By Phil Robinson
There was an interesting spat on Twitter during September when Rob Joyce, Cyber Security Director of the National Security Agency, disputed the notion put forward by security researcher @RayRedacted that “Defenders think in lists, attackers think in graphs”. (Presumably suggesting that defenders are preoccupied with tick lists and compliance while attackers are looking at the data to see where performance discrepancies and chinks in the armour lie). Joyce’s retort was that…
“Attackers put in the time to know the network and the devices better than the defenders. That’s how they win.”
His statement suggests that far from being just opportunists, attackers study the network and carefully craft their attacks. Time is on their side, which allows them to explore and reverse engineer at their leisure. And the implication is that, if their knowledge of the network outpaces your own, they capture the castle.
But is this really true? I’d argue that there are plenty of organisations that have a strong understanding of their IT estate and a decent awareness of their environment. They may even have implemented robust defences that have met or exceeded industry best practice across their technology stacks. They know every inch of their network and what’s running over it but this doesn’t guarantee they won’t be compromised.
What’s really happening
Security breaches occur for a number of reasons. These can range from a lack of coverage (OS and app patching), competence (configuration weaknesses), staff awareness (password insecurity), budget (holes in defence technology), or just plain bad luck (exploiting windows of opportunity) – so it’s not just a matter of good situational awareness.
The National Cyber Security Centre (NCSC) makes the distinction that the majority of attacks are still not targeted. Some adopt a more scattergun approach, such as phishing, water holing, ransomware and scanning, and these by far outnumber the more time-intensive targeted attacks, with 27% of businesses being attacked once a week and 83% of these suffering phishing attacks according to the Cyber Security Breaches Survey 2021 by the DDCMS.
There’s a good reason for this. Targeted attacks can take months of preparation and execution. The attacker will typically profile your business and probe the network for weaknesses to exploit using the oft quoted cyber kill chain approach. “Attacker time” tends to preoccupy the industry, which is why you’ll hear a lot about Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), which are terms used to hawk security solutions. But the truth is you need people and process – not just technology – to keep one step ahead of the attacker.
What can you do?
There is no single solution or tool that can be deployed to protect against the possibility of a security breach; however, if the organisation uses a variety of proactive approaches it can reduce the likelihood of being caught unawares. Here is my top 5 list of “common sense” practices that can be used to protect an organisation and reduce the possibility of compromise.
Taking such actions will bolster defences and take the weight off the IT/security team, allowing them to monitor and respond appropriately. And they’ll be able to mitigate attacks so that as and when they do occur you can limit incursions. This all makes logical sense but security is still being sidelined in many businesses, particularly in the wake of the pandemic.
The DDCMS 2021 survey reveals that a third of businesses took no remedial action following their most disruptive breach and it’s this inertia that then paves the way for repeat or lateral attacks. The report concludes that organisations need to “recognise that good cyber security facilitates better business resilience” and suggests many businesses have focused too much on business continuity at the expense of security due to the pandemic.
Develop your awareness
Ideally, you want to begin to look critically at your network from the perspective of the attacker and that’s where penetration testing or simulated testing comes in. There are also now frameworks that track the pattern of attacker activity. The MITRE ATT&CK (an acronym that stands for Adversarial Tactics, Techniques and Common Knowledge) framework, identifies the tactics, techniques and procedures (TTP) attackers use and contains over 245 techniques. PRE-ATT&CK looks at attacker activity that happens prior to exploitation of a target network or system, providing some idea of how attackers scope attacks. The framework is continually updated so that new approaches spotted in the wild are added.
Such frameworks can be used to structure penetration testing. A test both identifies security vulnerabilities and weaknesses and checks whether your controls are implemented and operating correctly; tests are configured to meet the needs of the business, so they range in depth.
If you’d like to gain more visibility into your network to counter the ‘knowledge threat’ and to find out more about what’s involved in pen testing your systems, email us at contact@prisminfosec.com or call +44 (0) 1242 652 100 for a quick consultation.