Week 2 CYBR650 Blog - Assessing your Threats
Properly Assessing Current Threats
(Image retrieved from Kaspersky Cyber Threat Real-time Map: https://cybermap.kaspersky.com/)
I had some great feedback on one of my initial assignments from a fellow student today. I had mentioned that the deliverable from a process step would be a “Threat List”. This is easy to handwave when writing papers or speaking about high-level processes: sure, just go grab the threat list and see what could be attacking us. Well, it certainly isn’t that easy. A threat list is only as good as the date the snapshot was taken. The issue is that the landscape evolves, sometimes quickly.
When something devastating like WannaCry starts making the rounds, do you want to read about it a few days later? No chance. You need to know as soon as possible, because your risk management could be shot if a new exploit is circling the globe and you don’t know your enterprise’s vulnerability to it. Many steps have to be taken, sometimes quickly and decisively. First you have to understand what the new threat is: how it works, infects, and propagates. Second you have to assess whether you are at risk. Do you possess the systems it is attacking? Does your current security apparatus take measures to deny its infiltration? This isn’t easy; new malware can be extremely complex. At a bare minimum you will be running around updating your AV/HIPS/NIPS signature files, if they are available from the vendor. If you have any hunt capability you will also begin looking for the known footprint, if there is even a hash or string available to search for.
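The exposure check and footprint hunt described above, as an added example that is not part of the original post: a small Python script with a constructed advisory record (a hypothetical product name "ExampleShare", hashes computed from a constructed sample, and a made-up marker string) run against a constructed host inventory and a handful of constructed files. It goes slightly beyond the text by folding both checks into a single monitoring / quick-reaction / incident decision.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Advisory:
    """One entry of the 'threat list': what the threat targets and how to spot it.
    Every value used below is constructed for this example, not a real indicator."""
    name: str
    affected_product: str
    fixed_version: str                               # versions below this are vulnerable
    file_hashes: set = field(default_factory=set)    # SHA-256 hex digests of known samples
    strings: set = field(default_factory=set)        # byte strings seen inside samples

def parse_version(v):
    """'2.4.10' -> (2, 4, 10) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def exposed_hosts(inventory, adv):
    """'Do you possess the systems it is attacking?': hosts running the targeted
    product below the fixed version. inventory maps host -> {product: version}."""
    hits = []
    for host, software in inventory.items():
        ver = software.get(adv.affected_product)
        if ver is not None and parse_version(ver) < parse_version(adv.fixed_version):
            hits.append(host)
    return sorted(hits)

def hunt_footprint(files, adv):
    """'Looking for the known footprint': match each file's SHA-256 and contents
    against the advisory's indicators. files maps path -> bytes.
    Returns {path: [reasons]} for every file that matched something."""
    findings = {}
    for path, data in files.items():
        reasons = []
        digest = hashlib.sha256(data).hexdigest()
        if digest in adv.file_hashes:
            reasons.append("hash:" + digest[:12])
        for s in adv.strings:
            if s in data:
                reasons.append("string:" + s.decode(errors="replace"))
        if reasons:
            findings[path] = reasons
    return findings

def triage(inventory, files, adv):
    """Combine both checks into the monitoring / quick-reaction / incident decision."""
    exposed = exposed_hosts(inventory, adv)
    found = hunt_footprint(files, adv)
    if found:
        level = "incident"          # footprint present: start incident handling
    elif exposed:
        level = "quick-reaction"    # vulnerable but clean so far: patch, update signatures
    else:
        level = "monitor"           # not affected: keep watching the feeds
    return {"level": level, "exposed_hosts": exposed, "findings": found}

# --- constructed sample data (hypothetical product, hosts, files) -------------
SAMPLE = b"constructed sample binary -- EXAMPLE-MARKER-1 --"
ADVISORY = Advisory(
    name="Example worm (constructed)",
    affected_product="ExampleShare",
    fixed_version="3.0.0",
    file_hashes={hashlib.sha256(SAMPLE).hexdigest()},
    strings={b"EXAMPLE-MARKER-1"},
)
INVENTORY = {
    "web01": {"ExampleShare": "2.4.10"},   # below 3.0.0 -> exposed
    "web02": {"ExampleShare": "3.0.1"},    # already at a fixed version
    "db01":  {"OtherApp": "1.0"},          # does not run the targeted product
}
FILES = {
    "/srv/share/report.exe": SAMPLE,                               # exact known sample
    "/tmp/dropper.bin": b"repacked variant ... EXAMPLE-MARKER-1",  # new hash, same string
    "/home/user/notes.txt": b"meeting notes",                      # clean
}

if __name__ == "__main__":
    print(triage(INVENTORY, FILES, ADVISORY))
```

The repacked variant in the sample data is the reason the hunt checks strings as well as hashes: a hash only finds the exact sample the advisory was written from, while a string from the sample survives trivial repacking. The ordering in `triage` also reflects the text: a matched footprint outranks mere exposure, because at that point the question is no longer whether you are at risk.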
So, yes, there is a lot to do. The larger point is that you have to know when to go from security monitoring to quick reaction and/or incident handling. You can’t do this without intelligence. Without maintaining real-time situational awareness, you are looking for a needle in a stack of needles. With intelligence you at least have a chance.
A good strategy is probably to categorize how you want to receive information. I would start by looking at long-term and large-scale trends. There are many organizations that can provide this kind of snapshot, but throughout this program I have consistently gone back to the Verizon Data Breach Investigations Report. It looks at successful attacks over the past year, giving insight into trends and data as they actually impacted organizations. This information is important because it clues you into what is actually working for attackers, and it gives you perspective on large-scale shifts in the environment so you can prepare your defenses and update your threat lists.
From there it is good to have some daily reading. These are sites you should probably subscribe to, and read whenever you are able.
US-CERT (https://www.us-cert.gov/ncas/current-activity): updated multiple times daily with high-impact security incidents.
Threatpost (https://threatpost.com/): updated very often with fairly detailed analysis of the threat landscape. Each article offers some insight and opinion, which is sometimes good to read after reviewing the same material on the government-run pages.
Dark Reading (https://www.darkreading.com/vulnerabilities-threats.asp): I have used Dark Reading many times to read up on security concepts. It has a strong community and is updated quite often with current threats and security concept articles.
Exploit Database (https://www.exploit-db.com): another site that is updated daily with threats, organized by categories including remote, web application, privilege escalation, and denial of service exploits.
There are countless other resources that can be used. The idea is to find trusted resources through regular use; you can begin to ascertain which are more useful for your situation and which are more trustworthy. A final good resource is the vendor that provides your threat prevention products. For example, McAfee has a good threat center (https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard.html). Using multiple sources, such as government, security industry, and outside sources such as Threatpost or Dark Reading, can give you a well-rounded picture of the current threat environment.
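One way to keep the "a threat list is only as good as its snapshot date" point honest when pulling from several of these sources, as an added example that is not taken from the post or from any of the sites named: Python that parses constructed RSS 2.0 snippets (made-up titles, dates and example.invalid links standing in for a government feed and an industry feed), merges the same story seen on more than one source, stamps the list with the date it was built, and flags entries older than a chosen age as stale.

```python
from datetime import date
from email.utils import parsedate_to_datetime
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 snippets standing in for two of the daily-reading feeds.
# Titles, dates and links are made up for this example; example.invalid is a
# reserved domain that never resolves.
FEEDS = {
    "gov-alerts": """<rss version="2.0"><channel>
        <item><title>Example worm spreading via SMB</title>
              <pubDate>Fri, 12 May 2017 14:00:00 +0000</pubDate>
              <link>https://example.invalid/gov/1</link></item>
        <item><title>Example router flaw</title>
              <pubDate>Sun, 02 Apr 2017 09:00:00 +0000</pubDate>
              <link>https://example.invalid/gov/2</link></item>
    </channel></rss>""",
    "industry-news": """<rss version="2.0"><channel>
        <item><title>Example Worm Spreading via SMB</title>
              <pubDate>Sat, 13 May 2017 08:30:00 +0000</pubDate>
              <link>https://example.invalid/news/1</link></item>
        <item><title>Example phishing kit update</title>
              <pubDate>Wed, 10 May 2017 16:00:00 +0000</pubDate>
              <link>https://example.invalid/news/2</link></item>
    </channel></rss>""",
}
AS_OF = date(2017, 5, 15)   # constructed "today" for the snapshot

def parse_feed(source, xml_text):
    """One record per <item>. RSS pubDate is RFC 822, so email.utils parses it."""
    records = []
    for item in ET.fromstring(xml_text).iter("item"):
        records.append({
            "title": item.findtext("title").strip(),
            "published": parsedate_to_datetime(item.findtext("pubDate").strip()).date(),
            "link": item.findtext("link").strip(),
            "source": source,
        })
    return records

def build_threat_list(feeds, as_of, max_age_days=30):
    """Merge the feeds into one dated threat list. A story carried by several
    sources is kept once (case-insensitive title) with its latest date and every
    source that ran it; entries older than max_age_days are flagged stale."""
    merged = {}
    for source, xml_text in feeds.items():
        for rec in parse_feed(source, xml_text):
            key = rec["title"].lower()
            entry = merged.get(key)
            if entry is None:
                merged[key] = {"title": rec["title"], "published": rec["published"],
                               "link": rec["link"], "sources": {source}}
            else:
                entry["sources"].add(source)
                if rec["published"] > entry["published"]:
                    entry["published"], entry["link"] = rec["published"], rec["link"]
    threats = []
    for entry in merged.values():
        entry["age_days"] = (as_of - entry["published"]).days
        entry["stale"] = entry["age_days"] > max_age_days
        threats.append(entry)
    # fresh before stale, corroborated by more sources first, then newest first
    threats.sort(key=lambda e: (e["stale"], -len(e["sources"]), e["age_days"]))
    return {"snapshot_date": as_of, "threats": threats}

if __name__ == "__main__":
    snapshot = build_threat_list(FEEDS, AS_OF)
    print("threat list as of", snapshot["snapshot_date"])
    for t in snapshot["threats"]:
        flag = "STALE" if t["stale"] else "     "
        print(f'{flag} {t["age_days"]:3d}d  {len(t["sources"])} src  {t["title"]}')
```

Two design choices carry the post's argument: the snapshot date travels with the list rather than living in someone's head, so a list handed to the next person can be judged for age at a glance, and the number of independent sources carrying a story is part of the ranking, which is the "multiple sources give a well-rounded picture" idea made mechanical.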