Headline
When CISOs Are Ready to Hunt
This is what happens when a CISO gets tired of reacting to attacks and goes on the offensive.
Like a member of any profession, a chief information security officer (CISO) grows into their role. They exhibit a maturity curve that can be roughly split into five attitudes:
- Protection: When a CISO first steps into their role, they look to perfect the basics and build a fortress for themselves in the form of firewalls, server hardening, and the like.
- Detection: Once they determine how the framework is built, the CISO moves on to more and more sophisticated monitoring tools, incorporating in-depth monitoring and packet filtering.
- Response: The journeyman CISO will start crafting detailed response plans to various scenarios, weaving them into the overall BC/DR planning and making sure that the team is ready for anything.
- Automation: Next they’ll focus on making everyone’s life easier by incorporating automation, AI/ML learning, and third party intelligence into their already-robust defenses.
You may have seen or experienced this kind of four stage evolution yourself. But there’s a much rarer fifth stage that is reached much later in a CISO’s career. Upon seeing the multitude of annoyances buzzing around them, probing, trying to gain access to their territory … they become restless. They get tired of waiting for their enemies to strike.
The fifth and final stage is proactivity. And it’s at this stage that CISOs go on the hunt, using techniques of modern defense.
Leaving the Comfort Zone
The demarcation point is traditionally where everything becomes “somebody else’s problem.” If anything breaks or gets hacked, it isn’t on the company’s dime.
At least, that’s how it used to be. Veteran CISOs know that in the era of the cloud and heavy federation, nothing could be further from the truth. Every hack has ripples. Every DDoS has collateral damage. An attack on your ISP, on a federated partner, on your supply chain, on the company’s bank, or on utility providers might as well be an attack on your turf.
Most importantly, social engineering and fraud ignore internal demarcations entirely! They don’t respect traditional boundaries. If they need to use your federated partner to get in, they will. If they need to infiltrate your employees’ social media to gain leverage, they won’t hesitate.
But what can be done? Your tools, your monitoring … absolutely everything you’ve built is designed to cover your own territory. How can you have an impact on the other side of the demarcation?
Part of the proactivity that comes with stage five of a CISO’s career is the ability to process threats that have the potential to impact your business. This means combining the resources that are available to the entire cybersecurity community and the intelligence gleaned from your own monitoring efforts.
Now you’re in what Tom Petty once called “The Great Wide Open.” The bad news is that your activities are more exposed out here. The good news? You aren’t alone.
Resources for Fraud Prevention Beyond the Demarcation
In order to get ahead of the curve, you need to work with others and assess emerging threats. Two traditional resources are still effective here: CERT and OWASP. These two organizations have been tirelessly tracking cybersecurity trends for over a generation.
But there are some newer kids on the block that can help you on your hunt. PortSwigger’s BURP suite can help you to perform intelligent Web application and network analysis (just make sure you get permission from your business partners before you go full white-hat on their infrastructure). Some subscription advisory services like Black Duck can be worth their weight in gold.
But those are all solutions on the technical side, and fraud isn’t always technical. To hit fraudsters where it hurts, you need to embrace the human element.
A Global Defense Effort
One of the advantages of using an antifraud suite such as that made by Human Security is that the breach information it gathers is shared anonymously across Human’s entire client base. That means when a new fraud attempt is registered with any customer, updates to combat it are shared with all customers across every impacted system: training, automated scans, spam rejection, firewall rules, and packet filtering, to name a few.
Additionally, internal and external attempts to misuse or compromise corporate resources are compared to events taking place elsewhere on the Human network. If there’s a pattern, the cybersecurity team is informed, and additional resources can be dedicated to monitoring the situation. MediaGuard can do the same for impersonation attempts or attacks on brand integrity.
What Do You Do When You Catch Something?
All of these resources allow you to hunt well beyond the demarcation point. But what do you do when you actually track something down?
When you find vulnerabilities in your supply chain or within a federated resource, you need to share them with your counterpart at the company in question. Assuming you’ve done everything above board and with their permission, this isn’t a problem. If you accidentally hunted outside your domain without permission, see if the impacted business has an anonymous tip line for fraud or security.
Then, make sure your own detection and filtering process is adapted to deal with the new threat before the fraudsters or hackers can even make the attempt. Report any new technical vulnerabilities to your preferred advisory service, and then start planning your next hunt.