Hey there Bay Area health and cybersecurity folks! I’ve been thinking recently about how our industry is swimming in data and intelligence but often lacks the means to dig through it all. Who hasn’t felt overwhelmed sifting through mountains of information, right? Particularly when it comes to understanding complex cybersecurity threats.
Turns out, our buddies over at Target – yes, the very same Target of that well-publicized 2013 data breach – decided to address this exact issue. Their tech whiz, Kelsey Helms, revealed at a cybersecurity summit that they’ve been using a rather nifty tool, the WAVE matrix. What is WAVE, you ask? It’s Target’s brainchild, created to better predict, detect, and assign credit for tactics, techniques and procedures (the cool kids call them TTPs) related to threats.
Not to confuse you with too much tech jargon, suffice to say, the WAVE matrix largely builds upon existing tools like the Diamond Model for Intrusion Analysis, MITRE ATT&CK, and Lockheed Martin’s Cyber Kill Chain Model. The aim is to take the essential parts of these established models and fashion them into an easier-to-use approach for processing threat intelligence.
Consider it this way – if a company under threat were a patient, WAVE would be the pulse oximeter on the finger: an easy, non-invasive tool that provides crucial real-time data.
So where does this data come from? Imagine a ransomware or malware threat as a bug. Each bug has its preferred set of tools and methods – basically, its M.O. When we make an effort to understand these behaviors, we can prevent such attacks on a grand scale. This is where WAVE has proven its mettle.
Helms revealed that WAVE has helped bridge the gap between threat analysis and detection. It’s a common language for cybersecurity teams to use, from documenting TTPs to querying about unfamiliar tactics. Don’t you just love it when everyone speaks the same language?
But it doesn’t just stop at being a dialect of bug-talk. WAVE has transformed piles of intel into actionable data, detecting suspicious activity both entering and leaving a network. Furthermore, it sorts through the common TTPs used either by a particular threat group or shared among groups. This enables security teams to prioritize prevention, patching, and tracking potential activity.
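The sorting step above is easy to picture in code. Here is an added illustration (mine, not Target's WAVE code or anything Helms showed): it inverts a group-to-TTP mapping so each TTP lists the groups that use it, ranks TTPs by how many groups share them, and then surfaces the shared TTPs that have no detection rule yet. The group names, technique ids and coverage set are constructed placeholders, not real intel.

```python
"""Rank TTPs by how many tracked threat groups share them, then list the ones
with no detection coverage yet. Added example, not Target's WAVE code.
Group names and technique ids are constructed placeholders, not real intel."""
from collections import defaultdict

# Constructed sample intel: which TTPs each (fictional) group has been observed using.
GROUP_TTPS = {
    "GROUP-A": {"TTP-001", "TTP-002", "TTP-003"},
    "GROUP-B": {"TTP-002", "TTP-003", "TTP-004"},
    "GROUP-C": {"TTP-003", "TTP-005"},
}

# Constructed: TTPs for which a detection rule already exists.
DETECTION_COVERAGE = {"TTP-001", "TTP-003"}


def ttps_for_group(group_ttps, group):
    """TTPs observed for a single group, sorted for stable output."""
    return sorted(group_ttps.get(group, set()))


def shared_ttps(group_ttps):
    """Invert the mapping: TTP -> set of groups observed using it."""
    by_ttp = defaultdict(set)
    for group, ttps in group_ttps.items():
        for ttp in ttps:
            by_ttp[ttp].add(group)
    return dict(by_ttp)


def rank_ttps(group_ttps):
    """Rank TTPs by number of groups sharing them (most shared first); ties by id."""
    by_ttp = shared_ttps(group_ttps)
    return sorted(by_ttp, key=lambda t: (-len(by_ttp[t]), t))


def coverage_gaps(group_ttps, covered):
    """Ranked TTPs with no detection yet: the prioritised to-do list for the SOC."""
    return [t for t in rank_ttps(group_ttps) if t not in covered]


if __name__ == "__main__":
    by_ttp = shared_ttps(GROUP_TTPS)
    for ttp in rank_ttps(GROUP_TTPS):
        groups = sorted(by_ttp[ttp])
        print(f"{ttp}: used by {len(groups)} group(s) -> {groups}")
    print("uncovered, in priority order:", coverage_gaps(GROUP_TTPS, DETECTION_COVERAGE))
```

Run as a script it prints the ranking and the uncovered list; in real use the mapping would be fed from whatever intel store the team keeps, and the uncovered list is the one to hand to the detection engineers first, since a single rule there pays off against several groups at once.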
Post-attack investigations or even red team operations can leverage the same TTPs to shape their inquiry or testing. Because WAVE is designed to be flexible, the information gleaned can influence the creation or modification of detection rules.
While Target has definitely proven itself to be a pioneer in this regard, we understand that not all companies will have a security operations center as well-resourced as theirs. But fear not, WAVE has the scalability factor; it’s designed to be useful across industries and adaptable to smaller teams handling multiple security domains.
Oh, and let me share this cool bit: Target isn’t keeping this all to themselves. They are actively sharing their experiences and learnings to contribute to a broader understanding of the rapidly shifting cybersecurity landscape.
In the end, isn’t that what we all want? A safer space where we can share, learn, and grow together? As my grandmother would put it, “many hands make light work”. So, it’s amazing watching Target help load-share our collective cybersecurity responsibility!
by Morgan Phisher | HEAL Security