Security engineers are constantly spending their time and effort managing their Host-Based Security System, Anti-Virus, Intrusion Detection Systems, etc. Security devices and applications are a significant piece of the larger security infrastructure for any organization.
That being said, how much time is spent focusing security implementation on the known threat to organizations? How many hours are actually spent parsing event logs, researching discovered phishing attacks, and looking at adversary TTP to customize and focus the security features of a network?
While “Defense in Depth” is important, it is largely reactionary and could prove ineffective in preventing exploitation and loss of proprietary data when the attack is focused. This is where proper targeting and counterintelligence could and should play a larger role in the security strategy for any organization.
Security awareness and proper defense in depth can tell security engineers if and when an attack occurred, when it was successful, and potentially what damage was done. Counterintelligence offers the missing chess piece in the strategic cyber security game. Counterintelligence asks who targeted the network, how the exploit as created, what TTP they used, and what weak aspects of the network were exploited. Even further, counterintelligence asks what can be done to prevent, deter, and even misinform the adversary. Counterintelligence may seem nebulous in the construct of cyber security, however, the information is relatively simple to determine. What TTP was used by the adversary (phishing attacks, insider attack, DLL Preloading, etc)? What information were they looking for or what damage did they intend to create? What security tools can be used to prevent and deter future attacks?
The best security in the world will not stop every attack, however, proper counterintelligence can identify the adversary, prevent future attacks, and even create havoc for the adversary that requires larger investment on their part to attempt further exploitation. No one is saying that proper network security should not be implemented and maintained, however proper counterintelligence should also be a significant element to bolster existing network security and prevent future targeted attacks.