Know your enemy – Thinking like a hacker
- Written by Ryan Weeks, CISO at Datto
As companies are increasingly digitalising their data and processes and are now having to secure a larger diversity of distributed endpoints. However this then creates many more entry points for cyber threats to breach. Organisations need to transition from a mindset of ‘if’ an attack will take place to ‘when’.
Cyberattacks are taking place at an accelerated pace, becoming increasingly difficult to recover from and posing significant consequences. Given the frequency of attacks, the larger attack surface and the severity of attacks, investment in protection technologies is no longer enough. To be ready for an attack, companies are changing their tactics. They are now taking an ‘Assume Breach’ position, which entails combining their traditional cyber security programmes with robust incident response, crisis management and disaster recovery plans.
While the foundation of a comprehensive cyber resilience strategy encompasses the ability to identify, protect, detect, respond to and recover from threats, it is more about effective risk management. This means identifying which cyber security events would have the greatest impact on the organisation and prioritising defence measures accordingly. To achieve this level of protection, organisations need to understand the hacker, the playing field, and their defences.
Getting into the mind of a hacker
By far, gaining knowledge about the enemy is the most difficult of the three. To start, organisations need to study the threat actors and understand why they view the company as a viable target. In order to gain this level of knowledge, companies need answers to the following questions: what are the cyber criminals’ motives and goals, what are the tactics, techniques and procedures (TTPs) they use, how are the TTPs applicable to the business environment we operate, where would the attack most likely take place based on current defences, and how could it compromise the organisation, the supply chain or customers?
Pinpointing and knowing potential attackers is not easy. Fortunately, there are several open-source resources that provide insights into how cybercriminals operate. To start, the MITRE ATT&CK database provides a library of known adversary tactics and techniques. It provides information on cyber criminals’ behaviour and exposes the various phases of an attack lifecycle and the platforms these threat actors are known to target.
Understanding the playing field
Cyber resilience requires a comprehensive strategy to reduce risk. Basically, the risk is a function of the likelihood of a cyberattack and of it causing various adverse impacts. For instance, an event that is likely to happen but has minor consequences presents less overall risk than an event that is deemed likely but would cause significant consequences.
To truly understand the organisation’s exploitable surface, insight into the likelihood of being attacked via a particular attack vector is fundamental. Organisations first need to evaluate which of their assets have the highest probability of being attacked. Second, they need to determine how valuable these assets are to the company or their customers.
Prepare for battle: Ensure your organisation is cyber-attack ready
With insight into knowing which threat actors are lurking and their preferred attack surface, the organisation is ready to simulate their attack methods to determine where the greatest risks reside and take proactive measures to mitigate potential risk. This is best accomplished by reverse engineering a cyber criminal’s past breaches. The intelligence gained by this exercise enables organisations to prioritise and implement the most effective security controls against specific cybercriminals and their tactics and techniques.
It is important to note that adversary emulation is different from pen testing and red teaming in that it uses predetermined scenarios to test specific adversary TTPs. The goal of this process is to determine whether the tactics can be detected or even prevented. As part of the emulation exercises, it’s also important to examine technology, processes and people. This will provide a comprehensive understanding of how all defences work in unison. Be sure to repeat the testing until there’s a level of confidence that the organisation will prevail against the specific adversary.
How often to perform adversary emulation is dependent on the size and type of company. For instance, large organisations and MSPs should perform this exercise at least on a quarterly basis, SMEs at least once a year or whenever there is a major new threat, whereas for enterprises, a threat-informed defence programme needs to be an ongoing effort. However, there is no such thing as over testing an organisation’s cybersecurity.
While the processes may appear arduous and even overwhelming, it is impossible to build an efficient cyber resilience programme without understanding the methods attackers are going to use. Being ready to combat cyberattacks means thinking like a hacker to improve overall security.