Working with cybersecurity can feel like fighting a losing battle. Cybercriminals can access an organization’s network in minutes, while it often takes months for cybersecurity analysts to detect a breach. The number of cyberattacks is on the rise, while the cybersecurity industry faces an ever-growing cybersecurity skills gap. And cybersecurity analysts must find all the vulnerabilities in the infrastructure to protect the perimeter, while the adversaries only need to find one to get through it.
Threat actors have the upper hand, so how can companies successfully navigate through the threat landscape?
Adversarial dominance calls for a goal-oriented approach
It is impossible to protect the entire infrastructure against cybercriminals. They are dominant, and that fact is unlikely to change. Cyberattacks are inevitable, revealing a need for analysts to switch from a preventive approach to a goal-oriented approach, introduced by SANS SEC511. Instead of trying to prevent compromise, the goal-oriented approach aims to prevent the attackers from getting what they want, which is usually data or significant system control. Ultimately, the analysts do not need to protect the entire infrastructure; they need to protect the critical assets.
The key to success with the goal-oriented approach is visibility in the network, so that the analysts can detect a breach. Cybercriminals always leave footprints, but to see them the analysts must know the enemy: how they think and how they work. For example, attackers always use vulnerability assessments as part of active or passive surveillance, so a strong security team will perform them too to get ahead. Analysts need to understand the tactics, techniques, and procedures of the threat actors.
Knowing the environment is imperative
Cybercriminals usually follow the same process during an attack. First, they try to get to know the environment and map it out. Next, they try to locate the critical assets. Finally, they steal or exploit those assets. For a security team to successfully prevent an attack, it must know its own environment and critical assets.
The security team must map out the infrastructure by assessing its defenses, determining what information can provide an overview of it, and deciding what level of detail is required. The team also needs to understand the critical applications and where they run, the sensitive data and where it is located, identify privileged users, and locate key network transitions. When the mapping is complete, it is necessary to observe movement in the infrastructure to get an overview of what is happening in systems, applications, databases, cloud environments, and operating systems.
Context is king
Analysts need context to distinguish between expected and unexpected movement in the infrastructure. They can get context from open-source intelligence, internal directories, configuration management databases, static and dynamic lists, and tables of the most exposed user accounts, networks, and geographies. The most crucial source for understanding those observations is logs. A strong security team will make sure that no one can move in the infrastructure without being registered.
Monitoring logs in real time is a strong cybersecurity tool. It provides situational awareness and allows analysts to determine more confidently whether a movement in the infrastructure, particularly around a critical asset, is expected or unexpected. Analysts can detect a cybercriminal breaching the perimeter and stop the attack. Additionally, they can apply machine learning to detect anomalies and increase the chances of preventing the attacker from reaching critical assets.
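As an added illustration (example code written for this page, not part of the original article or any product it describes), the following Python joins a constructed log excerpt with constructed context tables of the kind described above (critical assets, privileged users, expected geography) and reports each event that is unexpected in that context:

```python
# Added example (not from the original article): context-aware log review.
# The context tables and the log lines are constructed for illustration.
import re

# Context an analyst would pull from internal directories or a CMDB (constructed).
CRITICAL_ASSETS = {"db-payroll-01", "fileserver-hr"}
PRIVILEGED_USERS = {"alice", "svc-backup"}
EXPECTED_GEO = {"SE", "NO"}          # countries the workforce normally works from
EXPECTED_ACCESS = {                  # who is expected to touch each critical asset
    "db-payroll-01": {"alice", "svc-backup"},
    "fileserver-hr": {"alice"},
}

# One event per line: timestamp, user, source IP, geolocated country, host, action.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) "
    r"host=(?P<host>\S+) action=(?P<action>\S+)$"
)

def assess(line: str) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, user, host, reason) for each way this event is unexpected."""
    m = LOG_RE.match(line)
    if not m:
        return [("?", "?", "?", "unparseable log line")]
    ev = m.groupdict()
    reasons = []
    on_critical = ev["host"] in CRITICAL_ASSETS
    if on_critical and ev["user"] not in EXPECTED_ACCESS[ev["host"]]:
        reasons.append("critical asset touched by user not on its expected list")
    if ev["user"] in PRIVILEGED_USERS and ev["geo"] not in EXPECTED_GEO:
        reasons.append("privileged user active from unexpected geography")
    if on_critical and ev["action"] == "bulk_export":
        reasons.append("bulk export from critical asset")
    return [(ev["ts"], ev["user"], ev["host"], r) for r in reasons]

def review(log_text: str) -> list[tuple[str, str, str, str]]:
    """Run assess() over every non-empty line of a log excerpt."""
    return [f for line in log_text.splitlines() if line.strip() for f in assess(line)]

# Constructed log excerpt: one expected query, one user outside the expected list,
# and a service account exporting from an unexpected country.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice src=10.0.4.12 geo=SE host=db-payroll-01 action=query
2024-05-01T08:05:40Z user=bob src=10.0.9.77 geo=SE host=fileserver-hr action=read
2024-05-01T03:17:02Z user=svc-backup src=203.0.113.5 geo=XX host=db-payroll-01 action=bulk_export
"""
if __name__ == "__main__":
    for ts, user, host, reason in review(SAMPLE_LOG):
        print(f"{ts} {user}@{host}: {reason}")
```

The first line is expected and produces nothing; the other two are reported with the context that makes them unexpected, which is the distinction the article describes.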