Approximately 2,500 years ago, a Chinese military strategist wrote a book entitled "The Art of War." His name was Sun Tzu, and his book has been used by military leaders in a wide range of countries since it was written. During the 20th century, business managers, entrepreneurs, negotiators and politicians began applying many of Sun Tzu's teachings to their own endeavors.
In his book, Sun Tzu declared that it is necessary to become your enemy if you are to know him. Furthermore, he stated that if you do not know your enemy, you will endure a defeat for every victory, assuming that you know yourself. If you do not know your enemy and do not know yourself, you will lose every battle. Sun Tzu's advice is particularly relevant for those who must fight a war every day to keep cybercriminals from breaching their networks and stealing their organization's data.
The Advantages of Thinking Like a Hacker
With the threat level increasing by the day, it is no longer enough to merely respond to an attack. Defeating attackers requires the ability to detect anomalous behavior and anticipate what cybercriminals will do next. In short, you must be able to adopt the hacker's mindset to discover where your organization is vulnerable.
Once you develop the ability to think like a hacker, you will find several advantages that can help you keep your organization more secure.
- You can become better acquainted with your organization's threat surfaces. You can start looking for vulnerable devices, applications or procedures that a hacker could exploit.
- While thinking like a hacker, you can expand your knowledge of your organization's critical assets, or of which assets would provide the greatest benefit (monetary or otherwise) to a hacker. This allows you to shore up your defenses around the high-profile targets.
- After you have identified the high-profile targets, you can develop a profile of the type of hacker who would find those targets the most attractive. For example, credit card data would probably be more valuable to a criminal organization looking for financial gain than to a group of hacktivists. Proprietary data on a bid you are preparing for a military agency might be targeted by hackers working for a foreign government. Information on a company's environmental mistakes might be of interest to hacktivists. Knowing who would want to attack your organization gives you a better understanding of your risks and the steps you need to take.
- Your efforts can also help you identify whether your company has already been compromised. Unfortunately, breaches can go undetected for a long time. According to an article published by ZDNet, research revealed that it took retailers as long as 197 days to identify a breach; financial firms averaged 98 days. The longer the breach goes undetected, the more data the hackers can steal, resulting in increased remediation costs.
Incident Response Plans
Despite the media attention given to cyberattacks, not every organization is prepared to respond to an incident. The first step is to develop an incident response plan that is appropriate for the organization and the risks involved. The written plan should encompass the following components.
- Identities of members of the response team and their contact information
- Chain of command and list of tasks each person is authorized to handle
- Details of the initial response, including how the threat will be quarantined or blocked
- Steps involved in the investigation and responsible parties
- Detailed recovery plan
- Contact information for third-party suppliers, public relations officers and law enforcement
The response team will be responsible for a variety of tasks. Some tasks will need to be completed before an attack, but others will need to be handled after an incident. Because it is critical for every member of the team to know how to perform their duties properly, regular drills should be conducted so that responders react automatically.
- As part of developing an incident response plan, team members should identify possible scenarios and classify them.
- The technology and tools that will be used to detect, prevent or resolve attacks must be determined.
- Once an attack occurs, the team should determine the scope of the investigation and conduct the investigation within the time allotted.
- The team may be responsible for the promotion of security awareness within the organization.
- If a breach occurs, the team must address all issues, including any notifications that must be made.
- The plan should include a review of the effectiveness of the team's response.
- A member of the response team or another staff member may be assigned to monitor computer logs to help discover incidents.
Automation can help you strengthen your defenses, manage alerts and detect threats that are already present in your system or network. Demisto Enterprise is a comprehensive platform for incident management, automation, threat hunting and collaboration. Contact us to learn more about the many ways that we can help you keep your organization safer.