Intelligence in the Business World
Friday, 01 December 2017
Due to the increased security awareness in the business world, some things have changed for the better. Today, businesses have at least a subset of the technology and methods that were once reserved for nation-state actors like the police, intelligence agencies and the military. Some of these will therefore be discussed in this article.
Organizations worldwide feel ever increasing pressure to adapt and thus tighten their IT security. Within the financial sector in particular, rapid progress has been made in improving cyber security posture [1]. Intelligence gathering today is often based on SIEM (Security Information and Event Management) solutions and adjacent technologies, such as traditional logging and monitoring systems. However, taking the whole spectrum of security technology into account, a sole focus on network and perimeter-centric solutions is misplaced. Monitoring and endpoint protection are not the ultimate solution to all problems. Moreover, even where organizations make a concerted effort to establish lasting, consistent coverage across the technology landscape, those efforts are often hindered by time constraints, tight budgets and staff shortages [2].
Fortunately, there is a wide array of security technology, including often neglected ones, such as MAC (Mandatory Access Control). The NSA (National Security Agency) paved the way for MAC in GNU/Linux systems with the help of the NSA FLASK architecture, based on the Bell-LaPadula model. Today MAC is indeed available in the form of a Linux Security Module for GNU/Linux systems, providing a high level of access control via TP (Targeted Policy) or MLS (Multi Level Security) [3]. In FreeBSD an improved MAC was implemented, which allows special policies (e.g. ISP or PACLP), as well as the combination of policy models (LoMAC and Biba) [4]. In addition to that, there is AppArmor for GNU/Linux, which resembles SELinux's targeted mode. Even Microsoft implemented an ACS called MIC (Mandatory Integrity Control) after a rewrite of their Windows operating system (Vista/Server 2008) [5].
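To make the two policy models named above concrete, here is an added example (not code from the article or from any of the systems it mentions): a toy reference monitor that enforces the Bell-LaPadula confidentiality rules behind MLS ("no read up, no write down") and the Biba integrity rules behind FreeBSD's Biba policy and Windows MIC ("no read down, no write up"), and then stacks both the way FreeBSD combines loaded policies, so that an access is granted only if every policy consents. The labels, compartments and sample subjects are constructed for illustration; the `Label`, `blp_allows`, `biba_allows` and `mac_decision` names are this example's own.

```python
"""Toy reference monitor for Bell-LaPadula (confidentiality) and Biba
(integrity) labels. Added example; levels and compartments are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Op(Enum):
    READ = "read"
    WRITE = "write"


@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical level plus a set of compartments
    (the 'need to know' categories used by MLS)."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # a dominates b iff a's level is at least b's and a's
        # compartments include all of b's (partial order on the lattice)
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, op: Op) -> bool:
    """Bell-LaPadula: simple security property (no read up) and
    *-property (no write down)."""
    if op is Op.READ:
        return subject.dominates(obj)      # may only read at or below own level
    return obj.dominates(subject)          # may only write at or above own level


def biba_allows(subject: Label, obj: Label, op: Op) -> bool:
    """Biba strict integrity: the dual of BLP, no read down and no write up.
    Windows MIC enforces the write rule by default; this models both."""
    if op is Op.READ:
        return obj.dominates(subject)      # only read from equal/higher integrity
    return subject.dominates(obj)          # only write to equal/lower integrity


def mac_decision(subj_conf: Label, obj_conf: Label,
                 subj_int: Label, obj_int: Label, op: Op) -> bool:
    """Stacked policies: like loading an MLS and a Biba module side by side,
    an access is permitted only if every loaded policy permits it."""
    return (blp_allows(subj_conf, obj_conf, op)
            and biba_allows(subj_int, obj_int, op))


# Constructed sample labels for a stand-alone demonstration.
PUBLIC = Label(0)
SECRET_FINANCE = Label(2, frozenset({"finance"}))
SECRET_FINANCE_HR = Label(2, frozenset({"finance", "hr"}))
LOW_INTEGRITY = Label(0)      # e.g. a downloaded file
HIGH_INTEGRITY = Label(2)     # e.g. a system binary


def demo() -> dict:
    """Return the decisions for a few representative accesses."""
    return {
        "analyst reads public":       blp_allows(SECRET_FINANCE, PUBLIC, Op.READ),
        "analyst writes public":      blp_allows(SECRET_FINANCE, PUBLIC, Op.WRITE),
        "analyst reads finance+hr":   blp_allows(SECRET_FINANCE, SECRET_FINANCE_HR, Op.READ),
        "system reads download":      biba_allows(HIGH_INTEGRITY, LOW_INTEGRITY, Op.READ),
        "download writes system":     biba_allows(LOW_INTEGRITY, HIGH_INTEGRITY, Op.WRITE),
        "stacked: trusted analyst reads public":
            mac_decision(SECRET_FINANCE, PUBLIC, HIGH_INTEGRITY, LOW_INTEGRITY, Op.READ),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:40s} -> {'ALLOW' if allowed else 'DENY'}")
```

The last entry in `demo()` is the instructive one: the analyst's clearance satisfies Bell-LaPadula for reading a public document, but reading a low-integrity object as a high-integrity subject violates Biba, so the stacked decision is a denial. That is exactly why combining policy models, as FreeBSD allows, tightens rather than loosens access.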
Having said that, MAC implementations also exist for operating systems like IBM AIX 7.x, optionally in combination with IBM's LPAR technology. Beyond that, there is PaX with grsecurity for GNU/Linux systems, which among other things takes advantage of PCID, a feature that gained relevance during the Meltdown and Spectre CPU design flaw disaster. EMET (Enhanced Mitigation Experience Toolkit) for Microsoft Windows accomplishes something similar to grsecurity and PaX for Linux [6].
BSD-based systems (FreeBSD, NetBSD, OpenBSD and DragonFly BSD) in turn come with out-of-the-box kernel hardening. Decision makers who require a level of security beyond EAL 3/4 or, respectively, ITSK S/F3 S/F4 or TCSEC B1/B2, may opt for an OS like BAE Systems XTS-400 STOP 6/7 or IBM System z with LPAR. Both operating systems are EAL 5 certified and provide military-grade security.
However, even more technology is of interest to IT security-centric departments (e.g. 1st LoD SOCs/CSOCs). That is RBAC (Role-Based Access Control), IAM (Identity and Access Management), IDS/IPS (Intrusion Detection/Prevention Systems), AM (Anti-Malware) systems, REA (Reverse Engineering and Analysis), PM/SVM (Patch Management/Software Vulnerability Management), SSA (Systems Security Auditing) and OSINT (Open-Source Intelligence) software like MISP or Maltego [7]. First lines of defense should go even further and consider combined efforts, like participating in the »No More Ransom!« project, or even supporting law enforcement groups like The Shadowserver Foundation, which in 2016 aided Europol in the takedown of the Avalanche botnet [8].
On these grounds, and with regard to the increasing number of data exfiltrations and similar breaches, organizations are strongly recommended to inspect the aforementioned technologies, and not only focus on fashionable SIEM solutions and the like. At the same time businesses should employ the very same techniques as the police, intelligence agencies or the military. That also involves the creation of rather offensive modes of operation and related information technology. In the recent past the NCAZ (German National Cyber Defense Center), the KdoCIR (German Federal Armed Forces Cyber and Information Space Command) and the LKRZV (German Insurance Industry IT Emergency Operations Center) also advanced in that area and suggested the development and use of such methods [9].
Under these circumstances SOCs/CSOCs (Cyber Security Operation Centers) and CERTs (Computer Emergency Response Teams)/CSIRTs (Computer Security Incident Response Teams) should be an integral part of an organization's LoD (Line of Defense) model. Managers in IT should also focus on the cooperation between these entities and law enforcement, an issue addressed by ENISA in 2017 in a report that concluded with recommendations on how to accomplish such cooperation. That matter does not only affect widely-known, accredited CERTs (e.g. CERT-Bund), but also smaller non-listed ones from organizations like Siemens, Lufthansa Group or Deutsche Bank [10]. Besides, the report describes the extensive legal and policy framework for cooperation between CERTs and law enforcement agencies.
Fraudster activities often resemble legitimate ones, generating massive revenue by data exfiltration or other means of illegal value generation. This is documented in various publications, including those written by experts like Brian Krebs, author of numerous IT security-related intelligence articles [11]. Even the often reluctant SWIFT (Society for Worldwide Interbank Financial Telecommunication) warned in late November 2017 about cyber crime carried out with sophisticated tools and techniques. Interpol (International Criminal Police Organization) also stated that highly complex cybercriminal networks commit increasingly sophisticated cyber crimes on an unprecedented scale, with huge estimated costs to the global economy.
Thus German and European businesses need to pick up the pace when it comes to the acquisition of talented IT specialists and the improvement of IT security and intelligence. They should focus more on cyber security than on tangential information security matters such as the GDPR, which ignores present challenges and is thus unfit to provide organizations and end-users alike with what it takes to increase data protection [12]. Currently the (finance) industry is far from being on par with its adversaries, partly due to the mentioned reluctance towards hiring. Accordingly, such organizations may be unable to effectively combat advanced threats in the near future, while their opponents continuously invest in people and technology and thereby increase the number of committed crimes every year [13].
References:
[1] "10 Sea-Changing IT Security Trends Of The Last 10 Years". UBM LLC / Dark Reading.com, T. Wilson. Retrieved 01 December 2017.
[2] "Help Net Security - Let no endpoint go dark". Help Net Security / Z. Zorz. Retrieved 01 December 2017.
[3] "Security-Enhanced Linux - SELinux Documentation". NSA|CSS / J. Carter, E. Walsh, et al. Retrieved 01 December 2017.
[4] "FreeBSD Handbook - Chapter 15.5. Available MAC Policies". The FreeBSD Foundation. Retrieved 01 December 2017.
[5] "MSDN - Windows Integrity Mechanism Design". Microsoft Corp. / MSDN. Retrieved 01 December 2017.
[6] "CERT/CC Blog - Taking Control of Linux Exploit Mitigations". Carnegie Mellon University SEI / W. Dormann. Retrieved 01 December 2017.
[7] "Subliminal Hacking | OSINT Tools Recommendations List". Subliminal Hacking / D. Pearson. Retrieved 01 December 2017.
[8] "Avalanche network dismantled in international cyber operation". Europol (EU Agency for Law Enforcement Cooperation). Retrieved 01 December 2017.
[9] "Secupedia - National Cyber Defense Center". Secupedia / O. Wege, P. Hohl, R. Eichler, A. & M. Albert. Retrieved 01 December 2017.
[10] "Tools and Methodologies to Support Cooperation between [..]". ENISA. Retrieved 01 December 2017.
[11] "Happy 8th Birthday, KrebsOnSecurity!". Krebs on Security / B. Krebs. Retrieved 01 December 2017.
[12] "Wikipedia - General Data Protection Regulation". Wikipedia / A. Goldys, I. Bay, M. Carnevali, S. Perkins, et al. Retrieved 01 December 2017.
[13] "Rise Of The Cyber Criminals". The Huffington Post / P. Gordon. Retrieved 01 December 2017.
Last Updated (Monday, 15 January 2018)