There's a secret about cybersecurity which few people discuss; it can be depressing, and getting overwhelmed by constant threats and challenges is easy (especially with the media today constantly highlighting high-profile breaches and vulnerabilities).
But despite all this chaos, countless small victories go unnoticed, silently keeping the world safe for all users globally. In this blog, I want to shed light on these triumphs and explore why maintaining hope in cybersecurity is crucial for our collective well-being.
Threat intelligence
As a security professional, the first thing I do when I get to work is the same as everyone else–I check social media (I wish I were joking). But one of the biggest advantages of the Internet today is the crowdsourcing of threat intelligence, with X (the platform formerly known as Twitter) being my go-to for emerging threat intelligence for over a decade–and I'm not the only one. New threats emerge daily, and collaboration and threat intelligence sharing can’t be overstated. These cooperative successes help protect individual entities and fortify the digital defenses of the entire cybersecurity community.
Some have even formalized threat intelligence solutions like CrowdSec, an open-source security project that leverages crowd wisdom to detect and prevent malicious activity. By pooling data from various sources and analyzing patterns, CrowdSec identifies and blocks threats based on block-listing known malicious IP addresses, creating a collaborative defense network. But its true strength lies in its ability to share threat intelligence in real-time, allowing organizations to benefit from the collective knowledge and experiences of the community.
Finland's Transport and Communication's Agency's National Cyber Security Center also plays a part in initial threat intelligence, providing daily updates of emerging high and critical severity threats (which you can sign up to receive here).
Another valuable resource in threat intelligence sharing is standardized rules and frameworks like Sigma rules, which provide a common language for expressing cybersecurity detections. By adopting Sigma rules, organizations can easily share and exchange detection rules across different security tools and platforms.
YARA rules are also another source of threat intelligence sharing, being an open-source tool that allows cybersecurity practitioners to create custom rules for identifying and classifying malware and suspicious files. These standardized formats simplify identifying and mitigating threats, fostering collaboration and knowledge sharing among cybersecurity professionals.
The small victories in threat intelligence sharing includes:
- Timely information exchanges about new malware variants that enable organizations to update their defenses.
- Organizational collaboration that tracks and dismantles sophisticated cybercriminal operations.
- Open forums, online communities, and threat-sharing platforms that provide channels for cybersecurity professionals.
Vulnerability patching
Finding a vulnerability is only the start of a journey. When the hole has been found, we have to do something about it, and this process can be broken into 3 steps:
- The temporary fix, which is the equivalent of applying duct tape to a hole in your boat.
- A permanent fix, which is handled by the software vendors supplying updates.
- Applying the permanent fix after downloading a patch for the software.
One of the key aspects of maintaining a secure digital environment is vulnerability scanning, which involves systematically identifying vulnerabilities and weaknesses in software, networks, and systems before malicious actors can exploit them. Vulnerability scanning is all about using specialized tools and techniques to assess and evaluate the security vulnerabilities present in digital assets. These tools scan networks, applications, and systems for known vulnerabilities, misconfigurations, and weak points that cybercriminals could exploit.
In the end, each vulnerability discovered and patched represents a potential entry point closed off, reducing the attack surface for adversaries. Whether patching a software vulnerability, fixing a misconfigured firewall, or strengthening access controls, these actions reinforce the security posture of organizations and contribute to the overall resilience of the digital ecosystem.
Incident response
In cybersecurity, incidents are inevitable. Organizations face a constant battle against cyber threats, from data breaches to malware infections. But it’s important to understand that the way incidents are handled can also make a significant difference in mitigating the impact and preventing further damage. Incident response plays a crucial role in keeping the world ticking over and protecting the security and privacy of end users.
Let’s look at two different scenarios.
The bad - no incident response plan is in place
An incident happens on an IT system containing people's data. The team scrambles to react and asks, "Who's job is it to coordinate this?" At this point, they've already failed. It sounds harsh, but rapidity in the immediate response is paramount to a successful reply–even if it's just blocking an IP address.
