3 min

Knowledge means security – but how to develop a more proactive strategy to information security?

Operational security - September 29, 2014

Prior to the application of technological solutions, the security of information systems requires a precise knowledge of the threats and an evaluation of their possible impact on our systems. In recent years, the proliferation of open source intelligence (OSINT), such as CERTs, has made it necessary to dig deeper and especially with greater speed in detecting probable new cyber threats. Consequently, today’s businesses must shed their passive stance in favour of greater responsibility in ensuring their cyber security in this ever-changing and increasingly complex online environment.

Information security is standard practice today; however, it relies primarily on open-source information that favours fixing breaches rather than preventing them.

Confronted with a myriad of threats associated with new technologies, companies have implemented procedures to determine where their information systems might be vulnerable to attack. This trend has made network security more widespread and encouraged the sharing of cyber strategies to improve security. As a result, it isn’t difficult to imagine taking a more proactive approach that anticipates cyber attacks rather than reacting to an already compromised system.

The cornerstone of today’s network security system is CERT (Computer Emergency Response Team) [1], which shares the most up-to-date public information on security issues. Yet, it isn’t feasible for mid-sized companies to subscribe to all these surveillance and warning systems. As such, the CERT and more generally OSINT are a luxury at the disposal of only a minority, though their goal is to serve all IT professionals.

By definition, network security means being aware of changes in the global cyber landscape and recognizing incidents. As CERT or other information security agencies expose vulnerabilities, these flaws are struck from hackers’ capabilities, yet this does not guarantee immunity from future attacks. Moreover, a delay still persists between the moment a breach is discovered and when the fix is made available, which offers attackers an added window of opportunity. [3]

With this in mind, a proactive strategy that anticipates future attacks is indispensable. This tactic must call upon sources closest to the threat.

Use of the deep web and other repositories of pertinent information will play a crucial role in minimising incident response times and preventing new attacks.

The deep web classifies Internet content that is not indexed by standard search engines, such as dynamically generated sites or password-protected sites [8]. This “invisible” web is a vast warehouse of information not least of which are hacker sites accessible by invitation only. These networks are the crossroads of communication between hackers. They discuss past and present activity, recently discovered system flaws and their plans to exploit them.

Accessing the deep web presents a number of technical challenges since the number of sources is too high for human review. A semantic analysis approach is therefore imperative to assess the latest threats. This method’s core component is the retrieval of semantic data based on the entirety of a source or hacker’s reputation. A human audit is then required to corroborate the existence of risk. The goal of this mechanism is to inform businesses about the risks for their infrastructure and to prepare them to update their IT platforms to reduce their exposure to security threats.

Chronologie de l’infection

Infection’s timeline

Mining the deep web puts companies on a more aggressive footing, shifting from a “passive” to a “proactive” posture to improve the security of their networks. The ultimate objective is not simply to pinpoint today’s attacks but to determine tomorrow’s targets and vulnerabilities, from a hacker’s point of view. With access to the same sources as the hackers, it will take companies less time to fix breaches. The technological advances in semantic analysis have set the stage for companies such as Argaus to develop new tools and techniques to improve network security. The addition of this technology to the already considerable arsenal of the OSINT and law enforcement communities will further buttress security capabilities and improve communication for greater business security.

Maxime Alay-Eddine, President and Technical Director, Argaus
Florian Wininger, IT Security Consultant, Argaus

Bibliographie :

[1]          https://observatoire-fic.com/cybersecurite-2014-tendances-et-certitudes-par-guillaume-arcas-et-sebastien-larinier-cert-sekoia/

[2]          http://www.symantec.com/region/fr/resources/veille_secu.html

[3]          http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html

[4]          https://observatoire-fic.com/detecter-les-signaux-faibles-des-cyberattaques-ou-pourquoi-vous-devriez-analyser-vos-logs-par-charles-ibrahim-bull/

[5]          Humbert Lesca, Nicolas Lesca, Les signaux faibles et la veille anticipative pour les décideurs, Méthodes et applications, EAN13: 9782746231405

[6]          Philippe Cahen, Signaux Faibles, mode d’emploi, éditions Eyrolle, 2010

[7]          Philippe Cahen, Le marketing de l’incertain. Méthode agile de prospective par les signaux faibles et les scénarios dynamiques, édition Kawa 2011.

[8]          http://www.brightplanet.com/deep-web-university-2/deep-web-a-primer/

[9]          http://www.cert.ssi.gouv.fr/site/CERTFR-2014-ALE-003.pdf

Send this to a friend