Targeting the ‘unknown, unknown’ threat


Bob Stasio, Cyber Intelligence and Analysis Expert Senior Product Manager, IBMWe have gotten efficient at targeting known threats. Once detected, we can mitigate, respond and quarantine within minutes. Else, we scour our networks looking for unknown threats with known patterns.

But what happens if it was a threat you did not think existed and had a threat signature that you were not looking for? The so-called “unknown, unknown” threat, as IDC named it in its Intelligent-Led Security whitepaper, is an immense worry. It is also going to get worse as we face new security threat developments and the penalties of a breach soar.

Getting honest with our vulnerability

“One of the biggest issues we face today is accepting that there are a lot of commodity tool kits out there on the Dark Web. [Hackers] have commoditized the techniques for advanced hacking,” said Robert G. Stasio (photo above left), Cyber Intelligence and Analysis Expert and Senior Product Manager for IBM.

For example, the popular “BlackHole” exploit kit first emerged in 2010, and continues to evolve over the years with more advanced techniques like zero-day exploits and social engineering modules to lure victims. Hacking is now available as a service.

Recent breaches show that our security fight is asymmetric. All it takes is a single hack to penetrate a network. Still millions of dollars continue to be spent to shore up cyber defenses. Often, the weakest link is the humans, who become unwilling victims to phishing and ransomware.

Hackers are also shifting focus. In the past, many focused on the first two pillars of information security – system integrity and data availability. Now they are concentrating on the third pillar – confidentiality – through Trojan horses and backdoors that offer remote access to secret information while obscuring their existence. 

It is made worse by the pervasive use of pirated software in Asia, Stasio said. "The [installed software] do not have the ability to be updated by patches. It means that they do not have the basic hygiene to defend against threats,” he added.

Deciphering threat assessments

Threat assessment is becoming a valuable tool. “Essentially, it offers a basic understanding of risks and vulnerabilities in your network and security posture, and compares with what your most likely adversary will do,” Stasio said.

But not all threat assessments are made equal. “You can interview people to find out the threat assessment, which is faster but is less qualitative. Or you can do a qualitative threat assessment where you combine interviews with the technical assessment, but can be slow,” he added.

IBM i2 Enterprise Insight Analysis takes a different approach. It combines human-led analysis with machine learning to cover six areas that the firm believes all optimum analytics tools should have.

First, i2 Enterprise Insight Analysis offers a human-centric approach to data. It means that analysts can query using everyday terms, not difficult data structure ones. For example, a financial services firm can search for a hacker with a list of aliases or is following the latest fraud behavior.

Next, the tool allows analysts examine data visually, speeding up the investigation and focus on the main areas of interest. Analysts can also conduct multiple threat investigations at the same time, while the tool monitors, collates and tracks each data exploration work.

i2 Enterprise Insight Analysis is designed to sift through large amounts of data, making it responsive to queries of any size, while automatically resolving duplicates and highlighting non-obvious connections in the data stream when connecting with new data sets.

Lastly, the tool offers a platform for analysts to share intelligence, create new intelligence products and share them securely.

Rising importance of threat assessments

Stasio noted that the i2 Enterprise Insight Analysis approach aims to help firms facing increasing regulatory pressure to protect data better.

“I will say the big looming thing on the horizon is GDPR. While it is coming from the EU, people from Asia should know that if they do business with EU companies, their data will be subject to the same regulations. It is something everyone should be worried about. And if you are breached, the penalties are quite severe,” Stasio said.

Meanwhile, China, Singapore and more recently the Hong Kong Monetary Authority, are following similar strategies rolling out their own cybersecurity measures.

Not knowing where your "unknown, unknown" threats are lurking within your networks will be a huge liability that firms cannot afford to overlook.

This article was created in collaboration with the sponsoring company and our sales and marketing team. The editorial team does not contribute.