Cybersecurity — Isn’t it about hacking?

Anish Rajendran
7 min read · Mar 31, 2021

For the past couple of years I have been working on building solutions in the field of cybersecurity. When I started this journey, I was puzzled about what exactly it is. The terms I had heard associated with cybersecurity were hacking, threat hunting and so on. So is it about understanding how people hack into a system? Or is it something else, too complex for an application developer like me to understand? Does it need deep low-level system and network knowledge to get into the field?

Later I understood that cybersecurity is not only about hacking, or in other words ethical hacking. Ethical hacking is only a small area within cybersecurity, even though it is itself a vast and advanced area. So what is cybersecurity?

Kaspersky defines cybersecurity as the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.

What do we defend against? We need to defend against bad actors who can take possession of our valuable digital assets and monetize them, or do something else that might harm us. Our valuable digital assets can be our bank account credentials, personal details, confidential documents and so on.

How can an attack happen? It can be through malware, phishing, password attacks, man-in-the-middle attacks, rogue software and more.

Will they only take away our valuable digital assets? Not exactly: they can also lock some of our valuable digital assets so that we are unable to access them, and then demand money to unlock them. These kinds of attacks are carried out using ransomware. There are also other situations, such as one of our applications being flooded with requests so that it becomes unusable for its intended users. This kind of attack is known as a Distributed Denial of Service, or DDoS.

So how do we prevent these kinds of attacks? We need to secure our assets: networks, applications, data and devices. Cybersecurity deals with the mechanisms that help secure and monitor our assets against cyber attacks. In the digital world, as in the real world, security can be of two types — Proactive and Reactive. As the word implies, proactive means being prepared against attacks. Reactive means defending against attacks as they happen. So what kind of cybersecurity mechanism do you need? Both. Just as in the real world, unless you have a proper lock in place you cannot keep your belongings safe; without a lock you will not even have time to defend against an attack. Will just having a lock or some other safekeeping mechanism protect our belongings? No, because nothing is 100% secure unless we keep monitoring it and make the required improvements regularly.

So let's see what the Proactive and Reactive cybersecurity measures are.

Proactive

This is about securing our assets and proactively validating whether they are secure, or whether we need to implement other, better security controls to ensure our safety.

The following are ways to do proactive cybersecurity.

  1. Protective mechanisms for our assets — In the real world we can have locks for our house and different mechanisms to protect the perimeter around it. If we have valuables, instead of keeping them in our house we can use the vaults or lockers provided by third parties like banks for better security. Similarly, in the digital world we can secure our assets like applications, internal networks, data and devices. This can be done with locks like user credentials for authentication, or with encryption keys to encrypt our data so that it is unusable even if it falls into the wrong hands. We can also protect our network boundaries with firewalls, secure our systems with antivirus software, or secure our applications with Web Application Firewalls (WAFs). Another way is to keep our most valuable secrets in vaults to ensure better safety for them. These kinds of proactive measures ensure that our assets won't fall into the wrong hands so easily.
  2. Cybersecurity assessments — Even after we ensure that all our belongings are securely locked, bad actors can try to break in and take away our assets. So we need to properly assess our security mechanisms against industry standards so that we can be confident they are safe. This is normally done by experts in this area who assess the security controls that have been implemented and validate whether they are in accordance with the defined security standards. There are several frameworks and regulations that define cybersecurity standards, like NIST, ISO and GDPR, each with a set of defined controls. As part of the assessment, the experts evaluate how compliant the organization's processes are with each of these security controls. Recommendations based on the assessment can then be used to strengthen security.
  3. Vulnerability scans — Cyber attacks normally happen by exploiting vulnerabilities in our systems, applications or security controls. A vulnerability is a weakness or flaw in the security controls implemented for our protection. In almost all cyber attacks these vulnerabilities are exploited to break into our assets. Organizations like MITRE identify vulnerabilities in systems and solutions and publish them in a vulnerability database. Vulnerability scanners like Qualys or Nessus parse these feeds and use the information to scan systems and report vulnerabilities. These vulnerabilities can then be tracked and fixed to ensure the security of our assets.
  4. Penetration Testing or Ethical Hacking — Penetration testing is a simulated cyber attack in which ethical hackers try to break into our network or systems. It is usually done by an experienced external person, like a contractor, who has little knowledge of the internal systems. They help identify the vulnerabilities in our assets or environment by acting like a hacker and trying to break into our systems. Penetration testing is normally done with the help of software tools that can perform brute force attacks, SQL injection and so on.

Reactive

Whichever way we try to protect our systems, they remain prone to attack. Better proactive measures mean we get more time to react to attacks. So we need to be vigilant and keep monitoring our assets, so that any attack can be identified and the necessary actions taken before it succeeds. There are different ways to do this.

  1. Threat Detection and Response — This is one of the most important areas of cybersecurity, where systems are monitored and protected. One of the most important tools in threat detection and response is Security Information and Event Management (SIEM). These tools collect logs from a wide variety of sources like applications, servers, networks, firewalls, antivirus and so on. All the collected logs are correlated and analyzed in near real time. After analysis, alerts are created for potential threats based on correlation rules or on machine learning models that look for anomalous behaviour. These alerts are reviewed by analysts to decide whether they represent a genuine threat that needs attention or a false positive. Some examples of SIEM tools are Splunk Enterprise Security, Azure Sentinel, IBM QRadar and LogRhythm.
  2. Endpoint Detection and Response (EDR) — Attacks always occur through the endpoints of our network, so it is important to detect and respond to attacks happening through endpoints. These tools help respond to attacks at the endpoints. Some examples are CrowdStrike and Symantec.
  3. Network Detection and Response (NDR) — Even with proper endpoint detection, some attacks may not be identifiable. NDR solutions help detect malicious activity on the network and identify whether an attacker was able to successfully break into our environment.
  4. Cyber Threat Intelligence (CTI) — Cyber Threat Intelligence feeds are sources of information, indicators and artifacts gathered by security researchers and analysts to provide information about threats and threat actors. This helps security organizations be better prepared for cyber attacks.
  5. Threat Hunting — In the digital world, once adversaries have already broken into a network or system it is difficult to identify their actions. It can be hard to spot malware that extracts data from systems, or ransomware that encrypts critical data, once it is inside the network or system. If a request for data or any other activity originates from within our network perimeter, it is usually served without much validation, because it is assumed that no bad actor has broken into the network given that none of our security controls caught anything. Threat hunting is the process of searching through networks to detect and isolate advanced threats that have bypassed existing security solutions. Threat hunters can use advanced analytics and machine learning that look for anomalous scenarios or for known indicators of attack from threat intelligence to identify such threats.
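To make the SIEM correlation step (item 1) and the indicator matching from threat intelligence (items 4 and 5) concrete, here is an added example that is not part of the original post: a tiny rule engine run over constructed log lines. The key=value log format, the `login_failed`/`login_success` event names and the indicator list are all assumptions for the example, not the format of any real SIEM.

```python
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format (not real SIEM data).
LOGS = """
2021-03-31T10:00:01 host=web01 src=203.0.113.7 user=alice event=login_failed
2021-03-31T10:00:05 host=web01 src=203.0.113.7 user=alice event=login_failed
2021-03-31T10:00:09 host=web01 src=203.0.113.7 user=alice event=login_failed
2021-03-31T10:00:20 host=web01 src=203.0.113.7 user=alice event=login_success
2021-03-31T10:01:00 host=web01 src=198.51.100.4 user=bob event=login_failed
2021-03-31T10:05:00 host=web01 src=198.51.100.4 user=bob event=login_success
2021-03-31T10:06:00 host=vpn01 src=192.0.2.66 user=carol event=login_success
""".strip().splitlines()

# Constructed threat-intelligence feed: source IPs an analyst would treat as known-bad.
CTI_INDICATORS = {"192.0.2.66"}

def parse_line(line):
    """Turn one log line into a dict of fields plus a datetime timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def correlate_brute_force(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold failures from one source, then a success, inside the window."""
    alerts = []
    failures = {}  # src -> timestamps of its failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["event"] == "login_failed":
            failures.setdefault(src, []).append(ev["ts"])
        elif ev["event"] == "login_success":
            recent = [t for t in failures.get(src, []) if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src": src, "user": ev["user"]})
    return alerts

def match_indicators(events, indicators):
    """CTI rule: flag any event whose source IP appears in the threat-intel feed."""
    return [{"rule": "cti_match", "src": ev["src"], "user": ev["user"]}
            for ev in events if ev["src"] in indicators]

def run_siem(lines, indicators):
    """Collect, parse and correlate the logs, returning the alerts an analyst would triage."""
    events = [parse_line(line) for line in lines]
    return correlate_brute_force(events) + match_indicators(events, indicators)

if __name__ == "__main__":
    for alert in run_siem(LOGS, CTI_INDICATORS):
        print(alert)
```

Bob's single failure four minutes before his success falls outside the window and produces no alert, which is the kind of threshold tuning that separates a useful rule from a noisy one.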

Having read about the proactive and reactive cybersecurity activities, one related term is the Security Operations Center, or SOC.

What is SOC?

A Security Operations Center (SOC) is a facility that houses a cybersecurity team responsible for monitoring and analyzing an organization's security posture on an ongoing basis. The SOC team's goal is to detect, analyse and respond to cybersecurity incidents or threats using a combination of technology solutions and a strong set of processes. SOC staff work closely with the organization's incident response teams to ensure security issues are addressed quickly once discovered. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended against, investigated and reported.

With corporate networks becoming more open through advances in cloud computing and wider use of the internet, the attack surface is ever increasing. It becomes easier for attackers to look for vulnerabilities to get into the network. Cybersecurity is now more relevant and important than ever before.

Anish Rajendran
Cyber Data Architect working with EY