To stop threats, you don’t just need the right people, processes, and technologies. You also need a mindset that helps you and your team make sense of a threat landscape where successful attacks are not just likely, but expected.
Trust in your prevention efforts but assume you have fallen victim to an attack anyway.
After all, for every cyber incident you detect, there is probably at least one you have missed. You will certainly know when you get hit with ransomware, but the United States Council of Economic Advisers estimates that around 71% of cybercrime occurs without the victim noticing, and IBM reports that last year the average data breach took 287 days, roughly nine and a half months, to detect and contain.
Worms, backdoors, and silent exfiltration of sensitive IP can all do immense damage to your organisation without ever raising an alarm.
Prevention is still essential, but your network perimeter is not where your security efforts should end.
To fight the ghostly threats that target your networks, it pays to adopt a “compromised mindset.”
In a recent webinar, SenseOn’s Founder and CEO, Dave Atkinson, and Director of Technology, Brad Freeman, sat down together to discuss the importance of the compromised mindset in proactive security and threat hunting and how to adopt it.
This blog goes over some of the points Dave and Brad discussed.
However, for a more comprehensive look at how companies can embrace the compromised mindset and assume breach, plus some powerful, real-world examples from Dave’s and Brad’s careers, check out the webinar here.
Most organisations are complex—and getting more so. Legacy systems co-exist with sprawling collections of cloud assets. Trends like M&As and remote working can open up massive holes in an organisation’s security posture overnight.
Complexity is making the already hard job of reducing cyber risk and ensuring business continuity almost impossible.
In PwC’s latest 2022 Global Digital Trust Insights Survey, three-quarters of executives said that growing complexity within their businesses is leading to concerning cybersecurity risks.
The reason why: evolving attack surfaces present an opportunity for attackers. Cybercriminals love to go after assets which organisations have forgotten exist, failed to patch, or misconfigured.
As many as 70% of companies that fell victim to a cyber attack last year had a vulnerability in an asset they were unaware of.
Threat actors are also getting better at evading the security controls designed to stop them. Although it might sound pessimistic, the truth is that determined and well-resourced attackers will almost always find a path to compromise.
This is especially true for adversaries seeking long-term access to an organisation’s digital estate. Traditionally this meant nation-state actors but increasingly also includes profit-motivated criminals. Researchers have observed several cybercriminal operations using Tor-based backdoors to gain ongoing access to compromised networks.
Adopting a compromised mindset and assuming breach means starting with the point of view that your organisation has been compromised and then systematically proving or disproving this idea.
Threat hunting and being proactive about your security is a way of verifying that your controls are effective and investments are worthwhile.
Here’s how to adopt a compromised mindset and assume breach.
Know your enemy.
Figure out what the most likely threats to your organisation are, and focus on putting in place controls that can both protect against them and detect them specifically.
If you’re not sure where to start, look at your competitors and peers within your industry.
Have they suffered any attacks lately, and if so, from whom? Not all attacks are made public, but a fraction of those that are get detailed write-ups. Use those write-ups to go deep technically: check whether a tactic or technique that worked against your peer could also work against you.
If an organisation you know of in your industry has fallen victim to a cyberattack, assume you are on the same attacker's target list.
Write-ups are not your only resource, though. You can also use MITRE ATT&CK, a knowledge base that documents the tactics and techniques used by threat actors in the wild, to see who your adversaries might be.
For example, if a specific nation-state is a threat to your industry, ATT&CK can help you understand what groups may be linked to it and the types of tactics and techniques these groups are known to use.
An easy way to bring together all the attack techniques that matter to your organisation is ATT&CK Navigator, a web-based tool for annotating ATT&CK matrices and building heat maps; its layers can be exported and imported as JSON, so they can be generated from your own data.
In the UK, companies can also join the Cyber Security Information Sharing Partnership, or CISP, a joint government and industry initiative that lets UK organisations share cyber threat intel in real-time.
Once you have a heat map of the tactics and techniques used by the threat groups that pose a risk to your organisation, overlay your own security controls on it to visualise your defensive coverage.
This shows, technique by technique, where you can prevent, where you can only detect, and where you have neither, so your hardening effort goes to the gaps the most relevant groups actually use.
You can break down the data you end up with from the above exercise into charts and graphs, as shown below.
Doing so will allow you and other interested parties (like the board) to see the kinds of hypotheses you’ve investigated and what cyber attack techniques you’ve detected in your environment over a period of time at a glance.
Consistently observed tactics indicate a good hardening opportunity.
You can also review this data over longer periods of time to see how the improvements you make to your preventative and detective controls start to impact what you see in the real world.
For example, let’s say in August and September, you observe a significant volume of credential access and persistence tactics and techniques in your environment. However, the volume of these techniques decreases sharply in October. Instead, you notice an increase in execution techniques.
This suggests that whatever you are doing to stop credential access and persistence is working, because threats are being caught earlier in the attack lifecycle. Treat it as a hypothesis to confirm rather than a result: a drop in observed techniques can also mean a detection that broke or was tuned down, or attackers that changed approach, so check that your coverage of those tactics did not change over the same period.
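Both the control overlay described earlier and the month-over-month comparison above can be scripted. The Python below is an added example, not SenseOn's code or anything from the webinar: the group names, the technique attributions, the control inventory and the detection records are all constructed for illustration, the technique IDs and names are real ATT&CK enterprise techniques, and the version numbers in the Navigator layer are an assumption to be matched to your own instance.

```python
"""Added example: ATT&CK heat map from a threat profile, control overlay to
find coverage gaps, and a per-month roll-up of detected techniques by tactic.
All data here is constructed for the example."""
from collections import Counter, defaultdict
import json

# Technique ID -> (name, tactic). IDs and names are real ATT&CK enterprise
# techniques. Several belong to more than one tactic in ATT&CK; one tactic per
# technique is kept here to keep the roll-up simple.
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1053": ("Scheduled Task/Job", "persistence"),
    "T1547": ("Boot or Logon Autostart Execution", "persistence"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1110": ("Brute Force", "credential-access"),
    "T1078": ("Valid Accounts", "defense-evasion"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1071": ("Application Layer Protocol", "command-and-control"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Hypothetical threat profile: groups believed to target your sector and the
# techniques each uses. Group names and attributions are invented.
THREAT_GROUPS = {
    "Group A": {"T1566", "T1059", "T1003", "T1078", "T1547", "T1071"},
    "Group B": {"T1566", "T1110", "T1078", "T1021", "T1053", "T1486"},
}

# Hypothetical control inventory: which of "prevent" / "detect" you have
# per technique. Techniques absent here have no control at all.
CONTROLS = {
    "T1566": {"prevent", "detect"},
    "T1003": {"detect"},
    "T1110": {"prevent", "detect"},
    "T1078": {"detect"},
    "T1059": {"detect"},
}

# Constructed detections: (date, technique ID) confirmed in the environment.
DETECTIONS = [
    ("2022-08-02", "T1003"), ("2022-08-09", "T1110"), ("2022-08-15", "T1547"),
    ("2022-08-23", "T1053"), ("2022-08-30", "T1003"),
    ("2022-09-05", "T1110"), ("2022-09-12", "T1003"), ("2022-09-19", "T1547"),
    ("2022-09-27", "T1059"),
    ("2022-10-04", "T1059"), ("2022-10-11", "T1059"), ("2022-10-18", "T1566"),
    ("2022-10-25", "T1003"),
]


def technique_scores(groups):
    """Heat-map score per technique: how many relevant groups use it."""
    scores = Counter()
    for techniques in groups.values():
        scores.update(techniques)
    return scores


def coverage_gaps(scores, controls):
    """Techniques lacking prevent and/or detect controls, most-used first,
    ties broken by technique ID. Each entry: (id, score, missing controls)."""
    gaps = []
    for tid, score in scores.items():
        missing = sorted({"prevent", "detect"} - controls.get(tid, set()))
        if missing:
            gaps.append((tid, score, missing))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def navigator_layer(scores, controls, name="Sector threat profile"):
    """Layer dict in the JSON shape ATT&CK Navigator imports. The "versions"
    values are an assumption; set them to match your Navigator instance."""
    return {
        "name": name,
        "versions": {"attack": "11", "navigator": "4.6.4", "layer": "4.3"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": score,
             "comment": "controls: " + (", ".join(sorted(controls.get(tid, set()))) or "none")}
            for tid, score in sorted(scores.items())
        ],
    }


def tactic_trend(detections, techniques=TECHNIQUES):
    """Counts per month ("YYYY-MM") per tactic, from (date, technique) records."""
    trend = defaultdict(Counter)
    for date, tid in detections:
        trend[date[:7]][techniques[tid][1]] += 1
    return trend


def tactic_shift(trend, before, after):
    """Per-tactic (count_before, count_after) for tactics seen in either month."""
    tactics = set(trend[before]) | set(trend[after])
    return {t: (trend[before][t], trend[after][t]) for t in sorted(tactics)}


if __name__ == "__main__":
    scores = technique_scores(THREAT_GROUPS)
    for tid, score, missing in coverage_gaps(scores, CONTROLS):
        print(f"{tid} {TECHNIQUES[tid][0]}: used by {score} group(s), missing {missing}")
    print(json.dumps(navigator_layer(scores, CONTROLS), indent=1))
    print(tactic_shift(tactic_trend(DETECTIONS), "2022-09", "2022-10"))
```

Run it and the gap list leads with Valid Accounts, used by both hypothetical groups but only detected, never prevented; the printed layer can be pasted into Navigator to colour the matrix; and the September-to-October shift shows credential access and persistence falling while execution rises, which is the pattern the paragraph above describes and which you would then go and confirm against your detection coverage for those months.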
Cybersecurity cannot be reduced to a one-off assessment.
For example, while ATT&CK enables organisations to follow a data-driven process to develop a compromised mindset, it’s critical to remember that threat actors can use new techniques that may not yet be documented.
Each ATT&CK technique can also have multiple sub-techniques, which can be applied in different ways and in different parts of your estate. You might have effective security controls on your on-premises estate, but will you still be protected if the threat moves to the cloud?
It’s important to be wary of blindspots, whether that’s the cloud, legacy systems, or remote endpoints, and be able to correlate data. Often, an activity that looks benign in one part of the estate (like the endpoint) can indicate an intrusion when looked at with data from other parts of the estate (like the network or the cloud).
Although you don’t need any specific tools to adopt a compromised mindset, having a tool stack that helps you take a proactive approach to security and test your hypotheses can be a massive boon.
This is where SenseOn comes in.
One of the first products to integrate the ATT&CK framework into its security platform, SenseOn:
To learn more about adopting a compromised mindset, watch the webinar here.
To try SenseOn for yourself, see our free demo here.