If we look at the most recent SolarWinds breaches, the attackers evaded existing defenses for months. One of SolarWinds' customers, FireEye, was the first to detect the breach, citing activity dating back to March 2020. The evasive hackers went undetected inside the victims' environments, giving them access to sensitive information over a long period of time. These are sophisticated actors who know the tripwires associated with the simplistic rules and analytics people use to find them. The SolarWinds breach exemplifies organizations' need for effective and proactive threat hunting.
Legacy threat detection systems applied heuristics and static signatures to large volumes of log data to detect threats and anomalies. This meant, however, that analysts needed to know what normal log data should look like. Data was ingested and processed through the traditional extraction, transformation, and load (ETL) phase; the transformed data was read by machines and analyzed by analysts, who created signatures. The signatures were then evaluated by passing more data through them, and an error in evaluation meant rewriting the rules. Signature-based threat detection techniques, though well understood, are not robust, since signatures have to be created on the fly as data volumes grow.
The only path out of this quandary is to find solutions that enable threat hunters to hunt faster and more effectively. To allow hunters to do machine-assisted hunting, we need to automate the data mining process. Organizations need to let machines do what they are good at—mining through terabytes of data at machine speed. With this assistance, hunters can trigger hunts based on interesting IoCs and behaviors, enabling them to hunt an order of magnitude more than they can today. Adding machine assistance to aid human hunters will help organizations gain visibility into all of the attackers' steps: every lateral movement, every use of living-off-the-land binaries, and every persistence technique employed, ultimately showing the attackers' complete footprint across the entire environment.
Attackers are beginning to shift dynamically on the fly; for example, they no longer require an employee to click a phishing email to gain access to data. Next-generation attacks can execute from previews, shut off antivirus systems, escalate privileges, and even disable logs to hinder detection. Looking ahead, it is crucial for organizations and Managed Security Service Providers (MSSPs) not only to prioritize the threat-hunting process in order to look for sophisticated threats, but also to equip the hunt team with machine-assisted hunting tools that will enable them to be as effective as possible.
Cybersecurity is a growth industry, and in our experience, there is a severe skills shortage in hiring cybersecurity professionals. This is especially true of Security Operations Center (SOC) analysts, who are tasked with analyzing large datasets on a daily basis. These SOC analysts are a “rare breed” with highly analytical skills to detect anomalies and to discard large sets of “false positives.” These false positives (estimated to be in excess of 98% of all security alerts) drain a majority of the investigative resources. It is inconceivable to achieve the preceding level of insight with human effort alone. The secret weapon is artificial intelligence (AI) and the advances in machine learning (ML) algorithms. SOC operators use machine learning extensively to reduce manual effort, reduce wasted effort on false positives, and speed up detection in combating cybercrime.
This section discusses how threat hunting will evolve. Organizations and MSSPs can look into these technological trends and build their capabilities for more effective hunting in the future:
There are numerous definitions of AI, and a simple Internet search will turn up many interpretations. As an academic and a researcher, I have always found that the following definition of AI resonates with me. In essence, AI is the ability to provide:
AI is also often used interchangeably with the term machine learning (ML). ML is the ability to identify objects and data, such as files, images, etc., and to get better (or learn) as more diverse datasets are provided.
Machine intelligence approaches use machine learning that adapts and learns over time, reacting not only to evolving threats but also to human/analyst input as new insights are gleaned. Because threats evolve so rapidly, it's critical not to engage in a hunt with an outdated set of tools that will miss emerging threats. Additionally, machine intelligence can be used to consolidate a great deal of human-curated intelligence into robust, simplified machine-curated intelligence. Even though expert analysis is often required for intuition-based work, machine intelligence can help comb through large volumes of human intelligence or use human-defined frameworks to speed up the application of expert insight. This can alleviate the labor load on the human analyst, allowing them to focus only on tasks that demand their more complex thinking.
There are a number of ML algorithms, and deep learning is a further subset of AI. We will specifically concentrate on ML advances in this chapter. The following are some examples of leveraging ML in the fight against cybercrime:
As mentioned earlier, false positives are the largest roadblock to attack disruption. The majority of Security Operations Centers (SOCs) are simply overloaded with false-positive security signal data, preventing (or at minimum distracting) resources from combating the “real threats.” As per Figure 9.1, the traditional SOC approach has been for security professionals to hand-craft rules to combat impending threats. However, these static rules do not adapt to changes in their environment. Specifically, they do not adapt to changing attack vectors and the introduction of new malware. SOC analysts are also exposed to large volumes of data. For example, some of our Azure services generate an estimated 1000+ API calls a minute. Such high-dimensional data is very challenging for a SOC analyst to visualize and to spot the outliers in.
ML is helping us address these challenges. ML has the ability to retrain itself, adapting to new environments as new data is provided. Providing relevant and actionable large datasets is the key success factor here. These large datasets include industry threat-hunting research alerts, domain expert alerts, customer feedback alerts, labels from other product groups (AWS CloudTrail logs, O365, Windows Defender ATP, Azure, etc.), red team exercises, automated attack bots, and Bug Bounty programs. The combination of all these rich datasets enables us to successfully minimize the false positives and “give back more time” to SOC analysts. Hence, they can target and eradicate the real threats without drowning in a sea of security alerts.
Machine intelligence can identify potential malicious software by applying machine learning such as deep learning models that review and inspect the full software binaries. These models can detect actions that can be characteristic of malicious software and send them off for further review.
As the model reviews more software, the malware detection capability will continue to learn and detect other similar new attacks as well as completely new malware attacks that would be exposed as anomalies.
These approaches have the potential to catch malware variants and zero-day attacks that traditional signature-based approaches will never detect. By no means are we suggesting eliminating a traditional antivirus from your security stack, but rather expanding your arsenal to achieve greater detection coverage.
Cyber risk scoring uses context-defined predictive analytics to provide quantitative, data-driven outputs, allowing organizations to prioritize and focus remediation activities on network areas that are exposed to the greatest risk. As information systems increase in number and connectivity, the attack surfaces in need of strategic and informed cyber defense grow exponentially. The growing connectivity among information systems creates increased opportunities for adversaries to take advantage of cyber vulnerabilities, disrupting strategic missions, key systems, and critical infrastructure. Not only are there more ways to enter and exploit an organization's systems, but adversaries are becoming increasingly creative and innovative in their attack design.
By driving cyber risk assessments with machine learning instead of domain expert interpretation, risk scores are entirely data-driven and quantitative. These scores can offer both precise point estimates of scaled risk as well as data-driven uncertainty bounds around these scores to better inform decision makers.
Additionally, models can score vulnerabilities and exploit opportunities efficiently and at scale, covering the landscape of known risk in a matter of hours rather than days, weeks, or months.
Paul Lipman says that quantum computing is based on quantum mechanics, which governs how nature works at the smallest scales. The smallest classical computing element is a bit, which can be either 0 or 1. The quantum equivalent is a qubit, which can also be 0 or 1 or in what's called a superposition—any combination of 0 and 1. Performing a calculation on two classical bits (which can be 00, 01, 10, and 11) requires four calculations. A quantum computer can perform calculations on all four states simultaneously. This scales exponentially: 1,000 qubits would, in some respects, be more powerful than the world's most powerful supercomputer.
The promise of quantum computing, however, is not speeding up conventional computing. Rather, it will deliver an exponential advantage for certain classes of problems, such as factoring very large numbers, with profound implications for cybersecurity.
According to the Quantum Exchange, a leading research body, quantum computers are predicted to solve problems that are far too complex for classical computers. This includes defeating the algorithms behind the encryption keys that protect data and the Internet's infrastructure. Much of today's encryption is based on mathematical problems that would take today's computers an impractically long time to solve. To simplify this, think of two large prime numbers and multiply them together. It's easy to come up with the product, but much harder to start from the product and factor it back into its two primes. A quantum computer, however, can factor those numbers efficiently and break the code. Peter Shor developed a quantum algorithm (aptly named Shor's algorithm) that factors large numbers far more quickly than a classical computer can. Since then, scientists have been working on developing quantum computers that can factor increasingly larger numbers.
As the pace of quantum research continues to accelerate, though, the development of such a computer within the next three to five years cannot be discounted. As an example, according to MIT Technology Review, a 20 million-qubit computer could break 2048-bit encryption in 8 hours. What that result means is that continued breakthroughs like this will keep pushing the timeline up. According to Paul Lipman, quantum computing is expected to transform cybersecurity in the following key areas:
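To make the asymmetry concrete, here is an added example (not from the original text or any of its cited sources) in Python: a textbook RSA keypair is built from two constructed small primes with one multiplication, while recovering the private key from the public modulus alone requires factoring it, done here by trial division whose cost grows with the square root of n. That factoring step is the one Shor's algorithm makes cheap on a quantum computer; the primes are deliberately tiny so the classical version finishes instantly.

```python
"""Added example: the multiply-vs-factor asymmetry behind RSA-style keys.
Key material here is constructed (tiny primes) so the demo runs instantly."""
import math


def is_prime(n: int) -> bool:
    """Deterministic trial-division primality test; fine for the small values used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def two_primes_below(bound: int) -> tuple:
    """Constructed key material: the two largest primes below `bound`."""
    found = []
    n = bound - 1
    while len(found) < 2:
        if is_prime(n):
            found.append(n)
        n -= 1
    return found[0], found[1]


def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Textbook RSA: one multiplication and one modular inverse. Returns (n, e, d).
    The private exponent d needs phi(n), which only someone who knows p and q can compute."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return n, e, pow(e, -1, phi)


def encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)


def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


def factor_by_trial_division(n: int) -> tuple:
    """Classical factoring of a product of two odd primes: (p, q, divisions_tried).
    Work grows with sqrt(n), i.e. exponentially in the bit length of n; this is the
    step Shor's algorithm makes cheap on a quantum computer."""
    tries, f = 0, 3
    while f * f <= n:
        tries += 1
        if n % f == 0:
            return f, n // f, tries
        f += 2
    raise ValueError("n has no small odd factor (prime or even)")


def recover_private_key(n: int, e: int) -> int:
    """Everything needed after factoring n is cheap: rebuild phi(n), recompute d."""
    p, q, _ = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    p, q = two_primes_below(1 << 16)          # 65521, 65519: constructed 16-bit primes
    n, e, d = make_keypair(p, q)
    msg = 424242
    assert decrypt(encrypt(msg, n, e), n, d) == msg
    print("private key recovered from public (n, e):", recover_private_key(n, e) == d)
    # Doubling the prime size roughly squares the trial-division effort.
    for bits in (8, 12, 16, 20):
        pp, qq = two_primes_below(1 << bits)
        _, _, tries = factor_by_trial_division(pp * qq)
        print(f"{(pp * qq).bit_length():2d}-bit n: {tries:>7} trial divisions")
```

Real keys use primes of roughly 1024 bits each, which puts trial division (and every known classical method) far out of reach; the loop at the end shows the growth curve that a quantum factoring algorithm would flatten.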
As the future versions of quantum computers would have the power to crack passwords simultaneously, future cyber-physical systems must incorporate quantum computing–resistant designs of data security.
Quantum computing promises to transform cybersecurity, but there are substantial challenges to address and fundamental breakthroughs still required to be made.
The most immediate challenge is to achieve sufficient numbers of fault-tolerant qubits to unleash quantum computing's computational promise. Companies such as IBM, Google, Honeywell, and Amazon are investing in this problem.
Quantum computers are currently programmed from individual quantum logic gates, which may be acceptable for small quantum computers, but it's impractical once we get to thousands of qubits. Companies like IBM and Classiq are developing more abstracted layers in the programming stack, enabling developers to build powerful quantum applications to solve real-world problems.
Arguably, the key bottleneck in the quantum computing industry will be a lack of talent. While universities churn out computer science graduates at an accelerating pace, there is still too little being done to train the next generation of quantum computing professionals. It will take efforts from governments, universities, industry, and the broader technology ecosystem to enable the level of talent development required to truly capitalize on quantum computing.
The quantum revolution is upon us. Although the profound impact of large-scale fault-tolerant quantum computers may be a decade off, near-term quantum computers will still yield tremendous benefits. We are seeing substantial investment in solving the core problems around scaling qubit count, error correction, and algorithms. From a cybersecurity perspective, while quantum computing may render some existing encryption protocols obsolete, it has the promise to enable a substantially enhanced level of communication security and privacy.
Organizations must think strategically about the longer-term risks and benefits of quantum computing and technology and engage in a serious way today to be ready for the quantum revolution of tomorrow.
The recent IDC report by MacGillivray and Wright (Worldwide Internet of Things Connectivity Forecast, 2017–2021, IDC, 2017) suggests that the next decade promises the universal democratization of connectivity to every device. Significant drops in the cost of connectivity mean that every form of electrical device—every child's toy, every household's appliances, and every industry's equipment—will connect to the Internet. This Internet of Things (IoT) will drive huge economic efficiencies; it will enable countless innovations as digital transformation reaches across fields from childcare to eldercare, from hospitality to mining, from education to transportation. Although no person can foresee the full impact of universal device connectivity, anticipation of this new frontier is widespread.
The Internet of Things can be used to interconnect various physical devices as well as virtual objects that can be accessed through the Internet. IoT is rapidly growing and changing our lives. There has been a massive surge in the use of IoT devices, mainly in the home and manufacturing sectors. IoT has penetrated every aspect of our lives; everything from your water sprinkler to your security system is connected to the Internet. With the overwhelming number of new technologies popping up every day, IoT security often tends to be overlooked, which makes the users of these devices particularly vulnerable to security threats.
IoT creates a network of physical objects whose data is stored in the cloud. The devices connect to the surrounding objects and the extensive data around them. Since the data is being passed back and forth among thousands of devices, hackers are just one vulnerability away from exploiting all of your personal data stored on the network. This may not appear to be a major risk when your home automation system and other IoT devices store negligible personal information. However, IoT devices may include a camera or microphone, and if they are compromised, hackers can monitor all your movements, leading to a breach of privacy and exfiltration of personal information. Cisco analysts estimated that more than 50 billion devices were connected to the Internet in 2020. This quantity is far more than the number of people on the planet, and it only emphasizes the scale of this vulnerability and the urgency needed to tackle the issue.
According to Cybervie research, nearly 70% of IoT devices are riddled with serious vulnerabilities. Protecting organizations and individuals against the increasing risks isn't going to be easy, but we can't afford to have so many exposed weaknesses waiting to be exploited. First, one needs to be aware of the threats one is facing. The Open Web Application Security Project (OWASP) has provided us with the Internet of Things Project, which highlights the key susceptible areas. The project explains the vulnerabilities as well as discussing prevention. The list is as follows:
Many good security practices have been considered in theory. These include using secure protocols, using a VPN, using identity management, and providing timely updates and patches for the gadgets. The Cybervie research expands on how IoT devices can impact cybersecurity:
Even though most IoT security challenges are yet to be overcome, the industry has recognized these weaknesses in the devices. Fortunately, cybersecurity professionals are already adjusting to the new demands of this widespread network.
According to SimpliLearn, Deloitte recently outlined several key industries and market segments that are excelling at IoT utilization. The growing number of use cases is an indicator of not only how broad the impact of IoT is on society, but also how many entry points exist that hackers and cybercriminals can exploit. The list includes:
A key challenge in building security protocols for IoT is that there is a lack of standards available, thanks to the complexity of the IoT ecosystem and a huge number of devices from a wide range of vendors worldwide. The Department of Homeland Security's Science and Technology (S&T) Directive has recently created a set of best practices that enterprises can follow to secure their IoT systems. The directive breaks down security into three distinct segments:
With those basic guidelines in mind, companies are learning to tackle IoT security breaches with tangible new strategies, according to a recent list of solutions. Among the most effective strategies:
These core steps provide a roadmap that cybersecurity professionals can follow to create a comprehensive IoT security framework. Researchers have taken these concerns into account and attempted to create a universal framework to address IoT security. A draft NIST framework is currently being authored.
Here are a few typical attack types that can be launched against enterprise IoT systems:
MacGillivray and Wright have identified seven properties that must be shared by all highly secure, network-connected IoT devices. They are detailed here. These guidelines should be followed to reduce the IoT attack surface and minimize the attack vectors.
ForcePoint defines Operational Technology (OT) as hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprise. Gartner describes OT as common in Industrial Control Systems (ICS) such as a SCADA (Supervisory Control and Data Acquisition) system. In the world of critical infrastructure, OT may be used to control power stations or public transportation. As this technology advances and converges with networked technology, the need for OT security grows exponentially.
For many years, industrial systems relied on proprietary protocols and software, were manually managed and monitored by operators, and had no connection to the outside world. For this reason, they were a fairly insignificant target for hackers as there was no networked interface to attack and nothing to gain or destroy. The only way to infiltrate these systems was to obtain physical access to a terminal and this was no easy task. OT and IT integrated little and did not deal with the same kinds of vulnerabilities.
Today, it's a very different story, as we see more industrial systems brought online to deliver big data and smart analytics as well as to adopt new capabilities and efficiencies through technological integrations. Information Technology (IT) and Operational Technology (OT) convergence gives organizations a single view of industrial systems together with process management solutions that ensure accurate information is delivered to people, machines, switches, sensors, and devices at the right time and in the best format. When IT and OT systems work in harmony, new efficiencies are discovered, systems can be remotely monitored and managed, and organizations can realize the same security benefits that are used on administrative IT systems. This transition from closed to open systems has generated a slew of new security risks that need to be addressed.
As industrial systems become more connected, they also become more exposed to vulnerabilities. The high cost of industrial equipment and the devastation to communities and economies that an attack could generate are key factors for organizations looking to protect their industrial networks. Add legacy equipment, safety regulations that may prohibit any modifications being made to equipment, and compliance regulations that require sensitive data to be made available to third parties, and you have quite a challenge on your hands.
It is possible to secure industrial networks without disrupting operations or risking non-compliance. By using solutions that allow complete visibility of network control traffic and establishing the right security policies, you can put an effective OT strategy in place that will protect your processes, people, and profit and significantly reduce security vulnerabilities and incidents.
The decentralized communication system known as blockchain was first implemented to authenticate bitcoin transactions, but the technology has now emerged as a candidate for the future of cybersecurity. The most common challenges enterprises face with their existing systems include how easily those systems can be located and the multiple avenues available for hackers to attack and take over the system.
A blockchain is basically a decentralized, digitized, public ledger of all cryptocurrency transactions and uses what is known as distributed ledger technology. This could potentially help enhance cyber-defense, as the platform can prevent fraudulent activities via consensus mechanisms and detect data tampering, depending on its underlying characteristics of operational resilience, data encryption, auditability, transparency, and immutability.
Owing to their distributed nature, blockchains provide no “hackable” entrance or central point of failure and thereby provide more security when compared with various present database-driven transactional structures.
Blockchain technology can be used for a variety of reasons across a slew of industries. It helps prevent cyberattacks, data breaches, identity theft, and unfairness in title transactions, and makes sure your data is private and safe. This is only the beginning for blockchain. As a new technology, it's only going to get smarter and better.
Another traditional weakness is eliminated through blockchain's collaborative consensus algorithm. It can watch for malicious actions, anomalies, and false positives without the need for a central authority. One pair of eyes can be fooled, but not all of them. That strengthens authentication and secures data communications and record management.
Cybersecurity is one of the most fast-changing industries, one in which businesses are witnessing a new breed of threat almost every other day. Although the future of cybersecurity will always be unpredictable for global leaders, it is critical to prepare an assessment of possible threats and potential security innovations to maintain consistent customer and stakeholder trust.
The combination of block-building algorithms and hashing makes blockchain a great solution in the cybersecurity portfolio, enhancing data security when transactions of any kind of value are being processed in the distributed network. Blockchain is changing the cybersecurity solution space in several ways. After cloud computing and several other digital evolutions, it is common for organizations to use hundreds of applications (internal and cloud-based) for their business needs. This also raises the risk of data breaches for end users and organizations.
As per the new Breach Level Index (BLI) in 2017, more than 2.5 billion data records were compromised. As a result, it is expected that in the current digital age, comfort and flexibility will be overtaken by privacy and security. As has been clearly demonstrated, blockchain is all about providing data security and privacy for confidential information, and blockchain is likely to be a great attraction for several business applications to provide better security and privacy.
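As an added illustration (not code from the original text or from any blockchain project), the following Python hash chain shows the two properties this section relies on: hashing plus block-linking makes any edit to a past record detectable, and comparing several replicas of the ledger lets a majority expose a single rewritten copy. The audit-log records and node names are constructed for the demo.

```python
"""Added example: a minimal hash chain with tamper detection and a majority check
across replicas. Records and node names are constructed sample data."""
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(index: int, prev_hash: str, data: dict) -> str:
    """SHA-256 over the block's position, its back-link and its payload, so changing
    any of the three changes the hash."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records: list) -> list:
    """Link records into blocks; each block commits to the hash of the previous one."""
    chain, prev = [], GENESIS_PREV
    for i, rec in enumerate(records):
        h = block_hash(i, prev, rec)
        chain.append({"index": i, "prev": prev, "data": rec, "hash": h})
        prev = h
    return chain


def first_broken_block(chain: list):
    """Index of the first block whose stored hash or back-link no longer verifies;
    None when the whole chain is intact."""
    prev = GENESIS_PREV
    for blk in chain:
        if blk["prev"] != prev or blk["hash"] != block_hash(blk["index"], blk["prev"], blk["data"]):
            return blk["index"]
        prev = blk["hash"]
    return None


def copy_chain(chain: list) -> list:
    """Independent copy so a tampering experiment does not touch the original."""
    return [dict(blk, data=dict(blk["data"])) for blk in chain]


def majority_tip(replicas: dict) -> tuple:
    """Stand-in for consensus: the tip hash most replicas agree on, plus the dissenters."""
    votes = {}
    for name, chain in replicas.items():
        votes.setdefault(chain[-1]["hash"], []).append(name)
    agreed = max(votes, key=lambda h: len(votes[h]))
    dissenters = sorted(n for h, names in votes.items() if h != agreed for n in names)
    return agreed, dissenters


if __name__ == "__main__":
    records = [  # constructed audit-log entries
        {"user": "alice", "action": "login", "ts": 1},
        {"user": "bob", "action": "read:payroll", "ts": 2},
        {"user": "bob", "action": "export:payroll", "ts": 3},
    ]
    honest = build_chain(records)
    print("intact chain:", first_broken_block(honest))           # None

    # 1) Edit a past record in place: its own hash no longer matches.
    tampered = copy_chain(honest)
    tampered[1]["data"]["action"] = "read:cafeteria-menu"
    print("edit only:", first_broken_block(tampered))             # 1

    # 2) Also recompute that block's hash: the next block's back-link now fails.
    tampered[1]["hash"] = block_hash(1, tampered[1]["prev"], tampered[1]["data"])
    print("edit + rehash:", first_broken_block(tampered))         # 2

    # 3) Rewrite an entire replica consistently: the other replicas outvote it.
    rewritten = build_chain([blk["data"] for blk in tampered])
    print(majority_tip({"node-a": honest, "node-b": honest, "node-c": rewritten}))
```

Case 3 is where a single replica is no defense at all, which is the point of the consensus argument above: only the comparison across independent copies reveals the rewrite.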
As discussed in the first chapter, the human element in threat hunting is foundational and one of the critical success factors. Threat hunting will continue to demand highly skilled and very experienced resources. And since these resources are hard to find, it seems like a lucrative upsell for managed services providers to offer “Threat Hunting as a Service.” Today there are many players in the market that provide Threat Hunting as a Service.
More service providers are getting ready to capitalize on the market potential. Some of them offer Endpoint Detection and Response (EDR) products, which have great overlap with threat-hunting tools, since they can detect and analyze whatever happens on the endpoint. As such, EDR companies, which are under great pressure to differentiate, are likely to offer “hunting modules” to complement “regular” EDR functions.
SIEM (Security Information and Event Management) is likely the reason that customers need threat-hunting tools in the first place. As a centralized platform, SIEM should have all information logs “hiding” indicators of compromise. Yet regular SIEM systems are not flexible enough to conduct true hunting operations. Product vendors will add incremental capability to their existing SIEM automation platform, which will allow analysts to build any type of complex query from any data source.
If threat hunting will become a product category of its own, do hunters really need dedicated tools to conduct their operations?
Since threat hunting is mostly about sifting through communication data, it will be no surprise that network traffic analysis tools are offered as threat-hunting tools. Product vendors and services providers with a deep understanding of network traffic behavior can offer threat hunting as a by-product of their platform.
Policymakers and authorities may consider providing threat-hunting guidelines for organizations to set forth a structured and cyclic program of monitoring organizational activity longitudinally (from the organization to the outside world) and laterally (inside the organization). They can provide guidelines for leveraging external intelligence, best practices for analyzing and correlating information, and a consistent approach to responding to threats, whether they were actually spotted in the context of the threat-hunting activity or as a preparatory measure for blocking them before they occurred.
Imagine having visibility into threats across all your resources, AI that stitches signals together and tells you what's most important, and the ability to respond swiftly across the organization. With SIEM and extended detection and response (XDR), defenders can be armed with all the context and automation needed to stop even the most sophisticated, cross-domain attacks.
https://www.linkedin.com/pulse/how-artificial-intelligence-advances-prevents-dr-chris-peiris/
https://www.forbes.com/sites/forbestechcouncil/2021/01/04/how-quantum-computing-will-transform-cybersecurity/?sh=5353b6a7d3fb
https://www.marketresearch.com/IDC-v2477/Worldwide-Internet-Things-Connectivity-Forecast-10730165/
https://www.businessinsider.com/iot-business-opportunities-models?r=AU&IR=T
https://www.cybervie.com/blog/cybersecurity-challenges-iot/
https://www.simplilearn.com/iot-cybersecurity-article
https://www.phishingbox.com/news/phishing-news/internet-security-threat-report-irst-2019
https://www.securitymagazine.com/articles/90793-cybersecurity-and-the-internet-of-things
https://www.forcepoint.com/cyber-edu/ot-operational-technology-security