Organizations’ security postures are growing increasingly complex, contending with expanding networks, a growing number of security solutions to manage, and an ever-increasing variety of threats to battle. As a result, it is sometimes difficult to gauge just how effective specific defensibility decisions will be at deterring cyber adversaries’ behaviors, strategies and outcomes. Each decision must consider current knowledge about both the attacker and the security controls that are tasked with stopping them, even with attackers constantly changing their tactics, techniques and procedures (TTPs) and solutions advancing through different stages of technical maturity. In the face of this continuously shifting landscape, from both an attack and defense perspective, security teams need a way to definitively measure the impact of specific assumptions, hypotheses, and decisions. To do this, they will need to begin by first gaining a complete understanding of their cyber terrain.
What is Cyber Terrain?
The concept of cyber terrain is a basic one, but among the most important concepts that we deal with on a regular basis. Your cyber terrain is the cumulative topography of your cybersecurity posture – the sum of all of your operational assets, security controls, data assets, and overall decision making. This is so critical because the structure of your cyber terrain is inherently malleable, capable of changing instantly as new decisions are made, new capabilities introduced, and adversary approach vectors are consequently closed or opened.
In any battle, whether in cyberspace or the real world, terrain is often what will dictate your victory outcomes. For traditional engagements, this means holding key physical terrain to give yourself an advantage over your adversary – maintaining control of high ground, strategic use of cover and visibility, and denying those advantages to your enemy. It’s not so different in concept for cyber terrain.
What is different is the execution of strategy and the rate of adaptability required. Unlike the real world, changes to cyber terrain and cyber terrain advantage can happen virtually instantaneously. While almost every organization understands that enemies can and will use this fact to their advantage, fewer know how to turn this potential liability into yet another advantage to wield against their attackers.
The key to transforming a continuously shifting cyber terrain from a liability to an advantage boils down to terrain visibility. To shape the terrain to your advantage, you first need a complete and total understanding of what your terrain looks like. You need to be able to map that terrain – all its capabilities, defenses and vulnerabilities included – against a desired state or victory outcome.
Ultimately, you cannot defend terrain that you cannot see. To begin taking advantage of the cyber terrain and actively shaping it to your advantage, you need holistic visibility of the terrain. Achieving complete visibility over your cyber terrain requires a blend of strategy, inventory, and evaluation. To achieve visibility, organizations need the ability to continuously discover, classify, and assess assets, including laptops, desktops, servers, enterprise IoT, shadow IT, and legacy systems. Organizations need to then discover all software installed on these assets, while continually running vulnerability assessments and alerts on any installed vulnerability.
With the discovery phase complete, organizations should have a complete understanding of both current and desired capabilities and vulnerabilities. Often this is where organizations will find redundancies in their security stack, uncovering a multitude of overlapping or redundant solutions that are not being utilized to their full capability. It is also where they will be able to find what capabilities they are lacking by mapping their existing state to a cyber threat framework. Operationalizing capabilities against threat frameworks like MITRE’s ATT&CK framework, NIST’s Cybersecurity Framework or the Department of Defense’s DoDCAR framework provide organizations with accessible avenues for assessing what cyber capabilities they have already – and which ones they lack. This valuably informs their larger security strategy going forward.
Once they have mapped their assets, capabilities and vulnerabilities against a framework, organizations work is still not done. As previously stated, the cyber terrain is malleable and constantly changing – that means visibility is a constant and ongoing priority. However, simply collecting logs, events, and alerts is not enough – and, when done improperly, can actively harm organizations’ ability to detect, hunt and respond. This is often the case when excessive false positives generate an unmanageable deluge of alerts, resulting in alert fatigue. What organizations should prioritize is deep visibility, i.e., visibility generated through rich, indexable metadata that can provide content and context around security incidents. This allows organizations to see how different pieces of the overall cyber terrain are communicating with one another, enabling them to highlight potential or existing attack vectors.
Capitalizing on the Advantage
By emphasizing the importance of cyber terrain visibility, especially in the context of a threat framework, organizations will have gained an important advantage over their adversaries. The visibility advantage is not to be underestimated, as it sets up a multitude of future-state improvements. For example, once organizations have gained a holistic understanding of their cyber terrain, the assets that comprise that terrain, and both the lateral and north/south movements of their adversaries, they can begin setting ambushes and traps to further impede attackers’ progress. New and emerging technologies like Deception are now viable, allowing security teams to leverage their understanding of valuable assets and likely attack vectors. This allows them to intelligently shift the terrain to their advantage by strategically deploying breadcrumbs, honey pots and decoys designed to lure attackers into digital alert tripwires and pitfalls (for more on that topic, see Deception Affinity and the Moving Target Defense).
To learn more about achieving total visibility over your cyber terrain, schedule a meeting or demo with Fidelis at Black Hat 2019 in Las Vegas: https://fidelissecurity.com/event/black-hat-2019/