The offensive ruling in defending cyber
Any scenario between security adversaries is a balanced offense and defense in the mind. Last decade, conventional wisdom in fields of Information Technologies, products, and services provides an enormous offensive preference for the bad guys. On the contrary, I think it is possible to decrease the risks posed by threat actors and adversaries and likely increase peacetime stability for gov’t and enterprises.
Recent researches estimates put worldwide cybersecurity investments at 130bnUSD and calculated cyber risks around 2TUSD in 2019 and analysis estimate cyber risks 5.2T USD in 2023. No business is untouched by the increasing cost of cybercrime. World Economic Forum report noted that businesses have observed security breaches increased by 67% in the past five years alone.
CISO’s think their digital assets will be immune to the cyberattacks as it improves from current investments that are currently unsecured by design. What a lie:), other people trusting on SOAR automation and CTI products have capable to paralyze much of the attacker’s TTP’s. The truth is, at the same time threat actors are looking at how they can use these gaps and current security technologies implemented as well. Some of CISO’s think the next level of cryptography solutions like QC(Quantum Computing) and Blockchain could provide unbreakable protection of their data could drive to fundamentally more secure defenses. But these approaches difficult to stop threat actor actions that don’t provide what TTP can be utilized and how.
The offensive position in the cybersecurity business is carefully shifting as the defense layer that closes the gap by understanding real-risks and simulating threats scenarios executed by red team exercises. It’s happy to see that some CISO’s begin to understand the value of what is at stake, activating this point of view provides the effectiveness of better security control and fewer breaches in the enterprise environments.
More importantly, cybersecurity problems have no single solution and defenses has no inquiry of an engineering problem to identify the specific threats. It’s more than that.
Different threat requires a different threat model
Threat Actors continually optimize the techniques and tactics they use to target organizations rather than infrastructure. As cybersecurity professionals, you’re essential to the decrease threat effectiveness but in today’s ever-evolving threat landscape — the question is: what do you prioritize?
Multiple layers of security tools from mixed vendors all generating different reports and logs? Do you have the much-needed experienced security professionals to handle the logs, notifications as well as data coming from these systems? These questions never answered correctly yet.
Security stack needs products that can adapt to continually keep pace with the ever-increasing complexity of adversarial tools, tactics, and procedures while at the same time efficacy of operational support the security teams. Nowadays, we have no method of certainly detecting what will be good and bad tomorrow.
Like a Covid-19 cure or disease, so does it take time for full security stack to develop explicit defenses against new exploits. Even with niche technologies such as ML/AI, there can take a long long gap between primary “patient zero” victim and effective risk reduction. During that time, many of the infrastructures can fall as a victim of the attack. So, we need to understand that patient zero truly represents tons of infected hosts. What better method to stop adversaries' actions than to stop it from ever happening in the first place?
Thinking like an attacker is the best advice in cybersecurity. If you think like an adversary, it becomes clear that necessary actions are going after. Lockheed Martins’s basic Killchain model, it is generally the same, it always starts with reconnaissance that might include using scanning for looking exploitable vulnerabilities in the victim area. After recon stage, an adversary needs to weaponize what they discovered to exploit the vulnerability.
In the defense, security stacks have lots of ineffectiveness due to a lack of adaptation to an adversary. Adversaries generally test against the prevention and detection layer before attacking high-value targets. That’s why security teams that have adopted the kill chain models to understand the TTP of adversarial behavior in a particular case. Organizations need to identify what tools the adversaries are using and where are the gaps in their security capabilities.
Since 2014 the MITRE’s ATTACK has evolved, it breaks down the tactics and techniques a threat actor needs to deploy so that the threat hunters can look at these signals that disrupt adversarial stages. It also feels like intelligence shares that identify well recent and past adversaries TTP’s. In a single attack campaign, adversaries exploit the same vulnerability, techniques across multiple companies. If the companies are sharing this intelligence information among them, adversarial behaviors by one mean that every company will know about it. As a result, adversaries might need to develop unique attack patterns for every target or they would have to choose a small number of targets, In either case, the efficiency of the attack would decrease.