What You Don’t Know Can Hurt You
Threat Assessment – When it comes to establishing and sustaining effective defenses in today’s enterprises, it pays to know who you’re defending against. In this post, we explore why it’s so critical to get a hacker’s perspective, and reveal some of the key requirements for gaining this kind of visibility in today’s enterprises.
“Keep your friends close and your enemies closer.” Many know this quote from a memorable scene from the movie, The Godfather Part II. However, it’s actually attributed to Sun Tzu, a military strategist who served as a general in late sixth-century BC China.
In spite of its age, this principle very much applies in the modern day, and specifically to the ongoing cyber security battles enterprise security teams are engaged in. Like it or not, this is a battle that’s never ending.
Any number of advanced security defenses may have been employed, but enterprise IT environments are evolving constantly; virtually nothing is static in today’s dynamic IT ecosystems. Further, and most critically, cyber attackers aren’t sitting still either; their tactics and strategies are evolving constantly.
The only way to ensure that the defenses in place are working as needed is by keeping a close eye on the evolving tactics and strategies of cyber attackers. Fundamentally, security teams need to be able to ascertain whether they’re exposed, and, if so, determine where the gap is and how to address it.
Teams need access to the latest threat methodologies, so they can objectively and accurately assess the range of controls implemented and ensure they’re effectively blocking a specific vulnerability or method of attack.
The Challenge: The Limitations of Traditional Threat Assessment Approaches
Today, the threat landscape constantly evolves and changes, forcing security teams to shift their focus as they search for gaps in their defenses. Teams need to ensure their security operations move as fast as cyber attackers. The problem is that the traditional approaches these teams have relied upon are falling short.
Security teams can pursue a number of approaches for doing threat assessments. Over the years, teams have elected to do penetration testing, red team exercises, vulnerability scanning, and more to assess threats. Many teams have also employed threat intelligence solutions.
However, by and large, these approaches have always presented significant limitations:
- Inconsistency. The manual, individual nature of white hat hacking and red team approaches can leave businesses exposed to inconsistency and unpredictability at best, and errors, oversights, and omissions at worst.
- Minimal, limited insights. Threat intelligence helps in understanding the attacks being executed, but it doesn’t address how and whether your organization is vulnerable to those attacks, and, if so, what the potential damage may be. The output of systems like vulnerability scanners can be a lot of “noise,” uncovering a lot of issues that may, or may not, actually represent real security risks. By surfacing a high volume of issues, these systems can create a huge backlog of tasks for overworked security teams, while offering minimal insight to guide prioritization.
- High costs. The types of experts that are needed to staff effective red teams or conduct white hat hacking are in short supply and demand high salaries.
- Constrained frequency, scope. Given the high cost and the difficulty of finding the right experts, many organizations are significantly limited in the scope, frequency, and duration of their ability to do these types of tests. Typically, penetration tests are conducted intermittently, often annually or semi-annually, which means teams only gain point-in-time insights.
The Requirement: Employing Breach and Attack Simulation to Gain a Hacker’s Perspective
To be truly effective, security teams need to start viewing their security defenses from the perspective of the hacker. They need to be able to identify specific types of attacks and determine whether those specific tactics can breach their organization, and leave critical business assets exposed to theft, being held for ransom, and so on. To this end, it’s vital to be able to track threats across the entire “kill chain” to determine whether an attacker can infiltrate, exploit hosts, move laterally, exfiltrate data, and so on.
Today, teams need to establish an efficient, programmatic way to gain a hacker’s perspective and intelligently assess threats. To be viable, a platform needs to enable this threat assessment, while enabling teams to overcome the limitations of manual, labor-intensive activities like penetration testing and red teaming. Teams need to be able to run continuous attacks automatically, without the need to hire dedicated teams to manage the platform. Teams need breach and attack simulation platforms that can safely execute real attacks in production environments to prove where security can withstand such attacks—and where it needs to be improved.
The best breach and attack simulation platforms offer the following capabilities:
- Comprehensive, current coverage. Platforms should be able to simulate attacks against a range of systems and technologies, including endpoint, network, SIEM, cloud, container, email, and DLP solutions. Platforms should simulate an extensive range of attacks against production environments, based on a comprehensive and current list of hackers’ breach methods and the approaches of specific threat groups.
- Continuous coverage. It is vital to be able simulate threats on a recurring basis, so, for example, teams can re-run an attack after remediation in order to ensure controls address the gap. In addition, this continuous testing is vital in order to ensure configuration changes haven’t introduced exposures.
- Powerful insights. Platforms should be able to gather vital intelligence, and make it easy for teams to assess and act on this information. These solutions should visually depict attack paths within infrastructure. Teams should be able to proactively report to executives on the organization’s risk posture and put a mitigation plan in place, before attackers exploit the gaps.
By establishing the capabilities above, teams can identify vulnerabilities, gaps, and errors—before cyber attackers can exploit them. Teams can do targeted assessments and continuous validation to ensure that new risks, whether due to new attack techniques or new vulnerabilities that have emerged in their enterprise environment, are quickly identified and addressed.
What You Don’t Know Can Hurt You