Collective Defense to Battle a Collective Offense: Tactics and Takeaways From a New IronNet Survey

In a previous post, we shared some results from a new IronNet survey of more than 200 US security IT decision makers from industries including technology, telecoms, retail, financial services, government, media, utilities and many other sectors (download the white paper and the complete survey here).

As we argued in that post, cybersecurity executives are struggling against a growing threat of collective offense — criminals sharing expertise, tools and troves from previous breaches. That makes the mandate for better collective defense among the key priorities to win at cybersecurity. Let’s take a closer at that and a few other priorities our survey uncovered:

A Learning Curve on Collective Defense

Our survey found that, despite most IT decision makers’ reported confidence that their cybersecurity capabilities are advanced and in better shape than others in their industry (55%), they nonetheless experienced an average of 4 attacks on their organization over a 12 month period, with 20% of respondents being hit 6 or more times. Part of the problem is that many of the “collective defense” measures organizations deploy are inadequate.

The notion of collective defense is certainly nothing new. Indeed, the vast majority (94%) of respondents’ organizations currently subscribe to or invest in some form of collective defense — including threat sharing of IPs, file hashes, domains and other signature-based indicators. However, the continued high incidence of successful attacks lays bare the fact that most collective defense strategies in use today simply aren’t achieving the cybersecurity objectives they were designed for.

Traditional collective defense measures typically focus on the sharing of indicators for extant threats and cannot detect variations of similar attacks or unknown attacks where no indicators exist. This means insights from after-the-fact forensics or patches are of limited use. They’re essentially snapshots and Band Aids covering yesterday’s attacks, and which don’t fully protect you from tomorrow’s threats.

Thankfully, organizations are increasingly grasping the need for better threat information sharing. Half of decision makers surveyed noted that their threat sharing tool could be improved upon, and 46% identified a need for enhanced sharing of cyber attacker tools, tactics and procedures (TTPs) and faster sharing of raw intelligence at network speed.

Tips for Stronger Collective Defense, and a More Proactive Approach Overall

More generally, our survey clarified some actionable insights or takeaways that cybersecurity practitioners can use to be more proactive and effective overall in their approach to cybersecurity:

  • C-Suite and Board-level visibility and buy-in are key — There’s a silver lining to one survey finding that 8 in ten respondents had a cybersecurity incident so severe, it required a C-level/Board meeting afterward: Some organizations were able to leverage that attention proactively, driving their organizations to redesign systems to better protect data, IP and finances (44%), conduct internal cybersecurity training for employees (40%) and review policies or create new ones (40%).  The lesson is that C-suite attention can be leveraged proactively to make cybersecurity investments more strategic and effective.
  • Cyber defenses must continue to improve — C-level respondents were more likely to rate the aspects of their organization’s cybersecurity as more advanced and mature than their non C-level peers. That suggests companies are doing a good job investing in cyber defenses but they must continue to improve by adopting new cyber defense strategies to mitigate risk from both within and outside the organization.
  • Practice defense in breadth, not just defense in depth — Given the frequency of attacks that successfully penetrate systems, it’s not surprising to see that organizations reported deploying an average of at least 4 types of security solutions. That’s a sign that variety is needed at every layer of your system; otherwise, your defense in depth will be no more imposing to threat actors than a series of doors with the exact same lock.
  • The forcing function to embrace Collective Defense should be proactive, not just reactive In all of the major cyber attacks such as NotPetya, once the problem has reached the mainstream awareness, the cyber security community quickly works together to share information and mitigation techniques. Proactively sharing threat insights — at machine speed and as anomalies are discovered — with industry peers will help accelerate and scale up collective defenses for all members, limiting future outbreaks before they get out of hand.

As we mentioned, there’s a trove of other insights and context from the IronNet survey. But even this cursory look at some of the findings shows that organizations need to get more strategic and collaborative to create better collective defense — proactively and in real time — against an adversary community that, itself, is collaborating more fully and dangerously around a collective offense.

Get all of the latest info and insights on today’s advanced threats.