Month: December 2018

Lessons From Cyber War – Extract of Talk to the IET

I was delighted to speak to the Inverness branch of the IET on 5th December 2018. The following is an extract of what I covered:

Cyber security is a fast moving business. Threats emerge and threat actors evolve at pace, so as security professionals it is essential to learn lessons in real time to stay ahead of the game. That is why cyber intelligence is such an important discipline; it provides the edge that transforms a reactive approach to a more valuable proactive model.

Of the threat actors, criminal groups pose the greatest threat to business security. However most criminal organisations have neither the means nor the resource to be as surgically effective as state actors. In recent years cyber has become increasingly critical as a weapon of war. The tools and processes used at this level are often the best there is, so it makes sense to learn all we can from such operations. Even if we only examine detail available in open source reporting there is much we can learn from case studies including:

·       The consistent targeting of the ‘soft underbelly’. It is striking how often access is achieved by using a vector overlooked or considered unimportant by defenders.

·       Human weakness – almost all successful attacks at some point take advantage of the human in the process, who is often much more porous than the technology.

·       Unexpected indicators of compromise. We can’t always anticipate the indicators of malign activity and therefore traditional ‘signature sniffing’ approaches become increasingly ineffective. The future lies in anomaly detection; by highlighting outlier activity to experienced analysts we stand a much better chance of effective detection.
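To make the signature-versus-anomaly point concrete, here is an added example (not from the talk) run over constructed connection-log lines: a signature check that only fires on a known indicator list, beside a baseline check that uses the median and median absolute deviation so a single outlier cannot inflate its own baseline. The log format, hosts, addresses and byte counts are all made up for the illustration.

```python
"""Added example: indicator matching beside baseline outlier detection."""
import re
from statistics import median

# Constructed sample log: "time host destination_ip bytes_sent".
SAMPLE_LOG = """\
09:00 ws01 203.0.113.10 1200
09:05 ws02 203.0.113.10 900
09:10 ws01 198.51.100.7 1500
09:15 ws03 203.0.113.10 1100
09:20 ws02 198.51.100.7 1300
09:25 ws04 192.0.2.99 48000000
09:30 ws01 203.0.113.10 1000
"""

# Constructed indicator list: what a signature-based tool already knows.
KNOWN_BAD_IPS = {"198.51.100.200"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Parse lines into (time, host, dst, nbytes); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, host, dst, nbytes = m.groups()
            events.append((t, host, dst, int(nbytes)))
    return events

def signature_hits(events, known_bad=KNOWN_BAD_IPS):
    """Indicator matching: blind to anything not already on the list."""
    return [e for e in events if e[2] in known_bad]

def volume_outliers(events, threshold=3.5):
    """Flag transfers far from the fleet baseline using a modified z-score
    (median and MAD) so one huge transfer cannot skew its own baseline."""
    sizes = [e[3] for e in events]
    med = median(sizes)
    mad = median(abs(s - med) for s in sizes)
    if mad == 0:  # all sizes identical: any deviation at all is an outlier
        return [e for e in events if e[3] != med]
    return [e for e in events if 0.6745 * abs(e[3] - med) / mad > threshold]

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("signature hits:", signature_hits(ev))    # nothing on the list
    print("volume outliers:", volume_outliers(ev))  # the 48 MB transfer
```

The signature check returns nothing because the destination was never seen before, while the baseline check surfaces the one transfer an analyst should look at.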

Learning from case studies is tremendously valuable, but learning from theory is useful too. Many authors have used the UK military Principles of Defence to extrapolate lessons for cyber security; indeed, there is at least one security business that uses the principles to structure its consultancy. There is good reason for doing so: defence is defence, whether in the physical world or in cyber space, and the six principles are equally valuable in each:

·       Depth – Any cyber security solution must be multi-layered to frustrate, delay and deter an attacker. It must also incorporate physical, technical, procedural and cultural elements.

·       All round Defence – There is no point locking the front door if the back door is left open.

·       Mutual Support – Aggregating our monitoring from multiple sources, and combining it with threat intelligence in a Security Information and Event Management (SIEM) system, gives a more coherent and holistic view of what is happening in our networks.

·       Reserves – Any organisation must be capable of business continuity (resilience is key) and disaster recovery (backup is key).

·       Offensive Spirit – Taking or gaining the initiative by ‘hacking back’ or ‘hacking first’ may be off the agenda for commercial organisations (at least within current law) but that doesn’t mean that offensive thinking can’t help us defend. This is most easily brought to bear by aggressively pursuing intelligence.

·       Deception – Using honeypots or dummy networks can be effective in identifying breaches and gathering information about attackers.

As information becomes our most valuable resource, it is imperative that we take every opportunity to develop our understanding of how best to defend it.