Orchestration

One of the pain points in cybersecurity is the protections are always choosing the "best of breed" technology. This is fine except each technology has its own protection management tool, GUI, dashboard. As as result, SOC or IR personnel will need to dive into each cyber protection solution and analyze time of sequence event. Orchestration technology is available to consolidate logs from various log sources to make life easier. However, cautions must be exercised: Are extra investment or recurring operating costs properly funded and ready? The ROI might result into workforce reduction to justify the deployment. That means some one might lose the job. How are the integration done? Will this breach network zoning? Last but not the least, how to validate the solution is successfully deployed as a means of acceptance criteria. ...
Read More

Proper Usage #2

Security Boundary Every system has its own weakness and limitation. We can't build a total secure system practically unless it is on the shelve without any usage value. There is always the need to assess the risks to opt for optimal security controls. The key part is the "users" that they are expected to behave within the security boundary. Don't try to address ALL vulnerabilities because it is unwise and a never-ending story. Even if this is achievable, it is just a snapshot at a particular point in time. The proper approach is that Understand what are the inherent vulnerabilitiesWhat are the compensating controls surrounding the core system to reduce the likelihoodIf there are any alternate facilities to maintain the minimal business operations should bad things happen ...
Read More

Discovery

This is widely adopted in various process like: Asset discovery: to scan the network and take inventory of the components connected in the networkElectronic document discovery: to scan the network resources for automatic information classification and privacy complianceForensic eDiscovery: to collect cyber activities from the designated equipment uncovering the sequence of events No matter which application, the essential aspect is the correct use of the tool. Otherwise, incorrect or inaccurate information is captured that could incur undesirable consequence where decision will base upon. Training or certification for the competent person running the process will be the key. ...
Read More

Suspicious

It is common to see such directive in subway, airport, key facilities, incident respond playbook etc. The problem is different people have different interpretation of "suspicious". Take phishing attack as an example. Email is apparently sent from the one you know. Should it be suspicious? If so, there won't be so many successful cyber attacks originated from phishing to launch ransomware, data exfiltration or remote access trojan (RAT). Therefore, more needs to be done to elaborate what is "suspicious" to raise situational awareness. Of course, it is a challenge to include so many information in a sign board. If the facility is so critical, each personnel (staff, visitor, contractor) should be briefed the threat scenario (like the safety rules before the aircraft departure) while the signage is just a reminder of what has been briefed. ...
Read More

Visibility #2

Placing a warning sign will avoid facilities being damanged by mistake. But what about the info is misused by threat actor to launch attack? Sometime, deceptions or decoys are used to understand the behaviors of threat actors so that appropriate counter-measures are effectively developed and applied. Ultimately, it is then all about judgment. This is from both attacker and defender perspective Whether the accessed resources are traps, orWhether the unusual activities are camouflage covering other malicious intend. Life becomes harder and harder. ...
Read More

Policies #3 (From Directive to Enforcement)

1. Use case Authenticate the user of parking is "Aliens" status, a yes/no decisionGrant usage durationDisclaim loss/damage responsibilities 2. Enforcement If yes: allowIf not: rejectIf violate: consequence 3. Somehow, vulnerabilities exist: Identity provider is compromised Method of authentication is circumventedResult of authentication is manipulatedBarrier to the authorized resource (parking lot) fails and being bypassed without authentication 4. Consequence: False negative: non-alien is mistaken as alien for fraudulent useFalse positive: genuine alien is mistaken as non-alien resulting into denial of service 5. Counter-measure: Protect identity providerSecure communication from end point to identity providerEnsure authentication result integrityConduct periodic system health-checkPerform regular patrol of parking lotPost terms of use and consequence of violation (e.g. tow away at vehicle owner's expense) ...
Read More

Preparedness

No doubt, we do have deployed and sustained protection as counter-measure against cyber threats.  However, the cyber threat landscape is always evolving - new trick, zero-day exploit, Advanced Persistent Threat (APT) are there and we don't know what we don't know. In this regard, we must assume our system or infrastructure shall be compromised.  It is just a matter at what time this happens. To deal with the worst scenario, we have to get well prepared beforehand.   Things like: Establish directive to trade off between service resumption or digital evidence preservation Determine dependency of resuming service in alternate facility though in degraded level Streamline philosophy of containment to minimize damage due to cyber attack Maintain contact info as well as reliable and trusted communication channel among key personnel during emergency situation Prepare Line-To-Take templates to simplify the job for PR Most importantly, Human safety and environment protection should be the first priority Regular drill to validate the readiness and find ways to improve ...
Read More

Mistaken Identity

This is to attack trust based on some one you know. In physical world, this is harder as you will recognize the person by appearance unless via impersonation like those in "Mission Impossible". In cyber world, email and social network ID are easier for spoofing, not-to-mention compromised identity are on sales in the dark web. Therefore, Part-1: protect your cyber identity.  Even if you consider such cyber identity doesn't harm yourself, it could cause collateral damage to those who know you Part-2: now, you are cautious about your cyber identity.  Establish preparedness to manage the situation when you suspect your cyber identity is compromised for malicious intention Part-3: from a 3rd party perspective, when you receive "unusual" request(s) from cyber identity for those you know or appeared as legitimate, validate their request(s) via other trusted communication channels (like phone call, or official web link) ...
Read More

Incident Respond #2

Respond is 1 of the 5 domains under the NIST CyberSecurity Framework along with Identify, Protect, Detect and Recover. It is also generally understood the importance of IR in the industry because "it is not a matter of if but when your system is compromised".  Promptly respond to incident could trigger the required recovery actions to minimize business interruption. The hard part is that you'll never know if the response will work in real life even though there are regular drills to opt for continuous improvement.  This is like the air-bag in your car - you only know if it serves the purpose when triggered....
Read More

Incident Respond

Organizations usually invest substantially to manage and mitigate cyber attack with the detection technologies like log correlation and SOC (Security Operation Center) establishment plus comprehensive process of detailed respond to cyber threat scenarios with surprised drills etc. Not doubt, this will uplift the organization capacity and demonstrate due diligence has been exercised to deal with cyber attacks to stakeholders. On the other hand, cyber is just one of the failure or attack scenarios.  Like fire incident, it might be due to human negligence (left burning cigarette unattended), natural disaster (strike by lightning) or cyber attack (S01E04 Fire Code - vulnerable printer firmware).  No matter how, isolation to contain threat and promptly recovery to resume are required whether cyber or not. Resource (both skill set and manpower) in real life is always limited and should be put on recovery then drive from this end what is required for service resumption meeting recovery time objective.  And don't forget the TCO (Total Cost Ownership) involved to sustain...
Read More