By Ryan Weeks, CISO at Datto
Across the globe, companies have made great strides in digitalising their data and processes. Unfortunately, these digital assets provide a larger attack surface than ever before, proving to be extremely attractive to cybercriminals.
In conjunction, endpoints are becoming increasingly more diverse and distributed, prompting security experts to issue warnings that in the not-too-distant future, attacks may extend beyond PCs and servers to include everyday items such as phones, watches, cameras, printers, HVAC solutions, etc., as well as insulin pumps, pacemakers and connected cars. With foreseeable cyberattacks on items that were previously thought to be secure and the rise of cryptocurrencies that provide cybercriminals with the ability to strike with complete anonymity, organisations need to transition from a mindset of ‘if’ an attack will take place to ‘when’.
Cyberattacks are taking place at an accelerated pace, becoming increasingly difficult to recover from and posing significant consequences. Given the frequency of attacks, the larger attack surface and the severity of attacks, investment in protection technologies is no longer enough. To be ready for an attack, companies are changing their tactics. They are now taking an ‘Assume Breach’ position, which entails combining their traditional cyber security programmes with robust incident response, crisis management and disaster recovery plans.
While the foundation of a comprehensive cyber resilience strategy encompasses the ability to identify, protect, detect, respond to and recover from threats, it is more about effective risk management. This means identifying which cyber security events would have the greatest impact on the organisation and prioritising defence measures accordingly. To achieve this level of protection, organisations require detailed knowledge of the ‘enemy’, ‘battlefield’ and ‘themselves’.
Know the enemy
By far, gaining knowledge about the enemy is the most difficult of the three. To start, organisations need to study the threat actors and understand why they view the company as a viable target. In order to gain this level of knowledge, companies need answers to the following questions: what are the cybercriminals’ motives and goals; what tactics, techniques and procedures (TTPs) do they use; how do those TTPs apply to the business environment in which we operate; where would an attack most likely take place given current defences; and how could it compromise the organisation, the supply chain or customers?
Pinpointing and knowing potential attackers is not easy. Fortunately, there are several open-source resources that provide insights into how cybercriminals operate. To start, the MITRE ATT&CK database provides a library of known adversary tactics and techniques. It provides information on cyber criminals’ behaviour and exposes the various phases of an attack lifecycle and the platforms these threat actors are known to target.
Another encyclopaedia of threat actors can be found in the ThaiCERT. Finally, security vendors monitor cybercriminals and frequently publish their insights and findings. For example, Datto’s Threat Management Cyber Forum provides threat briefs for known threat actors targeting the MSP community and their SME customers.
Know the battlefield
Cyber resilience requires a comprehensive strategy to reduce risk. Basically, risk is a function of the likelihood of a cyberattack and the severity of the adverse impacts it would cause. For instance, an event that is likely to happen but has minor consequences presents less overall risk than an event that is equally likely but would cause significant consequences.
To truly understand the organisation’s exploitable surface, insight into the likelihood of being attacked via a particular attack vector is fundamental. Organisations first need to evaluate which of their assets have the highest probability of being attacked. Second, they need to determine how valuable these assets are to the company or their customers.
Know your organisation
With insight into which threat actors are lurking and their preferred battleground, the organisation is ready to simulate their attack methods to determine where the greatest risks reside and take proactive measures to mitigate potential risk. This is best accomplished by reverse engineering a cybercriminal’s past breaches. The intelligence gained by this exercise enables organisations to prioritise and implement the most effective security controls against specific cybercriminals and their tactics and techniques. To adequately test the configurations, open-source tools are available to emulate specific adversaries, such as Caldera (which leverages the ATT&CK model) or Red Canary’s Atomic Red Team.
It is important to note that adversary emulation is different from pen testing and red teaming in that it uses predetermined scenarios to test specific adversary TTPs. The goal of this process is to determine whether the tactics can be detected or even prevented. As part of the emulation exercises, it’s also important to examine technology, processes and people. This will provide a comprehensive understanding of how all defences work in unison. Be sure to repeat the testing until there’s a level of confidence that the organisation will prevail against the specific adversary.
How often to perform adversary emulation is dependent on the size and type of company. For instance, large organisations and MSPs should perform this exercise on a quarterly basis, SMEs at least once a year or whenever there is a major new threat, whereas for enterprises, a threat-informed defence programme needs to be an ongoing effort.
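The following is an added example, not Datto's or the page's own tooling, of how the risk function from "Know the battlefield" (likelihood and impact) and the emulation outcomes from "Know your organisation" (prevented, detected or missed) can be combined to rank control gaps and decide whether the "repeat until confident" bar has been met. The actor profile, scores and run results are constructed for illustration; only the ATT&CK technique IDs are real.

```python
"""Score an adversary-emulation run against a threat actor's TTP profile."""
from dataclasses import dataclass

# Outcome of emulating one technique: what the defences actually did.
PREVENTED, DETECTED, MISSED = "prevented", "detected", "missed"
# Residual-risk multiplier per outcome (assumed weights): prevention removes
# the risk, detection leaves some (response still has to work), a miss leaves all.
RESIDUAL = {PREVENTED: 0.0, DETECTED: 0.3, MISSED: 1.0}

@dataclass(frozen=True)
class Technique:
    tid: str         # ATT&CK technique ID
    name: str
    likelihood: int  # 1-5: how often this actor uses it against firms like ours
    impact: int      # 1-5: damage if it succeeds on our most exposed asset

# Constructed profile of a ransomware-style actor targeting an MSP.
ACTOR_PROFILE = [
    Technique("T1566", "Phishing", 5, 2),
    Technique("T1078", "Valid Accounts", 4, 4),
    Technique("T1059", "Command and Scripting Interpreter", 4, 3),
    Technique("T1003", "OS Credential Dumping", 3, 5),
    Technique("T1021", "Remote Services", 3, 4),
    Technique("T1486", "Data Encrypted for Impact", 2, 5),
]

# Constructed results of one emulation run (one atomic test per technique).
EMULATION_RUN = {"T1566": DETECTED, "T1078": MISSED, "T1059": PREVENTED,
                 "T1003": MISSED, "T1021": DETECTED, "T1486": DETECTED}

def residual_risk(t: Technique, outcome: str) -> float:
    """Inherent risk (likelihood x impact) scaled by what the defences did."""
    return round(t.likelihood * t.impact * RESIDUAL[outcome], 2)

def prioritise_gaps(profile, run):
    """Rank techniques by residual risk; a technique never emulated counts as missed."""
    scored = [(residual_risk(t, run.get(t.tid, MISSED)), t.tid, run.get(t.tid, MISSED))
              for t in profile]
    return sorted(scored, reverse=True)

def ready_against(profile, run, max_residual=10.0):
    """Pass only when no technique in the profile leaves more than max_residual."""
    return all(risk <= max_residual for risk, _, _ in prioritise_gaps(profile, run))

if __name__ == "__main__":
    for risk, tid, outcome in prioritise_gaps(ACTOR_PROFILE, EMULATION_RUN):
        print(f"{tid} {outcome:9} residual={risk:4.1f}")
    print("ready against this actor:", ready_against(ACTOR_PROFILE, EMULATION_RUN))
```

The top of the ranked list is the control work to do first; re-run the emulation after each fix until `ready_against` returns True.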
Be cyberattack ready
While the processes may appear arduous and even overwhelming, it is impossible to build an efficient cyber resilience programme without understanding the methods attackers are going to use. Being ready to combat cyberattacks means thinking like a hacker to improve overall security.
Regardless of the size of the company, cyber resilience needs to be given the highest priority, and at a minimum, all organisations should follow the CIS Critical Security Controls. Many businesses begin the process with a step-by-step gap assessment against CIS Group 1 (IG1). To make better risk-informed decisions and be better prepared to protect the organisation, investing even an hour a week on a risk- and threat-based approach will improve overall cyber security. The main thing is to simply get started.