'Think like a bad guy' to protect against hackers - HP Enterprise Security
Director of threat research for HP's Enterprise Security business unit says we are "read like an open book"
Cyber security professionals need to stop being "read like an open book" and think like hackers in order to properly defend against cyber threats.
That is according to Scott Lambert, director of threat research for HP's Enterprise Security business unit, who made the comments in the wake of the HP Security Cyber Risk Report 2013. He explained how a mindset of "thinking like a bad guy" would be beneficial to cyber security personnel.
"If you look at which vulnerabilities the bad guys are weaponising, you want to address your defence from that perspective," Lambert told Computing, and gave the example of taking Java loopholes into account.
"Java Sandbox bypass vulnerabilities were some of the most prevalently used by cyber criminals last year, so if you have Java in your network and know it was in parts of your environment that had access to sensitive data, that's certainly something you want to prioritise as soon as patches became available."
Lambert pointed to how cyber criminals use underground forums and the dark web to share information about known vulnerabilities and successful thefts and hacks. He suggested that cyber security professionals across different organisations should employ the same collaboration tactics in order to protect against the latest cyber threats.
"There's a lot of collaboration among the bad guys; they share the malicious payloads, the malicious infrastructure, they talk about standard operating procedures and the tactics and techniques they use to successfully carry out a compromise and extract data," said Lambert.
"As defenders we need to be thinking along the same lines. As defenders we should be sharing with one another: 'We've seen this threat actor in our environment; this is the incident response process we've used to thwart the threat, to respond to the incident. This is what worked, this is the sequence of events they carried out in our network that we should be aware of'," he continued.
"We want defenders to collaborate more around sharing threat intelligence and more specifically actionable threat intelligence, things you can consume and understand."
Lambert also said that cyber security professionals should employ the strategy of "continuous monitoring" employed by cyber criminals and hackers, so that if a new threat does occur, they are able to keep their organisation safe.
"Bad guys use continuous monitoring for their critical components, they understand when their malicious payloads are being detected by the anti-malware industry and they quickly deploy a new fully undetected malware payload as a result of monitoring continuously," he told Computing.
"They understand when their internet infrastructure turns up on a blacklist so they re-route traffic accordingly. They're quick to adapt to these types of things, so we need to understand the environment, deploy continuous monitoring and know what's happening. Those types of things are very important for the defender."
Lambert believes that for most organisations, security strategy is centred on a low bar, something which makes it easy for cyber criminals to hack into systems and steal data.
"There's a reason that our defences today are being bypassed; we're essentially read like an open book as defenders," he said. "This is especially troublesome from a compliance perspective – a bad guy simply has to read in order to understand where we're going to be weak and attack us."
That, Lambert explained, is why cyber security professionals need to "think like a bad guy" and collaborate on sharing information in order to best protect against cyber threats.
"The heart of the matter goes back to sharing information about how bad guys are successfully compromising networks; that's the key," he said.
Lambert also told Computing how misconfiguration of applications – that is, failing to apply patches or using out-of-date software – is also leaving "low-hanging fruit" that is ripe for the picking by cyber criminals.
"Defenders still struggle from an operational perspective and a large percentage of applications suffered from vulnerabilities due to misconfiguration – not specific to a vulnerability or code flaw, but just misconfiguration of the software once deployed – which means there's an easy avenue for the bad guys to come in," he said.
"The biggest thing is we still struggle with a lot of the basics. I think people have a good understanding of their primary data stores but when you get into secondary and tertiary where the data goes, that's what we start to fall down on.
"Bad guys focus on what matters the most, which is sensitive data."