Security Experts:

When it Comes to Securing Your Environment, Think Like an Attacker

Cybersecurity Teams Need Actionable Insight Into the Latest Techniques, Tactics and Procedures Being Used by Cyber Adversaries 

We will soon be entering a new decade of the cybersecurity battle, but many of the same challenges remain. Organizations continue to face threats from all angles, security postures haven’t evolved to be more predictive and proactive, and there are still too many underutilized point security tools that require too much manual effort from understaffed and overburdened cybersecurity teams.

This battle may be over before it begins if we don’t start thinking like an attacker. Highly sophisticated and motivated attackers research and analyze their target’s entire environment before launching an attack.

To execute an attack more effectively and efficiently, attackers use automation and machine learning (I recently read an article that noted how attackers are using AI algorithms to send spear-phishing tweets six times faster than a human and with twice the success). Once attackers gain initial access, they escalate privileges to move undetected while extracting critical data and compromising systems. Often this access is sustained through the deployment of malicious programs that allow the attacker to gain future network access at will. Tipping the scales to the defender’s advantage requires a change in the way cybersecurity teams think about securing the environment. Rapid detection and response mapped to the cyber kill chain must be augmented with predictive and proactive defenses to better control the environment.

Why the Challenge of Detecting Attackers in Your Environment Is So Great

Due to security silos, lack of resources and point security tools, Security Operation Centers (SOCs) are drowning in alerts, often lacking context and correlation. As security analysts struggle to tread water among a deluge of alerts, attackers are benefitting from slower detection and response times that allow them time to move freely about the network. While attackers have more avenues than ever before to access, steal, and destroy information, monetary equivalents and disrupt business operations, it has become harder than ever to detect them in your environment. 

When it comes to cybersecurity, every second counts. Every second lost is more time for attackers to steal sensitive data or disrupt critical business operations. From the perspective of the attacker, spear phishing, waterhole attacks, or any other malware delivery technique are all just a means to an end. Once a foothold is established the attacker will move laterally through the network. There may be one lateral step or many lateral steps for the attacker to gain access to the targeted intellectual property or control of a system. 

One common technique used by an attacker is to target user credentials, which will allow them to move throughout the network under the pretext of a legitimate user. Unfortunately, most cybersecurity teams are typically in a reactive fire drill, trying to keep up with the threats and alerts coming at them. This type of strategy will not be effective against today’s sophisticated attackers who are beginning to leverage machine learning technologies to accelerate attacks and make them even more difficult to detect. 

Shifting Your Overall Approach

Cybersecurity teams must understand that if you want to defeat an attacker, then you need to think like an attacker. Here are some recommendations for moving to a threat-driven operations approach:

1. Understand the attacker’s motives and objectives - Strengthening your security posture requires a deep understanding of the attacker’s tactics, techniques, and procedures - remember there are no legal authorities that limit how they execute their attacks. Cybersecurity teams should align post-breach detection and response actions to a cyber threat framework such as MITRE ATT&CKTM to provide full coverage of the known attack surface. Cyber threat hunters should search the network for anomalous activities that may be evidence of unknown attack sequences. 

2. Engage the attacker prior to impact - Using a military analogy, cybersecurity teams must engage the attacker “left of boom” to avoid the significant cost and impact resulting from prioritizing defensive actions too little and too late. Traditional reactive strategies must evolve to include approaches that engage the attacker much earlier in the cyber kill chain ― before malicious code is installed on its target, before devices are with the network are exploited, and before critical data is leaked outside the network boundaries. Defensive cyber operations include proactive, predictive, retrospective, and reactive technologies all within a single, coherent interface.

3. Decide and act faster than the attacker – Cyber dwell time remains a huge issue for organizations, so focusing actions on minimizing that is critical. This means limiting the attacker’s opportunity to gain a foothold within your network, achieve unrestricted lateral movement, and remove critical data or disrupt business operations. It begins with basic cybersecurity hygiene to include regular software patching, restricting administrative access, two-factor authentication, and network segmentation. Defensive cyber operations must be automated to level the playing field against attackers who have become very automated. Machine-learning algorithms should also be deployed to anticipate the movement of an attacker, which is critical to containing lateral movement and reducing cyber dwell time. 

4. Know your network better than your attacker – Holistic visibility allows for threats to be analyzed and neutralized faster, and lets organizations make confident decisions that truly affect enterprise security. Cybersecurity teams must provide real-time continuous monitoring of the network including vulnerability scanning, patch management, and risk assessment. Risk assessment requires discovery of assets and critical and sensitive content, analysis of network protections, and one to two-hop analysis of any event or anomaly to critical assets and data. The security team armed with this information can perform the necessary countermeasures to patch vulnerabilities and secure the data. Privileged access is the route to an organization’s most valuable information and assets and protecting them is paramount. However, many organizations lack visibility into where privileged accounts, credentials and secrets exist. The privilege-related attack surface is often much broader than anticipated.

5. Shape the attacker’s experience and understanding of your network – Attackers conduct recon on environments to understand breaks in the attack surface.  Dynamically altering the percentage of exploitable terrain can increase their cost, risk, and the overall complexity of their operations. Deception technology offers an alternative strategy that can shift the advantage back to the enterprise. By using decoys to capture adversary tools, to understand their techniques, and to detect their actions during early attack phases (reconnaissance, initial infiltration, and lateral movement), the security team can detect the problem early and avoid long dwell times.

Thinking like an attacker starts with having holistic visibility across your environment (network, cloud, endpoints, enterprise IoT), seeing and correlating what threats are doing, how they’re moving, what they’re using to evade defenses, and what they’re targeting.

Security operations are only as good as the intelligence that they are based on. Attackers are constantly evolving and adapting their methods in order to maintain an advantage over security teams. As such, cybersecurity teams need actionable insight into the latest techniques, tactics and procedures being used by cyber adversaries and a continuous understanding of their environment and anomalous behavior. 

view counter
Craig Harber joined Fidelis Cybersecurity as Chief Technology Officer following a distinguished career at the National Security Agency (NSA), and most recently USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance, having far reaching strategic impact across the Department of Defense (DOD) and Intelligence Community (IC). During his career at the NSA, Harber earned a reputation as a respected authority on technical strategies to fully integrate and synchronize investments in cybersecurity capabilities. He invented the threat-based cybersecurity strategy known as NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR) that provided DOD policymakers a framework to objectively measure the expected value of cybersecurity investments. He transformed Active Cyber Defense concepts into capability pilots, commercial product improvements, industry standards, and operational solutions. He also directed the Integrated Global Information Grid (GIG) IA Architecture; raising the importance of IA to all warfighting platforms resulting in multi-billion dollar increase in DOD IA investments.