Learning the Enemy Perspective

Learning the Enemy Perspective

In part one of this series, we addressed the challenges of shifting from a reactive to a proactive approach by working more closely with business counterparts to bring risk management to the forefront. As this series continues, we focus on the enemy perspective in part two. We will get inside the enemy’s head to better equip organizations for any new threats.

 

Where a security leader sees complexity, the enemy sees opportunity. Where a business sees compliance requirements, the enemy sees gaps. When security teams grapple with architecture challenges, the enemy finds methods to create chaos. Many common CISO frustrations become advantages for threat actors to exploit. Understanding the enemy’s thinking and tactics, however, can help security teams gain the upper hand.

 

Rather than a program focused on alerts and troubleshooting—a reactive posture at best—CISOs should focus on identifying the weaknesses which make it easier for the enemy to attack. Also, rather than a budget spent on meeting compliance regulations, another reactive posture, they should invest in increasing a company’s overall security posture. A lack of standards around cloud configurations and updates, inadequate security policies, limitations of security technology, legacy systems and services, insecure business processes and risky user behavior could all create access points to your critical data. If your company has a secure foundation, compliance will follow.

 

Getting inside the enemy’s head

 

Threat actors aren’t all the same—they are members of organized crime or government-sponsored groups, hactivists seeking to make a point, disgruntled employees or random opportunists. In most cases, they seek to exploit financial data, Personally Identifiable Information (PII) or Intellectual Property (IP) for personal gain. In some cases, they need sensitive data to fulfill an agenda, politically or otherwise. The most dangerous and powerful of these actors are ones who can penetrate a network and dwell for an extended period of time, doing more damage by the hour.

 

Cyber-criminals look for the following vulnerabilities, ones which organizations should take extra steps to correct and avoid:

 

  • Exposed sensitive information 
  • Exposed login interfaces
  • Ineffective secure Systems Development Life Cycle (SDLC) program
  • Lack of control over exposed attack surface 
  • Outdated or unpatched software
  • Employees not trained in security awareness 
  • Insufficient password policies
  • Absence of threat hunting and forensic capabilities

 

So, what can you do to take an offensive position in the face of these multifarious tactics?

 

  1. Identify and minimize how and where attackers will target. Be aware of targets as business units stand up new solutions, as Internet of Things (IoT) devices are being connected throughout an organization, as developer apps are being launched and as cloud assets grow. 
  2. Adopt a continuous, investigative approach.  Continually review risks and gaps throughout the year, not just during an annual assessment or penetration test. A lack of effective and continuous assessments of security vulnerabilities is what enables nefarious dwellers. A recent study found that 68% of breaches in 2017 took months or longer to discover. The attack surface is regularly changing with business product launches, application updates and network and service rollouts. Threat actor tactics and known vulnerabilities change frequently, requiring that security organizations operate much differently than in the past. “Digital risk and trust are fluid, not binary and fixed, and need to be discovered and continuously assessed, alerting security and business leaders to areas of unexpected or excessive risk,” according to Gartner.
  3. Learn how to simulate enemy moves and thwart them.  Sophisticated threat intelligence programs entail war games and red teaming, where individuals or groups attempt to discover weak links in infrastructure and gain access to systems. Always-on penetration tests are another way to continually evaluate technology and personnel weaknesses, refining processes and systems to lower risk. 
  4. Boost incident management skills. Threat actors know that most companies don’t have dedicated or trained security staff who are able to run an effective Incident Response (IR) program. Research bears fruit: 65% of SANS Institute survey respondents see skills shortage as an impediment to IR efforts. Make a case for advanced training and outside resources as needed, to develop a world-class IR program.
  5. Become an expert at detection and response. As your team gets better at offensive tactics that identify weaknesses, they’ll be able to detect and respond to threats faster. Strive to deploy the necessary tools and develop processes that outline escalation trees and proper protocols for responding to different types of threats. The enemy perspective should drive priorities for which tools and services to implement. That way, you aren’t scrambling without direction when the inevitable happens. 

 

Make offensive security games and regular penetration testing part of your ongoing threat management program. Your team will gain knowledge to be more proactive and effective in incident response as well as prevention. The better security organizations can understand the enemy, and their own weaknesses, the better equipped they’ll be to fight any new threat down the road.

 

Learn more about the Enemy Perspective and why executives need to see what the bad guys see. This brings the perspective required to thwart threat actors and reduce overall security risk.  

 

Bill Young
VP/GM, Threat Management | Optiv
Bill is responsible for Optiv’s offensive testing and enterprise incident management services including breach simulations, penetration testing programs, incident response, application security and advanced product security assessments. Bill has more than 15 years of experience in Information Security consulting and leadership. He has developed and implemented multifaceted penetration testing and application security programs, delivering custom-built assessment services to meet a variety of needs, budgets and risk tolerance. He has also performed red team and security assessments for clients in all major verticals, with client sizes ranging from 30 employees to Fortune 10 corporations.