In today’s world, computer hackers have evolved well beyond the stereotype of the freelance basement programmer. They are now well-paid IT subject matter experts, hired by various organizations and governments for defensive and offensive agendas that are both politically and commercially motivated. Some of them may even work for your company or your service providers.
So what are CIOs and CISOs supposed to report to the leadership team about the state of information security attacks and breaches in the organization? The most useful reporting metrics follow from the common reasons for this dilemma, which essentially come down to not knowing the following:
- Who – Who is trying to breach your perimeter defences?
- Where – Where in the world are these attacks coming from?
- How – How are they trying to breach your defences?
- Why – Why are they targeting your organization?
- What – What are they after?
- When – When are cyber attacks happening?
Other reasons that seem to have improved over the years but still lack efficient processes include:
- Not having proper security incident handling and remediation processes defined so that the Security Operations Centre (SOC) can properly classify, act, track and report on the events
- Not having a proper Computer Security Incident Response Team (CSIRT) defined and trained
Suggestions for reporting on the WHO
Organizations like the SANS Internet Storm Centre make voluntary attempts at monitoring and publishing IP addresses that should be on your SIEM watch lists or block lists. This can be a useful start for your initial SIEM tuning. However, since every organization is different, it is up to your own security analysts to constantly monitor and evolve your watch-list to target more specific malicious IP addresses.
Security analysts should also look at the organization’s public-facing websites and run analytics to see who their viewers are, where in the world they are coming from and what pages they are looking at. IP addresses with repeated failed attempts at login pages should be added to your SIEM watch-lists and monitored closely for security event correlations. This may lead to a decision to block these addresses or domains from accessing your website at all.
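As an added example (not from the original article), the following Python script implements the check just described: it parses web-server access log lines, flags source IPs with repeated failed logins inside a short window, and merges them into a watch list seeded from an external feed. The log lines, the seed list and the thresholds are all constructed for illustration.

```python
# Added example: flag source IPs with repeated failed logins and merge them into a SIEM watch list.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log lines; status 401 marks a failed login.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Oct/2023:13:55:15 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [10/Oct/2023:13:56:30 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:15:10:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /about HTTP/1.1" 200 4096
"""
# Constructed seed list standing in for an external feed such as the ISC list.
SEED_WATCHLIST = {"192.0.2.250"}

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def failed_login_sources(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map each IP with >= threshold failed logins inside one `window` to its total failures."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/login" and rec[4] == 401:
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        # Sliding window anchored on each failure; one burst over threshold is enough to flag.
        if any(sum(1 for t in stamps[i:] if t - s <= window) >= threshold
               for i, s in enumerate(stamps)):
            flagged[ip] = len(stamps)
    return flagged

def build_watchlist(seed, flagged):
    """Merge analyst-flagged IPs into the external seed list for SIEM correlation."""
    return set(seed) | set(flagged)
```

Two failures from 198.51.100.7 more than an hour apart are not flagged at the default threshold, which is the point of the window: repeated attempts, not isolated typos.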
Suggestions for reporting on the WHERE
Depending on the business or service your organization provides, where in the world Cyber attacks are coming from may not be too important, but for some business and government organizations that provide services to a global customer or user base, this is a real concern. An example of wanting to know where Cyber attacks are coming from was the 2016 US presidential election. Security analysts identified Cyber attacks on the electoral system with source IPs that were apparently registered to Russia.
This may have been possible because Internet addresses have been allocated and recorded by country and region, so unless the hacker(s) are spoofing their source IP addresses, it is relatively easy to look up where they are coming from. Knowing this can probably shed more light on why your organization is being attacked.
Suggestions for reporting on the HOW
Firewalls, routing/switching devices and servers can log everything that knocks on or attempts to get through them. Many of these events are merely informational, so your SIEM system should be tuned to address only the events from your log files that are considered worth monitoring. This type of tuning takes time and requires your security analysts to have a solid understanding of your organization’s security policies, standards, critical assets, technology architectures and designs.
Once tuned, your SIEM will be a very useful tool in determining how attackers are trying to penetrate your systems from outside and inside your perimeter defences. Typical SIEM use case examples include:
- Detection of possible brute force attacks (password cracking)
- Detection of insider threat (i.e. acceptable use monitoring)
- Application defense check
- Top web application attacks per server
- Malicious SQL commands issued by administrators
- Suspicious application performance indicators and resource utilization vectors
- Application platform (OS) patch-related status
- Web attacks following configuration changes on applications
- Suspicious behaviour of log sources (e.g. an expected host/log source not reporting, or an unexpected events-per-second (EPS) rate from a log source)
- Correlation logic: for example, a SIEM can correlate various security events to detect a potential threat, such as unusual port activity on firewalls, suspicious DNS requests, warnings from a web application firewall and IDS/IPS, and threats recognized by antivirus, HIPS, etc.
- Detection of anomalous ports, services and unpatched hosts/network devices
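The “suspicious behaviour of log sources” use case above, as an added example that is not part of the original article: the Python check below flags expected sources that have gone silent and sources whose events-per-second rate spikes against their own recent baseline. The event stream, host names, windows and spike ratio are all constructed for illustration.

```python
# Added example: detect expected log sources that stop reporting and EPS spikes
# against each source's own baseline, as a SIEM log-source health use case.
from collections import Counter
from datetime import datetime, timedelta

# Constructed stream of (timestamp, log source) pairs as a SIEM would ingest.
T0 = datetime(2023, 10, 10, 14, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=i), "fw-edge-1") for i in range(0, 600, 2)]        # steady 0.5 EPS
    + [(T0 + timedelta(seconds=i), "web-dmz-1") for i in range(0, 300, 5)]      # 0.2 EPS, then silent
    + [(T0 + timedelta(seconds=i), "dc-01") for i in range(0, 480, 2)]          # 0.5 EPS baseline
    + [(T0 + timedelta(seconds=480, milliseconds=50 * i), "dc-01")
       for i in range(2400)]                                                     # burst: 20 EPS
)
EXPECTED_SOURCES = {"fw-edge-1", "web-dmz-1", "dc-01", "vpn-gw-1"}  # vpn-gw-1 never reports
NOW = T0 + timedelta(minutes=10)  # constructed "current time" for the check

def eps_by_source(events, start, end):
    """Events per second for each source inside [start, end)."""
    span = (end - start).total_seconds()
    counts = Counter(src for ts, src in events if start <= ts < end)
    return {src: n / span for src, n in counts.items()}

def log_source_alerts(events, expected, now, baseline=timedelta(minutes=8),
                      recent=timedelta(minutes=2), spike_ratio=5.0):
    """Return {source: reason} for silent expected sources and EPS spikes."""
    base = eps_by_source(events, now - baseline - recent, now - recent)
    cur = eps_by_source(events, now - recent, now)
    alerts = {}
    # Every expected source must have produced at least one event in the recent window.
    for src in expected:
        if cur.get(src, 0) == 0:
            alerts[src] = "not reporting in last %ds" % recent.total_seconds()
    # A source whose current rate is spike_ratio times its baseline is anomalous.
    for src, rate in cur.items():
        b = base.get(src, 0)
        if b > 0 and rate / b >= spike_ratio:
            alerts[src] = "EPS %.1f vs baseline %.1f" % (rate, b)
    return alerts

def run_check():
    """Run the check against the constructed stream at the constructed current time."""
    return log_source_alerts(SAMPLE_EVENTS, EXPECTED_SOURCES, NOW)
```

A real deployment would read the expected-source inventory from the asset register and tune the windows per source type, since a firewall and a domain controller have very different normal rates.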
Suggestions for dealing with the WHY & WHAT
Why is your organization being subjected to cyber attacks? To answer this question, organizations need to sober up and put themselves in the shoes of the attacker. For instance, here are some examples of questions and possible answers that your leadership team should already be aware of:
- What do you have that someone will want to steal?
  - Personally identifiable information (PII) of your customers (e.g. names, addresses, social insurance numbers, telephone numbers, driver’s license numbers, etc.). Examples of organizations that have been breached and had PII stolen include Yahoo and the affiliates that use them to host email aliases. Other organizations that have had their customer information stolen include most social media sites. Stolen PII can result in identity theft.
  - Credit card information. Credit card fraud has been around for years, but online merchants have been targeted, as well as large department stores like Target and others that hold credit card information in local databases.
  - Intellectual property (e.g. strategic marketing plans, product engineering specs and designs).
- What have you done that could be upsetting to your competitors, other countries, religious organizations, racial groups, human rights organizations, environmentalists, etc.?
  - Political positioning. Examples include supporting specific government political parties, international trade agreements, or war (in the case of government organizations).
  - Marketing advertisements. Examples include ads that promote a specific racial culture, ethnic group, lifestyle, chauvinism, political candidate, etc.
  - Animal testing for pharmaceutical products
  - Inferior products being rolled out to consumers
  - Etc.
Suggestions for reporting on the WHEN
Unfortunately, determining “when” a Cyber attack will happen is near impossible, because a properly organized cyber attack needs good planning. For example, launching a DoS storm against your organization that would cripple your online services would require the attacking organization to have all their Internet “weapons” (e.g. servers and appliances) and attack vectors ready to launch at the same time or at their designated times. These “weapons” could also be located in many regions or even countries around the globe.
However, know that some cyber hacker organizations have these tools/“weapons” already in place. So be ready, because survival from some Cyber attacks going forward may depend on proper business continuity and IT recovery planning.