disciplined, centralised tasking and shared tooling. Threat models need to stop being built around what you are; and start being built around who you are connected to.
If an adversary's attack infrastructure is pre-positioned globally and independent of their home country's connectivity, how can defenders move beyond simple geographic blocking to stay ahead?

If you're using geo-blocking as your primary defence, you're essentially locking the front door, but leaving the back door wide open. Attribution by geography is already a bit of a relic, despite only starting out five years ago. These actors operate through their own infrastructure in our own regions and on our own platforms. Blocking a Russian IP range does nothing when the traffic is coming from Frankfurt.

We have to shift our mindset and start thinking about how traffic is behaving and where it is coming from. For example, anomalous authentication patterns, unusual access sequences and lateral movement that doesn't match a human work pattern. We need to be profiling the behaviour of the session, not the flag on the packet.

We're fighting yesterday's threats with yesterday's tools.
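The contrast drawn in the answer above (a geo-block that passes a session from Frankfurt, versus profiling how that session behaves) as an added illustration that is not part of the interview. The event data, the hosts, the country codes and the scoring thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication events: (user, timestamp, source country, target host).
# The first four rows are alice's normal daytime pattern; the last four are a
# session from a German host that fans out across servers at 03:00.
EVENTS = [
    ("alice", "2024-03-04T09:02:00", "AE", "fs01"),
    ("alice", "2024-03-04T09:40:00", "AE", "mail01"),
    ("alice", "2024-03-04T13:15:00", "AE", "fs01"),
    ("alice", "2024-03-05T09:05:00", "AE", "fs01"),
    ("alice", "2024-03-06T03:01:00", "DE", "fs01"),
    ("alice", "2024-03-06T03:02:00", "DE", "db01"),
    ("alice", "2024-03-06T03:03:00", "DE", "dc01"),
    ("alice", "2024-03-06T03:04:00", "DE", "backup01"),
]
BLOCKED_COUNTRIES = {"RU"}  # assumed geo-block list


def geo_block(events):
    """Geography-only control: returns the events it would drop."""
    return [e for e in events if e[2] in BLOCKED_COUNTRIES]


def behavioural_alerts(events, work_hours=(7, 20), max_hosts_per_5min=3):
    """Scores each event on how the session behaves, not where it comes from:
    off-hours activity, hosts the user has never touched, and fan-out across
    many hosts inside five minutes. Thresholds are assumed, not from the article."""
    alerts = []
    seen_hosts = defaultdict(set)   # user -> hosts accessed so far (baseline)
    window = defaultdict(list)      # user -> (timestamp, host) within last 5 min
    for user, ts, country, host in events:
        t = datetime.fromisoformat(ts)
        reasons, score = [], 0
        if not work_hours[0] <= t.hour < work_hours[1]:
            reasons.append("off-hours"); score += 1
        if seen_hosts[user] and host not in seen_hosts[user]:
            reasons.append("never-before-seen host"); score += 1
        window[user] = [(w, h) for w, h in window[user] if (t - w).total_seconds() <= 300]
        window[user].append((t, host))
        if len({h for _, h in window[user]}) > max_hosts_per_5min:
            reasons.append("lateral fan-out"); score += 2
        seen_hosts[user].add(host)
        if score >= 2:  # a single weak signal alone does not alert
            alerts.append({"user": user, "ts": ts, "country": country,
                           "host": host, "reasons": reasons, "score": score})
    return alerts
```

Run against the sample, the geo-block drops nothing, while the behavioural pass alerts only on the 03:00 session, with the strongest score on the fourth host in four minutes.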
Social engineering is a 'long game'. Since technical controls can't easily flag a legitimate-looking conversation, how do we effectively harden the human element against such patience?
Technical controls are brilliant at spotting malicious attachments.
INTELLIGENT CIO MIDDLE EAST www.intelligentcio.com