Every year, Las Vegas hosts what is colloquially referred to as “Hacker Summer Camp”: Black Hat and DEF CON, widely considered the premier security events for cybersecurity practitioners and the hacker community.
Security researchers presented on a multitude of topics; each had a well-defined question to answer or a specific problem to solve, and collected data and evidence within those boundaries. Organizations today have a multitude of cybersecurity problems to tackle, primarily because of the volume and variety of their attack surface. Consequently, organizations should address cybersecurity issues in the same specific and targeted manner. The data an organization can leverage to solve these issues may come from many places, but adding context and relevance helps prioritize which issues pose the greatest risk and, therefore, where the effort to address them should be focused.
With over 100 briefings, breakout sessions, and countless vendor demonstrations, key lessons on privacy, social and data-driven topics, and threat intelligence stood out.
The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018. Since then, the United States has followed suit with the California Consumer Privacy Act (CCPA), Nevada’s Senate Bill 220 (relating to Internet privacy), and similar legislation introduced in 11 other states. The current U.S. Congress is also considering drafting a first-ever federal privacy law that would provide a single, uniform standard across states.
So why the focus on privacy now? Privacy advocates and lawmakers point to the Facebook/Cambridge Analytica scandal as the tipping point for the introduction of new legislation, and if we step back and look at the players involved, we can broadly group them into privacy, data, and social media buckets.
Researchers presenting at Black Hat demonstrated that these new privacy laws are themselves exploitable, because of ambiguity in interpretation, difficulty of enforcement, and, as is common with security flaws, human involvement. By socially engineering the people who process requests, the researchers obtained highly sensitive data through the very mechanism the laws prescribe: the Right of Access, under which an individual (the data subject) can request the information an entity (the controller) holds about them. The practical lesson for controllers is that an access request is an authentication problem: the requester’s identity must be verified to a standard commensurate with the sensitivity of the data before anything is released.
Social media platforms have transformed how people consume information. The speed at which information propagates, combined with the platforms’ broad and pervasive reach, has enabled entities (individuals, businesses, political parties) to use them to drive behavioral change.
In one briefing, researchers presented evidence and data collected over a four-year period to demonstrate how social media platforms are manipulated through bots and malware for significant financial gain. They started with network traffic analysis of malware behavior and traced the command-and-control communications to entities that sold fake social media followers to inflate activity around accounts. The researchers further showed that these accounts communicated through network infrastructure potentially owned by nation-state threat actors.
The researchers also presented findings on using the mechanics of social media and data patterns to alter individuals’ behavior in order to improve an organization’s security posture. They showed that, using data, the behavior behind frequent security incidents could be identified, and that presenting this data through a “social proof” approach (showing people what their peers do) produced measurable improvements in security behavior.
Threat intelligence is information and data that has been collected, evaluated, and analyzed together with its context and an assessment of its reliability. It turns seemingly random data points into a story. By extension, Cyber Threat Intelligence (CTI) helps organizations understand risk in terms of who the adversaries are, how they operate, and what to look for to determine whether an adversary is planning to target, or is already active in, the organization.
While new tools for collecting and presenting threat intelligence data were demonstrated, the key lesson was that collecting good, robust data (normalized, from credible sources) combined with in-depth analysis is what makes CTI relevant and usable. Organizations that can effectively leverage CTI are much better positioned to respond to existing threats and anticipate emerging ones. Threat intelligence starts with good data collection and ultimately gives organizations data-backed decision support for addressing risk.
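To make the “normalized, credible sources” point concrete, the following added example (not code from the original article or from any tool presented at the conference) merges indicators from three constructed feeds that use different field names, casing and defanging conventions, then scores each indicator by source reliability, the feed’s own confidence and how many independent sources corroborate it. The feed names, records and reliability values are assumptions invented for illustration.

```python
"""Normalize and score indicators from several heterogeneous CTI feeds.

Added example, not from the original article. Feed names, records and
reliability values below are constructed assumptions for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumed per-source reliability (constructed; loosely modelled on an
# Admiralty-style scale where 1.0 is "completely reliable").
SOURCE_RELIABILITY = {
    "vendor_feed": 0.9,
    "isac_share": 0.8,
    "paste_scrape": 0.3,
}

# Constructed sample feeds with inconsistent schemas, case and defanging.
RAW_FEEDS = {
    "vendor_feed": [
        {"type": "domain", "value": "Evil-C2.Example", "confidence": 80},
        {"type": "ipv4", "value": "203.0.113.10", "confidence": 70},
    ],
    "isac_share": [
        {"indicator": "evil-c2[.]example", "kind": "fqdn", "conf": "high"},
        {"indicator": "hxxp://evil-c2[.]example/gate.php", "kind": "url", "conf": "medium"},
    ],
    "paste_scrape": [
        {"ioc": "203[.]0[.]113[.]10"},
        {"ioc": "198.51.100.7"},
    ],
}

# Word-valued confidence used by some feeds, mapped onto 0..1.
CONF_WORDS = {"high": 0.9, "medium": 0.6, "low": 0.3}


def refang(value: str) -> str:
    """Undo common defanging ([.] / (.) and hxxp) and lowercase the value."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", v)


def classify(value: str) -> str:
    """Re-derive the indicator type from the value itself rather than
    trusting each feed's own vocabulary (fqdn vs domain, etc.)."""
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4"
    if "://" in value:
        return "url"
    return "domain"


def parse_feed(records: list[dict]) -> list[tuple[str, str, float]]:
    """Map a feed's native schema onto (type, value, confidence in 0..1)."""
    out = []
    for r in records:
        raw = r.get("value") or r.get("indicator") or r.get("ioc")
        value = refang(raw)
        conf = r.get("confidence", r.get("conf", "medium"))
        conf = conf / 100 if isinstance(conf, (int, float)) else CONF_WORDS.get(conf, 0.5)
        out.append((classify(value), value, conf))
    return out


def score_indicators(feeds=RAW_FEEDS, reliability=SOURCE_RELIABILITY) -> dict[str, dict]:
    """Merge all feeds. Base score = max(reliability * confidence) over the
    sources reporting the indicator; each extra corroborating source adds
    0.1, capped at 1.0."""
    merged = defaultdict(lambda: {"type": None, "sources": set(), "score": 0.0})
    for src, recs in feeds.items():
        for typ, value, conf in parse_feed(recs):
            entry = merged[value]
            entry["type"] = typ
            entry["sources"].add(src)
            entry["score"] = max(entry["score"], reliability.get(src, 0.1) * conf)
    for entry in merged.values():
        entry["score"] = round(min(1.0, entry["score"] + 0.1 * (len(entry["sources"]) - 1)), 2)
    return dict(merged)


def prioritized(min_score: float = 0.5) -> list[str]:
    """Indicators worth acting on, highest score first."""
    scored = score_indicators()
    ranked = sorted(scored.items(), key=lambda kv: -kv[1]["score"])
    return [value for value, entry in ranked if entry["score"] >= min_score]


if __name__ == "__main__":
    for value, entry in score_indicators().items():
        print(f"{entry['score']:.2f} {entry['type']:6} {value} <- {sorted(entry['sources'])}")
```

With the constructed feeds, the domain seen by both the vendor feed and the ISAC share ranks highest, the IP address corroborated by the low-reliability paste scrape is boosted only by the corroboration, and the indicator that appears solely in the paste scrape falls below the action threshold. The scoring weights are a deliberate design choice to be tuned per organization; the point is that normalization (so the same indicator from two feeds is recognized as one) has to happen before any reliability or corroboration logic can work.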
It is not realistic to expect organizations to address every potential cyber-threat; time, money, and personnel are all limited. To address threats effectively, organizations need to look inward and clearly define the risk, issue or threat they want to tackle. Cyber-risks can be highly complex, so it is critical to isolate the specific behavior or activity that must change in order to address a given threat. Once that behavior is identified, collect and analyze data from the sources needed to support and inform subsequent decisions, then consider how the improvements can be communicated in a socially engaging manner.
Using this methodology, organizations can confidently address risks using a prioritized and targeted approach that is driven by tangible data.