much of a national security risk to be allowed to fly. The list pulls information from several different databases to identify bad actors, their associates, backgrounds and the risk level they bring. Although the No-Fly List is only one tactic the US uses in the fight against terrorism, since its inception there have been no successful aircraft-focused attacks on U.S. soil. The FBI even asserted that the watch list “…is one of the most effective counterterrorism tools for the U.S. government.” The effectiveness of the No-Fly List for physical security makes this intelligence-based approach to defense worthy of consideration by all organizations that are regularly targeted by cyber threats.
As rates of cybercrime and cyber terrorism continue to rise, it only makes sense for enterprises to implement a similar system – one that identifies bad actors and their IP addresses, malware signatures, and tell-tale techniques, and then flags when they try to penetrate a network. The TSA’s machines, checkpoints, and rules work to a similar end as the tools enterprises use to detect and keep out threats, like network monitoring tools, firewalls and endpoint management systems.
The Cyber No-Fly List
Establishing a Cyber No-Fly List is no easy feat. Enterprises currently enforce checkpoints and controls to reduce the odds of being compromised, but, like any rules, they can be circumvented by a crafty interloper. To really crack down on malicious traffic, enterprises must catch threats before they even enter their systems. To do this, cybersecurity professionals need to draw from massive quantities of threat data, and more importantly, threat intelligence.
At the root of the Cyber No-Fly List is data sourced from a variety of different data feeds and arriving in disparate formats. To even begin looking for threat indicators, a company must have the infrastructure to collect, cleanse and normalize the data. This is where automation can help. Given the shortage of trained cybersecurity professionals and the exponential increase in threats, software solutions can help optimize and integrate this data into threat intelligence – the deep context that security leaders can use to make decisions.
This threat intelligence is what drives the Cyber No-Fly List. In a typical business day, a large enterprise will easily record over 1 billion network and system events, all of which need to be checked against the list of threat indicators. Putting a Cyber No-Fly List to work means analyzing all that digital traffic in close to real-time and determining who to keep out — a major undertaking, even with today’s computing power.
Perhaps even more important than establishing the list itself are the updates to the list, i.e. the newly discovered cyber threats. Every day researchers identify thousands of new malicious cyber indicators. It’s not enough to just start looking out for these new bad actors. As soon as new threat data is available, organizations need to know if their networks have already been infected.
This means looking over months or even years of historical traffic to identify breaches. To draw on the analogy of the actual No-Fly List, this would be like identifying a new terrorist and then diving into their entire life’s worth of travel records, identifying whether they have already entered the country, where they went and how they got there. Unlike humans, cyber actors can quickly and easily change “fingerprints” – using different IP addresses, domains, malware, etc. More sophisticated actors will even monitor public threat lists to find out if they’ve been detected.
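The three mechanics described above (normalizing indicators from disparate feeds, checking events against the list, and re-scanning historical traffic when new indicators arrive) as an added example; this is illustrative code written for this article, not Anomali's product, and the feeds, log format and indicator values are all constructed.

```python
import csv, io, json, re

# Constructed sample feeds in two different formats (documentation-range values, not real IoCs).
FEED_CSV = "indicator,type\n203.0.113.7,ip\nBad-Domain.Example,domain\n"
FEED_JSON = '[{"value": "198.51.100.23", "kind": "ipv4"}, {"value": "evil.example.", "kind": "fqdn"}]'

# Different feeds name the same indicator types differently; map them to one vocabulary.
TYPE_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain", "fqdn": "domain"}

def normalize(value, kind):
    """Cleanse one indicator: canonical type, lowercase, no trailing dot on FQDNs."""
    return (TYPE_MAP[kind.lower()], value.strip().lower().rstrip("."))

def load_feeds(csv_text, json_text):
    """Collect indicators from disparate formats into one normalized set (the 'list')."""
    indicators = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        indicators.add(normalize(row["indicator"], row["type"]))
    for item in json.loads(json_text):
        indicators.add(normalize(item["value"], item["kind"]))
    return indicators

# Constructed log format: "<timestamp> src=<ip> dst=<ip> [host=<fqdn>]".
LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)(?: host=(?P<host>\S+))?")

def extract_observables(line):
    """Pull the (kind, value) pairs from one event that could appear on the list."""
    m = LOG_RE.match(line)
    if not m:
        return []
    obs = [("ip", m.group("src")), ("ip", m.group("dst"))]
    if m.group("host"):
        obs.append(("domain", m.group("host").lower().rstrip(".")))
    return obs

def match_events(lines, indicators):
    """Return (timestamp, kind, value) for every event that touches a listed indicator."""
    return [(line.split()[0], kind, value)
            for line in lines
            for kind, value in extract_observables(line)
            if (kind, value) in indicators]

def retro_hunt(history, old_indicators, new_indicators):
    """When the list is updated, re-scan stored traffic only for the indicators that are new."""
    return match_events(history, new_indicators - old_indicators)

HISTORY = [  # constructed historical events
    "2017-06-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7",
    "2017-06-02T11:30:00Z src=10.0.0.9 dst=192.0.2.44 host=Evil.example",
    "2017-06-03T12:00:00Z src=10.0.0.5 dst=192.0.2.10",
]
```

In practice the indicator set lives in a store that supports fast membership tests at billions of events per day, and `retro_hunt` runs over the retained log archive each time a feed delivers new indicators.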
Because all companies have unique characteristics and threat landscapes, there is no definitive or “master” Cyber No-Fly List. However, for those companies that take the time to cultivate and maintain a list, it works.
A recent study of 1,000 cybersecurity experts found 80% utilize threat intelligence in their daily security operations. Recent events like the WannaCry and Petya attacks demonstrate the need for rapid intelligence. Within hours of the Petya outbreak, subscribers to threat intelligence providers began receiving specific, actionable threat indicators – the fingerprints of the attacker – so they could put in place safeguards like firewall blocking rules and network monitoring alerts.
The Cyber No-Fly List approach leverages one of the most effective tools in warfare — intelligence. The Cyber No-Fly List allows companies to proactively keep tabs on their potential and current foes, ensuring that they never get through the gates in the first place.
About the Author
Hugh Njemanze is the CEO of Anomali, the leading provider of threat management and collaboration solutions. He has had a 30-year career in the enterprise software industry, working previously at companies such as ArcSight, HP Enterprise, Verity, and Apple.