Sectrio

Author name: Kiran Zachariah

What is Cyber Threat Intelligence

What is cyber threat intelligence?

Cyber threat intelligence is what cyber threat information becomes after it has been collected, evaluated and assessed in the context of its origin, accuracy and reliability, and then analysed with rigorous, structured tradecraft. It is the knowledge that enables businesses and individuals to detect, prevent or mitigate cyberattacks. It adds significant value to raw threat information, and accurate threat intelligence can be the difference between detecting an attack and missing it. That is why the choice of vendor matters: the intelligence must be accurate and contextual if it is to power threat detection. Without the right threat intelligence, threats can slip past defences and move across networks. Relevant threat intelligence gives security teams the visibility they need into the threats they must be aware of, and it is becoming a major tool against cybercrime and malware developers. Contextually relevant threat intelligence should enable decisions to be taken with confidence.

Accurate threat intelligence also reduces the cost and time to detect attacks. The cost per unit of time spent detecting an attack is an underrated metric whose relevance is only now becoming clear: early detection saves both cost and credibility, and the time saved can be used by SecOps and SOC teams to deploy more security measures or improve the efficacy of existing ones.

Questions to ask before selecting a cyber threat intelligence vendor:
Do they collect their own (organic/native) threat intelligence, or are they merely an aggregator?
Is the threat intelligence offered contextually relevant and proven?
Is the collection facility global, spread across enough locations to capture the latest and evolving threats?
Can your SIEM consume the threat intelligence easily?
Does it cover both IoT and OT threats?

These are only some of the questions to put to a vendor. Signing up the right threat intelligence vendor matters: it can be the difference between deploying a strong cyber deterrent and missing some of the attacks directed at your business or your IoT and OT assets.

Sectrio offers contextual and relevant cyber threat intelligence

Sectrio offers rich cyber threat intelligence gathered from the largest IoT and OT honeypot network in the world. Sectrio's Threat Intelligence module can help improve SecOps efficiency, reduce false positives and SOC fatigue, and improve your ability to detect existing and new cyber threats. Gain from the industry's most trusted cyber threat intelligence product:
Stay ahead of emerging threats and find indicators of compromise early
Get curated, up-to-the-minute IoT and OT threat intelligence sourced from our global network of over 70 honeypots
Close posture gaps and improve SecOps efficiency with comprehensive threat intelligence
Build cyber resilience and improve compliance
Operate with confidence and the ability to ward off complex cyberattacks
Analyse risks, distribute resources, and gain a deeper understanding of threats relevant to your business by geography and industry
One of the few threat intelligence solutions that can also detect low-footprint reconnaissance attacks

To learn more about our Cyber Threat Intelligence module, reach out to us now. Learn more about our OT cybersecurity solutions. Try our curated cyber threat intelligence feeds free for 15 days.


Securing water and wastewater treatment plants with defense-in-depth

In April this year, the US intelligence community warned that adversarial entities were planning to target the country through cyberspace, with states using cyber operations to cause destruction and disruption. Just five months later, we are already seeing a significant rise in the rate of background cyberattacks as well.

Attacks on critical infrastructure that delivers public services are a problem governments around the world are trying to manage. The problem is even more pronounced in the US because of the number of adversarial entities targeting critical infrastructure there: in addition to over 7 evolved APT groups, over 39 documented hacker groups and malware developers are working, together or in isolation, against US critical infrastructure. Along with power plants and grids, the water and wastewater management and treatment industry is now bearing the brunt of sophisticated and persistent cyberattacks. Unpatched vulnerabilities, weak cyber hygiene practices and a lack of visibility into network activity are the key contributing factors.

The infrastructure components most exposed to cyberattack are valve stations, pumping stations, operations control centres and treatment plant controllers. Within them, PLCs and SCADA systems, along with switches and HMIs, are the specific components at risk. Newly added devices that manage pumps and IoT devices that monitor flow and pressure are also vulnerable.

Securing water and wastewater facilities

Securing these facilities calls for a multi-phase defense-in-depth approach that addresses vulnerabilities, detects rogue or unauthorized devices, shrinks threat surfaces and prevents lateral movement of malware. Defense-in-depth fortifies the infrastructure at several levels, including intrusion detection, vulnerability scanning, micro-segmentation and threat lifecycle management. To detect cyberattacks, plant operators need rich and contextual threat intelligence. Each of these steps helps deter attackers and minimizes threats to plant personnel and assets. Plant operators also need to invest in training their employees so that phishing attacks do not succeed. Defense-in-depth further requires visibility into supply chains to ensure their integrity. Finally, by adopting a zero-trust framework, plant operators can prevent unauthorized activity.


Improve your critical infrastructure cybersecurity

Recommendations for improving critical infrastructure security

As cyberattacks on critical infrastructure continue to rise, it is important for operators managing such infrastructure to adopt measures that improve their overall cybersecurity posture and plug gaps. Presented below are some of the interventions Sectrio recommends. (NIST guidance for OT/ICS, Singapore's Cybersecurity Act and IEC 62443 are referenced for this exercise.)

Segregate devices and networks: Segregate OT/IoT and IT networks from each other. Discover all devices and their communication patterns. Firewalls can be used to segregate the networks, but firewalls themselves can be vulnerable, so physical segregation (air gapping) is suggested. If data must be transferred between the networks, restrict the data in/out points to a minimum, monitor them continuously, and make the transfer one way, preferably through data diodes. Continuous monitoring of east-west traffic within network segments is equally important, as it limits the spread of internal attacks.

Vulnerability and patch management: Identify all assets on the network, including rogue and unauthorized devices. Cross-reference the device details and the services running on them with known vulnerabilities and the patches available for those vulnerabilities. Patch systems and assets proactively. Where patching is not possible, create mitigation plans and a monitoring framework for the affected vulnerabilities. Create and implement a vulnerability assessment plan that runs continually and iteratively: even patched systems may be exposed to attacks that exploit attack surfaces that were not present before.

Threat detection: OT and IoT networks should be monitored by systems that can inspect Layer 7 (OSI application layer) protocol information. OT environments typically run numerous proprietary protocols with their own vulnerabilities, so the ability to decode each protocol and look for exploitation of those vulnerabilities is a critical function of an OT threat detection system. Because new threats are identified regularly, the vendor of such a system must have rich threat intelligence for OT and IoT, preferably sourced through local honeypots to provide geopolitical context. The threat detection system should integrate with the SOC so that information is not siloed and threat evolution and lateral movement across the different networks can be tracked. Threats should ideally be mapped to MITRE ATT&CK for ICS to depict real-world scenarios and, in the long run, minimize false positives. Detection should be real-time, even where OT networks offer limited options for it: relying on logs and post-facto analysis adds latency and reduces the system's ability to identify threats as they appear.

Data modification restrictions: Security systems should be able to restrict specific OT and IoT commands (relative to the protocol in use) that modify the state of, or data within, key infrastructure. These restrictions should apply at the user, asset and network level. A zero-trust framework using micro-segmentation must be implemented to restrict communication between assets and services, reducing the attack surface and the possibility of lateral movement. It must start at the segregation between IoT/OT and IT networks and drill down inside the OT/IoT network as far as is feasible from an implementation standpoint.

Logging: A centralized repository of system logs and network traffic must be kept for at least one month, with events and alerts retained for a year. OT and IoT attacks have very protracted kill chains, and this information will be critical to any forensic investigation.
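The Layer 7 inspection and command restriction described above can be illustrated with Modbus/TCP, one of the few OT protocols that is openly specified. The following is an added example written for this page, not Sectrio code or a Sectrio product feature: it decodes the MBAP header and PDU of each request, classifies the function code as read, write or other, and checks writes against a per-source, per-unit allowlist that also bounds the register window a source may change. The function codes are the standard Modbus ones; the source IP addresses, the policy table and the sample frames are hypothetical and constructed for the example.

```python
"""Modbus/TCP Layer 7 monitor with a write allowlist (added example, not Sectrio code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Function codes per the Modbus Application Protocol Specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # first coil/register touched, if the PDU carries one
    quantity: Optional[int]  # number of coils/registers touched


def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    address = quantity = None
    try:
        if fc in (1, 2, 3, 4, 15, 16):      # start address, count
            address, quantity = struct.unpack(">HH", pdu[1:5])
        elif fc in (5, 6, 22):              # single address
            address, quantity = struct.unpack(">H", pdu[1:3])[0], 1
        elif fc == 23:                      # read start, read count, write start, write count
            _, _, address, quantity = struct.unpack(">HHHH", pdu[1:9])
    except struct.error as exc:
        raise ValueError(f"truncated PDU for function {fc}") from exc
    return ModbusRequest(src_ip, tid, unit, fc, address, quantity)


@dataclass
class WritePolicy:
    functions: Set[int]      # write function codes this source may send to this unit
    window: Tuple[int, int]  # inclusive address range it may write


# Hypothetical allowlist for one plant zone: (source IP, unit id) -> policy.
# Any pair not listed is read-only.
POLICY: Dict[Tuple[str, int], WritePolicy] = {
    ("10.20.0.10", 1): WritePolicy({6, 16}, (100, 199)),          # HMI: setpoints only
    ("10.20.0.50", 1): WritePolicy(set(WRITE_FUNCTIONS), (0, 0xFFFF)),  # engineering workstation
}


def check_request(req: ModbusRequest, policy=POLICY) -> Optional[str]:
    """Return an alert string for a disallowed request, or None if it is permitted."""
    if req.function in READ_FUNCTIONS:
        return None
    if req.function not in WRITE_FUNCTIONS:
        # e.g. FC 8 Diagnostics (sub-function 4 forces listen-only mode) or FC 43 device identification
        return f"{req.src_ip}: unexpected function code {req.function} to unit {req.unit_id}"
    name = WRITE_FUNCTIONS[req.function]
    rule = policy.get((req.src_ip, req.unit_id))
    if rule is None:
        return f"{req.src_ip}: {name} from unapproved source to unit {req.unit_id}"
    if req.function not in rule.functions:
        return f"{req.src_ip}: {name} not permitted for this source on unit {req.unit_id}"
    lo, hi = rule.window
    last = req.address + req.quantity - 1
    if req.address < lo or last > hi:
        return f"{req.src_ip}: {name} to {req.address}-{last} outside approved window {lo}-{hi} on unit {req.unit_id}"
    return None


def build_request(tid: int, unit: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU; used here only to construct the sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source IP, frame).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.20.0.10", build_request(1, 1, bytes([3]) + struct.pack(">HH", 100, 10))),   # HMI read: fine
    ("10.20.0.10", build_request(2, 1, bytes([6]) + struct.pack(">HH", 150, 500))),  # setpoint write in window
    ("10.20.0.10", build_request(3, 1, bytes([16]) + struct.pack(">HHB", 190, 20, 40) + bytes(40))),  # 190-209: past window
    ("10.20.0.77", build_request(4, 1, bytes([5]) + struct.pack(">HH", 1, 0xFF00))),  # unknown host forces coil on
    ("10.20.0.77", build_request(5, 1, bytes([8]) + struct.pack(">HH", 4, 0))),       # Diagnostics: listen-only mode
]


def scan(traffic: List[Tuple[str, bytes]]) -> List[str]:
    """Run every frame through the parser and the policy, returning the alerts raised."""
    alerts = []
    for src, frame in traffic:
        try:
            verdict = check_request(parse_modbus_tcp(src, frame))
        except ValueError as exc:
            verdict = f"{src}: malformed frame ({exc})"
        if verdict:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC):
        print("ALERT", line)
```

Run against the constructed traffic, the monitor raises three alerts: the HMI's multi-register write that runs past its approved window, the write from the unlisted host, and the Diagnostics request. Reads pass silently, which matches the recommendation's emphasis on state-changing commands; a deployment that also wants to catch reconnaissance would treat reads from unlisted sources as a lower-severity alert rather than ignoring them.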
Redundancy and business continuity: All systems should be evaluated for their criticality and their need for redundancy assessed. Where a system needs redundancy, fallbacks must be triggered not only for operational issues but also for cybersecurity issues. It must be possible for the OT and IoT cybersecurity systems to trigger a fallback automatically when a threat is identified and must be contained.

Local and remote access management: Since the pandemic, OT and IoT systems are increasingly managed remotely. MFA must be established for all remote workers and technicians. Secure VPNs must be established, with restrictions on which assets a technician can connect to; where feasible, access should pass through a jump host or VDI to contain threats arising from unsecured remote endpoints. The principle of least privilege must be enforced by default, and default access to OT systems and the underlying assets must always be denied. Access for remote technicians, engineers and analysts is granted only through a proper approval process and revoked when no longer needed.

Response and containment: OT and IoT responses differ substantially from IT responses. Playbooks must be devised for threat responses and automated as far as possible, and they must be customizable to the specific OT/IoT deployment. All OT and IoT networks must be further segmented into zones, with each zone segregated by industrial firewalls capable of discerning OT/IoT Layer 7 traffic.

Training: OT and IoT security differ markedly from IT security. IT security is focused on data breaches, with priorities ordered Confidentiality-Integrity-Availability, whereas in OT networks the emphasis is on control breaches, with priorities ordered Availability-Integrity-Confidentiality. This difference in paradigm is typically difficult for traditional IT security personnel to grasp, so OT/IoT-specific security training must be given to the people monitoring the OT/IoT network. The risk management framework used for IT systems may not be feasible for OT networks, so stakeholders must also be trained to perform OT-specific risk and threat assessments.

Intelligence sharing: Most governments have CERTs that share IT-specific threat intelligence. The mandates of these CERTs must be expanded to OT and IoT, and a threat intelligence platform (TIP) implemented so that agencies, organizations and sectors can share OT/IoT threat intelligence.

Join me and the Sectrio team at GITEX 2021


Credential mining

Privilege mining: 2021’s single biggest cybersecurity threat for enterprises

With attackers deploying sophisticated breach tactics, the traditional strategy of keeping them outside the perimeter is no longer a viable way to prevent breaches. In 2020, based on the data we saw on the dark web, we were able to establish that stolen credentials and privileges were not just being used but were being mined to maximize the footprint of a breach. In June last year, a leading heavy equipment manufacturer in Europe was breached. The attackers used the stolen credentials to skim further credentials and finally reached the company's intellectual property (IP) vault, which held not only critical IP but also credentials for other vaults holding joint IP with vendors. Needless to say, most of this information made its way into the underground marketplaces that trade in it.

Privilege mining, in which attackers move horizontally and vertically across digital infrastructure using a series of credentials stolen along the way, is now the biggest cyber threat out there. The volume of credentials and network information from previous breaches has created opportunities for attackers like never before; even on a conservative estimate, this information could sustain cyberattacks well into 2023. It is therefore prudent to take the following steps immediately, irrespective of your threat perception:
Reset passwords across the enterprise and its accounts
Use multi-factor authentication
Segregate networks, and closely monitor the zones of convergence between technology streams such as IoT, operational technology and IT
Use a solution such as Subex Secure to protect all components of your infrastructure, including devices, networks and systems

Talk to us now to learn more about improving your cybersecurity posture to deter attackers.

