
Learning the Enemy Perspective

February 26, 2019

In part one of this series, we addressed the challenges of shifting from a reactive to a proactive approach by working more closely with business counterparts to bring risk management to the forefront. As this series continues, we focus on the enemy perspective in part two. We will get inside the enemy’s head to better equip organizations for any new threats.

Where a security leader sees complexity, the enemy sees opportunity. Where a business sees compliance requirements, the enemy sees gaps. When security teams grapple with architecture challenges, the enemy finds methods to create chaos. Many common CISO frustrations become advantages for threat actors to exploit. Understanding the enemy’s thinking and tactics, however, can help security teams gain the upper hand.

Rather than a program focused on alerts and troubleshooting—a reactive posture at best—CISOs should focus on identifying the weaknesses that make it easier for the enemy to attack. Likewise, rather than a budget spent on meeting compliance regulations, another reactive posture, they should invest in raising the company’s overall security posture. A lack of standards around cloud configurations and updates, inadequate security policies, limitations of security technology, legacy systems and services, insecure business processes and risky user behavior can all create access points to your critical data. If your company has a secure foundation, compliance will follow.

Getting inside the enemy’s head

Threat actors aren’t all the same—they are members of organized crime or government-sponsored groups, hacktivists seeking to make a point, disgruntled employees or random opportunists. In most cases, they seek to exploit financial data, Personally Identifiable Information (PII) or Intellectual Property (IP) for personal gain. In some cases, they need sensitive data to fulfill an agenda, political or otherwise. The most dangerous and powerful of these actors are those who can penetrate a network and dwell there for an extended period of time, doing more damage by the hour.

Cyber-criminals look for the following weaknesses, which organizations should take extra steps to correct and avoid:

  • Exposed sensitive information
  • Exposed login interfaces
  • Ineffective secure Systems Development Life Cycle (SDLC) program
  • Lack of control over the exposed attack surface
  • Outdated or unpatched software
  • Employees not trained in security awareness
  • Insufficient password policies
  • Absence of threat hunting and forensic capabilities

So, what can you do to take an offensive position in the face of these multifarious tactics?

  1. Identify and minimize how and where attackers will target. Be aware of new targets as business units stand up new solutions, as Internet of Things (IoT) devices are connected throughout the organization, as developer apps are launched and as cloud assets grow.
  2. Adopt a continuous, investigative approach. Continually review risks and gaps throughout the year, not just during an annual assessment or penetration test. A lack of effective, continuous assessment of security vulnerabilities is what enables nefarious dwellers. A recent study found that 68% of breaches in 2017 took months or longer to discover. The attack surface changes regularly with business product launches, application updates and network and service rollouts. Threat actor tactics and known vulnerabilities change frequently, requiring security organizations to operate much differently than in the past. “Digital risk and trust are fluid, not binary and fixed, and need to be discovered and continuously assessed, alerting security and business leaders to areas of unexpected or excessive risk,” according to Gartner.
  3. Learn how to simulate enemy moves and thwart them. Sophisticated threat intelligence programs entail war games and red teaming, in which individuals or groups attempt to discover weak links in infrastructure and gain access to systems. Always-on penetration tests are another way to continually evaluate technology and personnel weaknesses, refining processes and systems to lower risk.
  4. Boost incident management skills. Threat actors know that most companies don’t have dedicated or trained security staff able to run an effective Incident Response (IR) program. Research bears this out: 65% of SANS Institute survey respondents see the skills shortage as an impediment to IR efforts. Make a case for advanced training and outside resources as needed to develop a world-class IR program.
  5. Become an expert at detection and response. As your team gets better at the offensive tactics that identify weaknesses, they’ll be able to detect and respond to threats faster. Strive to deploy the necessary tools and develop processes that outline escalation trees and proper protocols for responding to different types of threats. The enemy perspective should drive priorities for which tools and services to implement. That way, you aren’t scrambling without direction when the inevitable happens.

Make offensive security games and regular penetration testing part of your ongoing threat management program. Your team will gain knowledge to be more proactive and effective in incident response as well as prevention. The better security organizations can understand the enemy, and their own weaknesses, the better equipped they’ll be to fight any new threat down the road.

Learn more about the Enemy Perspective and why executives need to see what the bad guys see. This brings the perspective required to thwart threat actors and reduce overall security risk.

By: Bill Young

Director, Threat Practice
