Coping in a 'Code Yellow' World with Threat Intelligence


The Cooper Colour Code is a system devised by Jeff Cooper, a former US Marine, to classify a person's level of awareness of danger. Today, Cooper's Code is taught to military, police and private security forces worldwide, with white, yellow, orange and red used to describe four different combat mindsets.

Code Yellow has been defined as a “relaxed alertness” and essentially means being aware of both the people around you and your surroundings. While there’s no specific threat identified, your mindset should be “the world is a potentially unfriendly place, I have to be on the lookout for potential threats”. Today, you could argue every organization lives in a Code Yellow world when it comes to cybersecurity. 

It’s an exhausting place to be. We know the threats are out there, we know we’re perpetually at risk, and we know it’s not a question of if we’re compromised, but how we respond when it happens. This dangerous environment makes gathering threat intelligence more important than ever. When we don’t know who’s sneaking up on us, it becomes crucial to peek over the top of our trench to spot what’s coming our way.

There’s an unwritten rule in cybersecurity: attackers exploit most effectively whatever they understand better than defenders do. As defenders' understanding of a threat improves, it becomes harder for attackers to use it, until eventually the danger is no more than a background, residual risk.

Unfortunately for organizations relying on a plethora of security devices to keep them secure, such outdated approaches no longer cut it in a Code Yellow world. There are most certainly people out there who know things we don’t, and they’re using techniques we have no defense against.

A peek over the top

Today’s cyber-attackers are out-competing defenders. Unfortunately for any organization clinging to a defensive mindset, offensive security capabilities are skyrocketing ahead, becoming ever more industrialized and professional.

Consider Zerodium, a premium exploit acquisition platform for high-end zero-days and advanced vulnerability research. The company recently paid out $1,000,000 to hackers who were able to create a browser-based jailbreak for iOS 9. It is unlikely Zerodium reported this vulnerability to Apple, but very likely the company sold the hack to its customers, which include major technology, finance, and defense firms, as well as government agencies.

This isn’t a one-off example. Increasingly, we’re seeing the industrialization of the cyber kill chain, with organizations paying large sums for reliable ways to compromise devices. Skilled hackers are needed to create these ‘exploits à la carte’, but once created they become relatively easy to use. 

This means we’re not just facing the creation of new threats on an industrial scale, but the professionalization of hacking. Armies of people (literally in some cases) can be drafted in and taught to compromise devices by rote, leading to an enormous and rapid escalation in the number of attacks happening each day.

Now consider something else: Who watches the watchers? What happens to these armies of professionally trained hackers? Where do those zero-day exploits end up after they’re released into the wild? If you’re a digital business with something to lose, questions like these should worry you. 

Right now, there’s every incentive for groups to build zero-day exploits and keep them under wraps, and no incentive to share them. If you think you’re entitled to stay secure in today’s world, you’re wrong.

Get Smart

If your business wants to stay secure, it’s time to rethink your approach. In a Code Yellow world, you need to be actively seeking out the latest threats, uncovering hidden activity and intercepting unusual behavior.

So, how does your ability to detect and intercept threats measure up in terms of maturity? At the lowest level of threat detection are signatures, typically loaded onto firewalls and intrusion prevention systems. These are still somewhat useful today, but their effectiveness is limited: they can only recognize what has already been seen and classified as good or bad. Malicious actors are constantly finding new ways to initiate attacks, and those will go completely undetected by signature-based devices.

Next you have rule-based detection that blocks certain known bad behaviors, such as access to specific types of content. Again, this is a fairly static approach that tries to sort the good from the bad, meaning you have to know what bad looks like in advance.

The next level up is to apply correlation to these rules to detect bad behavior. For instance, you might correlate your CIO accessing the corporate network remotely with him passing through the door entry system at your offices three minutes later. Now you have a time correlation between two data points that indicates abnormal behavior and you’re on the scent of something bad happening.
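The CIO scenario above, written out as a small correlation rule. This is an added example, not code from the original article: it joins a remote-access log with a door-entry log on the user field and flags any successful remote login that is followed by a physical badge-in from the same user within a short window. Both log sources, their field names and every event in them are constructed for the example.

```python
"""Time-correlating two event sources to flag an implausible pair of actions.

Added example (not from the original article): a remote network login followed
minutes later by a physical badge swipe at the office is turned into a
correlation rule. Both log sources and their field names are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample data: remote-access (VPN) logins, one event per line.
VPN_LOG = """\
2015-11-10T08:55:12Z user=cio src=203.0.113.45 action=vpn_login result=success
2015-11-10T09:10:40Z user=jsmith src=198.51.100.7 action=vpn_login result=success
2015-11-10T09:30:02Z user=cio src=203.0.113.45 action=vpn_login result=failure
"""

# Constructed sample data: door-entry (badge) events at the head office.
BADGE_LOG = """\
2015-11-10T08:58:05Z user=cio door=HQ-lobby action=badge_in
2015-11-10T09:05:00Z user=agarcia door=HQ-lobby action=badge_in
2015-11-10T09:31:10Z user=jsmith door=HQ-lobby action=badge_in
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def correlate_remote_and_physical(vpn_text, badge_text, window=timedelta(minutes=10)):
    """Return (user, vpn_ts, badge_ts, gap) tuples where the same user logged in
    remotely and then badged into the office within `window`.

    A successful remote login followed almost immediately by a physical entry is
    the 'two data points that indicate abnormal behavior': either the person was
    not where the VPN session claims, or someone else is holding their
    credentials. The window is directional (remote login first, badge after) to
    match the scenario; a real rule would usually check both orders.
    """
    badge_by_user = {}
    for ev in parse_events(badge_text):
        if ev.get("action") == "badge_in":
            badge_by_user.setdefault(ev["user"], []).append(ev["ts"])

    hits = []
    for ev in parse_events(vpn_text):
        if ev.get("action") != "vpn_login" or ev.get("result") != "success":
            continue  # failed logins do not prove presence; ignore them here
        for badge_ts in badge_by_user.get(ev["user"], []):
            gap = badge_ts - ev["ts"]
            if timedelta(0) <= gap <= window:
                hits.append((ev["user"], ev["ts"], badge_ts, gap))
    return hits


if __name__ == "__main__":
    for user, vpn_ts, badge_ts, gap in correlate_remote_and_physical(VPN_LOG, BADGE_LOG):
        print(f"ALERT {user}: VPN login {vpn_ts:%H:%M:%S}, badge-in {badge_ts:%H:%M:%S} "
              f"({int(gap.total_seconds() // 60)} min later)")
```

On the constructed data only the CIO is flagged: the remote login at 08:55:12 and the badge-in at 08:58:05 are 2 minutes 53 seconds apart. The second user also did both things, but 20 minutes apart, which is outside the window, and the CIO's later failed login is ignored because a failure says nothing about where the person is.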

Going up another level, a SIEM platform provides real-time correlation between data points from many sources, but it struggles with long runs of historical data and with the probability-based models that analysts or machines need in order to build a true picture of what ‘normal’ looks like for a specific organization.

To do this, you need a big data analytics capability and tools that enable you to visualize and spot patterns and probabilities rather than signatures, rules, or correlations. Only this capability and the intelligence it creates can truly unlock the dark secrets hiding inside enterprise networks today.
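The difference between a rule and a probability, shown on a small scale. This is an added example, not code from the original article or from any product: rather than writing a rule that names which login hours are "bad", it learns from historical data how often each user logs in at each hour of the day and flags new logins whose hour has a low estimated probability for that particular user. The history, the users and the threshold are all constructed for the example; a real deployment would learn from months of authentication logs and many more features than the hour.

```python
"""Scoring events against a learned baseline instead of a hand-written rule.

Added example (not from the original article): learn, per user, how often each
login hour has occurred historically, then flag new logins whose hour is
improbable for that user. All events below are constructed.
"""
from collections import Counter, defaultdict

# Constructed history: (user, hour-of-day) of past successful logins.
# In practice this comes from months of authentication logs.
HISTORY = (
    [("cio", h) for h in [8, 8, 9, 9, 9, 10, 13, 14, 17, 18] * 6]    # office hours
    + [("ops", h) for h in [0, 1, 2, 3, 22, 23, 23, 9, 10, 11] * 6]  # shift worker
)

# Constructed new events to score against the baseline.
NEW_LOGINS = [("cio", 9), ("cio", 3), ("ops", 2), ("ops", 15), ("newhire", 3)]


def build_baseline(history):
    """Count logins per (user, hour). Returns {user: Counter(hour -> count)}."""
    baseline = defaultdict(Counter)
    for user, hour in history:
        baseline[user][hour] += 1
    return baseline


def hour_probability(baseline, user, hour, alpha=1.0):
    """Laplace-smoothed estimate of P(hour | user) over the 24 hours of a day.

    Smoothing keeps never-seen hours at a small but non-zero probability, so a
    single unusual event reads as suspicious rather than 'impossible', and a
    user with little history is scored less confidently than an established one.
    """
    counts = baseline.get(user, Counter())
    total = sum(counts.values())
    return (counts[hour] + alpha) / (total + 24 * alpha)


def score_logins(baseline, logins, threshold=0.02):
    """Return [(user, hour, probability)] for logins below `threshold`.

    A user with no history gets the flat 1/24 distribution (about 0.042) and is
    therefore not flagged by this model on its own; 'first login ever from this
    account' is a separate signal that would be scored by a different feature.
    """
    flagged = []
    for user, hour in logins:
        p = hour_probability(baseline, user, hour)
        if p < threshold:
            flagged.append((user, hour, round(p, 4)))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for user, hour, p in score_logins(baseline, NEW_LOGINS):
        print(f"SUSPICIOUS {user}: login at {hour:02d}:00, P={p}")
```

Note what the model does that no static rule can: a 02:00 login is routine for the shift worker and passes, while the same hour for the CIO is flagged, and a 15:00 login, unremarkable for most of the company, is flagged for the shift worker because it is improbable for that person. The "normal" being checked against is the organization's own, learned from its own data, which is the point the paragraph above is making.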

The Importance of Intelligence 

2014 was dubbed ‘the year of the breach’, yet the number and size of breaches continue to grow, along with the names involved. To fight back in a game stacked against the defenders, there is a strong argument for organizations adopting big data analytics and employing data scientists in a bid to understand what ‘normal’ looks like and decipher the patterns that signify the threats that matter to them.

This intelligence-led approach is critical to staying secure in this Code Yellow world, so don’t be afraid to raise your head above the parapet and take a peek at the road ahead.
