
Friday, 18 November 2016

Cyber security in Israel

Israel’s cyber security frontier

The Israeli city of Beer Sheva is quickly becoming a global centre of cyber security technology

Warwick Ashford / Security Editor
ComputerWeekly.com

The southern Israeli city of Beer Sheva is used to protecting the frontier. During Roman times, it was a dusty outpost that formed part of the Limes Arabicus, a series of desert fortresses defending the empire from raiding tribes. Earlier, the Bible repeatedly cited Beer Sheva as the southern civilised limit of the Israelite kingdoms.
Even today, tourists in Beer Sheva can visit the remains of the fortress that guarded the borders of biblical Israel. But today the frontier is the internet and Beer Sheva offers protection of the electronic sort. The city is rapidly becoming a global centre of cyber security technology.
Israel exports more cyber security-related products and services than all other countries in the world combined, excluding the US. Reports from 2015 show the tiny country making 10% of all global sales in cyber security products and attracting 20% of global investment in the sector.
Much of that investment is centred on the desert city of Beer Sheva, where Israel has constructed a hub for cyber security research and development. Those investments are bolstered by the city’s physical proximity to Israel’s military technological intelligence units and the burgeoning Ben Gurion University, a significant research institution.
At an early stage, Israel identified cyber security as an area of national importance. The small country’s technological skills and continuous concerns over security made cyber security a natural arena for national investment.
In 2010, Israel adopted its National Cyber Initiative, which established a National Cyber Bureau to advise the government on cyber security matters, encouraging co-operation between academia, industry and the defence community, and advancing Israel as a global centre of cyber technology.
Since then, the bureau has, in co-operation with other government agencies, allocated almost $100m to foster entrepreneurship and academic excellence in the field. The Israeli Office of the Chief Scientist, another government agency, has adopted a preferential policy for funding private initiatives in cyber security research and development.
In addition to the Beer Sheva centre, the bureau has also helped to establish a second academic cyber security centre at Tel Aviv University. This latter centre has a broad interdisciplinary focus, which includes political science and legal issues.

Cyber prowess

Observers typically ascribe Israel’s cyber prowess to its human capital – a cadre of technologists trained by a military that needs to retain cyber primacy. For example, the Israeli cloud security firm Adallom, which was acquired by Microsoft in 2015, was founded by alumni of military cyber units.
This trend dates back to 1993, when a veteran of the same unit established Checkpoint, one of the first commercial purveyors of network security software.
But this perspective, with its focus on highly trained individuals, perhaps overlooks the value that broader institutional structures provide to Israel’s cyber security ecosystem.
Economists have studied the role of government institutions in encouraging cyber security investment, asking why state support should be necessary to bolster cyber ventures. Security is a market good, and vulnerable entities will spend good money to obtain security goods and services. If so, why should any government intervention – and Israel’s government has certainly intervened – be needed to bolster cyber security investment?
One answer is that good cyber security defence requires a wealth of information – about emerging threats, existing vulnerabilities and developing technologies. Private entities may not have the incentive or capability to share this information among themselves, and the government may have a role in providing sensitive information or encouraging information sharing.

Security information

This viewpoint can explain recent debates in the US concerning the sharing of cyber security information, debates that culminated in the passing of legislation that allowed companies to share threat information between themselves and with the government. The UK has also created frameworks for the public-private sharing of cyber security information, such as the Cybersecurity Information Sharing Partnership established in 2013.
Israel may not (yet) have express legislation that allows private entities to share cyber data, but it does have government or public institutions that facilitate informal access to such information. Most obviously, the Israeli military provides a hub where individuals share high-level threat and vulnerability information under the umbrella of the state.
In a country that has compulsory military service, and where discharged soldiers regularly come back to their units to train and serve in the reserves, it is possible to see how the military could function as an informal watering hole for the exchange of cyber security information. The establishment of the Beer Sheva and Tel-Aviv centres, and the creation of the National Cyber Bureau, add more points of contact where such information can be exchanged informally between individuals active in the industry.

Long-term strategy

In other words, Israel has constructed a set of institutions that allow for the informal flow of high-level cyber security information. Although such informal sharing cannot provide a basis for real-time response to cyber attacks, it perhaps provides a fertile bed for the development of long-term strategy and the growth of commercial ventures.
Long after its Roman garrisons had disappeared into the desert dust, Beer Sheva played a pivotal role in British military history. Towards the end of the Second World War, General Edmund Allenby and a company of parched light horsemen overpowered the Turkish battlements that were defending the city. Once again, Beer Sheva showed its critical role in defending the Holy Land – after the battle, Jerusalem and the rest of the country swiftly fell into British hands.
Today, the cyber hub of Beer Sheva is reprising its central role in military and civilian defence, but the battlefield now plays out in digital bits instead of the arid desert, and the weapons are innovation and information-sharing rather than trenches and bayonets. And Israel is hoping these digital swords can be beaten into instruments of commercial success.


Thursday, 17 November 2016

How to counter threats to information / cyber security caused by "insiders" ("our own" people)? Part 3


Combating the Insider Threat
© 2015 Lancope, Inc.

Table of Contents

Chapter One
WHO IS ATTACKING YOUR NETWORK?
Chapter Two
INSIDER THREAT MOTIVES AND METHODS
Chapter Three
DETERRING INSIDER THREATS WITH TECHNOLOGY
Chapter Four
USING NETWORK LOGS TO THWART INSIDER THREATS
Chapter Five
BEYOND TECHNOLOGY
Chapter Six
SUMMARY & TOP 10 WAYS TO COMBAT INSIDER THREATS

Chapter Three

Deterring Insider Threats with Technology

Thankfully there are technologies that can help organizations deter or thwart insider threats. Here’s a look at which types of technologies are effective against each kind of insider threat.

Negligent Insiders
Various measures can be used to deter negligent activity and “keep honest people honest.”

Access Controls
Access controls can prevent people from obtaining sensitive data that they do not need in order to do their jobs. According to a December 2014 report by the Ponemon Institute, seventy-one percent of end users say that they have access to company data they should not be able to see.

Encryption of Data at Rest
Encryption of data at rest can also help prevent data loss by negligent insiders in the event that they lose their laptops or other equipment.

Malicious Insiders

Access Controls
Access controls can also help prevent damage done by malicious insiders. Making it harder to access sensitive data can keep honest people honest, but also put a wrench in the plans of malicious attackers.

Checks and Balances
Checks and balances are also extremely important in this arena. There should never be just one individual who has administrative access to a system, as this could essentially leave the person free to do whatever they want with the data or device – or even hold it hostage after leaving the company. Shared usernames/ passwords should also be avoided as they do not hold the individual users accountable, and could still be used by people who have since left the organization.
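The three rules above (no system administered by a single individual, no shared administrative logins, no access surviving an employee's departure) are easy to state and easy to drift from. The following audit is an added example, not Lancope's code: it runs those checks over a constructed admin-access inventory, a constructed list of shared accounts and a constructed HR roster, and counts only personal, currently employed accounts as accountable administrators.

```python
"""Admin-access audit over a constructed inventory (added example, not Lancope's code).

Checks the chapter's three rules: every system needs more than one accountable
administrator, shared logins should not hold administrative access, and accounts
of people who have left must not retain it. All data below is constructed.
"""

# Constructed inventory: system -> accounts that hold administrative access.
ADMIN_ACCESS = {
    "payroll-db": ["alice", "carol"],
    "hr-portal": ["bob"],                   # only one person can administer it
    "backup-srv": ["alice", "svc-backup"],  # a shared, non-personal login
    "cc-gateway": ["dave", "alice"],        # dave has left the company
    "legacy-ftp": ["admin"],                # nobody individually accountable
}

# Constructed directory of shared (non-personal) logins.
SHARED_ACCOUNTS = {"svc-backup", "admin", "root"}

# Constructed HR roster of people currently employed.
ACTIVE_STAFF = {"alice", "bob", "carol"}


def audit_admin_access(admin_access, shared_accounts, active_staff):
    """Return sorted (system, account, issue) findings.

    issue is one of:
      shared-account       a shared login holds administrative access
      departed-user        a personal account not on the active roster holds access
      single-admin         only one accountable person can administer the system
      no-accountable-admin no active, personal account can administer the system
    """
    findings = []
    for system, accounts in admin_access.items():
        accountable = []
        for account in accounts:
            if account in shared_accounts:
                findings.append((system, account, "shared-account"))
            elif account not in active_staff:
                findings.append((system, account, "departed-user"))
            else:
                accountable.append(account)
        # Shared and departed accounts do not count as accountable administrators.
        if len(accountable) == 1:
            findings.append((system, accountable[0], "single-admin"))
        elif not accountable:
            findings.append((system, "-", "no-accountable-admin"))
    return sorted(findings)


if __name__ == "__main__":
    for system, account, issue in audit_admin_access(ADMIN_ACCESS, SHARED_ACCOUNTS, ACTIVE_STAFF):
        print(f"{issue:22} {system:12} {account}")
```

Note that `backup-srv` and `cc-gateway` are reported as single-admin as well as for their shared or departed account: once the shared login is retired and the departed user is removed, only one person is left, which is exactly the situation the chapter warns against.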

Logs from Endpoint Systems and Network Devices
Logs from endpoint systems and network devices can also be used to identify and investigate cases of insider malice. For example, a case of financial fraud might be detected by examining database logs from a credit card processing system, whereas a case of data theft might be noticed through monitoring of network traffic.

Compromised Insiders

Compromised insiders are a much more challenging type of insider threat to combat since the real attacker is on the outside, with a much lower risk of being identified. Typically, no amount of deterrence will discourage them from carrying out their attack. Furthermore, traditional security solutions that focus on catching malware and exploits cannot identify the unauthorized use of legitimate accounts. In fact, studies have shown that advanced attackers are on the network for a median of 243 days before being detected. The use of network logs is really the only way to uncover and shut down this type of threat.
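The two preceding sections make the same point from different directions: a compromised account still carries valid credentials, so the signal is not malware but an account behaving unlike its own history, and network logs are where that history lives. The following is an added example, not Lancope's or any product's code, of the simplest form of that detection: build a per-user baseline of source hosts, destinations and daily outbound volume from constructed flow records, then score later records against it. The record layout `(day, user, src_host, dst_host, bytes_out)` and every value in it are assumptions made for the example.

```python
"""Per-user behavioural baseline over constructed network flow records.

Added example, not Lancope's code. It flags an account that appears from a
host it has never used, talks to a destination it has never used, or moves
far more data in a day than its own history. All records are constructed and
the field layout is an assumption for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline records: (day, user, src_host, dst_host, bytes_out).
BASELINE = [
    ("2015-03-02", "alice", "ws-12", "fileserver.corp", 40_000),
    ("2015-03-03", "alice", "ws-12", "fileserver.corp", 52_000),
    ("2015-03-04", "alice", "ws-12", "mail.corp", 8_000),
    ("2015-03-04", "alice", "ws-12", "fileserver.corp", 47_000),
    ("2015-03-05", "alice", "ws-12", "fileserver.corp", 44_000),
    ("2015-03-02", "bob", "ws-31", "git.corp", 120_000),
    ("2015-03-03", "bob", "ws-31", "git.corp", 135_000),
    ("2015-03-04", "bob", "ws-31", "git.corp", 110_000),
    ("2015-03-05", "bob", "ws-31", "git.corp", 128_000),
]

# Constructed records to score against that baseline.
RECENT = [
    ("2015-03-09", "alice", "ws-12", "fileserver.corp", 49_000),  # normal day
    ("2015-03-10", "alice", "ws-77", "fileserver.corp", 45_000),  # valid login, unfamiliar host
    ("2015-03-10", "alice", "ws-77", "203.0.113.25", 900_000),    # new external peer, large upload
    ("2015-03-09", "bob", "ws-31", "git.corp", 131_000),          # normal day
]


def build_profiles(records):
    """Summarise each user's usual source hosts, destinations and daily volume."""
    hosts, dsts = defaultdict(set), defaultdict(set)
    daily = defaultdict(int)
    for day, user, src, dst, nbytes in records:
        hosts[user].add(src)
        dsts[user].add(dst)
        daily[(user, day)] += nbytes
    totals = defaultdict(list)
    for (user, day), total in daily.items():
        totals[user].append(total)
    return {
        user: {"hosts": hosts[user], "dsts": dsts[user],
               "mean": mean(totals[user]), "sd": pstdev(totals[user])}
        for user in hosts
    }


def score(records, profiles, sigma=3.0):
    """Return sorted (user, day, issue, detail) alerts for records that deviate."""
    alerts = set()
    daily = defaultdict(int)
    for day, user, src, dst, nbytes in records:
        prof = profiles.get(user)
        if prof is None:
            # An account with no history at all is worth a look on its own.
            alerts.add((user, day, "unknown-user", src))
            continue
        if src not in prof["hosts"]:
            alerts.add((user, day, "new-source-host", src))
        if dst not in prof["dsts"]:
            alerts.add((user, day, "new-destination", dst))
        daily[(user, day)] += nbytes
    for (user, day), total in daily.items():
        prof = profiles[user]
        # A short, flat baseline has sd == 0; floor the spread so one extra
        # byte does not fire the rule.
        spread = max(prof["sd"], 0.1 * prof["mean"])
        if total > prof["mean"] + sigma * spread:
            alerts.add((user, day, "volume-spike", str(total)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in score(RECENT, build_profiles(BASELINE)):
        print(*alert)
```

With the constructed data, Alice's 10 March activity raises all three alert types while her 9 March and Bob's records stay quiet; in practice the baseline window, the sigma multiplier and the spread floor are the knobs that trade false positives against the long dwell times the chapter cites.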




Tuesday, 15 November 2016

How to counter threats to information / cyber security caused by "insiders" ("our own" people)? Part 2

Combating the Insider Threat
© 2015 Lancope, Inc.


Chapter Two

Insider Threat Motives & Methods

What is muleware?
Unlike malware, muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign. “Up until this point, cybercriminals have attained their resources by exploiting and compromising devices,” said Lancope CTO, TK Keanini. “But wouldn’t it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain? I envision that this new form of muleware will be based on the anonymity of Tor networking, and commerce conducted via cryptocurrency such as Bitcoin. Marketplaces will connect the demand with the supply, and cybercrime will rise to an entirely new level, a level that we are not prepared to defend against.”

Negligent Insiders
Negligent insiders are insiders who accidentally expose data. They don’t mean to do anything wrong – they are just employees who have access to sensitive data and inadvertently lose control of it. A large number of security incidents and data breaches fit this description.
Also fitting into this category are insiders who take IT shortcuts or ignore security policies simply to make their jobs easier – for example, downloading unauthorized software, using unsecured wireless networks, or the developer who decides to set up a test site on the Internet with real data.

Malicious Insiders
Malicious insiders are employees who intentionally set out to harm the organization either by stealing data or damaging systems.

Research by the CERT Insider Threat Center at Carnegie Mellon University surrounding hundreds of real-world cases of attack by malicious insiders has shown that most incidents fit into one of three categories:
• IT Sabotage – Someone destroys data or systems on the network
• Fraud – Someone is stealing confidential data from the network for financial gain
• Theft of Intellectual Property – Someone is stealing intellectual property for competitive advantage or business gain

Motivations for Betrayal
The motivations that turn insiders against their organizations are diverse, and can include:
Job/Career Dissatisfaction
When someone is extremely dissatisfied with their current work or career situation, they may attempt to harm their employer by destroying or stealing data.
Monetary Gain
When exposed to valuable data that could make them money on the black market, some employees will be unable to resist the temptation to steal and sell it. Others will be coerced to do so by malicious outsiders.
Espionage
Both nations and corporations have been known to plant insiders within organizations for the sole purpose of stealing trade secrets and intellectual property for espionage.
Activism
Activists are associated with a particular ideological movement, and can use the theft and exposure of confidential data to bring attention to their cause. The cases of Bradley Manning and Edward Snowden likely fall into this realm.

Compromised Insiders
A compromised insider is an employee whose access credentials or computer have been compromised by an outside attacker. According to the Cisco 2014 Annual Security Report, “Threats designed to take advantage of users’ trust in systems, applications, and the people and businesses they know are now permanent fixtures in the cyber world.” And according to the Verizon 2014 Data Breach Investigations Report, two out of three breaches exploit weak or stolen passwords.
A compromised insider is really an outsider – it is someone who has access to your network as an authorized user, but they aren’t who they are supposed to be. Today’s attackers are frequently employing social engineering tactics to infiltrate corporate networks and execute attacks under the radar, posing as legitimate users.

Lessons Learned From Manning and Snowden

Security breaches surrounding Bradley Manning and WikiLeaks, as well as Edward Snowden and the NSA, have made it painfully obvious that even the most seemingly impenetrable networks can fall victim to insider threats. If nothing else, these two major incidents have finally brought the issue of the insider threat to the foreground for many businesses.
However, it is important to realize that for every Snowden or Manning out there looking to expose confidential secrets in the name of hacktivism, there are literally hundreds of others planning to steal data from their employer’s network simply for revenge or to make a buck.
It is not enough to think, “Well, our company isn’t doing anything wrong, so we don’t have to worry about insiders exposing our data,” or “We are just a small company so no one is after our information.” The truth is, any company’s data can be valuable when put in the right hands – whether it’s PII, credit card data, medical records or even just intellectual property – and you better believe that the attackers know this!



How to counter threats to information / cyber security caused by "insiders" ("our own" people)? Part 1


Combating the Insider Threat
© 2015 Lancope, Inc.


Chapter One

Who is attacking your network?

Many organizations today are drowning in fears and concerns surrounding sophisticated cyber-attacks such as Advanced Persistent Threats (APTs), DDoS, ransomware and zero-day exploits. While this constant onslaught of attacks can be difficult to keep up with, businesses and government organizations also need to be mindful of perhaps the most alarming type of attack out there – the insider threat.

According to a report by Forrester Research, insiders are the top source of data breaches, with 36 percent of breaches stemming from the inadvertent misuse of data by employees. Additionally, 25 percent of respondents in the Forrester report said that abuse by a malicious insider was the most common way in which a breach occurred over the course of one year.

What does insider threat mean?

While the insider threat can take on several different forms, the main component is that the attack is initiated from inside your network versus outside where most security technologies are focused. The insider attacker is already on your network, so traditional defenses such as firewalls, antivirus and IDS/IPS will not be able to detect his or her actions. According to a recent survey by SpectorSoft, 61 percent of IT professionals said they could not deter insider attacks, and 59 percent said they were unable to even detect one.

So who is attacking your network? There are three main types of insider threats:

• Negligent Insiders – Insiders who accidentally expose data – such as an employee who forgets their laptop on an airplane.
• Malicious Insiders – Insiders who intentionally steal data or destroy systems – such as a disgruntled employee who deletes some records on his last day of work.
• Compromised Insiders – Insiders whose access credentials and/or computer have been compromised by an outside attacker.

Each of these types of insider attackers has his/her own motives, methods and means of being thwarted. In order to develop an effective insider threat management program, it is critical to understand each type.

Various Business and IT Trends Have Increased the Likelihood of Insider Attacks for Today’s Enterprises

Bring Your Own Device (BYOD)
Now that it has become commonplace for employees to bring smartphones and laptops/tablets in and out of the office, using them for both work and pleasure, opportunities for said employees to steal sensitive data are greater. As a result of BYOD, the likelihood of employees having their devices, and therefore corporate data, stolen by malicious outsiders has also risen.

More Open Networks
In today’s fast-paced business environment, the use of outsourcing, contractors, third-party technology platforms and cloud computing has exploded as a means of fostering greater business agility. However, this dramatically opens up our corporate networks and sensitive data to countless other parties who may not be as trustworthy or careful with our information as we would expect.

Social Engineering
In an era of APTs, today’s attackers know that the best way to infiltrate an organization without getting caught is through its trusted insiders. Crafty and patient attackers are creating designer attacks for specific organizations and individuals, and they do not mind taking the time to trick or bribe employees into divulging the confidential details they need to carry out their attacks.
In fact, according to a report by Mandiant, 100 percent of the attacks it investigated used stolen credentials, while only 54 percent of the compromised machines it investigated contained malware. Through a new type of attack known as muleware, attackers are now even paying end users to help them with their attacks.

How to build cyber threat intelligence capabilities?


THE ROLE OF CYBER THREAT INTELLIGENCE IN SECURITY OPERATIONS



November 14, 2016 | by Jeff Berg
FireEye, Inc.


Cyber threat intelligence (CTI) and its place within security operations – as well as the broader business – is growing. A recent SANS study found that 93 percent of respondents are at least partially aware of the benefits of cyber threat intelligence. However, only 41 percent have begun to integrate CTI into their security programs and only 27 percent have full integration. While these numbers highlight a trend toward adoption of intelligence-led security programs as a widely accepted best practice, for many companies there is still a long way to go.
Good CTI enables organizations to anticipate, respond to and remediate threats. There is plenty of content out there on what makes for good intelligence; however, organizations cannot rely solely on the content received to drive value across operations. There needs to be a focus on positioning teams for success. Rich contextual intelligence is something that requires some preparation and a base level of capability in order to maximize the value received. Ultimately, it’s not a plug and play type of product.
Organizations should be able to answer three questions to begin establishing the foundation of a cyber threat intelligence capability:
1. What is the organizational mission?
A clear mission statement defines the role the cyber threat intelligence team plays, helps communicate the team’s purpose clearly, provides justification for supporting and resourcing the team appropriately, and sets expectations of what the team will deliver.
2. Who is the cyber threat intelligence going to serve?
The key stakeholders, their specific role within the business, their business concerns and their cyber threat concerns should be understood. This understanding drives which data and observations are collected, how analysis is prioritized, and what intelligence communications are delivered to each stakeholder. From a content perspective, understanding how the information will be presented to the stakeholder is just as important. A CISO will certainly be interested in different content than a SOC analyst, though the work of the latter has an impact on content delivered to the former.
3. What is the organization’s threat profile?
It is critical to have a baseline understanding of adversaries that may target the organization, their capabilities and their supporting operations. Understanding motives and intent helps to clarify risk and assists in a number of key conversations, such as anticipating threat activity and strategically planning to protect, identify and respond to relevant activity.
Answers to these questions will contribute to forming additional basic components of the program, including definition of intelligence requirements, threat-led communications and establishing intelligence sources. The ability to enhance security operations and deliver value across the organization is predicated upon this basis of understanding. Without these core components, an intelligence program will not function properly regardless of the expertise, process sophistication and advanced technology put in place.
A Lifecycle
After establishing a solid foundation, organizations must focus on program maintenance and upkeep – ensuring that the program put in place is continuously assessed, enhanced and, where necessary, refreshed. Intelligence programs are not “set it and forget it” operations. Consider two factors:
1. Your threat landscape changes…
The threat environment that your organization is exposed to is subject to shifting motivations, intents, capabilities and operations. All of this can impact your risk profile as an organization, which could impact tactical, operational and strategic concerns. Depending on how dramatic the shift, it could even impact the mission of your intelligence function.
2. Your organization changes…
Your organization is in a state of flux as well, with turnover in people and technology. Skillsets and technology can become obsolete. Knowledge of the threat and the ability of processes to efficiently stand up during crisis situations can grow stale.
As a result, we’ve identified a high-level cycle that organizations can follow to help maintain and advance cyber threat intelligence capability.
• Assess
Periodically updating your threat profile, as well as assessing your intelligence capabilities, will keep you informed of the changes impacting your program and on what level. For example, a shift in threat actor targeting methodology and tools may result in prioritizing responses to an older malware family if it’s being used in campaigns affecting your sector, or your organization specifically.
• Expose and Train
Exposing organizational resources to relevant attacker tactics, techniques and procedures will help them stay knowledgeable of threats that relate to their specific roles. More advanced exercises can test processes and cross team coordination – especially the ability of threat intelligence personnel to effectively serve an investigations or response team – which in turn helps to identify gaps.
• Integrate
The results of the two aforementioned activities should be considered in evaluating the current strategic roadmap for the overall intelligence program, making modifications where necessary. This roadmap guides tactical efforts to build and update components within the program, including process, technology and related resources.

This cycle can be applied in an order and at a frequency that makes sense for your organization and its current state.