{"id":221899,"date":"2021-02-25T07:41:07","date_gmt":"2021-02-25T06:41:07","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=221899"},"modified":"2021-02-25T07:41:07","modified_gmt":"2021-02-25T06:41:07","slug":"detection-cyberattaque","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/detection-cyberattaque\/","title":{"rendered":"Cyberattack detection: the importance of adopting a qualitative approach"},"content":{"rendered":"<p>In macroeconomics, it is sometimes said that a crisis at least offers the advantage of putting an end to structural imbalances; while it seems complicated to call the current increase in cyberattacks a &quot;crisis,&quot; given that this development has been predicted for years, this trend has at least led to a genuine paradigm shift:<\/p>\n\n\n\n<p><strong>No organization dares to doubt its vulnerability to cyberattacks anymore.<\/strong><\/p>\n\n\n\n<p><em>No executive would be confident anymore about the risk of ransomware being deployed on their company&#039;s information system.<\/em><\/p>\n\n\n\n<p>For those who remember the days when cybersecurity specialists were all considered paranoid, the current situation is undoubtedly better. Yet, this phase of denial regarding cyber risk is followed by a new one: an inflation of services, providers, technologies\u2026 and contracts. Does this make sense from an operational standpoint? Are we better protected simply by being (quantitatively) more protected? 
An attempt at an answer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-des-menaces-prot-iformes-des-attaquants-innovants-mais-des-sc-narios-anticip-s\"><strong><em>Multifaceted threats, innovative attackers\u2026 but anticipated scenarios<\/em><\/strong><\/h2>\n\n\n\n<p>In December 2020, <a href=\"https:\/\/www.lemonde.fr\/pixels\/article\/2021\/01\/27\/la-compromission-de-solarwinds-une-des-affaires-de-cyberespionnage-les-plus-longues-et-les-plus-sophistiquees-de-la-decennie_6067777_4408996.html\" target=\"_blank\" rel=\"noreferrer noopener\">the SolarWinds affair was making headlines<\/a>; not only in the specialized media, as <a href=\"https:\/\/cyberguerre.numerama.com\/219-stuxnet-lespion-qui-voulait-saboter-le-nucleaire-iranien.html\" target=\"_blank\" rel=\"noreferrer noopener\">Stuxnet<\/a> had in its time, but also in the general press. We will not go into the details of this attack: an American software publisher, SolarWinds, had been compromised, and revealed that <strong>a tainted version<\/strong> of one of its &quot;flagship&quot; products, Orion, had allowed the attackers to <strong>compromise, in cascading fashion, a plethora of its client organizations<\/strong> worldwide.<\/p>\n\n\n\n<p>While the cyberattack, which now bears the company&#039;s name, is impressive due to the potentially immense scope of its compromise and to some of its victims (such as US government agencies), is it truly unprecedented? Was its unfolding scenario unusual?<\/p>\n\n\n\n<p>No. 
In fact, it has been known for years to specialists in the field as a <a href=\"https:\/\/www.ssi.gouv.fr\/actualite\/chaine-dattaque-sur-les-prestataires-de-service-et-les-bureaux-detude-un-nouveau-rapport-danalyse-de-la-menace\/\">&quot;<em>supply chain<\/em>&quot; attack<\/a>, and rests on a relatively simple premise: it is often easier to <strong>compromise a supplier of one or more end targets<\/strong>, since the supplier benefits from privileged access, than to attack head-on structures that are sometimes extremely well defended.<\/p>\n\n\n\n<p>So <strong>the offensive scenario on which the SolarWinds case is based is not inherently original<\/strong>. Would SolarWinds&#039; customers have avoided a compromise if they had used multiple security solutions, providers, and services? It&#039;s highly doubtful.<\/p>\n\n\n\n<p>However, many risk analyses have made it possible to identify the risk posed by an offensive scenario &quot;like SolarWinds&quot;, and potentially to take measures to deal with it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-piloter-par-les-risques-plut-t-que-r-agir-la-derni-re-actualit-en-date\"><strong><em>Managing by risk, rather than reacting to the latest news<\/em><\/strong><\/h2>\n\n\n\n<p>For a customer, it is sometimes hard to resist the temptation of always wanting more, as this offers a certain intellectual comfort: for a <a href=\"https:\/\/www.intrinsec.com\/en\/soc-securite-operationnelle\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Security Operations Center<\/em><\/a> (SOC), this has historically resulted in a voracious appetite for detection rules deployed in a SIEM.<\/p>\n\n\n\n<p>A new cyberattack? A new detection rule. A publisher&#039;s report on a new modus operandi? A new detection rule. The same key for every new lock. 
