Lior Div's post in Network World: What terrorism investigations can teach us about investigating cyber attacks

Having a military background, I tend to look at all security issues with the perspective of someone who’s served in the armed forces. That means using a thorough investigation process that doesn’t treat any action as accidental or an attack as a stand-alone incident and looking for links between seemingly unconnected events.

This method is used by law enforcement agencies to investigate acts of terrorism, which, sadly, are happening more frequently. While terror attacks that have occurred in the physical world are making headlines, the virtual world is also under attack by sophisticated hackers. However, not much is said about the similarities between investigating both types of attacks or what security researchers can learn from their law enforcement counterparts. I’ve had this thought for a while and, fearing that I’d be seen as insensitive to recent events, debated whether to write this blog. After much thought, I decided that the stakes are too high to remain silent and continue treating each breach as a one-off event without greater security implications.

The parallels between cyber and terror attacks are numerous: they involve well-coordinated adversaries who have specific goals and planned intricate campaigns months in advance. The target’s security measures are irrelevant and can always be exploited. Preventing cyber and terror attacks is difficult, given the numerous vectors an adversary can use. Discovering one component of either type of attack can lead to clues that reveal an even larger, more detailed operation. But the methods used to investigate cyber attacks often fall short at establishing links between different events and possibly preventing hackers from striking again.

Cyber attacks targeting infrastructure are happening

When a cybersecurity threat becomes public, either through the discovery of a data leak or – if an organization is lucky – early detection, the first question asked is “why.” Often, the second is “who.” To date, we haven’t experienced a cyber attack that has caused the same devastation as what’s happened in the physical world. Having your credit card number stolen doesn’t compare to lives being lost. But this doesn’t mean we won’t see cyber attacks that cause major disruptions by targeting critical infrastructure.

In fact, they’re already happening. In March, the U.S. Department of Justice accused seven Iranians of hacking the computer control system of a dam in New York and coordinating DDoS attacks against the websites of major U.S. banks. According to the DOJ, the hackers would have been able to control the flow of water through the system had a gate on the dam not been disconnected for repairs. Then in December, hackers used malware to take over the control systems of two Ukraine energy plants and cut power to 700,000 people. I’m not trying to spread fear of a cyber apocalypse by mentioning these incidents. Pointing to events that have already occurred isn’t fear mongering.

When examining terror attacks, police conduct forensic investigations on evidence found at the scene. If suspects are arrested, the police confiscate their smartphones (as we’ve seen with the iPhone used by the shooter in the San Bernardino, Calif., attack) and computers and review information like call logs and browsing histories. These procedures may provide investigators with new information that could lead to other terror plots being exposed, the arrest of additional suspects and intelligence on larger terrorist networks.

Applying an IT perspective to breaches won’t reveal complete cyber attacks

Cyber attacks, on the other hand, are investigated in a manner that isn’t as effective. They’re handled as individual incidents instead of being viewed as pieces of a larger operation. I’ve found that too many security professionals are overly eager to remediate an issue. The greater security picture isn’t factored into the process, nor is it culturally acceptable within most organizations to consider it. Corporate security teams have been conditioned to resolve security incidents as quickly as possible, re-image the infected machine and move on to the next incident.

Cyber attacks, though, are multi-faceted and the part that’s the most obvious to detect sometimes serves as a decoy. Adversaries know security teams are trained to quickly shut down a threat so they include a component that’s easy to discover. While this allows a security professional to report that a threat has been eliminated, this sense of security is false. Shutting down one known threat means exactly that: you’re acting on a threat that was discovered. But campaigns contain other threats that are difficult to discover, allowing the attack to continue without the company’s knowledge.

Unfortunately, most companies don’t approach cyber security with either a military or law enforcement perspective. They use IT-based methods and try to block every threat and prevent every attack, approaches that are unrealistic and ineffective given the sophisticated adversaries they’re facing. The clues security teams need to discover, eliminate and mitigate the damage from advanced threats are contained in the incidents they have been resolving.

Cyber security stands to learn a lot from law enforcement when it comes to investigating attacks. Next time they’re looking into a breach, security professionals should:

  • Not treat a security incident as an individual event. Try to place it in the greater context of what else is occurring in your IT environment. View the attack as a clue that, if followed, can reveal a much larger, more complex operation.
  • Instead of immediately remediating an incident, consider letting the attack execute to gather more intelligence about the campaign and the adversary.
  • Remember the threat that’s the most obvious to detect is often used as a decoy to shield a more intricate operation.
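As an added illustration of the first and third points (this is example code, not part of the original article), the script below links a handful of constructed alerts into campaigns whenever two alerts share a host, user, tool or destination, then flags campaigns that span several hosts and pair a loud, easily detected alert with quieter ones. All hosts, users and indicator values are made-up sample data, not real IoCs.

```python
from collections import defaultdict

# Constructed alerts: (alert_id, host, severity, indicators).
# Every value here is a hypothetical sample, not a real indicator.
ALERTS = [
    ("A1", "ws-finance-07", "high",   {"hash:commodity-miner", "dst:198.51.100.9"}),
    ("A2", "ws-finance-07", "low",    {"user:jdoe", "dst:203.0.113.44"}),
    ("A3", "srv-db-02",     "low",    {"user:jdoe", "tool:psexec"}),
    ("A4", "srv-file-01",   "medium", {"tool:psexec", "dst:203.0.113.44"}),
    ("A5", "ws-hr-03",      "high",   {"hash:adware-bundle"}),
]

def link_campaigns(alerts):
    """Union-find over alerts: two alerts join one campaign when they share
    an indicator or (deliberately coarse) the same host."""
    parent = {a[0]: a[0] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    seen = {}  # indicator or host key -> first alert id that carried it
    for aid, host, _sev, indicators in alerts:
        for key in indicators | {"host:" + host}:
            if key in seen:
                parent[find(aid)] = find(seen[key])
            else:
                seen[key] = aid
    groups = defaultdict(list)
    for aid, *_ in alerts:
        groups[find(aid)].append(aid)
    return sorted(sorted(g) for g in groups.values())

def summarize(alerts):
    """Per campaign: hosts touched, whether it spans several hosts, and whether a
    high-severity alert sits beside low-severity ones (the decoy pattern)."""
    by_id = {a[0]: a for a in alerts}
    report = []
    for group in link_campaigns(alerts):
        hosts = {by_id[a][1] for a in group}
        severities = {by_id[a][2] for a in group}
        report.append({"alerts": group, "hosts": sorted(hosts),
                       "multi_host": len(hosts) > 1,
                       "loud_plus_quiet": "high" in severities and "low" in severities})
    return report
```

Run on the sample data, the noisy miner alert on ws-finance-07 ends up in the same campaign as the quiet lateral movement to srv-db-02 and srv-file-01, while the unrelated adware alert stays on its own.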

While there will always be terrorists and hackers, remembering these points helps us stay ahead of them, minimize the impact of their attacks and regain a sense of control.

Lior Div is the CEO and Co-Founder of Cybereason. This article previously appeared in Network World.

About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
