Automating Security With Intelligence
By Karen Levy
Automation is part and parcel of modern society. From chatbots on websites to self-parking vehicles, more or less anything can be automated, including cybercrime. Threat actors use automation at every stage of the cyber kill chain, from reconnaissance to exfiltration. The efficiency that automation affords cyber-criminals lets them put more resources into either attacking one particular target in depth or hitting as many targets as possible in search of exploitable weaknesses.
As a result, businesses are witnessing an unprecedented volume and intensity of attacks, with 61 percent of firms experiencing a cyber incident in 2019, up from 45 percent the year before, according to the latest Hiscox Cyber Readiness Report. To combat this, businesses need to automate their defenses in kind. Security Orchestration, Automation, and Response (SOAR) is gaining popularity as a form of defense against sophisticated cyberattacks. However, to be truly effective, organizations must also automate other elements of their security operations, including decision making, intelligence gathering, blocking, and alerting.
Illicit Use of Automation
Cyber-criminals are always on the lookout for the easiest and fastest route to a big payout. They frequently rely on automation because it lets them gather information and perform tasks at far greater speed and scale than they could ever achieve manually. In the past, such capabilities were only available to the most skilled hackers, who had to write and run their own automated tooling, which itself consumed their time and resources. Now, a simple internet search can provide even an untrained script kiddie with ready-made tooling for every stage of the cyber kill chain.
For instance, reconnaissance, once time-consuming and resource-heavy, can now be a matter of a few clicks. Shodan, for example, is a search engine that indexes the service banners of internet-facing hosts, so a user can query for exposed devices by product, port, or organization, whether it is a printer, a smart speaker, or a webcam. Threat actors use such results to pick devices with default credentials or known weaknesses and harvest whatever data they hold. Then there is ZMap, a scanner that can sweep the entire IPv4 address space for a single port in under an hour from a gigabit connection. In nefarious hands, this quickly identifies vulnerable servers, network devices, IoT devices, and anything else connected to the internet. Such intelligence gives threat actors an accurate picture of potential targets with minimal time and effort.
It doesn't end there, though. Legitimate penetration-testing tools such as Metasploit Pro let threat actors match exploits to discovered vulnerabilities automatically, reducing a task that once took days to a few minutes. There are also password crackers such as John the Ripper, which test anywhere from thousands to millions of candidate passwords per second against stolen password hashes depending on the hash type, and online brute-forcing and credential-stuffing tools that replay recovered or leaked credentials against login pages.
With so many automation tools at cybercriminals’ fingertips, it’s no wonder that businesses are finding themselves subject to an ever-increasing number of attacks.
The Automatic Choice
Businesses need to fight automation with automation, because manual processes cannot match the speed and scale of machine-driven attacks. SOAR, which brings together security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP), has been seen as the response to this problem, yet it provides only part of the solution. For comprehensive defense, automation needs to extend to every aspect of security operations.
This includes having security intelligence about threats that exist beyond the organization's perimeter, so the security team can deal with them before they reach the network. Like it or not, password reuse is a fact of life, so knowing when the personal accounts of key employees have been exposed online lets security teams act quickly and force password changes before the leaked credentials are tried against corporate systems. Researching these exposures manually is resource-heavy and often produces results that are incomplete and out of date.
Automating the collection and analysis of this data gives organizations a comprehensive and timely view of the threats that might affect them or their vendors (which, ultimately, could affect them). When the organization's name or products are mentioned on sites indicative of potential threats, such as paste sites or criminal forums, security teams can be alerted and take appropriate action.
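The exposure check described above, as an added example that is not part of the original article or any vendor product: it matches breach records against a monitored directory, normalizes addresses so that case and "+tag" variants still match, and only demands a reset when a password-bearing breach post-dates the employee's last password change. The domain, directory, and breach records are constructed for illustration.

```python
"""Decide which monitored accounts need a forced password reset after a breach feed update.
Added illustration; all data below is constructed (documentation .test domain, fictional breaches)."""
from __future__ import annotations

from datetime import date

MONITORED_DOMAINS = {"example-corp.test"}  # hypothetical corporate domain

# Constructed directory: account -> date the user last changed their password.
EMPLOYEES = {
    "alice@example-corp.test": date(2019, 11, 2),
    "bob@example-corp.test": date(2020, 1, 20),
    "carol@example-corp.test": date(2019, 5, 14),
}

# Constructed breach records in the shape an intel feed might deliver them.
BREACH_RECORDS = [
    {"email": "Alice@Example-Corp.test", "breach": "forum-x", "breach_date": date(2019, 12, 5), "has_password": True},
    {"email": "bob+news@example-corp.test", "breach": "shop-y", "breach_date": date(2019, 9, 1), "has_password": True},
    {"email": "carol@example-corp.test", "breach": "list-z", "breach_date": date(2020, 2, 10), "has_password": False},
    {"email": "dave@other.test", "breach": "forum-x", "breach_date": date(2019, 12, 5), "has_password": True},
]


def normalize_email(raw: str) -> str:
    """Lower-case the address and drop a '+tag' so bob+news@ maps back to bob@."""
    local, _, domain = raw.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def exposure_actions(records: list[dict], employees: dict[str, date], domains: set[str]) -> dict[str, dict]:
    """Return {email: {"action": ..., "breaches": [...]}} for accounts that need attention.

    force_reset: a breach that included a password post-dates the last password change.
    notify:      only the address leaked (phishing risk), no credential to rotate.
    Accounts that already rotated after the breach, or outside monitored domains, are skipped.
    """
    actions: dict[str, dict] = {}
    for rec in records:
        email = normalize_email(rec["email"])
        if email.partition("@")[2] not in domains or email not in employees:
            continue  # not ours, or not an account we track
        if rec["breach_date"] <= employees[email]:
            continue  # password already changed after the leak; nothing to do
        entry = actions.setdefault(email, {"action": "notify", "breaches": []})
        entry["breaches"].append(rec["breach"])
        if rec["has_password"]:
            entry["action"] = "force_reset"  # a leaked password outranks an address-only leak
    return actions


if __name__ == "__main__":
    for email, info in sorted(exposure_actions(BREACH_RECORDS, EMPLOYEES, MONITORED_DOMAINS).items()):
        print(f"{info['action']:12} {email:28} via {', '.join(info['breaches'])}")
```

Comparing the breach date with the account's last rotation is what keeps this from nagging users who already changed their password; in a real deployment that date would come from the identity provider rather than a dictionary.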
With all of this information, however, IT security teams face data overload, receiving alerts daily from both external and internal sources. To avoid alert fatigue and ensure IT security teams can focus on the most pressing matters, automation curated to an organization's unique profile and ecosystem should flag high-priority alerts while filtering out false positives, including indicators that actually point at the organization's own assets.
Further time and resources can be saved by integrating high-confidence threat indicators directly into security controls, such as endpoint solutions, firewalls, or DNS filtering, to block threats, with an expiry so that stale indicators age out rather than accumulating. IT security teams employ a range of powerful tools to protect their networks, yet valuable time is wasted when they have to go and check security intelligence on another system. By automatically feeding this intelligence into existing workflows and tools, there is no need to swivel-chair between systems to get the information needed for decision making, creating a more accurate and timely process.
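The two preceding paragraphs describe one pipeline: score incoming indicators against an organization's profile, suppress false positives and stale data, and push only high-confidence results into a blocking control. The following is an added example of that pipeline, not code from the article or any SOAR product; the feed, the source weights, the thresholds, and the organization profile are all hypothetical, and the output format is the flat one-indicator-per-line list many firewalls and EDR consoles accept.

```python
"""Curated indicator triage: score, filter, deduplicate, and export threat-intel indicators.
Added illustration; feed entries use documentation-range addresses and .test domains, not real threats."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

# Constructed sample feed as a TIP might hand it over.
SAMPLE_FEED = [
    {"type": "ip", "value": "203.0.113.10", "source": "vendor_a", "confidence": 90, "last_seen": "2020-02-28T10:00:00Z", "tags": ["c2"]},
    {"type": "domain", "value": "Login-Example-Corp.test", "source": "partner_share", "confidence": 80, "last_seen": "2020-02-29T00:00:00Z", "tags": ["phishing"]},
    {"type": "ip", "value": "198.51.100.7", "source": "vendor_a", "confidence": 95, "last_seen": "2019-06-01T00:00:00Z", "tags": ["scanner"]},
    {"type": "ip", "value": "10.0.0.5", "source": "vendor_b", "confidence": 99, "last_seen": "2020-02-29T12:00:00Z", "tags": ["c2"]},
    {"type": "ip", "value": "203.0.113.10", "source": "vendor_b", "confidence": 80, "last_seen": "2020-02-27T00:00:00Z", "tags": ["malware"]},
    {"type": "domain", "value": "cdn.example-corp.test", "source": "partner_share", "confidence": 70, "last_seen": "2020-02-29T00:00:00Z", "tags": ["phishing"]},
]

# Hypothetical organization profile: what must never be blocked, how much each source is trusted, and cut-offs.
ORG_PROFILE = {
    "own_networks": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")],
    "own_domains": {"example-corp.test"},
    "source_weight": {"vendor_a": 1.0, "vendor_b": 0.9, "partner_share": 0.7},
    "max_age_days": 30,
    "alert_threshold": 50,
    "block_threshold": 75,
}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_own_asset(kind: str, value: str, profile: dict) -> bool:
    """True if the indicator points at something the organization owns.
    Blocking your own mail relay or CDN is the classic automation accident."""
    if kind == "ip":
        return any(ipaddress.ip_address(value) in net for net in profile["own_networks"])
    if kind == "domain":  # exact match or subdomain only; a lookalike such as login-example-corp.test is NOT ours
        return any(value == d or value.endswith("." + d) for d in profile["own_domains"])
    return False


def score(entry: dict, profile: dict, now: datetime) -> float | None:
    """Weight vendor confidence by source reputation and freshness; None means too old to act on."""
    age_days = (now - parse_ts(entry["last_seen"])).total_seconds() / 86400
    if age_days > profile["max_age_days"]:
        return None
    freshness = 1.0 - 0.5 * age_days / profile["max_age_days"]  # decays linearly to 0.5 at max age
    weight = profile["source_weight"].get(entry["source"], 0.3)  # unknown sources earn little credit
    return entry["confidence"] * weight * freshness


def triage(feed: list[dict], profile: dict, now: datetime = NOW) -> dict:
    """Return prioritized alerts, the subset to block, and what was suppressed with a reason."""
    merged: dict[tuple[str, str], dict] = {}
    suppressed: list[dict] = []
    for entry in feed:
        kind, value = entry["type"], entry["value"].strip().lower().rstrip(".")
        if is_own_asset(kind, value, profile):
            suppressed.append({"value": value, "reason": "own_asset"})
            continue
        s = score(entry, profile, now)
        if s is None:
            suppressed.append({"value": value, "reason": "stale"})
            continue
        item = merged.setdefault((kind, value), {"type": kind, "value": value, "score": 0.0, "sources": set(), "tags": set()})
        item["score"] = max(item["score"], s)  # same indicator from two feeds: keep the best score, union the context
        item["sources"].add(entry["source"])
        item["tags"].update(entry["tags"])
    alerts = []
    for item in merged.values():
        if item["score"] < profile["alert_threshold"]:
            suppressed.append({"value": item["value"], "reason": "low_score"})
            continue
        item["action"] = "block" if item["score"] >= profile["block_threshold"] else "alert"
        item["sources"], item["tags"] = sorted(item["sources"]), sorted(item["tags"])
        alerts.append(item)
    alerts.sort(key=lambda i: i["score"], reverse=True)
    return {"alerts": alerts, "blocklist": [i["value"] for i in alerts if i["action"] == "block"], "suppressed": suppressed}


def export_blocklist(result: dict) -> str:
    """Render block decisions one per line with provenance, the form a firewall or EDR list import accepts."""
    lines = ["# generated from curated intel; do not edit by hand"]
    for item in result["alerts"]:
        if item["action"] == "block":
            lines.append(f"{item['value']}  # {item['type']} score={item['score']:.0f} sources={','.join(item['sources'])}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_FEED, ORG_PROFILE)
    for a in result["alerts"]:
        print(f"{a['action']:5} {a['type']:6} {a['value']:28} {a['score']:5.1f} {a['tags']}")
    for s in result["suppressed"]:
        print(f"drop  {s['value']:35} {s['reason']}")
    print(export_blocklist(result))
```

Run against the constructed feed, the command-and-control address reported by two vendors is the only entry that reaches the blocklist; the lookalike phishing domain is scored high enough to alert an analyst but not to block unattended, while the organization's own 10.0.0.5 and cdn.example-corp.test entries are suppressed before they can ever be pushed to a control. The own-asset check and the age cut-off are the two guards worth keeping however the scoring is tuned.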
If they are to ensure they are properly defended, organizations need to employ solutions that are more advanced than the tools cybercriminals have access to. Automation is now ubiquitous in the cyber-criminal world, and it is time for the business world to follow suit.