Average dwell time, the period during which an intruder remains inside a breached system before being found, is 200 days, said Bob Stasio of DreamIt Ventures, a cybersecurity company that hunts for intruders on organizations' systems. He has worked in security positions for IBM, NSA, FAA and NASA.
Addressing Cyber Security Summit 2018, Stasio said that 80 percent of hacks are stopped by Tier 1 security controls – firewalls, NIST standards, and the like. To keep larger threats from accumulating significant dwell time on your systems, it’s time to move from perimeter protection to threat hunting. Stasio introduced a high-level system view of the approach he employs, Cyber Operations and Intelligence Essentials for Leaders (COIL).
Tier 2 and Tier 3 threats come from organized crime and nation-state actors who demonstrate patience and persistence in their quest to cause big breaches. They’re getting better at hacking, Stasio said, and hacking tools are becoming commoditized and easier for anyone to use.
“Today, we’re very reactive,” he said.
Stasio suggested we need to achieve cyber hunting and predictive capabilities. We need to be able to capture pertinent data, process it into information, and then analyze it into intelligence.
He reviewed the steps of a process for gathering data and producing intelligence. The most important component under the overarching heading of Commander’s Critical Information Requirements (CCIR) is a body of information called the Prioritized Information Intelligence (PIR). Conceptually, he said, it’s “how I see my enemy.” One PIR input may be chatter from the Dark Web. Out of the full range of attack vectors, the process must pare the large body of possibilities down to the most likely three percent, giving research teams guidance on what kinds of threats they should be looking for.
The integrated process also relies on Friendly Force Intelligence Reports (FFIRs) – how I see myself. FFIR demands that you know in detail the inventory and deployment of your own assets. For instance, how many servers do you defend? Where are they housed? Where is critical data stored?
Essential Elements of Friendly Information (EEFI) covers how I prevent the enemy from seeing me.
The CCIR is where the questions are refined, and they should come from the CEO level of an operation. (Stasio once worked for billionaire Michael Bloomberg.) He emphasized that the CEO must direct the research-gathering process, seeking the critical information needed for intelligence while avoiding extraneous data.
“Collection management is most important” and must come from the top down, Stasio said, adding that only the top level can maintain needed focus in the scope of the search.