Mike Morris, Head of IT at Energy Future Holdings, talked about intelligence strategies to counteract cyber threats.
At the outset of his keynote address at the 2016 Chief Information Leadership Forum held on February 24 in Dallas, Morris advised the audience that he was going to “get down in the weeds a little bit” in talking about intelligence, intelligence applied to cyber threats, cyber kill chains, cyber kill chain defense, and how intelligence is used in a security operations set-up.
“Hackers are going to use specific methodologies and threats against us,” stated Morris. The cyber kill chain used by hackers describes a process of accessing a system in which each step increases risk and the cost to contain and remediate the threat. A cyber kill chain proceeds as follows:
• Reconnaissance (determining who to go after)
• Weaponization (such as creating emails representing the target company with a link to something enticing—a coupon for Starbucks, for example—that launches malware on the target company’s machine)
• Delivery (the link clicked on in the above example)
• Exploitation (taking advantage of any weakness in the target company’s systems to gain a foothold: missing patches, outdated systems and applications, a lack of application security, and so on)
• Installation (installing a tool, often a remote-access trojan)
• Command and control (remotely accessing and navigating the environment)
• Actions on intent (“At this point, they own you,” said Morris.)
The defense against the cyber kill chain involves the following steps: detection, response, denying or confirming the threat, eradicating or deceiving the threat, and recovery.
“Speed is of the essence in defense, and an agile strategy is needed,” emphasized Morris. Discovery can take several months to a year, and often it comes from an external source. Detection and response times are critical, because each step in the cyber kill process costs incrementally more money than the previous one. “Stopping the threat at the recon or weaponization stage saves a lot of money,” said Morris. Doing this manually is extremely slow.
“What I’ve been pushing my DevOps group to do is to make our security faster, more automated, and more agile so we can go through the defense processes quicker,” explained Morris. He presented the following scenario to deal with a security breach:
Assume you’ve already been breached. Concentrate on detection, response, prevention, and forecasting. Utilize multi-sourced threat intelligence tactically and strategically, and proactively hunt and investigate. Utilize behavioral analytics to operationalize security intelligence—this applies to unusual behavior in systems as well as people. Automate as many routine processes as possible whenever feasible. Control BYOD with NAC and threat intel. Recognize that APIs are your friend.
Operational cyber-intelligence includes security analytics; antivirus, vulnerability, endpoint, next-generation firewall and IPS tooling; automation; and human sources. It is generally packaged, said Morris (malware analysis, for example).
Strategic cyber-threat intelligence can be in-house or commercial. This is an expensive (labor-intensive), human-driven strategy, observed Morris. It evaluates which actors and campaigns are associated in order to deduce the tools, techniques, and processes (TTPs) involved, and it helps determine the motivations of the adversary.
The objectives of security-threat intelligence are to determine:
• Current activity implicating the threat
• Goals of the threat actor
• Conditions under which the threat is likely to successfully exploit a vulnerability
• Variants of and defenses against the threat
• Indicators that the threat is currently acting against the organization or otherwise impairing the organization’s assets
• Outcomes for the organization if the threat is successfully executed
• An assessment of the reliability of the information source and of the information itself
Morris offered these recommendations to optimize incident response:
• Automate as much as possible (processes and executables, memory collection, and snapshots of activity)
• Sandboxing and automatically searching across endpoints and perimeter devices
• Signature/hash scanning and automated alert/action
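The last recommendation, automated hash scanning across endpoints with an alert and action tied to the kill chain stage, can be sketched as a small script. This is an added illustration, not code from Morris or from EFH; the threat-intelligence entries, endpoint contents and response actions are all constructed, and the stage-to-action mapping is an assumed policy that follows the talk’s point that blocking early in the chain is cheaper than blocking late.

```python
import hashlib
from dataclasses import dataclass

# Kill chain stages in order; a later index means a costlier stage to contain.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed threat-intel feed: file hash -> (indicator name, kill chain stage).
INTEL = {
    sha256_hex(b"constructed: coupon lure dropper"): ("lure_dropper", "delivery"),
    sha256_hex(b"constructed: remote access trojan"): ("rat_implant", "installation"),
    sha256_hex(b"constructed: c2 beacon"): ("c2_beacon", "command_and_control"),
}

# Constructed endpoint inventory: host -> {path: file bytes} (stands in for an EDR query).
ENDPOINTS = {
    "ws01": {"C:/Users/a/Downloads/coupon.exe": b"constructed: coupon lure dropper",
             "C:/Users/a/notes.txt": b"benign notes"},
    "srv02": {"/opt/svc/agent": b"constructed: remote access trojan",
              "/tmp/upd": b"constructed: c2 beacon"},
}

@dataclass
class Alert:
    host: str
    path: str
    indicator: str
    stage: str
    action: str

def action_for(stage: str) -> str:
    """Assumed response policy: the further along the chain, the heavier the action."""
    idx = STAGES.index(stage)
    if idx <= STAGES.index("delivery"):
        return "quarantine_file_block_sender"
    if idx <= STAGES.index("installation"):
        return "isolate_host"
    return "isolate_host_open_incident"

def scan(endpoints: dict) -> list:
    """Hash every file, match against INTEL, and return alerts with the
    most advanced (costliest) stage first so responders handle it first."""
    alerts = []
    for host, files in endpoints.items():
        for path, content in files.items():
            hit = INTEL.get(sha256_hex(content))
            if hit:
                indicator, stage = hit
                alerts.append(Alert(host, path, indicator, stage, action_for(stage)))
    alerts.sort(key=lambda a: STAGES.index(a.stage), reverse=True)
    return alerts
```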
ABOUT MIKE MORRIS
Mike Morris is the Director of IT Security for Energy Future Holdings (EFH), a multifaceted company with generation plants (solar, wind, gas, coal, and nuclear), transmission lines, and retail sales of electricity. IT Security includes security architecture and engineering, firewall management, access management, the cyber security operations center, vulnerability management, threat intelligence, incident response, and forensics. Prior to joining EFH, Mike was a manager with Price Waterhouse conducting incident response and forensic investigations. Mike is also a retired Supervisory Special Agent with the Federal Bureau of Investigation (FBI); the majority of his career was spent in cyber crime investigations, incident response, security operations, and computer forensics. Mike holds the CISSP, CISM, and EnCE certifications.