May 25, 2021
The state of the threat landscape in general, and incidents like the recent ransomware attack against Colonial Pipeline demand that we take immediate action to improve cybersecurity defenses. The recent executive order (EO) on cybersecurity from President Biden is a bold step in the right direction.
Beyond the prevention provisions in the EO, the order emphasizes the need to bolster detection and response capabilities. The key is to roll out a “government-wide Endpoint Detection and Response (EDR) deployment” that is capable of centrally monitoring federal agency endpoints for suspicious activity in real-time.
This investment, when combined with improved intra-governmental threat intelligence sharing, will empower federal entities to better detect potential digital attacks and intercept them more quickly.
I also find the last section of the EO particularly compelling: streamlining and improving incident response capabilities. The goal here is to create standard playbooks that enable federal agencies to respond to attacks more effectively, and to introduce system log retention requirements so that the scope of a successful incident can be determined.
This is important because only 40% of organizations globally have the technology in place to help prevent and respond to this level of attack.
The EO will require federal agencies to focus on the three “R’s” of supply chain security: response, report and reinforce capabilities. The goal, essentially, is to accelerate response, share relevant information, and apply lessons learned to prevent similar attacks in the future.
But there’s another “R” that they also need to address - Retaliation. This element is usually lost in the conversation given the technical difficulties involved in making accurate attribution for a particular attack.
Attackers can leverage compromised networks of others or untraceable proxies to launch attacks, employ a variety of obfuscation techniques to hide their true identity, and inundate investigators with misleading evidence in an attempt to cast others as the offenders.
Retaliation is also a concept that potentially stands on shaky legal ground. It can mean many things, from using tracing and offensive tools to rapidly backtrack the source of an attack, to increasing the effort spent uncovering and arresting offenders.
It can also mean sanctions against foreign governments that actively attack you or knowingly harbor cyber attackers, as well as actively nullifying offensive tools by focusing efforts on reverse engineering them, identifying weaknesses and even exploiting vulnerabilities in these systems to reverse the attack.
If the above seems like a lot, that’s because it’s meant to be that way. As quoted from the EO:
Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life. The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).
Statements like these are a huge step forward for federal cybersecurity, not to mention cybersecurity in general. This executive order prioritizes cyber, which in turn prioritizes deep and substantial improvements to defenses, and it takes the lead in making these improvements happen, starting at the very top of the federal government.
There are still some unknowns, of course. Today, the government spends hundreds of billions of dollars annually on physical security, but in a world that is now run by computers the battlefield has shifted, while our focus for defense has not.
Modernization of the federal government’s infrastructure is a big priority, and that alone will be very costly and take years to achieve - the price tag could be in the trillions over the next decade.
Private industry also has an opportunity to contribute to solving the many challenges ahead, and a coordinated public/private joint effort is essential to strengthening our nation’s response and improving our resiliency to cyber threats.
There are no silver bullets, as the enemy is human, adaptive and intelligent. And the input the Secretary of Commerce is seeking to improve supply chain security with recommendations on new standards, protocols and tools could also be significant if the private sector steps up to the challenge.
One point in the executive order that can’t be overlooked is that cybersecurity is now finally in the same conversation as other national critical infrastructure assets like energy and transportation. This alone is a significant improvement spurred by the executive order, and it will (hopefully) be the catalyst for a more secure nation.
Lior Div, CEO and co-founder of Cybereason, began his career in and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.