by Ben Levitan
In mid-March 2018, federal law enforcement warned of a multi-stage attack on U.S. energy sector grids. The analysis triggered a Joint Technical Alert (JTA) by the U.S. Computer Emergency Response Team (US-CERT).
“The Department of Homeland Security has warned that Russian operators successfully intruded into electrical grid industrial control systems, albeit without working damage in this first stage of their campaign. Unofficial warnings go back to last autumn at least, when Symantec produced research on the activities of Energetic Bear. Some of the operations are thought to go back to 2015.”
That same briefing included a link to an article published by The Hill newspaper, which noted that “Russians had accessed information on Industrial Control Systems.”
Reporter Morgan Chalfant elaborated in her story:
“Once inside energy sector networks, the hackers moved laterally to ultimately gain information on Industrial Control Systems and supervisory control and data acquisition systems outputted from energy generation facilities.
These systems are used to operate critical facilities and make them run more efficiently. The files accessed by the Russians would provide information that could ultimately be used to stage destructive or disruptive attacks on energy systems, experts say.
With the release & reminder by DHS and the FBI (last week) that the U.S. energy grid is under attack from nation-state actors, many cybersecurity and risk managers have been reminded again about the persistent threats their organizations and systems face.”
There are two important themes here:
a) the persistence of threats; and
b) the progression of technical capacity to spread laterally.
In light of these themes, government-issued alerts are useful because the seriousness often prompts cybersecurity professionals to immediately follow the guidance. Typically this results in the implementation of new signatures, modified procedures, and similar activities all geared to mitigate future risks.
But this is not enough anymore.
Current Limits to the Capacity to Respond
When new cyber threat intel is published, security professionals need the ability to compare new threats against existing, or previously recorded, data. This is because threats may have slipped into the infrastructure long before being identified.
What concerns me the most is that many organizations in the mid-market still lack the tools to do just that. Cyber threat intelligence, even actionable intelligence, is of diminishing value if an organization lacks the composition or capacity to act on it beyond merely monitoring for new indicators.
These tools are typically made available to larger or information-intensive companies, such as financial services organizations. Such institutions use this type of technology to record, study and hunt for threats in the metadata that underpins their systems environment.
Why doesn’t the mid-market have access to such tools? Historically, deploying security solutions to record and analyze metadata has been too costly for most mid-sized organizations.
The fortunate few with the budget to invest face another conundrum: lean cybersecurity teams juggling competing priorities, without the time to learn and master the nuances of these complex and proprietary tools properly.
For smaller organizations that believe they are unlikely to face a direct attack, the evolution of the threat environment is what makes that perspective so risky. As my colleague Druce MacFarlane wrote for CSO Online, the unfettered lateral movement of malware at the very least intensifies the risk of being collateral damage and, at worst, puts nation-state capabilities in the hands of a casual adversary.
Democratizing Access to Cybersecurity Metadata
What the cybersecurity community needs are security technologies that democratize access to complex metadata analysis. Specifically, this means technologies that have the following characteristics:
- Automate security processes and are easy to use;
- Automatically capture network metadata around incidents and events;
- Index relevant metadata and enable security teams to hunt for threats immediately;
- Are flexible and extensible, and provide a means to share such data with other tools; and
- Provide the capacity to replay older data recordings against new threat intelligence – much like the JTA issued by US-CERT in this example.
Clearly, it’s important to monitor for new indicators when such alerts are issued, but we also need the ability to compare what we’ve learned against what we thought we knew. As noted above, some of these activities are traced to operations that are already three years old at the time of this writing. It brings new meaning to the notion of persistent threats.
If these threats have already slipped by the monitoring systems, then the best way to identify them is to hunt for them. The way to do that is to apply new intelligence against previously recorded data. Without this capacity, we are left with new cyber threat intelligence and absent a practical way to act on it.
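As an added illustration that is not part of the original post, the script below replays a constructed set of indicators (placeholder IPs, a domain and a file hash standing in for an alert's contents) against a constructed archive of network metadata records in a Zeek-like JSON-lines shape, reporting how long each matched indicator had already been present in the recorded data before the alert was published.

```python
import json
from datetime import datetime, timezone

# Constructed archive of network metadata as JSON lines (Zeek-like field names);
# every IP, hostname, hash and uid here is an invented placeholder, not a real indicator.
ARCHIVE = """\
{"ts":"2015-11-03T14:22:10Z","uid":"c1","type":"dns","query":"update-check.example.invalid","answer":"203.0.113.9"}
{"ts":"2015-11-03T14:22:11Z","uid":"c1","type":"conn","src":"10.20.5.17","dst":"203.0.113.9","dport":443}
{"ts":"2016-06-19T09:01:44Z","uid":"c2","type":"files","sha256":"PLACEHOLDER_HASH_A","rx_host":"10.20.7.3"}
corrupted line of the kind a real log store may contain
{"ts":"2017-02-08T21:15:02Z","uid":"c3","type":"conn","src":"10.20.5.40","dst":"198.51.100.25","dport":8080}
{"ts":"2018-03-10T03:40:57Z","uid":"c4","type":"http","host":"intranet.corp.example","uri":"/login"}
"""
# Constructed indicator set standing in for a newly published alert (not the real JTA contents).
NEW_INDICATORS = {
    "ip": {"203.0.113.9", "198.51.100.77"},
    "domain": {"update-check.example.invalid"},
    "sha256": {"PLACEHOLDER_HASH_A"},
}
ALERT_DATE = datetime(2018, 3, 15, tzinfo=timezone.utc)
# Record fields each indicator type is compared against during replay.
FIELDS = {"ip": ("dst", "answer"), "domain": ("query", "host"), "sha256": ("sha256",)}

def parse_archive(text):
    """Parse JSON-lines metadata, skipping malformed lines so one bad record does not stop the hunt."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def replay(records, indicators, alert_date):
    """Map each matched indicator to (first-seen ISO timestamp, matching uids, days before the alert)."""
    sightings = {}
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        for ioc_type, fields in FIELDS.items():
            for field in fields:
                value = rec.get(field)
                if value in indicators.get(ioc_type, ()):
                    first, uids = sightings.get(value, (ts, []))
                    sightings[value] = (min(first, ts), uids + [rec["uid"]])
    return {ioc: (first.isoformat(), uids, (alert_date - first).days)
            for ioc, (first, uids) in sightings.items()}

if __name__ == "__main__":
    for ioc, (seen, uids, dwell) in replay(parse_archive(ARCHIVE), NEW_INDICATORS, ALERT_DATE).items():
        print(f"{ioc}: first seen {seen} in {len(uids)} record(s), {dwell} days before the alert")
```

Indicators that never appear in the archive produce no output, while matched ones surface the connection uids to pivot on and a dwell time measured against the alert date.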
* * *
Mr. Levitan is an investor, tech executive and four-time CEO. He currently serves as President of Cedalion Partners and is a member of the Bricata Board of Directors. He can be reached via email at email@example.com.