
10/8/2019 02:00 PM
Craig Harber
Commentary
For Cybersecurity to Be Proactive, Terrains Must Be Mapped

As in any battle, understanding and exploiting the terrain often dictates the outcome.

The best prevention capabilities don't lead to the best cybersecurity. The trouble is, most security teams don't even have a full understanding of the terrain they're trying to defend, which makes it impossible to move to a more effective, proactive cybersecurity posture.

As more networks incorporate the cloud and an increasing number of Internet of Things devices, the challenge of understanding the full cyber terrain is only growing. That's why now is the time for security teams to focus on knowing what they have to protect, by thinking about what their adversaries are after. Patching yesterday's problems doesn't necessarily prevent tomorrow's attack. The future is a terrain and threat landscape that is continuously shifting at a rapid pace. Security teams must focus on the specific things that the vast majority of cyber weapons systems are built to attack. And teams need the ability to definitively measure the impact of the specific assumptions, hypotheses, and decisions they make in this effort. To do any of this, they must have a complete understanding of their cyber terrain.

Understanding Cyber Terrain
The cyber terrain is the sum of all operational assets, security controls, data assets, and overall decision-making within an organization. It's a cumulative topography of an organization's cybersecurity posture. It might sound like a basic notion, but cyber terrains are difficult to understand because they're inherently malleable, changing dramatically when new capabilities are introduced, when new decisions are made, or when adversary approach vectors are closed or opened.

A lack of visibility across their entire terrain was reported as a major security pain point for 53% of organizations, according to Fidelis' "State of Threat Detection" report. This disconnect between recognizing the urgency of monitoring their networks and actually executing attempts to do so points to an industrywide gap in understanding how critical mapping out the cyber terrain truly is.

In real-world conflicts, people often rely on their home-field advantage, scoping out their entire terrain so that the enemy struggles for visibility. In cybersecurity, it's the enemies that too often have the "high ground," strategically use "cover," and generally benefit from the environment, leaving the companies they're infiltrating at a disadvantage. For example, the adversary can perform active reconnaissance of the network, such as port scans, to understand the terrain prior to an attack and, in some cases, has a better understanding of the terrain than the network defenders.

Where real-world conflict and cyberattacks diverge greatly is in the rate of adaptability. Unlike physical battlegrounds, cyber terrains change instantaneously, and so can their particular advantages. Organizations typically understand how adversaries exploit this; however, fewer understand how to turn this potential liability into a defensive advantage of their own.

Gaining a Holistic View
An organization that cannot see its entire cyber terrain will fail to defend it properly. Over 55% of organizations report lowered confidence in their ability to identify insider threats as a result of not having control over blind spots. Companies cannot defend terrain they cannot see. To correct this, enterprises must follow three key steps to gain a holistic view of their cyber terrain: discovery, mapping, and prioritizing deep visibility.

Discovery is a ballet of strategy, inventory, and evaluation. Organizations need the ability to continuously discover, classify, and assess assets — including servers, enterprise IoT, laptops, desktops, shadow IT, and legacy systems. The software installed on these individual assets must also be identified, run through vulnerability assessments, and tagged if found vulnerable. Data must be continuously collected and analyzed; otherwise, attackers can take advantage of the seams created between scans.

At a time when only about 7% of organizations believe they're using their security stack to its full capability, it's more important than ever to "Marie Kondo" the network infrastructure. After discovery, companies will be able to map out what their current and desired capabilities are, making redundancies clear. Security holes in their cybersecurity framework will also become increasingly clear, so they can operationalize capabilities against existing threat frameworks, such as the National Institute of Standards and Technology's Cybersecurity Framework, MITRE's ATT&CK framework, or the Department of Defense's DoDCAR framework. These frameworks are easily digestible for organizations struggling to inform their larger security strategy and will allow them to better assess which cyber capabilities they have and which they lack.

Companies may become complacent after gaining a thorough understanding of assets, capabilities, and vulnerabilities, but to stop here would be to forget the basic notion of how inherently malleable cyber terrains are. At this stage, enterprises must invest in deep visibility, which means they must dig through rich, indexable metadata to provide content and context around security incidents. In this way, organizations will become better able to highlight potential or existing attack vectors.
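The three steps above (continuous discovery, mapping capabilities against a threat framework, and watching the seams between scans) can be made concrete with a small inventory-reconciliation script. This is an added example written for this page, not code from the author or from Fidelis Cybersecurity; every asset, software version, advisory id and control name in it is constructed, the advisory ids are placeholders rather than real CVEs, and the tactic list is only a hand-picked subset of MITRE ATT&CK tactic names used to show the coverage calculation.

```python
"""Toy cyber-terrain inventory: reconcile discovery scans, tag vulnerable
software, flag assets that fell into the gap between scans, and map deployed
controls against framework tactics. All data below is constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed discovery snapshots: (scan time, {hostname: {"class", "software"}}).
SCANS = [
    (datetime(2019, 10, 1, 8, 0), {
        "web01": {"class": "server", "software": {"openssl": "1.0.2", "nginx": "1.14"}},
        "lt-042": {"class": "laptop", "software": {"browser": "77"}},
    }),
    (datetime(2019, 10, 8, 8, 0), {
        "web01": {"class": "server", "software": {"openssl": "1.1.1", "nginx": "1.14"}},
        "cam-07": {"class": "iot", "software": {"firmware": "2.3"}},
    }),
]

# Constructed "known vulnerable" (software, version) pairs with placeholder advisory ids.
VULNERABLE = {
    ("openssl", "1.0.2"): "ADV-PLACEHOLDER-1",
    ("firmware", "2.3"): "ADV-PLACEHOLDER-2",
}

# Constructed mapping of deployed controls to the ATT&CK tactics they cover.
CONTROLS = {
    "edr": {"Execution", "Persistence"},
    "netflow": {"Command and Control", "Exfiltration"},
    "ids": {"Command and Control"},
}
TACTICS = ["Initial Access", "Execution", "Persistence", "Command and Control", "Exfiltration"]


def reconcile(scans):
    """Merge snapshots (oldest first) into one inventory, tracking first/last seen.
    An asset missing from the newest scan keeps its last known software list."""
    inventory = {}
    for ts, hosts in sorted(scans, key=lambda s: s[0]):
        for name, info in hosts.items():
            rec = inventory.setdefault(name, {"first_seen": ts, "class": info["class"], "software": {}})
            rec["last_seen"] = ts
            rec["software"] = dict(info["software"])
    return inventory


def assess(inventory):
    """Tag each asset with the advisories matching software it currently runs."""
    findings = {}
    for name, rec in inventory.items():
        tags = [VULNERABLE[(s, v)] for s, v in rec["software"].items() if (s, v) in VULNERABLE]
        if tags:
            findings[name] = tags
    return findings


def stale_assets(inventory, now, max_gap=timedelta(days=3)):
    """Assets not observed within max_gap: the seam between scans the text warns about."""
    return sorted(n for n, r in inventory.items() if now - r["last_seen"] > max_gap)


def new_since(inventory, since):
    """Assets that first appeared after a given time (e.g. shadow IT or new IoT)."""
    return sorted(n for n, r in inventory.items() if r["first_seen"] > since)


def coverage(controls, tactics):
    """Map controls onto tactics; return (uncovered tactics, redundantly covered tactics)."""
    counts = Counter({t: sum(1 for covered in controls.values() if t in covered) for t in tactics})
    gaps = [t for t in tactics if counts[t] == 0]
    redundant = [t for t in tactics if counts[t] > 1]
    return gaps, redundant


if __name__ == "__main__":
    inv = reconcile(SCANS)
    now = datetime(2019, 10, 8, 9, 0)
    print("vulnerable:", assess(inv))
    print("stale:", stale_assets(inv, now))
    print("new:", new_since(inv, datetime(2019, 10, 1, 8, 0)))
    print("gaps, redundant:", coverage(CONTROLS, TACTICS))
```

In the constructed data, `web01` was patched between scans and drops out of the findings, `cam-07` is a newly discovered IoT device carrying vulnerable firmware, and `lt-042` has not been seen for a week, which is exactly the kind of blind spot a single point-in-time scan hides. The coverage call shows both a gap (no control covers Initial Access) and a redundancy (two controls cover Command and Control), which is the "making redundancies clear" part of the mapping step.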

Capitalize on the Advantage
Only after understanding the basic concept of the cyber terrain and fully achieving a holistic view can organizations truly capitalize on their home-field advantage. Just as in any war, organizations can strategically set up deception techniques full of ambushes and traps to prevent threat actors from causing damage. Newly emerging strategies open up a world of possibilities, allowing organizations to set up honeypots or decoys, or even leave breadcrumbs for attackers to follow. As in any battle, whether in cyberspace or not, understanding and exploiting the terrain often dictates the outcome.
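The "breadcrumbs" idea above rests on one property of decoys: a decoy account or decoy host has no legitimate user, so any authentication attempt against it is a high-fidelity alert rather than noise to be triaged. The detection side of that looks like the following. This is an added example, not code from the author or from any product the page mentions; the log format, decoy names, hosts and addresses are all constructed for illustration.

```python
"""Detect use of decoy ("breadcrumb") accounts and hosts in constructed auth logs.
Decoys have zero legitimate use, so one hit is enough to raise an alert."""
import re
from collections import Counter

# Constructed breadcrumbs seeded into the environment (hypothetical names).
DECOY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}
DECOY_HOSTS = {"fileshare-archive"}

# Constructed log format: "<ts> <host> auth: <ACCEPT|REJECT> user=<u> src=<ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>ACCEPT|REJECT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines (not real data); the last line is deliberately malformed.
SAMPLE_LOGS = """\
2019-10-08T10:01:02Z web01 auth: ACCEPT user=alice src=10.0.5.20
2019-10-08T10:02:10Z fileshare-archive auth: REJECT user=svc_backup_old src=10.0.9.77
2019-10-08T10:02:11Z fileshare-archive auth: REJECT user=admin_legacy src=10.0.9.77
2019-10-08T10:03:00Z web01 auth: REJECT user=bob src=10.0.5.21
this line is malformed and is skipped rather than crashing the detector
"""


def parse(line):
    """Return the parsed fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoy_alerts(log_text):
    """Scan log text; return (list of alerts, Counter of decoy hits per source address).
    Both ACCEPT and REJECT count: merely trying a decoy credential is the signal."""
    alerts = []
    hits_by_src = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] in DECOY_ACCOUNTS:
            reasons.append("decoy-account")
        if ev["host"] in DECOY_HOSTS:
            reasons.append("decoy-host")
        if reasons:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "user": ev["user"],
                           "host": ev["host"], "result": ev["result"], "reasons": reasons})
            hits_by_src[ev["src"]] += 1
    return alerts, hits_by_src


if __name__ == "__main__":
    found, per_src = decoy_alerts(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a['ts']} src={a['src']} user={a['user']} host={a['host']} {a['reasons']}")
    print("hits per source:", dict(per_src))
```

Because the decoy names are never handed to real users, the per-source counter doubles as a pivot for the response team: a source that touches two different breadcrumbs within a second is almost certainly enumerating the terrain, and the alert fires whether or not the attempt succeeded.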


As Chief Technology Officer at Fidelis Cybersecurity, Craig Harber directs the product strategy for the organization, ensuring that the technology developments align and complement the frameworks at the forefront of the industry. This follows a distinguished career at the ...

Comments
kratiw,
User Rank: Strategist
10/9/2019 | 10:44:15 AM
IT Asset Management - It's Not Just About Counting Things
I would strongly encourage, no, beg, IT security departments and the executive team to adopt IT asset management. IT security continues to dance around the ITAM solution, either by relegating ITAM to inventory management or by cherry-picking ITAM responsibilities. There are way too many benefits of ITAM, for the entire company, to develop silos of ITAM implementations.