But while this may be reassuring, and while it gives the impression of action, the customer is actually no better protected.<\/p>\n\n\n\n<p>In the case of SolarWinds, a &quot;classic&quot; approach responds as follows:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2021\/02\/matrice-detection-1-1024x229.png\" alt=\"\" class=\"wp-image-221911\"\/><\/figure><\/div>\n\n\n\n<p>If reacting only allows us to deal with the incident in question, what about similar scenarios that target another service provider and\/or present different technical characteristics?<\/p>\n\n\n\n<p>Some actions within the quantitative approach to cyberattack detection may, potentially, detect and perhaps block these other incidents, but this is far from certain, because what is being addressed is less the risk of a complete offensive scenario than its latest manifestation once it has emerged. Even worse: <strong>piling up detection rules developed hastily on the basis of current events risks saturating the detection capabilities of a SOC<\/strong> (more alerts, more false positives, less time for analysis).<\/p>\n\n\n\n<p>A qualitative approach to cyberattack detection, such as the one practiced daily by Intrinsec, does not suffer from this operational hemiplegia; indeed, by leveraging existing methodological tools such as <a href=\"https:\/\/www.ssi.gouv.fr\/guide\/la-methode-ebios-risk-manager-le-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">EBIOS Risk Manager<\/a>, it ensures that cyberattack detection is based on offensive scenarios, which are translated into feared technical events. 
Once these are defined and prioritized, it is possible to answer the question &quot;Am I adequately protected?&quot; by assessing the coverage of the associated risk.<\/p>\n\n\n\n<p>In the case of SolarWinds, a qualitative approach provides the following answer:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2021\/02\/matrice-detection-2-1024x300.png\" alt=\"\" class=\"wp-image-221912\"\/><\/figure><\/div>\n\n\n\n<p>Offensive scenario of vendor compromise: identification of the related feared events (e.g., malicious use of existing access, dissemination of malicious code); assessment of the coverage of those feared events; development or improvement of existing detection rules and\/or advice on integrating new detection sensors.<\/p>\n\n\n\n<p><strong>The advantages of this qualitative approach to cyberattack detection are that it does not depend on breaking news to ensure that the right questions are asked, and that it allows the strategic to feed the operational, and anticipation to feed detection.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-et-maintenant\"><strong><em>And now?<\/em><\/strong><\/h2>\n\n\n\n<p>It is clear that decision-makers with a global vision, and\/or CISOs, faced with this risk-based approach to cyberattack detection, very quickly perceive its benefits, if they have not already adopted it.<\/p>\n\n\n\n<p>However, there remains a strong temptation to let a new technology or solution monopolize the attention of even the most seasoned cybersecurity experts. <strong>A taste for tools<\/strong> (especially new ones!) 
