ICS Cyber Convergence

Angela Heise is President of the Civil Group at Leidos. In this capacity, she is responsible for providing solutions to US Cabinet-level civil agencies and major elements of the public sector across the globe. Focus areas include energy and the environment, utilities, manufacturing and industrial, federal infrastructure, air traffic management, exploration and mission support, cybersecurity and information technology. Prior to this role, Heise served as vice president of Commercial Markets for Lockheed Martin-Commercial Cyber, where she was responsible for delivery of a portfolio of cybersecurity and information technology solutions and services to commercial Global 1000 customers. Heise graduated from Southern Illinois University with a Bachelor of Science in computer science. She was recognized in 2012 as Aviation Week’s Top 40 under 40 and in 2013 was one of Federal Computing Week’s Top 100 Executives.

Arguably one of the most important aspects of cybersecurity is Threat Intelligence. Yet despite its importance, this discipline is often underestimated as a component of a solid security posture.

The consulting company Forrester defines threat intelligence as the details of the motivations, intent and capabilities of internal and external threat actors. Forrester extends its definition of Threat Intelligence to include specifics on the tactics, techniques and procedures that hackers and Advanced Persistent Threats employ within their attacks (Threat Intelligence Buyer’s Guide, SANS CTI Summit, 10 February 2014).

At Lockheed Martin, we value Threat Intelligence for its primary purpose, which is to help the business better understand the risks and implications associated with threats in order to make better decisions regarding the safety of its customers, employees and intellectual property.

We also believe that by understanding the attributes of an APT, an organization can better build a proactive Security Operations Center (SOC). By proactivity we mean moving a SOC from a “set-it and forget-it” mode governed by reacting to threats to a predictive and agile infrastructure. This migration goes beyond blocking domains to using databases and intelligence gathered over years to understand attackers’ patterns of behavior. How do your attackers grow and change over time? What common tools do they use? What techniques do your attackers always employ after entering a network? An example of understanding the minutiae of APT behavior is knowing whether they send emails with a zip file at the bottom, or always start emails with “Dear Sir or Madam.” Do they always misspell a certain word, or are they always asking for the same specific piece of information? Such intelligence makes future threats more identifiable and more quickly categorized.
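As an added illustration of the behavioral-pattern idea above (example code, not from the original post or from any Lockheed Martin product), the following scores inbound messages against indicators gathered about one actor: its greeting, recurring misspellings, attachment habit and the information it keeps asking for. The actor profile, indicator weights and sample messages are constructed for this example and are not real intelligence.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ActorProfile:
    """Behavioural indicators gathered about one actor (constructed example)."""
    name: str
    greeting: str            # how their emails always open
    misspellings: tuple      # words they consistently get wrong
    attachment_ext: str      # attachment type they favour
    requested_info: tuple    # information they keep asking for

# Constructed profile, not real intelligence.
PROFILE = ActorProfile(
    name="ACTOR-EXAMPLE",
    greeting="Dear Sir or Madam",
    misspellings=("recieve", "seperately"),
    attachment_ext=".zip",
    requested_info=("badge number", "vpn credentials"),
)

# Constructed sample mailbox: one message matching the pattern, two that do not.
MESSAGES = [
    {"id": "m1", "body": "Dear Sir or Madam, please recieve the attached invoice "
                         "and reply with your badge number.", "attachments": ["invoice.zip"]},
    {"id": "m2", "body": "Hi team, the Q3 report is attached.", "attachments": ["q3.pdf"]},
    {"id": "m3", "body": "Dear Sir or Madam, thank you for your order.", "attachments": []},
]

def score_message(msg: dict, profile: ActorProfile) -> tuple[int, list[str]]:
    """Weight each indicator; the combination, not any single trait, identifies
    the pattern, so a generic greeting on its own scores low."""
    body = msg["body"].lower()
    hits: list[str] = []
    score = 0
    if body.lstrip().startswith(profile.greeting.lower()):
        score += 1; hits.append("greeting")
    for word in profile.misspellings:
        if re.search(rf"\b{re.escape(word)}\b", body):
            score += 2; hits.append(f"misspelling:{word}")
    if any(a.lower().endswith(profile.attachment_ext) for a in msg.get("attachments", [])):
        score += 2; hits.append("attachment")
    for item in profile.requested_info:
        if item in body:
            score += 2; hits.append(f"requests:{item}")
    return score, hits

def triage(messages: list[dict], profile: ActorProfile, threshold: int = 5) -> list[tuple[str, int]]:
    """Return (message id, score) for messages that match the actor's pattern."""
    return [(m["id"], s) for m in messages for s, _ in [score_message(m, profile)] if s >= threshold]
```

The point of the weighting is that a generic greeting alone does not raise an alert; the accumulated habits of one actor do.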

According to Forrester’s and Lockheed Martin’s understanding of Threat Intelligence, another important aspect of this intelligence-driven discipline is the sharing of intelligence and collaboration around it. Standardization within cybersecurity is a major challenge. The cybersecurity industry has reached a level where the sharing of information is readily available; however, the struggle is now to determine and agree upon a set of standards for how we classify, validate and communicate intelligence.

In an ideal setting, the aggregation of valuable intelligence is filtered into a common set of standards and common nomenclatures, and fed to a group of trusted partners and sources.

With Threat Intelligence and Threat Intelligence sharing as core competencies, your organization can employ a centralized platform with Palisade®, which integrates into your present security infrastructures to deliver enterprise-wide visibility, awareness and alerting capability.

By focusing on Threat Intelligence and the collaboration behind such activities, your organization can go a long way toward building a solid security posture where intelligence and actionable data are at the core of a proactive defense.


Recently, cybersecurity firm Darktrace announced an $18 million investment to hire new information security specialists in an effort to expand globally. According to Upstart Business Journal this investment represents a cash infusion in a woman-led cybersecurity company with a history of hiring female IT specialists. The result of this major infusion, according to the online journal, could “pave the way for a more equally representative industry.”

I have been a vocal advocate of increasing the presence of women and minorities within the cybersecurity industry throughout my career. Resources are scarce within this industry, and the opportunity to tap into a market as robust, hard-working and well-educated as women and minorities highlights the potential to solve this huge resource challenge.

More importantly, cybersecurity is in large part about intelligence gathering and ingenuity. These two features blossom from a diverse infrastructure made up of varied backgrounds, educations, and cultures. It is my humble opinion that together as a heterogeneous workforce we are better equipped to solve the future challenges that APTs and hackers present.

In an industry like cybersecurity, where only 11 percent of the information security workforce is female, there is plenty of room to grow. According to the Virginia-based non-profit Women's Society of Cyberjutsu, 25 percent of the tech sector workforce is women. The fact that only 11 percent of the cybersecurity workforce is women presents a golden opportunity to grow this industry aggressively to meet the demand for future resources.

Make a Difference in Cybersecurity

One question that I commonly get asked in cybersecurity is, “how can we make a difference in cybersecurity and against cyber threats?” Supporting the education and hiring of women and minorities in cybersecurity is often my answer.

By flooding this sector with these groups of talented individuals, we can take larger strides as a society to bring better awareness of cyber-related issues such as insider threats, phishing campaigns, viruses, malware campaigns and denial of service attacks. All these issues require as much communication, awareness and training as we can provide. The dialog for supporting and advertising the education and hiring of women and minorities brings these cyber threats to the forefront in America, not only at the water coolers and coffee machines at work, but at the dinner tables at home, which is where this awareness of cybersecurity really needs to happen.

A common follow-up question to my answer is “how can we make a difference in the education and hiring of women and minorities in cybersecurity?” The simplest answer is to get involved.

Attend events like the National Women in Cybersecurity Conference (WiCyS) that took place in Atlanta, GA earlier this year. You can also become a member of their online community Women in Cybersecurity – WiCyS.

Another way to get involved is by working with your local high schools and universities to get cybersecurity further ingrained with women and minorities in a STEM (Science, Technology, Engineering and Math) conversation. By vocally participating within these and other initiatives, you can make a big difference in thwarting the effects of cyber attacks while creating more opportunities for women and minorities within the cybersecurity field.


Ever get the feeling that your business-as-usual (BAU) mentality might get you into trouble? If you do and you’re in cybersecurity, you’re not alone. This feeling is not without good cause; organizations are not prepared to deal with severe and frequent cyber-attacks.

Lockheed Martin recently sponsored a Ponemon Institute survey of 678 US IT and IT security practitioners who are familiar with their organizations’ defense against cybersecurity attacks, and have responsibility in directing cybersecurity activities. When asked about the challenges to achieving a strong cyber defense, 75 percent of respondents say they see an increase in the severity of cyber attacks experienced by their organizations and 68 percent of respondents say they are more frequent. However, a smaller percentage of respondents (53 percent) say launching a strong offensive against hackers and other cyber criminals is very important to their organizations’ security strategy.

These survey results beg the question that has emerged as the conversation within our organizations has evolved: are the investments we’re making in corporate America truly protecting us against today’s sophisticated adversaries? Another way to look at it is to ask “how can we be sure that the measures in place will protect us, rather than only provide a false sense of cybersecurity?”

In order to answer these questions, organizations need to avoid three common BAU-associated pitfalls.

#1: Alerts equal security

“Things that go bing” is another way of phrasing this common pitfall. Security Operations Centers often seem packed with technologies that are meant to alert us when bad things are happening. Traditionally, organizations have bought (literally bought) into the idea that there is a mix of technologies that can be plugged into the network to find all the potential issues. So they invest heavily in tools “that go bing” to defend their network. This is what we call a vendor-driven response model.

To avoid this pitfall, understand that there’s no such thing as a silver bullet for cybersecurity, you can’t buy your way out of insecurity, and the traditional set-it-and-forget-it approach doesn’t work.

#2: Nightlight equals security

A short disclaimer: your staffing plan is up to you, and we’re not saying that you need 24x7 staffing. In fact, 24x7 staffing doesn’t always mean you’re covered. Often paying a person to stare at glass overnight can cause an organization to overestimate their security maturity. In avoiding this pitfall, ask yourself:

a) Do we have enough skilled cyber analysts to fill a 24x7 staffing plan?
b) Is the staff manning each shift equipped and qualified to react and mitigate threats, or are they serving as a manual escalation trigger to alert key staff?
c) Can technology be tuned and customized to alert and escalate when key events are detected?

#3: The pre-existing framework equals security

Some organizations believe that the process of reacting to alerts is a framework. Essentially they wait for something bad to happen and then react. So whether this is a planned strategy or just the reality of your current operations – not having an evolved, sustainable and scalable framework is a pitfall that plagues many organizations.

To avoid this pitfall, make sure you flesh out the processes behind how the technology and people aspects of your security will function. Map your tech environment, document roles and relationships, research and mirror other frameworks, and educate and train your staff to follow and understand your framework.

Most importantly, acknowledge that a framework in and of itself does not equate to security. It should merely be seen as a map that leads to a more secure posture. Your job should be to ensure that your map is as detailed and robust as possible so that your cybersecurity approach doesn’t get lost in the woods.

In many ways we can never fully avoid the feelings associated with a business-as-usual (BAU) mentality. But by following these tips, we can avoid three common pitfalls associated with BAU thinking and remove much of the threat of cyber-insecurity.


Advanced Persistent Threat (APT), as a term, is perhaps over-used in cybersecurity. Like the Boogie-Man that strikes fear into the minds and hearts of children at night, APTs work just as hard to ensure that CISOs and CIOs never rest easily. But just like the Boogie-Man, the trick to not being afraid of APTs is to understand them. Unfortunately, understanding APTs isn’t as simple as a bedtime story.

The first signs of APTs came from targeted, socially-engineered emails dropping Trojans designed for exfiltration of sensitive information. They were identified by UK and US CIRT organizations in 2005. Although the name "APT" was not used, the attackers met the criteria that determines an APT. The term "advanced persistent threat" is cited as originating from the Air Force in 2006 with Colonel Greg Rattray.

Another complexity in understanding APTs is their definition and identifiable characteristics. The internet is filled with different definitions and varying character traits that can often make this step confusing and ambiguous. One popular definition on the Internet that sums up the concept of an APT nicely is:

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” –National Institute of Standards and Technology

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies and political activists. The use of the term APT seems to be growing with the rising number of APT-related attacks; a PC World story from a couple of years ago noted an 81 percent increase in APT attacks from 2010 to 2011.

In a book released a couple of years ago called Reverse Deception: Organized Cyber Threat Counter-Exploitation, the authors define the following APT criteria:

  • Objectives – The end goal of the threat, your adversary
  • Timeliness – The time spent probing and accessing your system 
  • Resources – The level of knowledge and tools used in the event (skills and methods will weigh on this point) 
  • Risk tolerance – The extent the threat will go to remain undetected 
  • Skills and methods – The tools and techniques used throughout the event 
  • Actions – The precise actions of a threat or numerous threats 
  • Attack origination points – The number of points where the event originated
  • Numbers involved in the attack – How many internal and external systems were involved in the event, and how many people's systems have different influence/importance weights
  • Knowledge source – The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by being a little proactive)

Even though Advanced Persistent Threats play a strong role in cybersecurity planning, especially for large organizations, a lot of the fear and feeling of uncertainty about them can be eliminated by a simple understanding of what they are and what their pattern of attack typically looks like. Although the solution to removing the fear is never as simple as checking your closet, or server, at night before leaving, understanding the threat and partnering with an organization like Lockheed Martin can make your networks more secure.
