Cybersecurity vendor Stormshield has warned that identifying unknown and future threats has become increasingly crucial for effective enterprise defences.
The company’s cybersecurity product director Sébastien Viou argued in a new blog post that a strong control and protection methodology should seek out the blind spots in advance.
“Can we anticipate tomorrow’s cyberattacks today?” Viou said. “Anticipating tomorrow’s threats is not only a question of relying on tools and algorithms, but of developing a control and protection methodology that adapts to the working environment.”
Proactive cyberthreat hunting should incorporate a mix of continual audits alongside data analysis and refinement. Consistently combining knowledge of the attacker, threat hunting and systematic use of security operations forms a “solid foundation”, he said.
Protection engines and rules should be continually adjusted and able to provide real-time data flows to help fend off identified threats.
Using tactics, techniques and procedures (TTPs), indicators of attack (IoAs) and indicators of compromise (IoCs) drawn from similar cyberattacks, hunters can identify problem areas and new malware that the usual alerts do not surface.
“However, recruiting ‘hunters’ is not an easy task in these times of tight labour markets, and is a luxury that most companies cannot afford,” Viou said.
This has become more crucial with ongoing IT/OT convergence and the emergence of Industry 5.0, “which puts the human being back at the centre of the factory”, increasing individuals’ dependence on their computer environments.
“The systematic application of compliance audits of production machines and security audits of IT and OT infrastructures needs to ensure that networks are segmented and that good cybersecurity practices are being applied,” Viou said.
Having more detection probes in IT and OT environments should make it possible to provide SecOps analysts with indicators of attack. Data can then be correlated, contextualised and shared as a cyber threat intelligence (CTI) stream.
He said that future CTI analysts will require specific knowledge of industrial environments. They will need to understand how an operational network and its components function compared with those of an IT network, and particular challenges such as the priority given to system availability and the security controls already in place.
Vincent Nicaise, head of ecosystem and industrial partnerships at Stormshield, said this isn’t simple, as it involves working with existing equipment, perhaps based on decades-old designs.
“If CTI analysts have no understanding of the communications being exchanged on the industrial network, and therefore no understanding of how the industrial protocols work, they will not be able to analyse them and identify legitimate or suspicious behaviour,” Nicaise confirmed.
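As an added illustration of the point Nicaise makes (this is example code written for this page, not Stormshield's), the block below decodes Modbus/TCP requests, the kind of industrial traffic a probe on an OT segment would see, and applies two hunting rules that only make sense if the analyst knows what the function codes mean: a write from a host that is not an engineering workstation, and a Diagnostics request that forces a device into listen-only mode. The host addresses, the engineering-host allowlist and the frames are constructed for the example; the MBAP header layout and function code meanings are those of the Modbus/TCP specification.

```python
"""Added example: minimal Modbus/TCP request decoder plus two hunting rules, run over
constructed frames. Not Stormshield's code; hosts, allowlist and frames are made up."""
import struct
from dataclasses import dataclass

# Modbus function codes seen in the example; 5/6/15/16 change process state.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Diagnostics sub-function 0x0004 puts the device in listen-only mode: it stops answering.
FORCE_LISTEN_ONLY = 0x0004

# Assumed baseline for the example: the only hosts allowed to write to the PLC.
ENGINEERING_HOSTS = {"10.0.1.50"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header (transaction id, protocol id, length, unit id)
    and the function code that follows. Raises ValueError for anything that is not
    well-formed Modbus/TCP, which is itself worth a look when seen on TCP/502."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(payload) - 6:  # length covers unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size")
    return ModbusRequest(src, dst, tid, unit, payload[7], payload[8:])


def hunt(frames):
    """Apply two protocol-aware rules and return (src, dst, reason) per suspicious frame:
    1. a write function from a host outside ENGINEERING_HOSTS;
    2. a Diagnostics request with the Force Listen Only sub-function."""
    findings = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as exc:
            findings.append((src, dst, f"malformed Modbus/TCP: {exc}"))
            continue
        name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
        if req.function in WRITE_FUNCTIONS and src not in ENGINEERING_HOSTS:
            # First two PDU data bytes of a write are the target (start) address.
            addr = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
            findings.append((src, dst, f"{name} to address {addr} from non-engineering host"))
        elif req.function == 8 and len(req.data) >= 2:
            sub = struct.unpack(">H", req.data[:2])[0]
            if sub == FORCE_LISTEN_ONLY:
                findings.append((src, dst, "Diagnostics: Force Listen Only Mode"))
    return findings


# Constructed frames for the example: MBAP header followed by the PDU.
SAMPLE_FRAMES = [
    # HMI polling ten holding registers: normal traffic.
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Engineering workstation writing register 0x0010: allowed by the baseline.
    ("10.0.1.50", "10.0.2.5", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    # Unknown host writing the same register: suspicious.
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
    # Unknown host forcing listen-only mode: not a write, still suspicious.
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("0004 0000 0006 01 08 0004 0000")),
    # Non-Modbus protocol id on the Modbus port.
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("0005 0001 0006 01 03 0000 000a")),
]

if __name__ == "__main__":
    for src, dst, reason in hunt(SAMPLE_FRAMES):
        print(f"{src} -> {dst}: {reason}")
```

Running the block reports three of the five frames: the write from the unknown host, the listen-only diagnostics request, and the malformed frame. The first two frames are the same function codes seen from the HMI and the engineering workstation, which is exactly why a rule that only counts bytes or flags "unusual ports" would miss the difference; the baseline of who is allowed to do what on the industrial network is what makes the behaviour legitimate or suspicious.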
In the most critical environments, systems should be disconnected (air-gapped) so that any computer intrusion from the outside is prevented: the infrastructure does not communicate with the internet and is updated only manually, case by case.
“Even in such remote environments, the Stuxnet episode demonstrated that direct attacks on machines can happen,” added Viou.
Nicaise said the European Commission addresses “Industry 5.0” in its 2022 report Industry 5.0 – Towards a sustainable, human-centric and resilient European industry. Rather than a completely new concept, it aims to improve industrial approaches so that current goals are better achieved.
“The work is the result of broad consultation and aims to take the measure of the emerging societal challenges that will have a decisive impact on the industry of the future,” he said.
“Industry is the biggest contributor to the European economy, accounting for 20% of the EU’s GDP.”