Published on February 26th, 2023
The Best Cyber Defense Is a Good Offense
- Thanks to constantly evolving tactics, techniques and procedures by threat actors, cyber defense is a dynamic challenge.
- The solution is an innovation in mindset that shifts from defensive to offensive thinking.
- Keysight's Scott Register considers this shift and offers advice on the advantages of pen testing and red teaming.

Security isn't static. There's no silver bullet, no single magical solution that will protect all your networks, devices and digital assets from compromise. This is because the cybersecurity process is extremely dynamic, based on a never-ending stream of configuration and reconfiguration across protected environments. After all, when you're playing a nonstop game of cat and mouse with attackers, environments that were secure yesterday may be vulnerable to attack tomorrow.

Hit the Weak Side with Your Security Practices
Typically, deterioration in security posture isn't the fault of cybersecurity practitioners; the main drivers are external. For example, modern networks rarely sit still for long. Responding to their own imperatives, business owners may drive changes in network configuration and application deployment without IT involvement, a trend exacerbated by the flexibility (and often loose governance) of cloud deployments. Moreover, the threat landscape is endlessly dynamic. Every second of every day, somewhere, well-funded hackers are finding new techniques to attack, disrupt and steal from your operations. Typically, they're immune from legal repercussions, better compensated than any security analyst on your team, and they never give up. And, as well-publicized events have shown us, even organizations that do everything right from a security perspective can unknowingly import malware via supply chain compromise or embedded vulnerabilities.

Now, when it comes to "network security," most of us are well covered. We've got EDR solutions and tools to scan our servers and laptops, and we've implemented robust mechanisms to keep those systems and their loaded applications up to date (hopefully with benign software). But what about the IoT and OT devices on our networks: the thermostats, card readers, manufacturing devices, security cameras and printers? What about the devices that operate our pipelines and electricity supplies, that monitor vehicle traffic and administer medication? Most of those devices will rarely, if ever, be updated once deployed, meaning there's no chance (or even access) to update insecure libraries or identify (let alone patch) critical vulnerabilities.

So, in this ever-shifting world of threat evolution, how do we stay secure? By now, we know we can't simply rely on a security vendor's claims of mystical AI-powered detection and response.

Huddle Up: Innovation Is the Game Plan for Defeating Cyberattacks
The solution to the cybersecurity challenge is innovation, but the key isn't a radical new technology; it's an innovation in mindset. To meet the challenge of protecting one's critical assets, it's no longer enough to simply think like a defender and focus on what cyberattacks have been stopped. Rather, we must turn the tables and think like hackers. This means attacking your network and devices continuously and safely, using the very same tactics, techniques and procedures that your digital enemies will deploy against you. We all know that there may be security gaps in our networks and devices. Our focus should be on finding and filling those gaps before someone else does.

So how can you do this? Two concepts useful for validating security controls have been with us for some time. They can be quite effective in some use cases, but aren't without their drawbacks.

One is penetration testing, where you hire an external firm to conduct black-box testing against your network. Pen testing can certainly be informative and is often recommended or required for compliance purposes, but it's important to understand its role and limitations. Pen testing is particularly effective at emulating specific techniques a hacker might try to exploit personnel or the physical characteristics of your environment. This includes techniques such as spoofing an email from your CFO's child's soccer coach, or sitting in an unmarked van in your office parking lot to hack into your Wi-Fi network. But pen testing won't give you an exhaustive assessment of your own security controls, and the results are limited to a specific point in time. Networks change all the time, and an attacker's tactics could change dramatically based on relatively minor updates to your environment or security controls.

Another widely used concept is red teaming, where an internal or contracted team has more familiarity with the target environment and employs the TTPs of a particular attacker. Red teaming will typically use fewer "out of the box" techniques than a pen tester, and it's more comprehensive overall. It's a valid approach, but it can't be performed on a one-off or ad hoc basis. Since cybersecurity is always shifting, red teaming needs to be conducted continuously, and that can get expensive since it requires full-time personnel.

An automated, two-step approach is best for validating your security posture. The first stage is validating all the connected devices on your network. These constitute the core of your attack surface, and understanding them helps you know what protections need to be in place. Vulnerability assessments are a well-understood mechanism that mature cybersecurity organizations already budget for, and they're a great way to understand the potential exposure from your traditional laptops and servers. However, we often see the same results show up in scan reports for months or even years, as many of the fixes get lost in the day's firefighting, so exposures tend to linger and multiply.

That's why IT organizations need to take a closer look at the new classes of IoT and OT devices deployed on their network. These devices are connected over multiple networking interfaces but have much less well-understood (and more easily overlooked) vulnerabilities. After all, does it really make sense to pay so much attention to EDR deployments on your laptops but deploy IoT devices without at least scanning them for weaknesses?

Run Up the Score on Bad Actors
Moving outward, automatic, continuous validation of your perimeter and traditional endpoint security configuration is also recommended, along with validating the SIEM's and the analysts' understanding of attacks. Breach and attack simulation tools are typically easy to deploy, and can safely scan and analyze your network defenses by emulating real attacks. In addition to validating enforcement policy, the simulated attacks will trigger defensive tools to generate appropriate log messages so that SIEM rules can be optimized and updated. Look for a tool that features daily malware updates so that your understanding is always up to date. Most security teams only get to see what a real attack on their network looks like in the rearview mirror, when they're conducting forensics after the fact. Realistic attack simulation lets them experience the real attack on their live network in a safe way, so they're ready for the actual event.

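The payoff of attack simulation described above is a concrete answer to "did the SIEM see it?" for every emulated technique. The following is an added example (not Keysight's code or any BAS product's output) of that coverage check: it joins a constructed list of simulation runs, tagged with MITRE ATT&CK technique IDs, against constructed SIEM alerts using a hypothetical field layout, and reports which techniques were detected promptly, detected late, or missed entirely, so the gaps become the list of rules to write or tune.

```python
from datetime import datetime, timedelta

# Constructed sample data: what a BAS tool might record for each safe simulation run.
SIMULATED_RUNS = [
    {"technique": "T1003", "host": "ws-17",   "ran_at": "2023-02-26T10:00:00"},  # credential dumping
    {"technique": "T1021", "host": "ws-17",   "ran_at": "2023-02-26T10:05:00"},  # lateral movement
    {"technique": "T1486", "host": "srv-db1", "ran_at": "2023-02-26T10:10:00"},  # ransomware encryption
    {"technique": "T1048", "host": "srv-db1", "ran_at": "2023-02-26T10:15:00"},  # exfiltration
]

# Constructed sample SIEM alerts; the field names are a hypothetical layout, not any vendor's schema.
SIEM_ALERTS = [
    {"rule": "LSASS memory access",           "technique": "T1003", "host": "ws-17",   "at": "2023-02-26T10:00:40"},
    {"rule": "Mass file rename/encrypt",      "technique": "T1486", "host": "srv-db1", "at": "2023-02-26T10:31:00"},
    {"rule": "Unusual outbound data volume",  "technique": "T1048", "host": "web-02",  "at": "2023-02-26T10:16:00"},
]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def coverage_report(runs, alerts, window=timedelta(minutes=15)):
    """Map each (technique, host) run to ('detected'|'late'|'missed', delay_seconds).

    An alert counts only if it carries the same technique ID, the same host,
    and fires at or after the run started; the first such alert sets the delay.
    """
    report = {}
    for run in runs:
        start = parse(run["ran_at"])
        key = (run["technique"], run["host"])
        matches = [a for a in alerts
                   if a["technique"] == run["technique"]
                   and a["host"] == run["host"]
                   and parse(a["at"]) >= start]
        if not matches:
            report[key] = ("missed", None)
            continue
        first = min(matches, key=lambda a: parse(a["at"]))
        delay = parse(first["at"]) - start
        report[key] = ("detected" if delay <= window else "late", round(delay.total_seconds()))
    return report


def gaps(report):
    """Runs that need a new or tuned SIEM rule: anything not promptly detected."""
    return sorted(key for key, (status, _) in report.items() if status != "detected")


if __name__ == "__main__":
    rep = coverage_report(SIMULATED_RUNS, SIEM_ALERTS)
    for (technique, host), (status, delay) in sorted(rep.items()):
        print(f"{technique} on {host}: {status}" + (f" after {delay}s" if delay is not None else ""))
    print("Rules to write or tune:", gaps(rep))
```

Note that the T1048 alert is discarded because it fired on a different host than the one the simulation ran on: a rule that only works on some hosts is a gap, not a detection.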
The big change in perspective here is moving from a defensive security posture, where we focus all our attention on logs of detected and blocked security events, to an offensive one where we're attacking our own networks. By thinking like a hacker, we're placing less emphasis on what's been stopped and focusing more on what we're missing: determining which tactics, techniques and procedures an attacker can use to penetrate our defenses and addressing them. We're focusing on what techniques a bad actor can use to move laterally and dwell in our networks undetected, spreading ransomware and exfiltrating data.

In essence, we're getting a sneak peek of the next attack on our network, and arming ourselves with actionable insight to successfully stop it. And, as a security analyst, isn't that the best thing you could hope to see?