combined with a certain <strong>technological solutionism<\/strong> is almost inherent to the cybersecurity sector!<\/p>\n\n\n\n<p>This bias, combined with the tendency to compartmentalize activities, both operationally and strategically, undermines cybersecurity.<\/p>\n\n\n\n<p>However, many fictitious boundaries between professions are tending to disappear: <strong>qualitative analysis is gradually replacing quantitative analysis, and anticipation improves detection, which in turn enables a rapid response<\/strong>. So, while the future is certainly not rosy, at least it looks exciting!<\/p>","protected":false},"excerpt":{"rendered":"<p>In macroeconomics, it is sometimes said that a crisis at least offers the advantage of putting an end [\u2026]<\/p>","protected":false},"author":35,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[],"class_list":["post-221899","post","type-post","status-publish","format-standard","hentry","category-soc-securite-operationnelle"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>D\u00e9tection de cyberattaques - INTRINSEC<\/title>\n<meta name=\"description\" content=\"En macro\u00e9conomie, il est parfois dit qu\u2019une crise offre au moins l\u2019avantage de mettre fin \u00e0 des d\u00e9s\u00e9quilibres structurels...\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/detection-cyberattaque\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"D\u00e9tection de cyberattaques : de l&#039;int\u00e9r\u00eat d&#039;adopter une approche qualitative\" \/>\n<meta 
property=\"og:description\" content=\"En macro\u00e9conomie, il est parfois dit qu\u2019une crise offre au moins l\u2019avantage de mettre fin \u00e0 des d\u00e9s\u00e9quilibres structurels...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/detection-cyberattaque\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-25T06:41:07+00:00\" \/>\n<meta name=\"author\" content=\"Adrien Gevaudan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Adrien Gevaudan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/\"},\"author\":{\"name\":\"Adrien Gevaudan\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/7df6ca1ce09cbb1523507d87e2cf99a4\"},\"headline\":\"D\u00e9tection de cyberattaques : de l&rsquo;int\u00e9r\u00eat d&rsquo;adopter une approche qualitative\",\"datePublished\":\"2021-02-25T06:41:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/\"},\"wordCount\":1203,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/matrice-detection-1-1024x229.png\",\"articleSection\":[\"SOC S\u00e9curit\u00e9 
Op\u00e9rationnelle\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/\",\"name\":\"D\u00e9tection de cyberattaques - INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/matrice-detection-1-1024x229.png\",\"datePublished\":\"2021-02-25T06:41:07+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/7df6ca1ce09cbb1523507d87e2cf99a4\"},\"description\":\"En macro\u00e9conomie, il est parfois dit qu\u2019une crise offre au moins l\u2019avantage de mettre fin \u00e0 des d\u00e9s\u00e9quilibres structurels...\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/matrice-detection-1-1024x229.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/matrice-detection-1-1024x229.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/detection-cyberattaque\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"D\u00e9tection de cyberattaques : 
de l&rsquo;int\u00e9r\u00eat d&rsquo;adopter une approche qualitative\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/7df6ca1ce09cbb1523507d87e2cf99a4\",\"name\":\"Adrien Gevaudan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"caption\":\"Adrien Gevaudan\"},\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/adrien-gevaudan\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Cyberattack detection - INTRINSEC","description":"In macroeconomics, it is sometimes said that a crisis at least offers the advantage of putting an end to structural imbalances...","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/detection-cyberattaque\/","og_locale":"en_US","og_type":"article","og_title":"D\u00e9tection de cyberattaques : de l'int\u00e9r\u00eat d'adopter une approche qualitative","og_description":"En macro\u00e9conomie, il est parfois dit qu\u2019une crise offre au moins l\u2019avantage de mettre fin \u00e0 des d\u00e9s\u00e9quilibres structurels...","og_url":"https:\/\/www.intrinsec.com\/en\/detection-cyberattaque\/","og_site_name":"INTRINSEC","article_published_time":"2021-02-25T06:41:07+00:00","author":"Adrien Gevaudan","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Adrien Gevaudan","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/"},"author":{"name":"Adrien Gevaudan","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/7df6ca1ce09cbb1523507d87e2cf99a4"},"headline":"D\u00e9tection de cyberattaques : de l&rsquo;int\u00e9r\u00eat d&rsquo;adopter une approche qualitative","datePublished":"2021-02-25T06:41:07+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/"},"wordCount":1203,"image":{"@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2021\/02\/matrice-detection-1-1024x229.png","articleSection":["SOC S\u00e9curit\u00e9 Op\u00e9rationnelle"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/","url":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/","name":"Cyberattack detection - INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2021\/02\/matrice-detection-1-1024x229.png","datePublished":"2021-02-25T06:41:07+00:00","author":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/7df6ca1ce09cbb1523507d87e2cf99a4"},"description":"In macroeconomics, it is sometimes said that a crisis at least offers the advantage of putting an end to structural 
imbalances...","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/detection-cyberattaque\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/#primaryimage","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2021\/02\/matrice-detection-1-1024x229.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2021\/02\/matrice-detection-1-1024x229.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/detection-cyberattaque\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"D\u00e9tection de cyberattaques : de l&rsquo;int\u00e9r\u00eat d&rsquo;adopter une approche qualitative"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/7df6ca1ce09cbb1523507d87e2cf99a4","name":"Adrien Gevaudan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","caption":"Adrien 
Gevaudan"},"url":"https:\/\/www.intrinsec.com\/en\/author\/adrien-gevaudan\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/221899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=221899"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/221899\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=221899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=221899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=221899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}