Indicators of compromise (IoC), infection, malware, hack, breach… these words all have distinct meanings to information security professionals, and those distinctions are largely unknown to the general public. Unfamiliar with the different levels of risk these events carry, the general public, and even some reporting organizations, tend to assume the worst.
Take, for example, the recent news on Burlington Electric. Word of an IoC associated with the “Grizzly Steppe” exploit package being identified on an enterprise system incorrectly morphed into reports of a state-level compromise of our nation’s power grid.
The more salacious, and ultimately unfounded, portions of the story were recanted, but this highlights a new vector of risk associated with cyber-attacks: public perception.
Exercising our security infrastructure due diligence
There is a significant difference in severity between a notification that a malware package has been installed on a given host, a notification that a host is attempting a conversation with an identified command and control (C&C) platform, and a notification of an outbound data flow to a known compromised destination. Yet all three alerts could easily be associated with the same attack.
Given the heightened anxiety created by a 24-hour news cycle, this creates additional pressure to unequivocally identify the extent of an incident in the shortest possible time. In the Burlington Electric example, the original news reports were retracted once the organization was able to rapidly identify exactly which indicator had been found, which systems were involved, and the extent, or lack, of contact between the compromised systems and any other platforms within the organization.
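The scoping work described above, deciding which of the three alert kinds a host has actually reached and which other systems it touched, can be automated as a first-pass triage. The following is an added example, not code from the original article or from ReliaQuest or Tripwire; the alert kinds, host names, addresses and flow records are all constructed sample data, and the hash string is a placeholder.

```python
"""First-pass incident scoping over IoC alerts and flow records.

Added example with constructed data. It ranks each host by the most severe
stage observed (package present < C&C attempt < data actually leaving) and
lists the other internal hosts that should be reviewed because they exchanged
traffic with a host that raised an alert.
"""

# Attack stage per alert kind, in increasing severity.
STAGE_RANK = {"malware_installed": 1, "c2_attempt": 2, "exfil_flow": 3}
STAGE_NAME = {1: "installed", 2: "c2-attempt", 3: "exfiltration"}

# Constructed sample alerts: (host, alert_kind, indicator). The hash is a placeholder.
ALERTS = [
    ("laptop-17", "malware_installed", "sha256:PLACEHOLDER"),
    ("laptop-17", "c2_attempt", "198.51.100.23"),
    ("srv-fin-02", "malware_installed", "sha256:PLACEHOLDER"),
]

# Constructed sample flow records: (src_host, dst, bytes_out, blocked_at_egress).
FLOWS = [
    ("laptop-17", "198.51.100.23", 0, True),     # C&C attempt blocked at the edge
    ("laptop-17", "srv-fin-02", 4096, False),    # internal contact, both hosts alerted
    ("srv-fin-02", "203.0.113.9", 0, False),     # connection to a known-bad address, no payload
    ("ws-44", "laptop-17", 200, False),          # an otherwise quiet host talked to laptop-17
]

# Constructed known-bad destinations (stand-ins for a threat-intelligence feed).
KNOWN_BAD = {"198.51.100.23", "203.0.113.9"}


def host_stage(alerts):
    """Highest alert stage raised for each host, as a rank number."""
    stage = {}
    for host, kind, _indicator in alerts:
        stage[host] = max(stage.get(host, 0), STAGE_RANK[kind])
    return stage


def scope_incident(alerts, flows, known_bad):
    """Combine alerts with flow records to answer the two questions that matter
    first: how far did each alerted host get, and who else did it touch?"""
    stage = host_stage(alerts)
    compromised = set(stage)

    # Flows from an alerted host to a known-bad destination refine its stage:
    # data that really left the network is exfiltration, anything else is an attempt.
    for src, dst, nbytes, blocked in flows:
        if src in compromised and dst in known_bad:
            reached = 3 if (nbytes > 0 and not blocked) else 2
            stage[src] = max(stage[src], reached)

    # Internal hosts that exchanged real traffic with an alerted host, in either
    # direction, are in scope for review even though they raised no alert.
    review = set()
    for src, dst, nbytes, blocked in flows:
        if blocked or nbytes == 0:
            continue
        if src in compromised and dst not in known_bad and dst not in compromised:
            review.add(dst)
        if dst in compromised and src not in compromised:
            review.add(src)

    return {
        "stage": {host: STAGE_NAME[rank] for host, rank in stage.items()},
        "review": sorted(review),
    }


def overall_stage(scope):
    """Single worst-case stage across all hosts, the figure a status update should lead with."""
    rank_of = {name: rank for rank, name in STAGE_NAME.items()}
    return max(scope["stage"].values(), key=rank_of.__getitem__)


if __name__ == "__main__":
    result = scope_incident(ALERTS, FLOWS, KNOWN_BAD)
    for host, name in result["stage"].items():
        print(f"{host}: {name}")
    print("hosts to review:", result["review"])
    print("incident stage:", overall_stage(result))
```

On the sample data, both alerted hosts stop at the C&C-attempt stage, no data left the network, and the only other host to examine is ws-44; that is the answer that distinguishes "an indicator was found" from "the grid was compromised". Real deployments would feed the same logic from an EDR alert stream, NetFlow or firewall logs, and a threat-intelligence feed instead of the constructed lists.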
Cyber threats are evolving, and so must our defenses
In the information security industry, we recognize that hardening the perimeter alone is no longer adequate. Cloud-based application sets, BYOD capabilities, mobile solutions and a myriad of other current and developing technologies punch additional holes in the perimeter, meaning the traditional perimeter model we are used to no longer exists.
They say, “the endpoint is the perimeter.” It is therefore our duty to build our security controls appropriately.
We recognize that our systems are persistently probed, the software we rely on is vulnerable to attack, and our users are constantly being lured into exploits we all desperately strive to prevent. We build our strongest defenses and create alerting platforms to notify us when anything abnormal happens and develop our incident response procedures.
We must recognize that expected response times are now driven by the news cycle rather than by any logical industry-established best practices. Even after a breach has been mitigated, we can no longer rest simply knowing that log sources have been captured and archived for review at our leisure.
The expectation is that answers are available now. The onus is on us to continually educate the public about the true level of risk involved in any given attack, and to provide solid information about any attack – regardless of severity – as quickly as possible.
About the Author: Keith Lawman is a graduate of Georgia State University with a Master’s Degree in Computer Information Systems. He has over a decade of experience in network design and deployment, telecommunications, and multi-platform systems administration. Keith is a Solutions Architect, and he joined the ReliaQuest team in March 2014.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.