On 28 November 2024, Teiss Talk host Thom Langford was joined by Mike Johnson, Global Cyber Threat & Incident Response Manager, Verifone; Alan Jenkins, CISO Team lead, Saepio; and Josh Davies, Principal Technical Manager, Fortra.
There is a danger that artificial intelligence “could be weaponised against us,” McFadden, the chancellor of the Duchy of Lancaster, warned, arguing that the UK is already engaged in the “daily reality” of a “cyberwar,” with hacking efforts coming in particular from Russia. The term AI is often used inaccurately in journalism and marketing.
When you hear AI, you must ask whether it is ML, deductive reasoning or genuine artificial intelligence. What’s important here is that a UK minister is talking about cyber security in a keynote speech at a conference.
Currently, AI is probably used by threat actors in areas where open-source intelligence doesn’t have the best penetration. But it’s obvious that AI is already used by criminals to develop malware. The awareness of advanced attacks is a good opportunity, however, to remind ourselves to get the security basics right. But it must be noted that AI is still a nascent technology which is lowering the barrier to entry for hackers, while on the defence side, we’re still struggling with cyber basics. A US government body’s red testers, for example, could attack the system during a pen test through a backdoor that was left there by the previous red team.
Another problem is that sometimes there is too much focus on endpoint security and too little on the threat surface that legacy OT devices present.
Even bad actors with plenty of resources will choose the path of least resistance to attack a system. Businesses need a balanced approach to security covering end devices, IoT, the cloud, etc. It’s important to have a holistic view of these attack surfaces because attackers may circumvent any of them. If one attacker has made it through a backdoor, chances are that there are other attackers too, either inside or trying to infiltrate the system. Sometimes hackers patch the backdoor up behind them to prevent others from leveraging that opportunity. During incident response exercises, it’s a good idea to involve all the functions that play a role in a real attack. Instead of saying “the marketing team at this point will draft a communique,” let them get it ready in the timeframe that they would have to stick to when the attack is real.
Security exercises also provide an opportunity to improve processes or add escalation where it was missing. They are also a chance to measure capability and competence at both team and individual level and to quantify how the team contributes to the business’s overall resilience. It’s good to see that resilience is a central term in new cyber legislation too, such as DORA, as it’s a sign that focus is shifting away from mitigation and prevention. SMEs are in a difficult position, as, in order to run a 24/7 SOC for 365 days, you need at least 11 professionals.
There is, however, a reason to be optimistic, as the automation of security operations and response is getting within reach, and it will be a game changer. However, SMEs shouldn’t think that they can “AI their way” out of poor security controls. A managed security service provider can give those who can afford it instant security maturity and implement the necessary controls. A hybrid solution can be more affordable, though, where an in-company SOC team is supplemented with the fresh pair of eyes of an MSP. Information security professionals should learn from criminals how they specialise and co-operate.
