Sep 27, 2016 - 10:45am

Why the First Line of Defense Against Cyberattacks Is Good Offense

Retired U.S. General (USMC)

Note: General James L. Jones (USMC Ret.) has served as National Security Advisor to the President of the United States, Supreme Allied Commander Europe and Combatant Commander USEUCOM. He will deliver a keynote address at the 5th annual Cybersecurity Summit at the U.S. Chamber of Commerce.

On any given day, nation-states, non-state actors, criminal syndicates, and activists seek to compromise U.S. corporate and government computer networks. High-profile attacks, such as the breach of 500 million Yahoo accounts disclosed last week, are well reported. Hundreds of other attacks do not garner the same press, but the consequences are just as serious. According to The New York Times, the FBI now ranks cybercrime as one of its top law enforcement priorities. In 2012, the annual M-Trends industry report found that it took organizations more than a year to detect that an intruder was in their networks. By 2015, that lag had dropped to about five months. Greater awareness and involvement of government officials have contributed to this improvement.

Cyberattacks are frequently planned and executed with military-like precision. The attackers conduct extensive reconnaissance, exploring and mapping networks over many months before they initiate an attack. That information gathering requires great effort; the attack itself, once the target is mapped, usually takes little time. Nor do the attackers need to man, train, equip, and deploy to the United States to launch it; they can do their work from a long distance.


That reconnaissance often culminates in a spear-phishing attack: a message crafted for a specific worker that tricks the recipient into clicking a tainted web link, or opening an attachment, that loads malware onto the workstation and from there onto the corporate network. Senior leaders are often the targets of a variant called whaling, in which spear phishing is aimed at the individuals with access to the most valuable or competitively sensitive information.

Your first line of defense against these attacks is a good offense. Training workers to recognize suspicious messages, and testing that training and your internal processes with realistic exercises such as simulated phishing campaigns, should be continuous rather than an annual event.
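As an added illustration (not code from the original article or from any product it mentions), the following Python script applies the indicators a trained worker, or an automated pre-screen that runs before the message reaches the worker, looks for in a spear-phishing or whaling message: an executive's display name on an outside address, a sender or link domain forged to resemble the company's own, a Reply-To that silently redirects replies, and a link whose visible text names one host while the real target is another. The organization's domain, the executive roster, and both sample messages are constructed for the example.

```python
"""Heuristic triage of a suspicious e-mail for spear-phishing and whaling
indicators. Added example, not the article's own material; the domains,
executives and messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed facts about our own organization (constructed for the example).
OUR_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address
# Digit-for-letter substitutions used to build look-alike domains (examp1e.com).
HOMOGLYPHS = str.maketrans("0135", "oles")


def domain_of(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return addr.rpartition("@")[2].lower()


def normalize_domain(domain: str) -> str:
    """Collapse the substitutions attackers use to forge look-alike domains."""
    d = domain.lower().strip(".")
    if d.startswith("www."):
        d = d[4:]
    return d.replace("rn", "m").translate(HOMOGLYPHS)  # "rn" reads as "m"


def is_ours(domain: str) -> bool:
    d = domain.lower()
    return any(d == ours or d.endswith("." + ours) for ours in OUR_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but either normalizes to ours
    (examp1e.com, exarnple.com) or embeds our whole domain name under
    someone else's registration (example.com.evil.test)."""
    if not domain or is_ours(domain):
        return False
    norm = normalize_domain(domain)
    return is_ours(norm) or any(ours in norm for ours in OUR_DOMAINS)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of bare text that looks like a URL; '' otherwise."""
    s = url_or_text.strip()
    if "://" not in s:
        if not re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", s, re.I):
            return ""
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # Whaling: an executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' impersonates {real} (actual sender {addr})")
    # Sender domain forged to resemble ours.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} is a look-alike of ours")
    # Replies silently routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from sender domain {from_domain}")
    # Links whose visible text names one host while the real target is another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        parser = LinkExtractor()
        parser.feed(html)
        for href, text in parser.links:
            target, shown = host_of(href), host_of(text)
            if shown and target and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
            if is_lookalike(target):
                findings.append(f"link target {target} is a look-alike of ours")
    return findings


# Constructed sample messages: one whaling attempt, one legitimate note.
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-office@mail-relay.example.net
To: finance@example.com
Subject: Urgent wire request
Content-Type: text/html

<html><body><p>Please review the invoice at
<a href="http://198.51.100.23/login">https://portal.example.com/invoices</a>
before the close of business.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 numbers
Content-Type: text/html

<html><body><p>See <a href="https://portal.example.com/q3">the portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or ["no indicators"])
```

Run stand-alone, the script reports four findings for the first message (impersonated executive, look-alike sender domain, redirected Reply-To, mismatched link) and none for the second. The checks are deliberately simple string heuristics; they are the same cues a training program teaches people to spot, and an automated pre-screen that surfaces them in the message view helps the worker rather than replacing the training.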

Additionally, chief information officers (CIOs) and chief information security officers (CISOs) should report attempts to gain unauthorized access to corporate systems, whether failed or successful, to the Department of Homeland Security through the United States Computer Emergency Readiness Team (US-CERT) incident reporting system.

US-CERT provides anonymized alerts to Information Sharing and Analysis Centers (ISACs), the government-industry coordination groups that provide information on security threats to owners and operators of critical infrastructure across North America. Leaders should also proactively reach out to the local FBI field office, which is the federal entity responsible for investigating cyberattacks. Investigators are assigned from the field office closest to corporate headquarters, so it is advantageous to know the lead agents in your area before you need them.

Understanding that the point of greatest risk, and of greatest opportunity for the defender, comes when actors first attempt to break into your computer systems means that you must plan both for preventing attacks and for responding to them. A good place to start is the Cybersecurity Information Sharing Act of 2015 (CISA), which encourages, and provides liability protection for, automated sharing of cyber threat indicators between government and industry.

The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is also a valuable document: it gives companies a common vocabulary for cybersecurity governance, organized around five functions (Identify, Protect, Detect, Respond, Recover), and sets a baseline against which a company can voluntarily measure its own practices.

Further, I suggest that we need to focus on cyber resilience, a concept that requires a change in the way we currently do business. I define cyber resilience as the ability to anticipate cyberattacks and to minimize the damage they cause, so that the business can return to normal operations with minimal disruption.

Cyber resilience starts with awareness at the CEO and board levels of the company's security posture, awareness and implementation of security best practices, and a security strategy that balances the cost of security against its benefits. Building effective cyber resilience involves implementing technical processes and tools as well as addressing the human side of digital threats. Although people are the most significant part of the technology value chain, they are also its weakest link. Specifically, companies should identify not just the “how” of networks and technology but the equally important “who” and “why” of potential threats. That includes employees who hold privileged access inside your perimeter and who may knowingly or unknowingly compromise your network security.

Cyber resilience entails tightening IT systems security and addressing the human element by closing the gaps that create vulnerabilities, including identifying insider threats. A study by the Computer Emergency Response Team (CERT) Program at Carnegie Mellon University and Deloitte found that proactively identifying employees who show an elevated risk of becoming an insider threat has two benefits: it avoids unnecessary costs to the employer, and it helps the employee before a bad situation gets worse. This proactive approach can significantly reduce organizational risk.

Multiple integrated applications that together provide cyber resilience exemplify the future of cybersecurity: proactive, continuous, and actionable. The challenge is to ensure that deployment is layered and draws on a multidisciplinary set of technologies and processes that together manage risk more holistically. FBI Director James Comey captured this when he said:

Our work is very challenging. We are looking for needles in a nationwide haystack, but we’re also called upon to figure out which pieces of hay might someday become needles.

There is widespread agreement among experts that a resilient approach to security at the enterprise level improves on today’s reactive and fragmented approach. Industry needs to play its role by broadening its horizon to include enterprise-wide visibility and a global perspective. With a playbook based on cyber resilience, we can become proactive in identifying current threats and anticipating future ones, and, in turn, lower the risk of cyberattack for all of us.
