The cyber landscape is maturing at a startling velocity. An industry that barely existed 20 years ago is now projected to be worth $170 billion by 2020. As technical development has snowballed, security assurance has become a board-level consideration. Assurance practices have had to evolve to keep pace with the digital transformation occurring around us, reflecting both the changes in the ways we engage with technology and the evolving threat landscape. Organizations whose assurance process remains static will become increasingly vulnerable. To build effective risk management processes, organizations must become agile and threat led, and must focus on people, process and technology collectively.
Traditional technical assurance practices typically revolved around penetration testing and vulnerability assessments. They were conducted as point-in-time exercises and were usually delivered against defined scopes. For instance, an organization would commission a firewall security test, a black box web application test, or a white box database review, and would ask the security company to identify exploitable vulnerabilities that were usually technical in nature. In almost all instances, the purpose was to help the commissioning organization determine whether its defensive (preventive) controls were effective; whether anyone would notice the test in progress was rarely part of the question.
The cyber landscape has evolved significantly, and individuals now consume live data around the clock. They are online through 4G and Wi-Fi networks every waking hour, interact with rich content through dedicated apps, and publish and consume social media content throughout the day. The boundaries between work and personal personas are becoming increasingly blurred. At the same time, organizational infrastructure has sprawled beyond the physical constraints of the office: data now resides in the cloud, in apps and in the third-party supply chain. These two combined forces mean that a strategy focused on 100% cyber security defence (preventing every intrusion) is almost certainly set up to fail.
In recent years, organizations have been encouraged to pursue an approach based around defence in depth. The essence of this philosophy is to have multiple controls and processes, at different layers, that would enable an organization to detect malicious activity even when one layer is bypassed. This differs from an approach where the organization puts all its trust in one piece of technology to detect and respond to a cyber-attack.
Whether an organization chooses the defence in depth approach or relies on a single device to alert it to the advent of a cyber-attack, one thing is certain: many organizations simply assume that their approach will work. This assumption rests on the hype from the technology vendor, the consultancy that installed it or the managed service provider that maintains it. To date, very few organizations conduct assurance activities on their detection and response capability. Instead they hope that it is effective, without gaining any insight into what it can and cannot identify.
Here at Nettitude, we believe that much of the assumption around detection and response rests on the premise that most attacks will show up as bad traffic or behaviour originating from the Internet. Many organizations have not taken the time to understand the different types of threat. They do not understand threat actors' goals or motivations, their modus operandi, or their tactics, techniques and procedures. They have little insight into the types of threat that have been seen targeting similar organizations in the same industry vertical, operating in the same country, or trading with similar business partners. Most organizations have no understanding of the nature or velocity of the attacks they face, and class all bad or malicious people into the broad classification of hackers.
The different types of threat actors
The reality is that different threat actors have different goals, motivations and capabilities. Using two contrasting threat groups as examples, we can see the differing goals and motivations.
Hacktivists typically want to promote a message or make some form of political statement. They aim to deface website content, publish embarrassing content, or issue public statements designed to name and shame their victims. Their activity is therefore loud by design: success, for them, means being noticed.
Organized crime units typically focus on monetising their attack. Their goal is to steal money or data directly, to change data, or to deny access to data in the hope of extracting money. They do not try to publish a message or promote a political statement, and unlike hacktivists they have every incentive to stay unnoticed for as long as the attack is paying.
A strategy that detects and responds to hacktivists will therefore need to differ somewhat from one that detects and responds to organized crime groups. Yes, there will be elements of similarity and overlap, but there will also be many elements that are entirely distinct.
Detection and response assurance activities
Nettitude actively promotes the concept of conducting detection and response assurance activities that simulate a broad array of threat groups and their tactics, techniques and procedures (TTPs). By sending malicious traffic to an organization that reflects a known threat group, it is possible to determine the effectiveness of that organization's detection and response strategy. If the traffic is detected, Nettitude may make small adjustments to the traffic it generates to see whether the detection and response strategy is still effective. This approach is iterated multiple times with the expectation that it will identify areas where the organization has gaps in its detection capabilities: a rule that fires only on one exact tool, command line or indicator will be revealed as brittle by the first variation.
By way of illustration, we will present a common type of organization, a common type of attack, and a common expectation of how it will be detected.
How an attack will target employees
Many organizations place all of their detection and response focus on their server estate and their critical datastores. Despite this, many threat actors will initially target employees through spear phishing or social engineering. If the attacker can compromise the employee and get them to click on a link or open a malicious file, their next step is to look for sensitive information, or information about internal processes, that resides on the user's workstation or on shared network drives the user has access to. Once the attacker has gained access to that information, it may be used to move laterally across the network, perhaps escalating the user's privileges and gaining access to more sensitive or critical assets. Only once the attacker has a sufficient foothold in the network, with sufficient credentials, will they seek to gain access to the core asset or datastore that the organization is focused on protecting. At most stages of this attack, most organizations are unable to detect the malicious behaviour. Instead of being able to detect at multiple points on the attack chain, they focus their efforts on the final link in the chain and are oblivious to all of the other nodes and actions the attacker passes through. Yet the earlier stages are often the easiest to spot: an Office document spawning a command interpreter, one user touching many file shares in quick succession, or a workstation authenticating directly to another workstation are all uncommon in normal business activity. By contrast, the last steps of the attack generate traffic that looks like internal user behaviour. It no longer looks like an external attacker targeting an internal asset; it looks like a legitimate user, with legitimate credentials, gaining legitimate access to the core business asset.
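The attack chain described above, together with the "adjust and re-test" loop from the detection and response assurance section, can be illustrated with a small set of per-stage detection rules run over constructed endpoint telemetry. This is an added example written for this page and is not Nettitude's tooling; the event schema (`kind`, `host`, `user`, `parent`, `process`, `share`, `src`, `dst`, `logon_type`, `table`), the host naming convention, the share-count threshold and the events themselves are all assumptions made for illustration. It shows three things: the intermediate stages (initial access, share discovery, lateral movement) each produce a distinct alert; the final-link rule cannot separate the attacker's query from the DBA's; and a single small change by the attacker silences the initial-access rule while the other stages still fire.

```python
"""Per-stage detection over a constructed attack-chain event sample.

Added example, not Nettitude's tooling. The event field names, host naming
convention and threshold below are assumptions; the events are constructed.
"""
from collections import defaultdict

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
WORKSTATION_PREFIX = "WS-"      # assumed naming convention for user workstations
SHARE_THRESHOLD = 3             # assumed tuning value: distinct shares per user

# Constructed telemetry for the chain in the text: phish -> workstation ->
# shares -> lateral movement -> stolen service account -> core datastore.
ATTACK_CHAIN = [
    {"kind": "process", "host": "WS-0412", "user": "j.smith",
     "parent": "WINWORD.EXE", "process": "powershell.exe"},
    {"kind": "share", "host": "WS-0412", "user": "j.smith", "share": r"\\FS01\finance"},
    {"kind": "share", "host": "WS-0412", "user": "j.smith", "share": r"\\FS01\hr"},
    {"kind": "share", "host": "WS-0412", "user": "j.smith", "share": r"\\FS01\it-procedures"},
    {"kind": "share", "host": "WS-0412", "user": "j.smith", "share": r"\\FS02\backups"},
    {"kind": "logon", "src": "WS-0412", "dst": "WS-0977", "user": "j.smith", "logon_type": 3},
    {"kind": "logon", "src": "WS-0977", "dst": "DB01", "user": "svc_dba", "logon_type": 3},
    {"kind": "db_query", "host": "DB01", "user": "svc_dba", "table": "customers"},
]

# Constructed benign activity: the real DBA doing the same thing from the jump host.
BENIGN = [
    {"kind": "logon", "src": "JUMP01", "dst": "DB01", "user": "svc_dba", "logon_type": 3},
    {"kind": "db_query", "host": "DB01", "user": "svc_dba", "table": "customers"},
]


def office_spawns_shell(events):
    """Initial access: an Office application launching a command interpreter."""
    return [f"{e['host']}: {e['parent']} spawned {e['process']} as {e['user']}"
            for e in events
            if e["kind"] == "process" and e["parent"] in OFFICE_APPS and e["process"] in SHELLS]


def share_sweep(events):
    """Discovery: one user touching an unusual number of distinct file shares."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "share":
            seen[e["user"]].add(e["share"])
    return [f"{user} touched {len(shares)} distinct shares"
            for user, shares in seen.items() if len(shares) >= SHARE_THRESHOLD]


def workstation_to_workstation(events):
    """Lateral movement: a network logon (type 3) from one workstation to another."""
    return [f"{e['user']}: network logon {e['src']} -> {e['dst']}"
            for e in events
            if e["kind"] == "logon" and e["logon_type"] == 3
            and e["src"].startswith(WORKSTATION_PREFIX) and e["dst"].startswith(WORKSTATION_PREFIX)]


def core_datastore_access(events):
    """The 'final link' rule most programmes rely on: any query against the crown jewels.
    It fires on the attacker and on the legitimate DBA alike, because both arrive with
    a valid service account over a valid logon."""
    return [f"{e['user']} queried {e['table']} on {e['host']}"
            for e in events if e["kind"] == "db_query"]


RULES = {
    "initial_access": office_spawns_shell,
    "discovery": share_sweep,
    "lateral_movement": workstation_to_workstation,
    "objective": core_datastore_access,
}


def coverage(events):
    """Map each stage of the chain to the alerts it produced, so the analyst can see
    which links fired rather than a single yes/no."""
    return {stage: rule(events) for stage, rule in RULES.items()}


def evade_initial_access(events):
    """The attacker's 'small adjustment' from the iterate-and-retest loop: the macro
    launches rundll32.exe instead of powershell.exe, which is not in SHELLS."""
    return [dict(e, process="rundll32.exe") if e["kind"] == "process" else e for e in events]


if __name__ == "__main__":
    for label, sample in [("attack", ATTACK_CHAIN), ("benign", BENIGN),
                          ("attack, variant", evade_initial_access(ATTACK_CHAIN))]:
        print(f"== {label}")
        for stage, alerts in coverage(sample).items():
            print(f"  {stage:17s} {alerts or '-'}")
```

Run as-is it prints the per-stage alerts for the three samples. The point to take from the variant run is the one the text makes: the initial-access rule, keyed on a list of interpreter names, goes quiet after a trivial substitution, but because discovery and lateral movement are detected independently the chain is still visible. A programme that only had the `objective` rule would see the attacker and the DBA as the same event.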
Unless organizations include detection and response assurance activity within their security assurance programs, they will remain uncertain as to whether they could identify threats within their environment. Fortunately, the security testing industry has evolved to make this an integral component of a mature security assurance strategy. Whether it is described as purple teaming, a detection and response assessment, or an incident response maturity assessment, there are multiple techniques that can be deployed to help a CISO determine whether they are safe to go to sleep at night.
What Nettitude can do for your business
To find out more about how Nettitude can help you develop or assess your detection and response strategy, please get in touch with our team today.