Questioning who’s at fault is an understandable response, but it gives you nothing of value in the early part of the process. Blame is irrelevant in the response phase, as it becomes relevant in the root cause analysis at the end of the process.
A team without a plan has to figure out everything themselves–which only leads to significant delays.
The good - an incident response plan is in place
An incident happens, and the person to notice it first immediately knows who to contact. The IR team is pulled together through established protocols, and each settles into a role they’ve been assigned to and understand. Reaction time is swift, and damage is minimal.
Given the media's bleak outlook on cybersecurity, this situation sounds too good to be true. But many incidents happen this way, and the response is usually immediate and effective. It’s just that these successes aren’t seen because we tend to focus on the stuff that went wrong.
The process
Organizations must proactively develop an incident response plan tailored to their environment and risks and outline the necessary steps to be taken in the event of an incident (including roles and responsibilities, communication channels, and escalation procedures). By preparing in advance, organizations can respond swiftly when faced with a security incident–increasing the likelihood of success.
- Detection: implementing robust monitoring and detection mechanisms to generate awareness and readiness regarding potential threats.
- Advanced threat detection solutions: helping organizations identify suspicious activities and alert them when they occur.
- Analysis and containment: investigating and analyzing the nature and extent of a breach.
- Eradication: involves removing the threat and restoring affected systems to a secure state.
- Recovery: focusing on restoring normal operations and ensuring business continuity.
By embracing incident response as a crucial component of cybersecurity, organizations can achieve progress in the face of adversity, swiftly detecting and containing incidents, effectively eradicating threats, and successfully recovering from the impact. Each incident handled effectively contributes to a safer digital landscape and helps protect individuals, organizations, and critical infrastructure.
Public awareness and education
One of the biggest challenges in cybersecurity is the need for public awareness and understanding of the risks and best practices. As cybersecurity specialists, we need to recognize the importance of spreading awareness and educating the community to create a safer digital environment.
While it would be nice to just do away with security knowledge, you’ll only be marking yourself as a target for phishing and other attacks if you do. That’s why public awareness and education are crucial in enhancing cybersecurity practices. When individuals are informed about the potential threats they face and the steps they can take to mitigate those risks, they become active participants in their security.
The best way to demystify the complex world of cybersecurity and break down technical concepts is to talk about them through understandable terms and relatable stories. By sharing our experiences and insights, we could inspire individuals to pursue careers in the field. As the demand for skilled cybersecurity professionals grows, attracting new talent and developing a diverse workforce is essential.
Closing thoughts
Maintaining hope in cybersecurity isn’t just about recognizing the challenges we face. It can also be about acknowledging the small victories and appreciating the efforts of everyone involved. From the professionals who work tirelessly to protect our digital landscape to the end users who read the security guidelines and do what they can to follow them.
It's easy to get bogged down in cybersecurity. As Mikko Hyppönen (CRO of WithSecure and global security expert) wrote in If It’s Smart, It’s Vulnerable: “Cyber Security is like Tetris. Your successes disappear, but your failures do not.”
Which would be a particularly depressing place to leave what I hoped would be an optimistic blog post. So instead, I'll say that in 1996, the Amiga Power magazine ranked Tetris as the 38th best game of all time. On 12 March 2007, the New York Times reported that Tetris was named among the ten most important video games of all time in their so-called "Game Canon".
That's the thing about Tetris. We all start at the same point. We know we don't win. There is no winning. You hold on for as long as possible, then lose. You solve many problems and rack your score up as high as possible. And if you do well, you put your initials in the high score table and say, "I did this."
Then you pick yourself up, dust yourself off, and start again. Because the game may be defined by the problems you could not solve. There will always be battles to fight, and often uphill.
But that's no reason not to play. Some games are just worth playing.
Published: Aug 22, 2023
