Engaging Attackers Prior to Impact Will Significantly Reduce the Overall Operational Risk of Your Networks
Let me start off by saying I’m not big on doom and gloom when it comes to cybersecurity. However, the reality we face is that despite best efforts by cybersecurity professionals, breaches continue to happen.
Perhaps unsurprisingly, recent research on threat detection finds low confidence in the ability to detect and respond to attacks, with lack of visibility cited as a critical factor. Why? The low confidence usually stems from uncertainty about whether the right set of tools has been deployed and properly configured within the network AND whether enough skilled expertise is available to operate those tools. Even as security practices and tools have evolved, attackers are usually a step ahead. Traditional defensive measures are often bypassed by attackers who not only share tooling and tradecraft with other threat actors, but also use automation and AI to speed and scale their attacks.
Cybersecurity professionals face the major challenge of reducing dwell time: the interval between an attacker's initial compromise and its detection, during which the intruder establishes a foothold, escalates privileges, moves laterally, and ultimately exfiltrates data or locks down your machines in a ransomware attack. According to the Ponemon Institute, the average data breach costs more than $8 million in the US. With an average of 197 days to identify a breach and 97 days to contain it, it is no wonder that cutting dwell time in half could save more than $1 million (2019 Cost of a Data Breach, Ponemon Institute).
As an attack progresses, the risk to the system and the cost to contain and remediate both rise. To reduce both, every effort should be made to identify the attacker earlier in the timeline, before impact. In military terms this is operating "left of boom."
So where to begin?
First, organizations must broaden their security posture beyond traditional cyber defenses that focus primarily on protective and reactive capabilities. No matter how many best-of-breed protective solutions you deploy, the unfortunate reality is that eventually an attacker is going to get past them. When that happens, organizations need defense in depth that lets them deal with the threat in cyber-relevant time. To get there, protective and reactive tools must be fortified with predictive, proactive, and retrospective capabilities.
The first proactive capability organizations should focus on is cyber terrain mapping. Before attackers make their initial access attempt, they will try to learn everything they possibly can about your network during reconnaissance. It stands to reason that you should know more about the terrain you are defending than they do. A comprehensive understanding of your cyber terrain also enables further proactive capabilities, such as better-targeted threat hunting and the placement of deception (decoy hosts, accounts and credentials) to catch attackers lurking undetected in the network. Both capabilities rely heavily on understanding the likely paths and techniques attackers will use to escalate privileges or reach the crown jewels.
Automation also plays an important part in any security stack, allowing security teams to scale proactive capabilities such as detection and response, and to implement predictive capabilities using machine learning and artificial intelligence. This helps to automatically detect anomalous activity on the network, estimate the probability of compromise, generate high-fidelity alerts, and analyze metadata in search of unknown threats. Automation can also be used retrospectively: metadata collected and stored over the past months or year can be replayed to thoroughly analyze past activity, security incidents or threat actions. This bolsters current defenses and predictive capabilities, and can surface previously missed intrusions by reassessing past metadata against new threat intelligence.
Cybersecurity developers and analysts must also understand attacker tradecraft in order to anticipate and counter attackers in cyber-relevant time. One approach gaining momentum among security professionals is to operationalize cyber threat frameworks on their networks, maintaining a continuous, near-real-time understanding of attackers' motives, objectives, and how they execute their attacks.
The most widely used frameworks today are MITRE ATT&CK and DoDCAR (DoD Cybersecurity Analysis and Review). These frameworks enable consistent characterization and categorization of cyber threat events, and help analysts identify trends or changes in attacker activity. They provide focus for product development, parameters for operational planning, and a common language for threat-driven operations across government and industry.
Modern malware uses a combination of techniques to hide its operation, stage its exploits, evade detection, and exploit network weaknesses. By classifying attacks into discrete techniques or actions:
• Threat hunters can rapidly identify the underlying technique sequences of known attacks and understand how a piece of malware has evolved as new features and attack techniques are added
• Intelligence analysts can gain critical insights to track down those responsible, whether a person, a group or a country
A capability that automatically detects individual attack techniques (or actions) in real time and alerts on critical technique sequences allows threat hunters to respond to attacks in progress and, most importantly, prior to impact. These critical sequences give analysts strong indications of both known advanced persistent threats (APTs) and potential zero-day attacks, because a chain of tactics (for example, execution followed by credential access and lateral movement) can be recognized even when the specific tooling behind it is new to the defender. This is a core capability of any modern threat hunting platform, because detecting and remediating attacks earlier in the attack lifecycle can save millions in remediation costs.
Artificial intelligence is also critical (remember that attackers are now leveraging AI against us!), with machine-learning algorithms able to assist not only in detecting attackers but also in proposing response actions. Those proposals still need analyst validation and a feedback loop: a model that is never corrected will keep producing the same false positives, and an automated response acting on a wrong proposal can do as much damage as the attack it was meant to stop.
As a final reminder, engaging the attacker prior to impact will significantly reduce the overall operational risk of your networks, protect critical information and systems from attackers, and protect lives of the men and women who serve this country every day.