Relationships in the Cyber Era
The advanced persistent threat (APT) era is here. Attacks are becoming more common and the level of damage is increasing in severity. As CISOs, we must prepare for the APT era. We must commit to changing our attitude, not only to adopting advanced technological tools.
The current awareness is not sufficient for this era, and in this article I will share my experience in increasing the ability of APT containment from a tactical strategic relationship (TSR) perspective.
Lateral movement has become an art form adopted by attackers. They work according to a regulated playbook, and every action is carefully calculated to stay under the radar. The use of obfuscation tools and the fast deletion of traces of any operation make this activity very difficult for cybersecurity systems to detect.
Among the goals of lateral movement is gaining control over privileged accounts. But, like any human, attackers sometimes make mistakes. A random, irregular action can raise general (but insufficient) suspicion that links the incident to a hostile cyberattack.
Unfortunately, the current awareness plans applied by an enterprise with a global presence and thousands of employees are ineffective in the event of such an attack. Professional, ongoing relationships with strategic partners in and outside your organization should be created in order to link abnormal activity to an APT attack and contain the cyber event quickly.
Despite my extensive experience, I am not a great relationship expert and will probably still be in the learning stage for the rest of my life. But I do know that there are a number of basic elements in any relationship that are mandatory for success.
Choosing a Partner
I give first priority to choosing the partner to build a relationship with. Time is precious; we cannot build many relationships, and certainly not in an enterprise that has tens of thousands of employees, hundreds of departments, and is located in numerous places around the globe.
We need to carefully select the relationships we want. I would choose them based on their criticality to the organization and their proximity to the areas we know are most vulnerable to attack. Sometimes, these partners sit outside the organization.
Major consideration, for example, is given to vendors whom we need to drop into the Battle Zone. IR teams and Threat Hunting teams rely on these deep, professional relationships; otherwise, they suffer from a long curve of ineffectiveness.
When we want a relationship to succeed, we must invest in it. If we decide to invest, we will of course need the appropriate resources. First, create a dialogue with the department’s management. Make an effort to understand their business and build relationships with key employees.
Participate in and create joint meetings to ensure a continuous, mutual understanding of a common goal: protecting the organization. Stress the importance of paying attention to things that seem unusual. Become an advisor to help decrease the number of false positives. And keep at it. Without regular cultivation, assume that even a strong, well-built relationship will fail to identify and contain an APT event.
Routine is the enemy of every relationship. Falling into a routine creates a kind of numbness that breeds apathy and ill-preparedness. As a result, keep relationships fresh. Cyberattacks are reported almost every day and are a source of interest to people.
We as CISOs can educate employees and give them the tools to avoid a cyberattack in the home or office. Schedule “Lunch and Learn” sessions. Invite your vendors to present. These activities create mutual added value and help you reach your ultimate goal: maintain a workplace that provides security for the organization, its employees, and their families.
There are very few indications that you’re under attack by an APT. When you do discover it, you need to react fast and smart. By maintaining a tactical strategic relationship with key players, you can alert and mobilize them quickly.
And when you “drop” an IR professional vendor into the Battle Zone, they will be more effective in a shorter period of time. The end result is containment and it’s attributable to the TSRs you’ve built and maintained.
Today, more than ever, the CISO’s role is complex; we are required to create a resilient and fast recovery system in the event of a cyberattack. A cyberattack’s impact is significant in terms of money and time. If we look around, we will see that organizations today lose tens of millions of dollars and more to these events.
Recovery times are prolonged, which drives costs up further. Sustained investment in tactical strategic relationships with specific IT/Business teams and vendors will therefore help us to act faster and contain the damage from these next-generation attacks.