Modern organizations have seen a massive expansion of their cyber terrain with the integration of business systems, information technology, and operational technology that is fundamentally transforming the effectiveness and efficiencies of business operations. Unfortunately, this integration of business systems and technologies that are enablers of digital transformation will expand the attack surface and potentially accelerate the speed and damage of attacks.
As part of Fidelis Cybersecurity’s ongoing research efforts, we are asking cybersecurity practitioners to participate in our 2020 State of Threat Detection and Response Survey.
Correlation between cyber terrain and exploitable attack surface is leading many organizations to question whether they have the right cybersecurity tools deployed to provide visibility of their network traffic. This is consistent with key findings of Fidelis Cybersecurity’s State of Threat Detection and Response 2019 report, which found that 69% of respondents believe their attack surface grew as a result of additional cloud applications, higher levels of network traffic, and a higher number of endpoints (especially with the rise in BYOD devices), enterprise IoT and mergers & acquisitions. This same report also found 49% of respondents did not have holistic visibility, while only 12% strongly agreed that they had full visibility of their cyber terrain.
A key takeaway: As the cyber terrain continues to grow, organizations must evolve their defensive strategies, moving from perimeter-focused security to more comprehensive strategies that emphasize holistic visibility, detection, and response of attacks across the cyber terrain. This can be accomplished by operationalizing cyber threat frameworks such as MITRE ATT&CKTM.
As cyber attackers continue to innovate and evolve their capabilities (increasingly with the help of adversarial machine learning), early detection and response remains one of the most effective strategies for defending enterprises against malicious actors. Unfortunately, the dwell time of a cyberattack is currently measured in terms of months instead of hours or days, providing attackers with ample time to collect information, move throughout the network and damage or exfiltrate enterprise data. To effectively detect and respond to threats early in the attack kill chain, organizations must have holistic visibility of their terrain.
Cyber attackers will use a variety of tactics, techniques and procedures (TTPs) to remain undetected by security tools, but these actions also create opportunities for analysts to find them. For this, security organizations rely upon network traffic analysis (NTA) technology which can capture, process, and analyze network traffic to detect and investigate data that may indicate a cyberattack. Modern network traffic analysis solutions must use a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities and sophisticated attackers on enterprise networks.
Operationalizing Threat Frameworks
Operationalizing capabilities against cyber threat frameworks provide organizations with a concrete method for assessing what defensive capabilities they possess and which ones they need. The framework is effectively a decision support tool to assist organizations in the acquisition of new capabilities and/or the rationalization of existing capabilities. Cybersecurity teams should align their day-to-day post-breach detection and response actions to a cyber threat framework such as the MITRE ATT&CK framework. Intelligence derived from this approach will help cybersecurity teams identify where and how attackers will seek to exploit defenses, and provides organizations with a valuable starting point in how to position their defensive capabilities to proactively guard against attacks.
In addition to using cyber threat frameworks that map threat actors to known attack methodologies, organizations also need to continuously use detection capabilities to hunt for emerging or unknown threats using both automated and manual approaches. Reducing cyber dwell time is a critical metric for all cybersecurity teams that will benefit from improvements in visibility of their cyber terrain. Not surprisingly, visibility trailed automation as the second leading overall concern for organizations according to the 2019 State of Threat Detection report, with 53% of respondents identifying their lack of visibility as a high priority.
This forces many organizations into a reactive security posture, forcing analysts to scramble to react in a timely manner to new and evolving attacks. In order to shift security postures from reactive to proactive positioning, organizations will need to re-evaluate their security strategy in order to shape the attack surface to their advantage and make network traffic analysis solutions the cornerstone of their SOC operations. Ideal network traffic analysis solutions should provide organizations with deep visibility into their own cyber terrain, as well as all the tactics and techniques that attackers use to infiltrate networks, expand control, and entrench themselves.
Like detecting threats, responding to threats effectively ultimately boils down to how much information you have at your disposal. Network traffic analysis solutions should therefore prioritize giving incident responders the critical information needed to quickly make risk-based decisions. Having visibility from the network and cloud traffic to endpoint activity is a must to understand the who, what, when, where, and how — in addition to possessing the tools and automation needed to resolve issues as quickly as possible.
SOC teams are increasingly overwhelmed with more responsibility, more alerts and more tools than ever. Even with full visibility, keeping up with these challenges is next to impossible when analysts must constantly chase down threats and alerts. In order to overcome this, organizations need to use their visibility and mapping to transition to truly threat-driven operations that will fortify reactive capabilities with proactive, predictive, and retrospective capabilities.
To accomplish this, organizations must overlay an understanding of the operational threat on top of the full visibility they have gained. This allows analysts and operators to weigh several courses of action, informed by full knowledge of their terrain and detailed options for uncovering or responding to threats against their organization. These courses of action can be fully automated or require human intervention to choose from one of several recommended best courses of action.
State of Threat Detection and Response 2020
If you would like to contribute your viewpoint on the current state of detection and response, we welcome you to participate in our ongoing survey for the Fidelis State of Threat Detection and Response 2020.
About the Author: Craig Harber, Chief Operating Officer, Fidelis
Craig Harber is Fidelis’ Chief Operating Officer, with responsibilities for product strategy, services and customer delivery. Harber had a distinguished career at the National Security Agency (NSA), and most recently USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance, having far reaching strategic impact across the Department of Defense (DOD) and Intelligence Community (IC).
During his career at the NSA, Harber earned a reputation as a respected authority on technical strategies to fully integrate and synchronize investments in cybersecurity capabilities. He invented the threat-based cybersecurity strategy known as NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR) that provided DOD policymakers a framework to objectively measure the expected value of cybersecurity investments. He transformed Active Cyber Defense concepts into capability pilots, commercial product improvements, industry standards, and operational solutions. He also directed the Integrated Global Information Grid (GIG) IA Architecture; raising the importance of IA to all warfighting platforms resulting in multi-billion dollar increase in DOD IA investments.
At Fidelis, Harber will be directing the product strategy for the organization, ensuring that the technology developments align and complement the frameworks at the forefront of the industry.