One of the trends seen in 2021 was the continued development of cyber security into cyber resilience. Cyber protection is no longer enough; incident response, crisis management, and disaster recovery plans also need to be in place. In this article, CISO Ryan Weeks challenges organizations to consider whether their cyber attack plans are fit for purpose.
If you’re like the majority of today’s organizations, you’ve already digitalised most of your data and processes. While a necessity, these digital assets now present a significant risk because they provide a larger attack surface for cyber criminals than ever seen before.
At the same time, endpoints are becoming ever more diverse and distributed, and security experts are sending a clear warning that tomorrow’s attacks can include previously secure targets. There’s no doubt that the ransomware threat is now of epidemic proportions, and the rise of cryptocurrencies is providing cyber criminals with the ability to strike anonymously.
As has often been said over the past twelve months, it’s not a matter of ‘if’ an attack takes place but ‘when’, and organizations need to get smarter and act faster to proactively address the threats they are facing. With cyber attacks becoming increasingly difficult to recover from and having greater repercussions, investment in protection technologies is no longer enough. To this end, we’re already seeing organizations take an ‘assume breach’ position – developing solid incident response, crisis management, and disaster recovery plans alongside traditional cyber security programmes.
Know your battlefield
In today’s cyber threat landscape, it has become increasingly critical that organizations have an in-depth understanding of where potential attacks may come from and how they can strike. Being prepared requires a comprehensive cyber resilience strategy that consists of five building blocks – identify, protect, detect, respond, and recover. Cyber resilience also includes reducing risk – knowing which cyber security events would have the biggest impact on your organization and prioritising your defence measures accordingly. You need a good understanding of your would-be attackers, their methods, and yourself in order to develop a threat-informed, risk-based security programme.
To start, you need to evaluate, first, which of your assets have the highest probability of being attacked and, second, how valuable these assets are to cyber criminals. Only then will you be able to fully appreciate your exploitable surface and the likelihood of being attacked via a particular attack vector. Carefully studying your adversaries and how they operate is a fundamental part of such a risk-based approach.
Next, organizations need to examine their own inventory (data, systems, and people), their battlefield (the network), and their potential attackers.
Know thy enemy
Knowing your potential enemy is by far the most difficult element. A good starting point is to understand who the threat actors are that are taking an interest in your organization, and why they see you as a viable target. What are their motivations and objectives? How do they work – what tactics, techniques, and procedures (TTPs) do they use, and how are these applicable to your environment? Where would the attack most likely take place, and how could it compromise your business or your customers?
Once you’ve gained these insights, you’ll be in a better position to decide on risk-adjusted priorities for the right security controls and investments. Anticipating what the attacker might do will help you to identify gaps in your defences and determine where to ramp up protection. Conversely, it’s virtually impossible to build an efficient and effective cyber resilience programme when you don’t understand the methods that attackers are going to use against you.
Pinpointing and knowing your potential attacker isn’t easy. While threat intelligence tools can play an important role in any security programme, they are often reactive solutions based on indicators of compromise. Given the dynamics of threat indicators, they tend to include an abundance of unfiltered data. Studying an adversary’s TTPs, by contrast, must be a proactive and targeted process. Fortunately, there are several open-source resources to help you understand how threat actors operate.
A good starting point is the MITRE ATT&CK knowledge base, which provides a library of known adversary tactics and techniques. It includes information on cyber adversaries’ behaviour, reflecting the various phases of an attack lifecycle and the platforms they are known to target. It also provides a framework that is widely used by threat hunters, red teamers, and defenders to classify and assess attacks. ThaiCERT maintains another useful encyclopaedia of threat actors. Unfortunately, there isn’t a single comprehensive inventory of all attackers – and adversaries can often operate under different guises.
To stay current on evolving attack methods, security vendors monitor threat actors, and some publish threat intelligence to help with community defence. For example, threat profiles are available, at no charge, on Datto’s Threat Management Cyber Forum. The threat management team shares openly the profiles of threat actor groups that have been observed targeting the MSP community, their SMB customers, and their vendor supply chains.
Most recently added profiles include Russian state-sponsored hacker group APT29, also known as Cozy Bear and Dark Halo; the LockBit family of ransomware; and notorious cybercrime group Wizard Spider. Each profile contains an actor overview, their motives, TTPs, possible mitigations or defences, detection opportunities, and additional resources. To make the information easily actionable, the researchers have mapped actors back to the MITRE ATT&CK framework and CIS Critical Security Safeguards.
With insights into which cyber criminals could be lurking, simulating their methods will help you in determining where your greatest risks reside and what you can do to mitigate the risk. By reverse engineering attackers’ past breaches, you’ll be able to prioritise and implement the most effective security controls to defend your organization against specific actors.
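As an added illustration (not code from the article or from Datto), the following Python sketch turns the prioritisation described above into a ranked gap list: actor profiles and the control inventory are constructed sample data, the technique IDs are real ATT&CK identifiers, and each uncovered technique is ranked by how many relevant actors rely on it.

```python
"""Threat-informed gap analysis: rank ATT&CK techniques by how many relevant
actors use them and whether a protect or detect control covers each one.
Actor profiles and control coverage are CONSTRUCTED sample data, not real
actor profiles; the technique IDs are real ATT&CK identifiers."""
from collections import defaultdict

# Constructed actor profiles: actor -> (relevance weight 1..3, techniques used).
# The weight stands in for how likely the actor is to target this organization.
ACTORS = {
    "ransomware-affiliate-A": (3, {"T1566", "T1078", "T1059", "T1003", "T1486"}),
    "espionage-group-B":      (1, {"T1566", "T1078", "T1021", "T1027"}),
    "access-broker-C":        (2, {"T1190", "T1078", "T1053", "T1003"}),
}

# Constructed control inventory: technique -> [(control name, function)].
# Functions follow the resilience building blocks: protect, detect, recover.
CONTROLS = {
    "T1566": [("email-filtering", "protect"), ("phish-reporting", "detect")],
    "T1078": [("mfa", "protect")],
    "T1486": [("offline-backups", "recover")],
    "T1190": [("patching", "protect")],
    # T1059, T1003, T1021, T1027 and T1053 have no control mapped: pure gaps.
}

def technique_exposure(actors=ACTORS):
    """Sum actor weights per technique: a high score means several adversaries
    we care about rely on it, so closing it pays off against all of them."""
    exposure = defaultdict(int)
    for weight, techniques in actors.values():
        for technique in techniques:
            exposure[technique] += weight
    return dict(exposure)

def prioritised_gaps(actors=ACTORS, controls=CONTROLS):
    """Return (technique, exposure, missing functions), highest exposure first.
    A technique is a gap when it lacks a 'protect' or a 'detect' control; a
    'recover' control alone (e.g. backups for T1486) still leaves both missing."""
    gaps = []
    for technique, exposure in technique_exposure(actors).items():
        have = {function for _, function in controls.get(technique, [])}
        missing = [f for f in ("protect", "detect") if f not in have]
        if missing:
            gaps.append((technique, exposure, missing))
    gaps.sort(key=lambda gap: (-gap[1], gap[0]))  # stable, ID-ordered ties
    return gaps

if __name__ == "__main__":
    for technique, exposure, missing in prioritised_gaps():
        print(f"{technique}: exposure={exposure} missing={','.join(missing)}")
```

Swapping the constructed profiles for the TTPs published in a real actor profile, and the inventory for your own mapped safeguards, gives the same ranking for your environment.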
To help test your configurations, there are a number of free open-source tools that emulate specific adversaries, such as Caldera (which leverages the ATT&CK model) or Red Canary’s Atomic Red Team. Note that adversary emulation is different from pen testing and red teaming, as it uses a scenario to test a specific adversary’s TTPs. Be sure to examine technology and processes, as well as people, to fully understand how your defences work in unison. This process needs to be repeated until you are confident that you’re ready to win the battle against this adversary.
The frequency of adversary emulation depends on the size of your organization: smaller organizations should do this at least once a year or whenever there is a major new threat; larger organizations and MSPs should do it quarterly; and for enterprises, a threat-informed defence programme is an ongoing effort. In addition, at a minimum, all organizations should follow the CIS Critical Security Controls, spending time on the Implementation Group 1 (IG1) controls for essential cyber hygiene.
While these tasks and processes can appear overwhelming, you can begin with a step-by-step gap assessment against CIS IG1: even investing an hour a week on a risk- and threat-based approach will help improve your overall security. To make better risk-informed decisions and be better equipped to protect your business, the main thing is to begin the process.
Ryan Weeks is CISO at Datto.