An effective cyber response strategy across the internet
An effective cyber response strategy – the current service offerings in the industry seem limited when it comes to the ‘course of action’ taken in response to attack attributes across the internet.
The cyber threat landscape is continuously evolving, and cyber criminals are also economising their resources. Each attack has multiple attributes that the attacker assembles and makes work together to conduct their attacks, frauds and scams. When the defending organisation detects the attack, it tends to focus on the most visible attribute and put its effort into taking that down.
This is an incomplete approach, as it leaves many attack attributes unaddressed and so gives the attacker the opportunity and the means to reassemble a similar strike quickly and easily: the attacker only needs to replace one or two of the multiple attributes that constitute a single attack.
A good example is a lookalike fraud site whose attack attributes include the website URL, the lookalike domain, the name server, an associated Gmail address, the SSL certificate and a payment-receiving money mule account. Normally the site alone is taken down, leaving all the other attributes intact.
If we explore the reason for this approach, the apparent answer is that the majority of service providers do not offer such pivoting from a single attack attribute to identify as many linked attributes as possible and apply the various ‘courses of action’ each one requires.
Attempting to do so makes the scope of work very open-ended and challenging to deliver, especially when a novel attack attribute or technique is encountered and a bespoke approach is needed to address it.
The providers who do offer it first have to perform an extensive investigation. Hence, they tend to charge a high fee for each incident and response. Moreover, their standard courses of action are still limited to takedowns only, so many other attack attributes are left unaddressed even after they have been identified.
The following are just a few more ‘courses of action’, in a non-exhaustive list that grows as new attack scenarios call for new mitigation approaches.
Not having the facility to perform incident response on EVERY suspicious or malicious attack attribute places a major burden on the CISO office.
They now have to PICK and CHOOSE what to respond to and where to hold back. This is not an ideal fix, as risks are neither eliminated nor minimised. As cost and capability are the main factors, CTM360 offers a unique solution: unlimited investigations AND unlimited incident responses.
We do not leave anything to chance, even if it is outside the agreed scope of activities — giving maximum protection is our goal.
This requires a comprehensive system with adequate tools and processes to cater for every variation of response action and for communication with the relevant ISPs, registrars, hosts, CERTs and all major technology and security vendors.