How to Think Like a Hacker
Fidelis Strategist: Key to Defense is to Understand Attackers
Jim Jaeger, chief cyber services strategist at Fidelis Cybersecurity, has worked on various security incident projects, and he has led cyber forensics investigations into some of the largest network breaches impacting the industry. He has come to see that professional cyber criminals are so adept at cloaking their activities that they routinely go undetected for months, even years.
How should security practitioners handle such stealth? Jaeger believes that even before contemplating which security solutions to deploy, CISOs must gain insights into how hackers plan their attacks.
"Hackers conduct detailed reconnaissance activities and develop custom-tailored campaigns to penetrate into the network to steal corporate sensitive data, intellectual property, business plans and personal information," Jaeger says.
One way to tackle the situation, he says, is for CISOs to ensure an integrated approach is taken to drive a solution that includes technologies and threat intelligence to enable the discovery, investigation and containment of an attack across all phases of the threat lifecycle.
In this interview with Information Security Media Group, conducted at the GISEC event in Dubai, Jaeger discusses:
- Using threat intelligence in the right context;
- Judiciously leveraging vendor tools;
- Planning security investment in technologies to prevent breaches.
Jaeger previously managed the Network Defense and Forensics business area at Fidelis Cybersecurity, including the Digital Forensics Lab, leading investigations into some of the largest network breaches impacting the industry. Jaeger has also held a leadership role for cyber programs including General Dynamics' support for the DoD Cyber Crime Center (DC3), the Defense Computer Forensics Lab and the Defense Cyber Crime Institute.
Jaeger is a former Brigadier General in the United States Air Force; his military service includes stints as Director of Intelligence (J2) for the U.S. Atlantic Command, Assistant Deputy Director of Operations at the National Security Agency, and Commander of the Air Force Technical Applications Center, where Jaeger was responsible for the collection and reporting of intelligence to Theater Commanders and the National Command Authority.
GEETHA NANDIKOTKUR: What kind of research and innovations are taking place as part of threat intelligence?
JIM JAEGER: More than technological innovations, I see a major evolution in consumer mind-set. Enterprises now don't want to wait for a breach or attack to occur. As part of threat intelligence, organizations intend to conduct threat research on the Internet and share the information with stakeholders, indeed a big change. The research is about finding the nature of threats and how hackers penetrate into the networks.
NANDIKOTKUR: So, what are the cybersecurity concerns for enterprises in this region?
JAEGER: Security practitioners face many challenges, given that hackers never stop evolving, and have always been using sophisticated tools and tactics to find prey. Their key concern is that they cannot rest upon yesterday's success. While tools and technologies help practitioners defend against attacks, the huge challenge is to integrate their tools in such a fashion that they can detect and mitigate attacks.
NANDIKOTKUR: With the proliferation of security tools and technologies, how do you suggest CISOs judiciously use them?
JAEGER: There's no one-size-fits-all solution. I'd recommend looking at comprehensive tools that can enable advanced threat defense mechanisms. For instance, CISOs can use three layers of defense (advanced malware protection, data theft protection and network security analytics) in a single, tightly integrated system for continuous protection and response.
CISOs should ensure that any solution includes technologies and threat intelligence which enable the discovery, investigation and containment of attacks across all phases of the threat lifecycle.
There are four stages of a threat lifecycle:
- Attack phase involving infiltration where data is compromised;
- Command and control communication phase;
- Lateral propagation phase;
- Data theft and exfiltration phase and the cycle repeats.
It's been proven that antivirus and basic forms of security are ineffective. What's needed is an advanced threat detection technology that can seamlessly integrate into a single system under a unified management framework, and have a higher probability of detecting or preventing threats before they create serious damage. The integration is critical to maximise the outcome, as CISOs are able to derive just 20 percent of the value of tools used or money spent.
The reason is lack of knowledge and going for low-hanging fruit. Access to cyber services is vital, besides using products.
NANDIKOTKUR: Can you elaborate on cybersecurity investments CISOs must plan on?
JAEGER: More than technologies, the investment in acquiring skilled resources is high. For instance, investigation and incident response teams may be very expensive. Building incident response capabilities with subject matter experts and forensic experts doesn't come cheap.
The cost is based on the size and complexity of the network. Breach prevention assessment on the network costs more. Proactive prevention services are cheap; incident response is not. Call the best people. Support services are expensive, as the teams have to assess how hackers got in, how long they were around and the intensity of the breach.
Breaches may vary ... Sometimes, forensic investigation alone can run into a few million dollars. Besides, the cost of settling legal, financial and regulatory claims is huge.
Securing the Networks
NANDIKOTKUR: Given the situation, how do enterprises secure their networks?
JAEGER: I'd suggest a few imperative steps for securing the networks:
- Ensuring a robust network model which has tools to monitor and gain network visibility, control and prevention;
- Finding a way to prevent hackers from entering into the network;
- Lowering operational cost with automated rules and real-time threat intelligence;
- Gaining situational awareness and real-time prevention capability;
- Seeking unbiased expert opinions or witness testimony;
- Adopting open source and social media monitoring to spot potential cyber-threats,