From Warnings to Actions: Proactive Countermeasures Framework
Introduction
In the previous posts, we’ve delved into the use of predictive analysis methods for anticipating cyber threats, focusing on the development of early warning systems and techniques for forecasting changes in threat landscape. I recently had the opportunity to speak on this very topic during the SANS Threat Analysis Rundown webcast, hosted by Katie Nickels. For those who haven’t yet seen it, I highly recommend watching the webcast here:
One critical aspect to understand about predictive analysis is that its outputs are inherently estimative, not definitive. In simpler terms, this method provides us with probabilistic outcomes, such as predicting a 60% likelihood of a spear-phishing attack within the next three weeks. This probabilistic nature can be challenging, especially for cyber defenders who are traditionally more accustomed to working with concrete facts, like Indicators of Compromise.
The question then arises: how do we effectively act on these probabilistic predictions from early warning systems? To address this, I’ll introduce what I’ve termed the “Proactive Countermeasures Framework” in this post. This framework is designed to complement Early Warning Systems, translating warnings into actionable steps by integrating pre-emptive and temporary security measures.
The Proactive Countermeasure Framework (PCF): An Overview
The PCF is structured around two types of security actions: Pre-emptive Measures (PMs) and Temporary Measures (TMs). PMs are low-risk actions taken on a regular cadence to mitigate risks before they materialise. Unlike static defences, they adapt to the patterns that the analytics reveal, but their deployment is considered safe and routine for the organisation. TMs, on the other hand, are event-driven: stricter controls applied for a limited period in response to heightened threat levels indicated by the early warning and forecasting systems.
Pre-emptive Measures (PMs)
PMs are essential to the PCF, tailored to respond to the patterns revealed through security analytics. For instance, analytics may indicate a cyclical compromise of employee credentials. Here’s how PMs would proactively address this:
Example of PM Implementation:
Let’s assume that we have detected a pattern of credential compromise every six weeks. Before the anticipated time of compromise we could take the following actions:
User Risk Profiling: Every six weeks, security teams generate a list of high-risk user accounts by analysing login behaviour, such as login times, source locations and failed attempts.
Forced Password Reset: For the identified users, the system enforces a password reset and, because a stolen credential may already have been exchanged for a session, revokes their active sessions and tokens as well. This measure, while dynamic, is safe because it is limited to users assessed as high-risk on the basis of objective telemetry, minimising operational disruption.
This dynamic approach to PMs ensures routine security actions remain both effective and unobtrusive.
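The User Risk Profiling step above is the part that decides who goes on the reset list, so it is worth seeing as code. The following is an added example, not code from the original post: it scores each account from a constructed window of sign-in telemetry and returns the accounts that cross a risk threshold. The event schema (user, ts, country, success), the score weights, the business-hours window and the threshold are all my assumptions, chosen to illustrate the technique rather than taken from the post.

```python
"""Added example, not code from the original post: the User Risk Profiling step.

Assumptions of mine: sign-in telemetry is a list of dicts with the fields
user, ts (UTC, ISO-8601), country and success; the score weights, the
business-hours window and the high-risk threshold are illustrative values.
"""
from collections import defaultdict
from datetime import datetime, timezone

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC (assumed working window)
HIGH_RISK_THRESHOLD = 4         # assumed cut-off for the reset list

# Constructed sample telemetry for the six-week window (not real logs).
EVENTS = [
    {"user": "alice", "ts": "2024-03-04T09:12:00Z", "country": "GB", "success": True},
    {"user": "alice", "ts": "2024-03-05T08:55:00Z", "country": "GB", "success": True},
    {"user": "alice", "ts": "2024-03-06T10:03:00Z", "country": "GB", "success": True},
    {"user": "bob",   "ts": "2024-03-04T09:30:00Z", "country": "GB", "success": True},
    {"user": "bob",   "ts": "2024-03-06T02:41:00Z", "country": "RO", "success": False},
    {"user": "bob",   "ts": "2024-03-06T02:42:00Z", "country": "RO", "success": False},
    {"user": "bob",   "ts": "2024-03-06T02:43:00Z", "country": "RO", "success": False},
    {"user": "bob",   "ts": "2024-03-06T02:44:00Z", "country": "RO", "success": True},
    {"user": "carol", "ts": "2024-03-05T14:20:00Z", "country": "GB", "success": True},
    {"user": "carol", "ts": "2024-03-06T23:10:00Z", "country": "GB", "success": False},
    {"user": "carol", "ts": "2024-03-07T23:11:00Z", "country": "GB", "success": True},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_user(events):
    """Score one account from its sign-in events; returns (score, reasons)."""
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    score, reasons = 0, []

    failures = sum(1 for e in events if not e["success"])
    if failures >= 3:                       # brute force / password spray signal
        score += 3
        reasons.append(f"{failures} failed attempts")

    seen_countries = set()                  # countries of earlier successful logins
    prev = None
    for e in events:
        t = _parse(e["ts"])
        if e["success"]:
            if seen_countries and e["country"] not in seen_countries:
                score += 3                  # success from a never-before-seen country
                reasons.append(f"new country {e['country']}")
            if t.hour not in BUSINESS_HOURS:
                score += 1                  # success outside the working window
                reasons.append(f"off-hours login at {e['ts']}")
            if (prev is not None and not prev["success"]
                    and (t - _parse(prev["ts"])).total_seconds() <= 300):
                score += 2                  # failures immediately followed by success
                reasons.append("success within 5 min of a failure")
            seen_countries.add(e["country"])
        prev = e
    return score, reasons


def high_risk_users(events, threshold=HIGH_RISK_THRESHOLD):
    """Group telemetry by user and return (sorted high-risk users, per-user report)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    report = {u: score_user(evs) for u, evs in by_user.items()}
    flagged = sorted(u for u, (s, _) in report.items() if s >= threshold)
    return flagged, report


if __name__ == "__main__":
    flagged, report = high_risk_users(EVENTS)
    for user in flagged:                    # these accounts go on the forced-reset list
        score, reasons = report[user]
        print(f"{user}: score {score} -> {', '.join(reasons)}")
```

On the constructed data only bob is flagged: three failures followed within a minute by a success from a country he has never logged in from before, outside working hours. The reasons list is kept alongside the score so that the reset decision can be justified to the user and to an auditor; a real deployment would read the events from the identity provider's sign-in log and tune the weights against historical incidents rather than use the illustrative values here.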
Temporary Measures (TMs)
TMs are stricter controls applied for a limited time in response to elevated threat levels. They are not meant to be permanent because of the disruption or resource cost they impose. They are designed for short-term use to counter imminent threats and are lifted once the threat passes, so each TM should carry a defined expiry and an owner responsible for lifting it, rather than being left in place by inertia.
Example of TM Activation:
Upon receiving an early warning of an imminent spear phishing campaign targeting the finance department we could take the following actions:
Access Control Tightening: Access to critical applications is immediately restricted to the personnel who need them for their current work.
Enhanced Authentication: Stricter multi-factor authentication is required of those with access to sensitive data, for instance step-up authentication on sensitive transactions or a switch to phishing-resistant methods for the duration of the warning.
Monitoring Upscale: Inbound email to the department is scrutinised more closely, for instance with stricter link and attachment filtering and alerting on look-alike sender domains, to intercept phishing attempts before they reach users.
Executing the Proactive Countermeasure Framework
Having introduced the concept, let's now explore its practical implementation. The PCF is implemented through a Proactive Countermeasure Plan (PCP): a repertoire of pre-emptive and temporary measures, each tied to a level of confidence in our predictive analyses.
Creating a PCP means deciding in advance which measures correspond to which degree of confidence in a given threat scenario, so that a warning can be acted on without a fresh debate each time. Here's how to develop an effective PCP:
Define Threat Levels Based on Confidence:
Establish clear threat levels that correspond to different confidence thresholds in your predictive analysis.
These thresholds will serve as triggers for executing specific countermeasures. For instance, a low confidence threshold might initiate basic PMs, while a higher threshold could trigger more intensive TMs.
List Pre-emptive and Temporary Measures for Each Level:
For each defined threat level, enumerate the specific PMs and TMs that will be implemented.
This list should detail what actions are to be taken and under what circumstances, ensuring a tailored response that’s proportional to the assessed threat level.
Take a look at the more detailed example below. This PCP is specifically designed to respond to early warnings regarding imminent spear phishing attacks. Pay attention to how different threat levels are defined and the specific actions associated with each of these levels becoming increasingly stringent.
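To make the mechanics of such a plan concrete, here is an added example of mine, not the post's own table or code, that also serves the TM activation example earlier in the post. It maps forecast confidence to a threat level, activates the PMs and TMs that level calls for, and lifts TMs when the level drops or their expiry passes. The threshold values, the measure names, their minimum levels and their durations are all assumptions chosen for illustration.

```python
"""Added example, not code from the original post: a minimal PCP engine that
maps forecast confidence to a threat level, activates the PMs and TMs that
level calls for, and lifts TMs on de-escalation or expiry.

Assumptions of mine: the threshold values, the measure names, their levels
and their durations are illustrative and stand in for the post's own table.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class ThreatLevel(IntEnum):
    LOW = 0
    GUARDED = 1
    ELEVATED = 2
    HIGH = 3


# Forecast confidence -> threat level (assumed cut-offs, checked highest first).
THRESHOLDS = [(0.80, ThreatLevel.HIGH), (0.60, ThreatLevel.ELEVATED), (0.40, ThreatLevel.GUARDED)]


def level_for(confidence):
    for cutoff, level in THRESHOLDS:
        if confidence >= cutoff:
            return level
    return ThreatLevel.LOW


@dataclass(frozen=True)
class Measure:
    name: str
    kind: str                                   # "PM" or "TM"
    min_level: ThreatLevel                      # lowest level at which it applies
    max_duration: Optional[timedelta] = None    # TMs expire; PMs carry no expiry


# The plan for the spear-phishing scenario (assumed contents).
PLAN = [
    Measure("risk-based password reset", "PM", ThreatLevel.LOW),
    Measure("phishing awareness reminder to finance", "PM", ThreatLevel.GUARDED),
    Measure("step-up MFA for finance", "TM", ThreatLevel.ELEVATED, timedelta(days=7)),
    Measure("stricter inbound mail filtering for finance", "TM", ThreatLevel.ELEVATED, timedelta(days=7)),
    Measure("restrict payment system to essential users", "TM", ThreatLevel.HIGH, timedelta(days=3)),
]


@dataclass
class PcpState:
    active: dict = field(default_factory=dict)  # measure name -> expiry (None for PMs)
    log: list = field(default_factory=list)     # (when, action, measure) audit trail


def evaluate(state, confidence, now, renew=False):
    """Reconcile the active measures with a fresh forecast; returns the threat level.

    An expired TM is lifted and is NOT silently re-activated even if the level
    still calls for it: renewal needs an explicit decision (renew=True), so a
    "temporary" control cannot become permanent by inertia.
    """
    level = level_for(confidence)
    wanted = {m.name: m for m in PLAN if level >= m.min_level}

    expired = set()
    for name, expiry in list(state.active.items()):
        if name not in wanted:                  # level dropped: de-escalate
            del state.active[name]
            state.log.append((now, "lift: de-escalated", name))
        elif expiry is not None and now >= expiry:
            del state.active[name]
            expired.add(name)
            state.log.append((now, "lift: expired", name))

    for name, m in wanted.items():
        if name in state.active or (name in expired and not renew):
            continue
        state.active[name] = now + m.max_duration if m.max_duration else None
        state.log.append((now, "activate", name))
    return level


def run_scenario():
    """Constructed walk-through: confidence climbs over a week, then falls away."""
    t0 = datetime(2024, 3, 1, 9, tzinfo=timezone.utc)
    forecasts = [(0, 0.30), (2, 0.65), (3, 0.85), (7, 0.85), (10, 0.35)]  # (day, confidence)
    state, snapshots = PcpState(), []
    for day, confidence in forecasts:
        level = evaluate(state, confidence, t0 + timedelta(days=day))
        snapshots.append((level, sorted(state.active)))
    return state, snapshots


if __name__ == "__main__":
    state, snapshots = run_scenario()
    for level, active in snapshots:
        print(level.name, active)
    for when, action, name in state.log:
        print(when.date(), action, name)
```

Two design points carry the weight here. First, activation is driven purely by the confidence thresholds, so the plan is decided up front and the forecast merely selects a row from it. Second, the three-day restriction on the payment system expires on day 7 while the forecast is still at 0.85, and the engine lifts it rather than renewing it: keeping a disruptive TM running past its agreed window is a conscious decision (renew=True) that someone must own, which is what stops temporary measures quietly becoming permanent ones.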
To implement the PCP effectively consider the following:
Use predictive analytics to inform when PMs should be updated or when TMs should be activated.
Establish protocols that clearly outline when and how TMs are to be deployed in response to threats.
Ensure staff are well-versed in PM and TM protocols through regular training and simulated exercises.
After any PM or TM activation, conduct debriefs to refine tactics, addressing any inefficiencies or oversights.
Keep all relevant parties informed about current security postures and any changes to routines or access.
Conclusion
The Proactive Countermeasure Framework provides organisations with a methodology to counteract potential cyber threats before they materialise. By combining PMs and TMs, security teams can maintain a responsive defence posture, adjusting swiftly to the threat landscape's ebb and flow. As cyber threats continue to grow in complexity, such an adaptable, predictive approach to cybersecurity is not just recommended but required to protect our organisations effectively.
I hope you enjoyed this post! Feel free to reach out to let me know your thoughts.
See you in the next one.