The cybersecurity arms race is a lot like the classic Mad Magazine Spy Vs. Spy cartoon series where two look-alike secret agents constantly try to one-up each other using an array of increasingly complex tools and strategies. In this case, it’s machine learning and other artificial intelligence technologies that are being used both to identify – and carry out – cyber-attacks.
With so much to protect from so many potential threats, what’s a company to do?
Well, getting an idea of who the bad guys are and what they want gives companies an inkling of what to protect.
Attack techniques—such as phishing-enabled malware and command-and-control servers that direct bots and compromised devices to launch distributed denial of service (DDoS) attacks—change all the time. That means a company is better off tracking the bad actors themselves since one set of bad actors will likely launch lots of attacks.
If an organization attributes threat activity against its networks to a known international actor, and knows that this actor tends to go after payment card credentials primarily — but has, on occasion, moved laterally into the finance department instead — “the company can proactively better protect those areas and focus its threat hunting efforts there,” says Sarah Geary, a former senior cyber analyst who is now executive briefer for FireEye, a threat intelligence company based in Milpitas, Calif.
“There are always new cyber actors emerging or threat actors veering into new fields,” Geary said. For example, it’s important to realize that Iran has been able to watch and learn from Russia’s success in how to use cyber influence for its own political aims, she noted.
Going deeper, it’s also important to know more about what these new entrants are doing in terms of tactics, techniques and procedures (that is, “TTP” in cybersecurity shorthand).
Once a big hack has been identified, the bad guys will shift tactics to attack in new ways.
Geopolitical and business interests meld
While they may not ask about it, C-level execs should also be aware of potential motivations of state-backed threat actors, which often work to further the interests of state-aligned companies in their countries.
For example, China is pushing its Belt and Road initiative, a massive plan to modernize the Silk Road, the ancient network of routes connecting it with the Middle East, Africa and Europe. Last year, the South China Morning Post estimated the budget for this infrastructure overhaul would be in the $4 trillion to $8 trillion range.
FireEye has noted an increase in cyber threat actors now targeting construction, transportation, and maritime industries along the planned route, Geary said.
It is crucial to couple geopolitical awareness with traditional cyber analysis to get a good idea of what the main threats to an organization are at that time, she added.
Don’t get hung up on job titles
Given the volume of threats and how fast they morph, the aforementioned AI/ML technologies are key to safeguarding company data. However, those technologies should be considered enhancements to, rather than replacements for, human experts, said Rik Turner, principal security analyst with Ovum Research.
AI/ML help humans sort the wheat from the chaff and home in on what the most critical issues are, Turner said via email.
“There is now an overabundance of threat data available, but precious little time to actually respond to a breach. Thus, machines can be used to supplement, streamline and accelerate decision-making.”
The lack of security experts at many companies also makes the use of this technology critical. Having said that, one long-time security consultant says this issue has been overhyped. His contention is that many corporate tech staffers know best practices when it comes to protecting corporate systems, even if they don’t have the word “security” in their titles.
In the view of this expert, who requested anonymity because he is not authorized to speak publicly, experienced network and systems administrators form the front lines of cybersecurity defense at many businesses. For that reason, most companies really don’t need more “cybersecurity experts” per se but should invest in continuous training for existing staff. And, they absolutely should rely on automated patching and security updates for all software and systems.