The Best Cyber Defense Is a Good Offense

• Thanks to constantly evolving tactics, techniques and procedures by threat actors, cyber defense is a dynamic challenge.
• The solution is an innovation in mindset that shifts from defensive to offensive thinking.
• Keysight’s Scott Register considers this shift and offers advice on the advantages of pen testing and red teaming.

Security isn’t static. There’s no silver bullet, no single magical solution that will protect all your networks, devices and digital assets from compromise. This is because the cybersecurity process is extremely dynamic, based on a never-ending stream of configuration and reconfiguration across protected environments. After all, when you’re playing a nonstop game of cat and mouse with attackers, environments that were secure yesterday may be vulnerable to attack tomorrow.

Hit the Weak Side with Your Security Practices

Typically, deterioration in security posture isn’t the fault of cybersecurity practitioners. The main drivers are typically external. For example, modern networks rarely sit still for long. Responding to their own imperatives, business owners may drive changes in network configuration and application deployment without IT involvement — a trend exacerbated by the flexibility (and often loose governance) of cloud deployments. Moreover, the threat landscape is endlessly dynamic. Every second of every day, somewhere, well-funded hackers are finding new techniques to attack, disrupt and steal from your operations. Typically, they’re immune from legal repercussions, better compensated than any security analyst on your team, and they never give up. And, as well-publicized events have shown us, even organizations that do everything right from a security perspective can unknowingly import malware via supply chain compromise or embedded vulnerabilities.

Now, when it comes to “network security,” most of us are well covered. We’ve got EDR solutions and tools to scan our servers and laptops, and we’ve implemented robust mechanisms to keep those systems and their loaded applications up to date (hopefully with benign software). But what about the IoT and OT devices on our networks — the thermostats, card readers, manufacturing devices, security cameras and printers? What about the devices that operate our pipelines and electricity supplies, that monitor vehicle traffic and administer medication? Most of those devices will rarely, if ever, be updated once deployed — meaning there’s no chance (or even access) to update insecure libraries or identify (let alone patch) critical vulnerabilities.

So, in this ever-shifting world of threat evolution, how do we stay secure? By now, we know we can’t simply rely on a security vendor’s claims of mystical AI-powered detection and response.

Huddle Up - Innovation is the Game Plan to Defeating Cyberattacks

The solution to the cybersecurity challenge is innovation, but the key isn’t a radical new technology – it’s an innovation in mindset. To meet the challenge of protecting one’s critical assets, it’s no longer enough to simply think like a defender and focus on what cyberattacks have been stopped. Rather, we must turn the tables and think like hackers. This means attacking your network and devices continuously and safely, using the very same tactics, techniques and procedures that your digital enemies will deploy against you. We all know that there may be security gaps in our networks and devices. Our focus should be on finding and filling those gaps before someone else does.

So how can you do this? Two concepts useful for validation of security controls have been with us for some time. They can be quite effective in some use cases, but aren’t without their drawbacks.

One is penetration testing, where you hire an external firm to conduct black-box testing against your network. Pen testing can certainly be informative and is often recommended or required for compliance purposes, but it’s important to understand its role and limitations. Pen testing is particularly effective at emulating specific techniques a hacker might try to exploit personnel or the physical characteristics of your environment. This includes techniques such as spoofing an email from your CFO’s child’s soccer coach, or sitting in an unmarked van in your office parking lot to hack into your Wi-Fi network. But pen testing won’t give you an exhaustive assessment of your own security controls, and the results are limited to a specific point in time. Networks change all the time, and an attacker’s tactics could change dramatically based on relatively minor updates to your environment or security controls.

Another widely used concept is red teaming, where an internal or contracted team has more familiarity with the target environment and employs the TTPs of a particular attacker. Red teaming will typically use fewer “out of the box” techniques than a pen tester, and it’s more comprehensive overall. It’s a valid approach — but it can’t be performed on a one-off or ad hoc basis. Since cybersecurity is always shifting, red teaming needs to be conducted continuously — and that can get expensive since it requires full-time personnel.

An automated, two-step approach is best for validating your security posture. The first stage is validating all the connected devices on your network. These constitute the core of your attack surface and understanding them helps you know what protections need to be in place. Vulnerability assessments are a well-understood mechanism that mature cybersecurity organizations already budget for, and they’re a great way to understand the potential exposure from your traditional laptops and servers. However, we often see the same results show up in scan reports for months or even years — as many of the fixes get lost in the day’s firefighting — so exposures tend to linger and multiply.

That’s why IT organizations need to take a closer look at the new classes of IoT and OT devices deployed on their network. These devices are connected over multiple networking interfaces but have much less well-understood (and more easily overlooked) vulnerabilities. After all, does it really make sense to pay so much attention to EDR deployments on your laptops but deploy IoT devices without at least scanning them for weaknesses?

Run Up the Score on Bad Actors

Moving outward, automatic, continuous validation of your perimeter and traditional endpoint security configuration is also recommended — along with the SIEM and analyst understanding of attacks. Breach and attack simulation tools are typically easy to deploy, and can safely scan and analyze your network defenses by emulating real attacks. In addition to validating enforcement policy, the simulated attacks will trigger defensive tools to generate appropriate log messages so that SIEM rules can be optimized and updated. Look for a tool that features daily malware updates so that your understanding is always up to date. Most security teams only get to see what a real attack on their network looks like in the rearview mirror, when they’re conducting forensics after the fact. Realistic attack simulation lets them experience the real attack on their live network in a safe way, so they’re ready for the actual event.

The big change in perspective here is moving from a defensive security posture, where we focus all our attention on logs of detected and blocked security events, to an offensive one where we’re attacking our own networks. By thinking like a hacker, we’re placing less emphasis on what’s been stopped and focusing more on what we’re missing — determining which tactics, techniques and procedures an attacker can use to penetrate our defenses and addressing them. We’re focusing on what techniques a bad actor can use to move laterally and dwell in our networks undetected, spreading ransomware and exfiltrating data.

In essence, we’re getting a sneak-peek of the next attack on our network — and arming ourselves with actionable insight to successfully stop it. And, as a security analyst, isn’t that the best thing you could hope to see?

Comments are closed.