The inevitability of cyberattacks does not need to be an inevitable disaster to a business, but it does call for precision in data collection and structuring. Precise data enables precise outcomes — and gives security teams a chance to beat the bad guys.
Precision in security requires the data to be integrated in order to produce context, correlation and causation. We call it the "Three C’s of Security."
What do we mean by precision?
Consider the effectiveness of “intelligence” telling you that there’s a malicious green car in your area. All of a sudden your radar is up and on the lookout for a green car. Now when a green car drives by you think — there’s the criminal! However, it turns out it’s just a friend dropping off food at the neighbor’s house. You see another green car and your radar is back up. Green car! Ah, actually it’s the babysitter at the house across the street.
Precision would provide us additional details, such as “green Ford sedan, bumper sticker on rear passenger side, horizontal dent in the driver’s side door, and Texas license plate.” With this information we aren’t thrown off by a bunch of benign data points coinciding with the intelligence — the equivalent of false positive alerts.
And realistically, by the time that “green car” alert gets out, the criminal has most likely changed vehicles, but they still exist. What we need to be looking for is something that simply shouldn’t be there — for example, any car that appears a few too many times without stopping. Heck, it may even be a bike or pedestrian. We search until we are assured the threat no longer lingers in our space (i.e. defense controls have proven effective). A view into an effective model for that can be found in the Pyramid of Pain.
Let's talk about the Three C's of Security:
1. Context: In setting context to uncover an attack, an analyst would want visibility into attributes such as:
- Location and time of the suspicious activity
- What was accessed
- Who is allowed access
- How, if at all, the behavior in question differs from normal behavior
Detection tools and policy drive most of this. Ideally, all of this information is available in a centralized operations tool to enhance the speed of response.
2. Correlation serves to narrow the focus of the investigation; to utilize all information to form a hypothesis to test. “For a given input, a certain output is sometimes observed.”
In testing many variables of car color and shape, it appears that when “green cars” are introduced to the neighborhood, there is a crime.
But this is not always true — there are innocent green cars on the roads. That is ok, because correlation doesn’t provide the same output for each input. Therefore, with sufficient data available we can narrow the hypothesis further until we find pay dirt.
Correlation is constructed through intelligence created by well-integrated tools, vendors, controls and the experts managing them.
3. Causation is about having all the details from every vector to grant a high degree of certainty — it knows not only the green car, the criminals in the green car, and what they stole, but would also know why they stole it, where their base of operations is most likely at, how they were able to bypass your security.
It's good to know whether you were a strategic or opportunistic target before responding. Causation is what allows us to know if we have successfully mitigated the threat and then have the information to put in controls to remediate the threat moving forward.
We can respect the capabilities and determination of attackers without lionizing them, after all, they have the same tendencies towards routine and observable “tells” as anyone else with a pulse. They want the most bounty for the least investment.
A system that is able to produce context, correlation and causation around activity on infrastructure serves as a strong benchmark for defense. It may require more tooling and investment, but will help provide assurance that all risk is known and capable of being addressed.