In the information security space, conventional wisdom says there is a simple formula for putting controls in place to protect systems, applications, and the data that courses through them.
According to the formula, you should select a risk framework and a set of authoritative sources, like NIST 800-53, ISO 27001, or the Common Security Framework (CSF). Choose the risk framework that is most appropriate for your business. Then, align all the business and IT practices with the control standards that are identified in the control objectives of that risk framework. And finally, get a third party to come in and do an attestation of the effectiveness of the controls and declare victory.
That’s the formula, and it has been well-established in all audit circles. The stakeholder groups that bought into this model are in the dozens. Board level reviews bought into it. Audit, external auditors, internal auditors, privacy, IT leaders—nearly everyone bought into this model.
Except, there’s one stakeholder group that never bought into the formula: the criminals and threat actors that are attacking your organization.
The bad guys didn’t buy into the formulaic model of information security. Instead, they adjust their tactics based on the controls that are in place. They understand the risk frameworks and the conventional control standards, and they bypass them. They also share information with other threat actors and trade credentials and consumer demographic information to achieve their goals.
What that forces us to do – if we want to survive as CSOs and CISOs, which is generally a good thing in our business – is adjust our controls in response to the changes threat actors make in their tactics. We constantly adjust our controls.
Resiliency means you must adjust your controls continuously
Today, the sign of resiliency for an enterprise is how often you’re changing your controls. Fifteen years ago, if you changed your controls frequently, it was because you were at high risk. You had a lot of volatility and a lot of risk in the business. Today, the sign of resiliency is actually the frequency of the changes in controls, because it means that you’re driving a risk-driven security program versus a compliance-driven security program.
A compliance-driven security program waits for regulations to change and then makes changes to controls. A risk-driven program changes based on threat intelligence and on what threat actor tactics are, and adjusts practices to create friction for the threat actors.
The fundamental difference between the two approaches is what launched us into the era we are in today, where more and more of the changes we make are unconventional controls: they’re not tied back to a specific control standard in an authoritative source or set of standards like NIST 800-53.
The conventional control against phishing is only partially effective and inherently unsustainable
Take phishing, for example. It’s widely considered to be a top threat vector today. The conventional control standard that is noted by every single authoritative source is to raise user awareness—to try to teach people to recognize what phishing messages look like, and then avoid them.
Let’s examine that control. What we’re actually teaching people to do is not to trust email. In the case of phishing, people should be wary of specific emails that are engineered to misrepresent their origin and convince somebody to do something they shouldn’t. At its core, this is not a sustainable model, since it extracts trust from email, which is part of an enterprise’s culture.
The fact is, email is part of the fabric of any major enterprise. When you remove trust from that fabric, you degrade the capabilities of the enterprise. When you spend time and money and effort to teach people not to trust email, it actually does damage to the business. It’s kind of like chemotherapy—it kills some good cells while it goes after the cancer cells. It’s not really a sustainable model to defend against phishing attacks, but it happens to be in widespread use. There’s at least one financial services firm that goes to the extreme and fires people if they fail a phishing test three times.
There are other ways that are both less intrusive and less expensive that are very effective in shutting down phishing attempts. You just have to understand the attacker’s tactics and adjust your controls for them.
Unconventional controls are very effective against phishing
The most frequently used tactic in phishing campaigns is a spoofed domain. When spoofing a domain, an attacker makes the email appear to come from a known or trusted source. Depending on the techniques used, a spoofed domain can be very convincing, sometimes even to the most discerning user. Trying to teach people to avoid messages coming from a spoofed domain will never be a failsafe control.
A more effective control is to implement the email authentication, policy and reporting protocol known as DMARC (Domain-based Message Authentication, Reporting & Conformance). If an enterprise deploys DMARC and authenticates its outbound email servers to Internet service providers (ISPs), then ISPs will not deliver email that claims to come from the enterprise’s domain but doesn’t originate from those authenticated servers. What that means is that fraudulent email purporting to come from specific domains can be eliminated by organizations implementing DMARC.
Even though it’s an industry standard, DMARC is not referenced in any authoritative source as a conventional control because it’s unconventional. By eliminating the use of a domain for spoofing purposes, DMARC happens to be highly effective—so much so that it’s actually causing threat actors to use other tactics.
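To make the DMARC mechanism concrete, here is an added example (not code from the article or from any mail vendor) that models how a receiving mail server applies a sender domain's published policy. The record tags (`v`, `p`, `adkim`, `aspf`, `rua`) and the alignment rules are the ones defined in RFC 7489; the domains, the DNS records in `DNS_TXT` and the SPF/DKIM outcomes are constructed sample data so the example runs offline, and `from_domain` is assumed to already be the organizational domain (no Public Suffix List lookup).

```python
# Added example, not from the article: a minimal model of how a receiving
# mail server applies a sender domain's published DMARC policy.  Record tags
# and alignment rules follow RFC 7489; domains, DNS records and authentication
# results below are constructed sample data so the example runs offline.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS: a real receiver queries _dmarc.<domain> TXT.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, filling RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_policy(from_domain: str) -> Optional[dict]:
    """Return the parsed DMARC record for the RFC5322.From domain, or None."""
    record = DNS_TXT.get(f"_dmarc.{from_domain}")
    if record is None or not record.lower().startswith("v=dmarc1"):
        return None
    return parse_dmarc(record)


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    also accepts a subdomain.  Simplification (assumption): from_domain is
    already the organisational domain, so no Public Suffix List lookup."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


@dataclass
class AuthResults:
    """Outcome of SPF and DKIM verification for one message."""
    spf_pass: bool
    spf_domain: Optional[str]   # MAIL FROM domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= domain of a signature that verified


def dmarc_disposition(from_domain: str, results: AuthResults) -> str:
    """Return 'pass', or the sender's requested action on failure
    ('none', 'quarantine' or 'reject').  'none' is also returned when the
    domain publishes no DMARC record, because there is nothing to enforce."""
    policy = lookup_policy(from_domain)
    if policy is None:
        return "none"
    spf_ok = results.spf_pass and aligned(from_domain, results.spf_domain, policy["aspf"])
    dkim_ok = results.dkim_pass and aligned(from_domain, results.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # A spoof: From: claims example.com, but SPF only passes for the
    # sender's own MAIL FROM domain and there is no DKIM signature.
    spoof = AuthResults(True, "bulk-sender.invalid", False, None)
    print(dmarc_disposition("example.com", spoof))   # reject
    # Legitimate mail: DKIM-signed with d=example.com.
    legit = AuthResults(False, None, True, "example.com")
    print(dmarc_disposition("example.com", legit))   # pass
```

Two caveats the model makes visible: enforcement only happens at `p=quarantine` or `p=reject` (a domain at `p=none` is in monitoring mode and its spoofs are still delivered), and it only happens at receivers that actually evaluate DMARC. The `rua` reports are what tell the domain owner which sources are failing before the policy is tightened.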
Another tactic used in phishing campaigns is the lookalike domain. That’s when the phishing email comes from a domain that looks a lot like a legitimate company’s domain but is one character off, so the name is close but not exact. For example, a lookalike domain might replace the lowercase letter L with the numeral 1, as in goog1e.com. Depending on the fonts in use, it can be quite difficult for people to spot a lookalike domain, especially if they are busy and not paying close attention.
Even this technique can be easily defeated if you understand that most phishing attacks utilize very fresh domains that have been registered in just the last day or so. Phishers change their domains often – typically every 24 to 48 hours – because spam and reputation filters catch up with them, so they have to move to a new domain often to prevent being filtered out.
You can use this to your advantage by not delivering email from any newly registered domain for a period of 48 hours. This blocks the majority of phishing attacks that reach your enterprise email server simply by not delivering them. It turns out that no legitimate email originates from domains that have been registered within the previous 48 hours, because any enterprise is going to test its capability before it goes live with a legitimate new domain. The domains that are active within the first 24-48 hours of setup are almost always fraudulent; they’re the bad guys sending spam or phishing emails. If you drop email from them, you’re eliminating the fraudulent email.
It’s not difficult to test to see how old a domain is. Take a security intelligence feed that lists newly registered domains. Then write a script in your email gateway that identifies or flags any email coming from a domain listed by the intelligence feed. The script instructs the email server to drop flagged messages into a “do not deliver” bucket. This is not technically challenging to implement. It probably requires fewer than 20 hours of scripting and testing. It also is not referenced anywhere in conventional controls, making it another example of an unconventional control that’s highly effective.
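The gateway rule described above, as an added example that is not the article's own script: it judges the sender's registrable domain against a newly-registered-domain feed and routes anything under 48 hours old to a "do not deliver" bucket. The feed contents in `NEW_DOMAIN_FEED`, the sample From: headers and the `SAMPLE_NOW` timestamp are constructed; a real deployment would load the feed from its intelligence provider, run this logic as a milter or transport rule, and use the Public Suffix List instead of the two-label `registrable_domain()` shortcut assumed here.

```python
# Added example, not the article's own script: an email-gateway rule that
# holds mail whose sender domain was registered less than 48 hours ago, as
# judged from a newly-registered-domain intelligence feed.  Feed contents,
# message samples and timestamps are constructed for this example.
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr
from typing import Optional

MIN_AGE = timedelta(hours=48)

# Constructed feed: registrable domain -> registration time (UTC).
NEW_DOMAIN_FEED = {
    "goog1e-secure-login.com": datetime(2024, 5, 6, 14, 0, tzinfo=timezone.utc),
    "acme-invoice-portal.net": datetime(2024, 5, 5, 9, 30, tzinfo=timezone.utc),
    "newbrand-launch.example": datetime(2024, 4, 1, 0, 0, tzinfo=timezone.utc),
}

# Constructed "current time" used by the sample run below.
SAMPLE_NOW = datetime(2024, 5, 6, 18, 0, tzinfo=timezone.utc)


def registrable_domain(host: str) -> str:
    """Collapse a host name to its last two labels so that mail from a
    subdomain (login.goog1e-secure-login.com) is judged by the registered
    domain.  Assumption: production code uses the Public Suffix List so
    that suffixes such as co.uk are handled; two labels suffice here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(header_from: str) -> Optional[str]:
    """Registrable domain of the From: header address, or None if absent."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return None
    return registrable_domain(addr.rsplit("@", 1)[1])


def domain_age(domain: str, now: datetime) -> Optional[timedelta]:
    """Age according to the feed; None when the feed has no entry."""
    registered = NEW_DOMAIN_FEED.get(domain)
    return None if registered is None else now - registered


def classify(header_from: str, now: datetime = SAMPLE_NOW) -> str:
    """Return 'deliver' or 'do-not-deliver' under the 48-hour rule.
    Domains absent from the feed are treated as established and delivered,
    since the feed only enumerates recent registrations."""
    domain = sender_domain(header_from)
    if domain is None:
        return "do-not-deliver"  # no parseable sender address
    age = domain_age(domain, now)
    if age is not None and age < MIN_AGE:
        return "do-not-deliver"
    return "deliver"


if __name__ == "__main__":
    for sender in ("IT Support <helpdesk@login.goog1e-secure-login.com>",
                   "Billing <ar@acme-invoice-portal.net>",
                   "Launch Team <hello@newbrand-launch.example>",
                   "Alice <alice@partner-corp.example>"):
        print(f"{classify(sender):15} {sender}")
```

The check runs on the From: header because that is what the recipient sees; a production rule would apply the same test to the envelope MAIL FROM and Reply-To domains as well, and the "do not deliver" bucket should be a reviewable hold rather than a silent discard so that the rare false positive can be released.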
Another technique is to use brand protection services, which use web crawling technology to hunt for any domains that look like your domain and then issue a take-down once they are registered. Both of those controls are effective in combination as a layered approach. But neither one of them is mentioned anywhere as a conventional control in any risk framework. There are no authoritative sources saying that you should do this.
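The lookalike-domain hunt that brand protection services perform, and the same check applied to an inbound sender at the gateway, can be illustrated with this added example (not from the article or any vendor product). It runs two checks against a list of protected domains: a homoglyph normalisation that catches substitutions such as goog1e.com, and a Levenshtein distance of one that catches a dropped, added or swapped character. The `PROTECTED` list, the `HOMOGLYPHS` table and the sample domains are constructed; `scan()` can be pointed at a newly-registered-domain feed to spot imitations before any mail from them arrives.

```python
# Added example, not from the article or any brand-protection vendor: flag
# domains that imitate one the organisation protects.  The protected list,
# glyph table and sample domains are constructed for this example.
from typing import Iterable, List, Optional, Tuple

PROTECTED = ("google.com", "acme-corp.com")

# Character sequences that render close to a letter in common fonts.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "rn": "m", "vv": "w", "cl": "d",
}


def normalize(domain: str) -> str:
    """Lower-case and replace lookalike sequences with the letter they imitate."""
    d = domain.lower()
    for glyph, letter in HOMOGLYPHS.items():
        d = d.replace(glyph, letter)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, protected: Iterable[str] = PROTECTED) -> Optional[str]:
    """Return the protected domain this one imitates, or None.  An exact
    match is the brand itself, not a lookalike."""
    domain = domain.lower()
    if domain in protected:
        return None
    norm = normalize(domain)
    for brand in protected:
        if norm == brand or edit_distance(norm, brand) == 1:
            return brand
    return None


def scan(domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs of (suspect domain, imitated brand) found in a list such as a
    newly-registered-domain feed or a day's inbound sender domains."""
    hits = []
    for d in domains:
        brand = lookalike_of(d)
        if brand is not None:
            hits.append((d, brand))
    return hits


if __name__ == "__main__":
    # Constructed feed slice mixing lookalikes with unrelated registrations.
    for suspect, brand in scan(["goog1e.com", "acrne-corp.com", "googIe.com",
                                "partner-corp.com", "g00gle.com", "google.com"]):
        print(f"{suspect} imitates {brand}")
```

A distance of one deliberately also catches a different TLD (acme-corp.co), which is a common registration pattern; for a larger brand list the glyph table would grow to cover Unicode confusables (Cyrillic letters in IDNs), which a production scanner handles by converting the punycode form before normalising.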
It’s a chess match to shift your controls to block threat actors’ tactics
These are all examples of shifts in defense tactics that are in direct response to the shifts that threat actors take. If you study their tactics, you can identify patterns and then anticipate what threat actors are likely or beginning to do, and adjust your controls. This is an ongoing process—it never ends. It’s always a game of cat and mouse where you’re constantly adjusting your controls.
How do you keep track of the threat actor tactics? You study them, and there are various ways of doing this. Security intelligence services can keep you informed, and there are numerous sources, both public and private. You can monitor the online forums that criminals use to communicate and share their tactics. Following such forums helps you know exactly what they’re thinking and what they’re doing.
Next, join an Information Sharing and Analysis Center, or ISAC. An ISAC is where you can determine whether something you see in your environment is also impacting other organizations’ environments. If it is, then you know it’s an opportunistic and not a targeted attack, which is helpful, useful knowledge. Plus, you can ask the other organizations, “What control are you using?” or, “What unconventional approach are you using?” and, “What works and what doesn’t work?” That information sharing allows you to operate the same way the criminals do today, which is to share on forums which tactics work and which ones don’t.
Basically, you have to consume intelligence through multiple sources. Some of that intelligence comes from boots on the ground, other practitioners just like yourself. You need your ISACs to share that information in a safe forum, in some cases with government entities. Then you need to adjust your controls on a regular basis as shifts in threat actor tactics occur. If you only use conventional controls, you won’t stop the unconventional attack methods.