The modern threat landscape spans a wide range of attackers, from unskilled operators running scripted attacks to advanced persistent threat actors. Security teams may be adept at repelling the low-level threats, but the unfortunate reality is that they remain largely at a disadvantage against sophisticated adversaries. News of data breaches and ransomware dominates the headlines, and attacker dwell time is still measured in months rather than hours or days. That lengthy dwell time gives a motivated attacker ample time to research and analyze the target’s entire environment at leisure before striking at a time and place of their choosing. To be more effective against advanced threats, security organizations need to shift from reactive to proactive strategies that anticipate attacker movements before the damage is done. To do so, they must understand the attacker’s targets, capabilities and techniques before the attacker ever touches their network. They need to think like an attacker.
Know Your Adversary, Know Yourself
Creating a proactive security posture requires a full understanding of the tactics, techniques, and procedures (TTPs) adversaries use to execute their attacks. A practical way to build that understanding is to operationalize a threat framework such as MITRE ATT&CK or the Lockheed Martin Cyber Kill Chain. Threat frameworks make visible how attackers progress through the kill chain, which techniques they use to accomplish each tactic along the way, and what alternatives they have available if a primary method fails. With internal and external threat intelligence layered on top, these threat actions can be prioritized based on the applicability, prevalence, maneuverability, and visibility of each adversary action.
Cyber threat frameworks also give enterprises a risk-based method of assessing defensive capabilities through the eyes of the attacker. By methodically mapping each defensive capability (preventive control, detection, or response playbook) to the techniques it addresses, cyber defenders can see where they have coverage against specific threat actions and where they lack defensive depth. Although defensive capabilities are needed throughout the adversary lifecycle, some threat actions can be prioritized for additional focus based on where organizations are seeing the most activity across multiple actor and intrusion sets. The result is a clear, risk-based evaluation of the current overall security posture that supports evidence-based decisions on where to invest next.
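The mapping exercise described above is concrete enough to script. The following is an added example, not code from the original article or from MITRE: it maps a constructed set of controls onto ATT&CK technique IDs, compares them against a constructed list of techniques observed across recent intrusions (with how many intrusions used each), and ranks the uncovered techniques by prevalence. The technique IDs and tactic names are real ATT&CK identifiers; every control name, the observed list and the prevalence counts are made up for the demonstration.

```python
"""Map defensive coverage onto ATT&CK techniques and rank the gaps.

Added example. The technique IDs and tactic names are real ATT&CK
identifiers; the controls, the observed-technique list and the prevalence
counts are constructed sample data.
"""
from collections import defaultdict

# Constructed: which ATT&CK techniques the organization's existing controls
# cover (a "control" is anything that would block or alert on the technique).
CONTROLS = {
    "edr-powershell-scriptblock": {"T1059"},   # Command and Scripting Interpreter
    "email-gateway-sandbox":      {"T1566"},   # Phishing
    "lsass-access-rule":          {"T1003"},   # OS Credential Dumping
    "ransomware-canary-files":    {"T1486"},   # Data Encrypted for Impact
}

# Constructed threat intelligence: techniques seen across recent intrusion
# sets, the tactic each serves, and how many distinct intrusions used it.
OBSERVED = {
    # id:      (tactic,                prevalence)
    "T1566": ("Initial Access",        9),
    "T1078": ("Initial Access",        6),   # Valid Accounts
    "T1059": ("Execution",             8),
    "T1053": ("Persistence",           5),   # Scheduled Task/Job
    "T1068": ("Privilege Escalation",  3),   # Exploitation for Privilege Escalation
    "T1003": ("Credential Access",     7),
    "T1018": ("Discovery",             4),   # Remote System Discovery
    "T1021": ("Lateral Movement",      8),   # Remote Services
    "T1041": ("Exfiltration",          5),   # Exfiltration Over C2 Channel
    "T1486": ("Impact",                6),
}


def covered_techniques(controls):
    """Union of every technique at least one control addresses."""
    covered = set()
    for techniques in controls.values():
        covered |= techniques
    return covered


def coverage_gaps(observed, controls):
    """Observed techniques with no control, most prevalent first."""
    covered = covered_techniques(controls)
    gaps = [(tid, tactic, prev) for tid, (tactic, prev) in observed.items()
            if tid not in covered]
    return sorted(gaps, key=lambda g: (-g[2], g[0]))


def tactic_coverage(observed, controls):
    """Per tactic: (covered observed techniques, total observed techniques)."""
    covered = covered_techniques(controls)
    totals = defaultdict(lambda: [0, 0])
    for tid, (tactic, _) in observed.items():
        totals[tactic][1] += 1
        if tid in covered:
            totals[tactic][0] += 1
    return {tactic: tuple(counts) for tactic, counts in totals.items()}


def uncovered_tactics(observed, controls):
    """Tactics where no observed technique is covered at all: the kill-chain
    stages an intrusion could pass through without being seen."""
    return sorted(t for t, (c, _) in tactic_coverage(observed, controls).items()
                  if c == 0)


if __name__ == "__main__":
    for tid, tactic, prev in coverage_gaps(OBSERVED, CONTROLS):
        print(f"GAP {tid:6} {tactic:22} seen in {prev} intrusions")
    print("tactics with zero coverage:",
          ", ".join(uncovered_tactics(OBSERVED, CONTROLS)))
```

With the sample data the top gap is T1021 (Remote Services), used in eight of the observed intrusions, and five tactics have no coverage at all, including Lateral Movement and Exfiltration. In practice the control map would be exported from the SIEM and EDR rule sets and the observed list from a threat-intelligence feed, but the prioritization logic stays the same.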
Fight on Your Terms, Not Theirs
Too many cybersecurity teams are stuck in reactive fire-drill mode, trying to parse alerts and threats as they come in. This strategy may be effective in repelling low-level threats, but it will have little effect on more sophisticated attackers, who increasingly use automation, and in some cases machine learning, to accelerate attacks and evade detection.
To escape the fire-drill disadvantage, organizations must fight on their own terms rather than the attacker’s. Rather than waiting for the adversary to reveal themselves, defenders need to engage the attacker left of boom, that is, before the damaging event occurs. This lets security teams fight on ground of their choosing, before the attack can inflict damage. Using threat-based frameworks, organizations need to evolve their posture so they can engage the attacker in the early stages of the cyber kill chain, before malicious code is deployed, before network devices are compromised, and before critical data is exfiltrated.
Automation is vital here, because it allows security teams not only to scale proactive detection and response, but also to establish predictive defenses. It lets cyber defenders act faster than attackers by automatically detecting anomalous activity, assessing the likelihood of compromise, generating high-fidelity alerts and hunting for unknown threats. Automation is equally useful for retroactive analysis: re-examining metadata collected and stored over the preceding months or year to thoroughly analyze past activity, security incidents or threat actions. This can help to strengthen porous defenses, anticipate future threats and even surface intrusions that were missed at the time, by replaying past activity against new and emerging threat intelligence. The precondition is that the metadata was retained in the first place; a retention window shorter than the typical dwell time leaves nothing to hunt in.
Denying the Adversary the Advantage
In the early stages of an attack, when attackers perform reconnaissance of the environment and identify potential avenues of attack, their main objective is to stay stealthy. They are looking to gain initial access undetected so that they can escalate privileges and move laterally through the network toward their intended target.
The objective for defenders, then, should be to place as many obstacles between the attacker and their target as possible. This includes preventive defenses mapped to threat-based assessments of attacker TTPs, as well as automated detection and response capabilities. One of the most effective additions is deception: breadcrumbs (planted credentials, bookmarks, mapped shares) that lead to decoys (fake hosts, accounts and data stores). Knowing what attackers look for creates an opportunity for proactive defense: lure, detect and defend. Because no legitimate user or process has any reason to touch a decoy, any access to one is a high-fidelity alert with very few false positives, provided that administrators, vulnerability scanners and backup jobs are kept away from the decoys or excluded from the rule. By placing decoys that anticipate adversary TTPs in the early attack stages (recon, infiltration and lateral movement), the security team can detect the intrusion early and avoid long dwell times.
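What makes a decoy alert high-fidelity is the rule behind it, which is simple enough to show in full. The following is an added example, not code from the original article or from any deception product: it defines two decoy accounts and two decoy file shares, parses constructed authentication and share-access log lines, and raises an alert on any reference to a decoy, successful or not, while excluding the one allow-listed source that legitimately checks the breadcrumbs are still in place. The account names, share names, IP addresses, the key=value log format and the log lines are all constructed for the demonstration; the Windows Security event IDs (4624, 4625, 4768, 5140) are real.

```python
"""Detect use of deception breadcrumbs in authentication logs.

Added example. The decoy names, the log format and the log lines are
constructed; the Windows event IDs are real (4624 successful logon,
4625 failed logon, 4768 Kerberos TGT request, 5140 network share accessed).
"""
import re

# Constructed: accounts that exist only as bait. They are registered like real
# accounts and planted as saved credentials on workstations, but no person or
# job ever uses them, so any reference to them is suspect.
DECOY_ACCOUNTS = {"svc_backup_legacy", "dba_admin_old"}

# Constructed: shares that exist only to be found during discovery.
DECOY_SHARES = {r"\\fs01\Finance_Archive", r"\\fs01\IT_Passwords"}

# Constructed: the one host allowed to touch decoys, e.g. the job that verifies
# the breadcrumbs are still planted. Without this exclusion that job would be
# the single source of false positives.
ALLOWED_SOURCES = {"10.0.9.5"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Parse a constructed 'timestamp key=value key=value ...' line."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def evaluate(event):
    """Return an alert dict if the event touches a decoy, else None.

    Success and failure are treated alike: a failed logon against a decoy
    account means the planted credential was harvested and tried, which is
    exactly the signal the breadcrumb exists to produce.
    """
    if event.get("src") in ALLOWED_SOURCES:
        return None
    user = event.get("user", "").lower()
    share = event.get("share", "")
    if user in DECOY_ACCOUNTS:
        kind = "decoy credential used"
    elif share in DECOY_SHARES:
        kind = "decoy share accessed"
    else:
        return None
    return {
        "ts": event["ts"],
        "severity": "high",
        "kind": kind,
        "event": event.get("event"),
        "user": event.get("user"),
        "src": event.get("src"),
        "host": event.get("host"),
    }


def hunt(lines):
    """Run the decoy rule over a batch of log lines and return the alerts."""
    return [a for a in (evaluate(parse(line)) for line in lines) if a]


# Constructed sample log. Only the third and fourth lines should alert.
SAMPLE_LOG = [
    # ordinary noise: a real user mistypes a password; no alert
    '2024-03-11T02:14:07Z host=ws-017 event=4625 user=jsmith src=10.0.4.21 status=0xC000006A',
    # breadcrumb verification job touching the decoy: allow-listed, no alert
    '2024-03-11T02:20:00Z host=dc01 event=4768 user=svc_backup_legacy src=10.0.9.5',
    # the harvested decoy credential is tried from a workstation: alert
    '2024-03-11T03:02:41Z host=dc01 event=4625 user=SVC_BACKUP_LEGACY src=10.0.4.21 status=0xC000006A',
    # the same source then browses a decoy share: alert
    '2024-03-11T03:05:12Z host=fs01 event=5140 user=jsmith src=10.0.4.21 share="\\\\fs01\\Finance_Archive"',
    # a real admin on a real share: no alert
    '2024-03-11T03:06:00Z host=fs01 event=5140 user=mlee src=10.0.4.30 share="\\\\fs01\\Public"',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Note the two alerts share a source address, which is the starting point for the containment step: the failed logon for `jsmith` in the first line would have been ignored as routine, but once the same workstation touches a decoy it becomes the host to isolate. Case-insensitive matching on the account name matters because Windows logs user names in whatever case the caller supplied.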
By the time an organization realizes it is under attack, the attacker has already established the advantage. Prioritizing proactive capabilities can swing the advantage back to the defender and force the attacker to fight on your terms. By viewing the attack surface through the eyes of an attacker, you expose the attacker’s own assumptions and weaknesses. Without a thorough understanding of attacker motivations, actions and paths of movement, organizations will be unable to anticipate the adversary, and unable to escape the endless cycle of reactive fire drills. Cyber threat frameworks provide organizations with the groundwork they need to build the proactive advantage.
If you are interested in learning more about how to improve cybersecurity outcomes by looking at the environment through the eyes of an attacker, be sure to register for our Looking at Cybersecurity Through the Eyes of an Attacker webinar, taking place March 25.