September 23, 2020

Preparing to Use New Information: Rapid Response in a Crisis

Written by Leon Ward, VP Product Management, ThreatQuotient

Society has experienced a phase of extreme change, with individuals and companies still being introduced to new ways of working, communicating, and conducting business. These changes also bring with them exposure to new cybersecurity risks that threat actors choose to exploit, along with novel lures that pull on our fears and inquisitive nature. And if we have learned anything over the past few months, I argue it is this: effective rapid response is required for any crisis.

 

To me, effective rapid response means being able to quickly understand and act on newly available information that will protect your business.

 

Most organisations today connect to a wide variety of security tools and commercial threat intelligence sources to achieve this level of security daily. However, one common thread during challenging – or as we have heard countless times, “unprecedented” – times is that from a data perspective, there is a strong uptick in new, disparate sources of threat information organisations are consuming.

 

In the face of COVID-19, many commercial threat intelligence providers are kindly providing freely available packages of threat data to help the wider community outside of their existing customer base. Governments at all levels share threat and outbreak-specific data. Data sharing via open source feeds expands greatly. This is a great thing to see to happen, because when we all work together and collaborate, we can all better defend ourselves.

 

This has happened before as well, when other specific threats gained global attention (e.g. Mirai, Wannacry, and NotPetya) but obviously not to such a scale as we experienced early on with COVID-19. I assume that this trend will continue in the future, we just don’t know yet what the next trigger will be.

 

As a result of upticks in available data to address a crisis, security teams are forced to think about three things, all at the same time: “There is new data available that may help my organisation in our mission; we need access to it now; and we need to assess how and if it can help to defend us.”

 

Becoming aware of new sources of information is one thing but understanding the data and enabling it as part of an organisation’s infrastructure and operations is a more interesting challenge. Especially since these sources look very different: Government provided advice and data; Lists of new ‘potential’ domains that could be used for malicious activity (but are yet to be observed to be malicious); Known good and clean sources of COVID-19 data, nobody wants to block access to something clean; Observed malicious content and infrastructure used in actual campaigns; Aggregated and interpolated datasets; etc.

 

There are three key capabilities a security operations team must consider to achieving successful rapid response:

 

  • Agility: Are the tools the organisation is using able to reliably consume and use new sources of threat data as quickly as possible?
  • Sustainability: Can their integrations be made in such a way that they are robust and stand up to long term wide scale use?
  • Accessibility: Are non-expert developers being empowered to create robust integrations, with integrated services for handling common external API error conditions, safe authentication, health alerts, detailed data logging, etc.?

 

COVID-19 has been one of the most unique security challenges in years, and it will not be the last. Successful rapid response is critical for defending against cyber-attacks during a crisis, and when preparing to respond to any future crisis, an organisation must be able to do so quickly. This will require having the right people, processes, and technologies in place to make fast use of new information that becomes available.