Recently, Hold Security, a firm in Milwaukee, announced that a Russian crime ring had stolen 1.2 billion user credentials and 500 million e-mail addresses from 420,000 websites. According to an article by the New York Times, if true, the cyber-heist would be the largest in history.
Hold Security did not name the victims of the attack, citing nondisclosure agreements with victim companies.
In the face of attacks like this, it would be nice if Chief Information Security Officers (CISOs) had a crystal ball to keep their networks safe. But that's not really necessary. Attacks like this are as defensible as they are inevitable when two emerging practices are combined: threat intelligence and outcome-based cybersecurity.
Outcome-based security is a management approach that measures the success of a security program against a desired outcome defined up front, stated in terms that can be measured (for example, "no critical vulnerability remains open on an internet-facing system for more than 30 days"). Data from automated scanning and monitoring is then tracked and evaluated to determine whether that outcome has been achieved, which makes security teams and asset owners accountable for the result rather than for activity.
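The following is an added example, not code from the original article: it evaluates one hypothetical outcome ("no critical finding on an internet-facing asset stays open past a 30-day SLA") against a constructed scanner export and reports the result per asset owner. The `Finding` fields, the sample data and the `TODAY` date are assumptions made for the example.

```python
"""Check an outcome against scan data, per asset owner (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical outcome: no critical finding on an internet-facing asset may
# remain open longer than SLA_DAYS. Both the scope and the threshold are
# assumptions for this example.
SLA_DAYS = 30
TODAY = date(2014, 8, 8)  # constructed "as of" date for open findings


@dataclass(frozen=True)
class Finding:
    asset: str
    owner: str
    severity: str
    internet_facing: bool
    first_seen: date
    closed: Optional[date]  # None while the finding is still open


# Constructed sample of what a parsed scanner export might contain.
SAMPLE = [
    Finding("web-01", "app-team", "critical", True, date(2014, 6, 1), date(2014, 6, 10)),
    Finding("web-02", "app-team", "critical", True, date(2014, 6, 1), None),
    Finding("db-01", "data-team", "critical", False, date(2014, 5, 1), None),
    Finding("vpn-01", "infra-team", "high", True, date(2014, 7, 1), None),
    Finding("vpn-01", "infra-team", "critical", True, date(2014, 7, 20), None),
]


def in_scope(f: Finding) -> bool:
    """Only findings the outcome statement actually covers are counted."""
    return f.severity == "critical" and f.internet_facing


def age_days(f: Finding, today: date) -> int:
    """Time-to-close for closed findings, current age for open ones."""
    end = f.closed or today
    return (end - f.first_seen).days


def evaluate(findings, today: date = TODAY) -> dict:
    """Per owner: in-scope findings, how many met the SLA, and the assets
    that breached it. Owners with no in-scope findings do not appear."""
    report: dict = {}
    for f in findings:
        if not in_scope(f):
            continue
        entry = report.setdefault(f.owner, {"total": 0, "within_sla": 0, "breaches": []})
        entry["total"] += 1
        if age_days(f, today) <= SLA_DAYS:
            entry["within_sla"] += 1
        else:
            entry["breaches"].append(f.asset)
    return report


def outcome_met(findings, today: date = TODAY) -> bool:
    """The outcome is achieved only when no owner has a breaching asset."""
    return all(not e["breaches"] for e in evaluate(findings, today).values())


if __name__ == "__main__":
    for owner, entry in evaluate(SAMPLE).items():
        print(owner, entry)
    print("outcome met:", outcome_met(SAMPLE))
```

Note that the closed finding on web-01 counts toward the owner's result by its time-to-close, while the still-open one on web-02 is measured by its age as of the reporting date; the high-severity and internal findings are simply out of scope, so the report is driven by the outcome statement rather than by raw finding counts.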
The concept of outcome-based security is finding acceptance in both the public and private sectors. The Government Accountability Office, the auditing arm of the U.S. Congress, has recommended that the Department of Homeland Security (DHS) and its partners develop outcome-oriented measures for the communications sector. Such measures would give federal decision makers additional insight into how effective protection efforts for communications networks and the Internet actually are.
We use outcome-based cyber security to achieve specific results. It helps us understand what inputs have to change to achieve a desired outcome. But identifying and achieving a desired outcome also requires threat intelligence.
Threat intelligence is what ties together experienced staff, detection and remediation technology, and your cybersecurity processes and procedures. It helps you understand your attackers, which is essential to staying ahead of them.
Threat intelligence coupled with outcome-based cybersecurity can provide that "crystal ball." Understanding your own goals and the goals of your attacker helps you find the best way to stop them.
If you're in Oil and Gas, the target might be production-level data. If you're in healthcare, it might be access to patient records or payment information. Whatever the target, knowing the attacker's goal helps you understand the multiple steps an Advanced Persistent Threat must take to reach it. The Cyber Kill Chain, the backbone of Lockheed Martin's Intelligence-Driven Defense (IDD), breaks an intrusion into seven phases (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives) and identifies, at each phase, where the attacker can be stopped short of that goal.
When using IDD, you may choose to let attackers proceed through several phases while monitoring them, rather than blocking at the first alert, so you can analyze their actions and learn the possible outcomes or options of the attack before stopping them. This is a deliberate trade-off: it only makes sense where the exposure is contained and a control exists at the phase where you intend to intervene. It also builds situational awareness.
Situational awareness is about gathering as much information as possible about the attackers, your own systems and the environment in which they operate. Where in the world are the attackers coming from? What steps did they take to get through each layer of security? What technology and methodologies are they employing? What are they trying to exploit? And how can we predict their next move and control the outcome of their attack?
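As an added example (not code from the article or from Lockheed Martin's IDD program), the block below tags a constructed alert timeline with Cyber Kill Chain phases, finds the earliest phase at which a "deny" course of action exists, and splits the alerts into those to observe for intelligence and those to act on, given a chosen interruption phase. The alert kinds, the phase mapping and the control inventory in `COURSES` are all assumptions made for the example; the detect/deny/disrupt/degrade/deceive vocabulary is Lockheed Martin's courses-of-action terminology.

```python
"""Kill-chain tagging and intervention planning over constructed alerts."""
from dataclasses import dataclass

PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Hypothetical mapping from an alert kind to the kill-chain phase it evidences.
PHASE_OF = {
    "web_scan": "reconnaissance",
    "phish_email": "delivery",
    "macro_exec": "exploitation",
    "new_service": "installation",
    "beacon": "command_and_control",
    "bulk_db_read": "actions_on_objectives",
}

# Hypothetical inventory of courses of action per phase (assumption for the
# example; a real matrix is built from the controls you actually operate).
COURSES = {
    "reconnaissance": {"detect": "web analytics"},
    "delivery": {"detect": "mail gateway", "deny": "attachment filter"},
    "exploitation": {"detect": "EDR", "deny": "macro policy"},
    "installation": {"detect": "EDR", "deny": "application allowlist"},
    "command_and_control": {"detect": "proxy logs", "deny": "egress filter",
                            "deceive": "sinkhole"},
    "actions_on_objectives": {"detect": "DB audit log"},
}


@dataclass(frozen=True)
class Alert:
    ts: str
    source: str
    kind: str
    detail: str


# Constructed intrusion timeline, stopped before actions on objectives.
TIMELINE = [
    Alert("2014-08-01T09:12", "waf", "web_scan", "directory brute force from 203.0.113.7"),
    Alert("2014-08-02T14:03", "mailgw", "phish_email", "invoice.doc sent to finance@"),
    Alert("2014-08-02T14:10", "edr", "macro_exec", "winword.exe spawned powershell.exe"),
    Alert("2014-08-02T14:11", "edr", "new_service", "service 'WinUpdate' registered"),
    Alert("2014-08-02T14:15", "proxy", "beacon", "POST every 60s to 198.51.100.9"),
]


def observed_phases(alerts):
    """Kill-chain phases evidenced by the alerts, in chain order."""
    seen = {PHASE_OF[a.kind] for a in alerts}
    return [p for p in PHASES if p in seen]


def earliest_deniable(alerts):
    """Earliest observed phase where a 'deny' control exists, or None."""
    for phase in observed_phases(alerts):
        if "deny" in COURSES.get(phase, {}):
            return phase
    return None


def blind_spots():
    """Phases with no detect control at all: intelligence gaps to close."""
    return [p for p in PHASES if "detect" not in COURSES.get(p, {})]


def triage(alerts, interrupt_at):
    """Split alerts into (observe, act): everything before interrupt_at is
    watched for intelligence; everything from interrupt_at on is blocked.
    Refuses a phase where no deny control exists, since you cannot stop
    the attacker there."""
    if "deny" not in COURSES.get(interrupt_at, {}):
        raise ValueError(f"no deny control at phase {interrupt_at}")
    cut = PHASES.index(interrupt_at)
    observe = [a for a in alerts if PHASES.index(PHASE_OF[a.kind]) < cut]
    act = [a for a in alerts if PHASES.index(PHASE_OF[a.kind]) >= cut]
    return observe, act


if __name__ == "__main__":
    print("phases seen:", observed_phases(TIMELINE))
    print("could have denied at:", earliest_deniable(TIMELINE))
    print("blind spots:", blind_spots())
    observe, act = triage(TIMELINE, "command_and_control")
    print(len(observe), "alerts observed,", len(act), "to act on")
```

Run against the constructed timeline, the intrusion could have been denied as early as delivery, and choosing to interrupt at command and control instead leaves four earlier alerts purely for analysis; the empty entry for weaponization shows up as a blind spot, which is exactly the kind of gap situational awareness is meant to surface.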
Outcome-based cybersecurity lets us act proactively, defining our own goals regardless of where the threats are coming from.