Sherlock Holmes, Hercule Poirot and Miss Marple, Philip Marlowe, Sam Spade, Nancy Drew and the Hardy Boys … These great (albeit fictional) detectives had two things in common: They always got the culprit, and they did so by staying at least one step ahead.
Today, IT and security professionals are increasingly thrust into the role of detective as their organizations battle all manner of cybercrime. The goal is to identify and intercept attacks, prevent crime and, basically, save the business day. It’s a Hercule(Poirot)-ean task that never ends, but, by following the lead of some of the greats, you, too, can be the hero of your own detective story.
Step One: Build a Map of the City
London, Los Angeles, San Francisco, River Heights … Good detectives know their home turf like the backs of their hands. They know what the prime targets might be, how they are secured, and where the weak underbelly of the city can be found.
IT and security pros need to do the same with the organization’s infrastructure and applications. Yes, your knowledge of and experience with “the city” are important, but they are not enough—especially since today’s infrastructure and apps are constantly changing. It’s important to automate the task of discovering the attack surface, identifying vulnerabilities and building a comprehensive threat map, and to keep that map current as the environment changes. You can build or buy tools to help you do this; just don’t rely on documentation and the promise that “We scan everything in CI so we know it’s secure.” Having deep knowledge of the ever-changing threat map is key for the next part of your defense.
Step Two: Watch and Observe
Next, you wait—and watch. Look for “indicators of compromise”—clear signs that something has happened. Any good detective could spot a door that has been jimmied open or an object that has been moved. IT and security pros might spot a process that crashes unexpectedly, a file modified on disk, an unexpected API call that modifies configuration. You, as the detective, can’t overlook these signs, but essentially what you are seeing is the aftermath of the crime once the criminal has moved on.
A great detective will also look for “indicators of attack.” These are more subtle signs that something is amiss, and unlike indicators of compromise they can show up before any damage is done. These signals tell you if an attacker is reconnoitering a weak point from outside. Perhaps they have evaded the web application firewall (security checkpoint) and reconnaissance traffic is coming from an internal source. Maybe they are prowling the network streets, looking for an open door (port). Maybe you detect unusual SSH or C2 traffic that indicates lateral movement and the presence of command-and-control infrastructure.
Combining both indicators of compromise and indicators of attack gives you the intel you need to stay one step ahead of the attackers’ objectives.
Step Three: Correlate and Infer
Detectives often start their work with a hunch. (Hello, Columbo!) They correlate unusual activities and a detailed understanding of the weaknesses in the city. Suspicions are raised when these two areas of practice come together.
This is the most challenging part of the security officer’s job. You are facing a firehose of signals and telemetry. Perhaps 99% of them relate to normal application and operational behavior, and 99% of the remaining signals capture attack attempts that are just noise; they will never come to anything. How do you find the 0.01% that the genius detective finds by experience and instinct?
The art is based on the three artifacts you manage—the threat map, indicators of compromise and indicators of attack—and your ability to correlate them across both time and space.
Develop or acquire tools that help you to sift through the massive volumes of data to correlate indicators of attack against known vulnerabilities and observed indicators of compromise. Now, you’re ready to raise your suspicions quickly when a sophisticated attack is unfolding.
Step Four: Act on the Intelligence
You have your suspicions based on data and well-reasoned estimates; now you have to act—fast. Your applications should be architected following cloud-native principles to be resilient and scalable, so that removing a suspect component does not take the service down with it. If a service or container is suspected to be compromised, quarantine it and rely on the orchestrator to start clean instances as needed. If indicators of attack originate from an internal or external IP address, block it. If C2 traffic is detected, firewall it. If an authentication token is implicated, revoke it.
It’s Elementary, My Dear IT Pros
Today’s IT and security pro detectives must live out this detective story all day, every day. But they can’t focus only on looking for open doors and mysteriously barking dogs—not if they expect to be able to think and act strategically for the business as well. That’s the reality of securing modern applications and the infrastructure they run on, day after day. Successful IT detectives have learned that staying ahead of the criminals requires a systematic, unyielding approach and that the more you can automate, the better you can keep attackers at bay.