As in any battle, understanding and exploiting the terrain often dictates the outcome.

Craig Harber, Chief Technology Officer at Fidelis Cybersecurity

October 8, 2019


The best prevention capabilities don't lead to the best cybersecurity. The trouble is, most security teams don't even have a full understanding of the terrain they're trying to defend, which makes it impossible to move to a more effective, proactive cybersecurity posture.

As more networks incorporate the cloud and a growing number of Internet of Things devices, understanding the full cyber terrain only gets harder. That's why now is the time for security teams to focus on knowing what they have to protect, by thinking about what their adversaries are after. Patching yesterday's problems doesn't necessarily prevent tomorrow's attack: both the terrain and the threat landscape shift continuously and rapidly. Security teams must focus on the specific assets and weaknesses that the vast majority of attack tooling is built to target, and they need the ability to measure the impact of the assumptions, hypotheses, and decisions they make along the way. None of this is possible without a complete understanding of their cyber terrain.

Understanding Cyber Terrain
The cyber terrain is the sum of all operational assets, security controls, data assets, and decision-making within an organization: a cumulative topography of its cybersecurity posture. It might sound like a basic notion, but cyber terrains are difficult to understand because they are inherently malleable, changing dramatically when new capabilities are introduced, when new decisions are made, or when adversary approach vectors are closed or opened.

A lack of visibility across their entire terrain was reported as a major security pain point for 53% of organizations, according to Fidelis' "State of Threat Detection" report. This disconnect between recognizing the urgency of monitoring their networks and actually executing attempts to do so points to an industrywide gap in understanding how critical mapping out the cyber terrain truly is.

In real-world conflicts, defenders rely on their home-field advantage, scoping out the entire terrain so that the enemy struggles for visibility. In cybersecurity, it is too often the adversary that holds the "high ground," uses "cover," and benefits from the environment, leaving the companies being infiltrated at a disadvantage. For example, an adversary can perform active reconnaissance of the network, such as port scans, to learn the terrain before an attack, and in some cases ends up with a better understanding of it than the network defenders have.

Where real-world conflict and cyberattacks diverge greatly is in the rate of adaptability. Unlike physical battlegrounds, cyber terrains change instantaneously and so their particular advantages can too. Organizations typically understand how adversaries exploit this; however, fewer understand how to weaponize this potential liability for their own protection.

Gaining a Holistic View
An organization that cannot see its entire cyber terrain will fail to defend it properly. Over 55% of organizations report lowered confidence in their ability to identify insider threats as a result of not having control over blind spots. To correct this, enterprises must follow three key steps to gain a holistic view of their cyber terrain: discovery, mapping, and prioritizing deep visibility.

Discovery is a ballet of strategy, inventory, and evaluation. Organizations need the ability to continuously discover, classify, and assess assets, including servers, enterprise IoT, laptops, desktops, shadow IT, and legacy systems. The software installed on each asset must then be identified, run through vulnerability assessment, and tagged if it is vulnerable. This data must be collected and analyzed continuously; otherwise, attackers can take advantage of the seams between scans, where an asset that appears and disappears between two scheduled scans is never seen at all.

At a time when only about 7% of organizations believe they're using their security stack to its full capability, it's more important than ever to "Marie Kondo" the network infrastructure. After discovery, companies will be able to map out what their current and desired capabilities are, making redundancies clear. Security holes in their cybersecurity framework will also become increasingly clear so they can operationalize capabilities against existing threat frameworks, such as National Institute of Standards and Technology's Cybersecurity Framework, MITRE's ATT&CK framework, or the Department of Defense's DoDCAR framework. These frameworks are easily digestible for organizations struggling to inform their larger security strategy and will allow them to better assess what cyber capabilities they have and which they lack.

Companies may become complacent after gaining a thorough understanding of assets, capabilities, and vulnerabilities, but to stop here would be to forget the basic notion of how inherently malleable cyber terrains are. At this stage, enterprises must invest in deep visibility, which means they must dig through rich, indexable metadata to provide content and context around security incidents. In this way, organizations will become better able to highlight potential or existing attack vectors.
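The three steps above, worked as a toy terrain inventory. This is an added example, not code from the article or from Fidelis: the host names, software versions, the table of "vulnerable" versions, the list of deployed capabilities and what each covers, and the set of priority techniques are all constructed assumptions for illustration (the ATT&CK technique IDs themselves are real). It shows a scheduled scanner missing a host that lives entirely inside the gap between two scans, the same host being caught by continuously collected metadata, vulnerable software being tagged on whatever was discovered, and deployed capabilities being mapped against a priority list of ATT&CK techniques to expose holes and redundancies.

```python
"""Toy cyber-terrain inventory (added example; constructed data throughout)."""
from collections import defaultdict

# Step 1, discovery: two scheduled scan snapshots (constructed, one hour apart).
# Each maps an asset to the software it exposes. Times are minutes since start.
SCANS = {
    0:  {"web-01": {"nginx": "1.14.0", "openssh": "7.2"},
         "db-01":  {"postgres": "9.6"}},
    60: {"web-01": {"nginx": "1.14.0", "openssh": "7.2"},
         "db-01":  {"postgres": "9.6"}},
}

# Step 3, deep visibility: continuously collected metadata (constructed DHCP
# lease / flow records as (minute, asset, software seen)). A contractor laptop
# appears at minute 20 and is gone by the minute-60 scan, so only continuous
# collection ever records it.
OBSERVATIONS = [
    (5,  "web-01",        {"openssh": "7.2"}),
    (20, "contractor-lt", {"openssh": "6.6", "smbd": "3.6"}),
    (35, "contractor-lt", {"openssh": "6.6"}),
    (50, "db-01",         {"postgres": "9.6"}),
]

# Constructed "vulnerable version" table; no real advisory is referenced.
VULNERABLE = {"openssh": {"6.6"}, "smbd": {"3.6"}, "postgres": {"9.6"}}

# Step 2, mapping: ATT&CK techniques each deployed capability is assumed to
# cover (assumption for the example), and the techniques the team has decided
# matter most for its terrain (also assumed).
CAPABILITIES = {
    "EDR":          {"T1059", "T1003", "T1547", "T1053"},
    "NDR":          {"T1046", "T1021", "T1071", "T1041"},
    "Mail gateway": {"T1566"},
    "SIEM rules":   {"T1059", "T1078", "T1110"},
}
PRIORITY_TECHNIQUES = {"T1566", "T1059", "T1003", "T1021", "T1078",
                       "T1486", "T1105", "T1046"}


def scan_inventory(scans=SCANS):
    """Assets as the scheduled scanner sees them: union over all snapshots."""
    seen = {}
    for _, snapshot in sorted(scans.items()):
        for asset, software in snapshot.items():
            seen.setdefault(asset, {}).update(software)
    return seen


def continuous_inventory(observations=OBSERVATIONS):
    """Assets from continuous metadata, with first/last seen and software."""
    inv = {}
    for ts, asset, software in observations:
        rec = inv.setdefault(asset, {"first": ts, "last": ts, "software": {}})
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["software"].update(software)
    return inv


def seam_assets(scans=SCANS, observations=OBSERVATIONS):
    """Assets that existed only inside a gap between two scheduled scans."""
    scanned = scan_inventory(scans)
    return sorted(a for a in continuous_inventory(observations) if a not in scanned)


def tag_vulnerable(asset_software, vulnerable=VULNERABLE):
    """Map asset -> sorted (software, version) pairs flagged as vulnerable."""
    tags = {}
    for asset, software in asset_software.items():
        hits = [(s, v) for s, v in software.items() if v in vulnerable.get(s, ())]
        if hits:
            tags[asset] = sorted(hits)
    return tags


def coverage_report(capabilities=CAPABILITIES, priority=PRIORITY_TECHNIQUES):
    """Holes: priority techniques no capability covers. Redundant: covered twice+."""
    covered_by = defaultdict(set)
    for cap, techniques in capabilities.items():
        for t in techniques:
            covered_by[t].add(cap)
    holes = sorted(t for t in priority if t not in covered_by)
    redundant = {t: sorted(c) for t, c in covered_by.items() if len(c) > 1}
    return holes, redundant


if __name__ == "__main__":
    cont = continuous_inventory()
    print("scanner saw:     ", sorted(scan_inventory()))
    print("continuous saw:  ", sorted(cont))
    print("missed by scans: ", seam_assets())
    print("vulnerable tags: ", tag_vulnerable({a: r["software"] for a, r in cont.items()}))
    holes, redundant = coverage_report()
    print("coverage holes:  ", holes)
    print("redundant cover: ", redundant)
```

The seam is the interesting part: the scheduled scanner reports a clean, stable terrain across both runs while the continuously collected metadata shows a host with two vulnerable services that was reachable for a quarter of an hour. The coverage report is the mapping step in miniature: techniques two tools both claim are candidates for consolidation, and priority techniques nobody claims are the holes to fund next.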

Capitalize on the Advantage
Only after understanding the basic concept of the cyber terrain and fully achieving a holistic view can organizations truly capitalize on their home-field advantage. Just as in any war, organizations can strategically set up deception techniques full of ambushes and traps to prevent threat actors from causing damage. Newly emerging strategies open up a world of possibilities, allowing organizations to set up honeypots or decoys or even leave breadcrumbs for attackers to follow. As in any battle, whether in cyberspace or not, understanding and exploiting the terrain often dictates the outcome.


About the Author(s)

Craig Harber

Chief Technology Officer at Fidelis Cybersecurity

As Chief Technology Officer at Fidelis Cybersecurity, Craig Harber directs the product strategy for the organization, ensuring that the technology developments align and complement the frameworks at the forefront of the industry. This follows a distinguished career at the National Security Agency (NSA), and most recently USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance, having far reaching strategic impact across the Department of Defense (DoD) and Intelligence Community (IC).

During his career at the NSA, Harber earned a reputation as a respected authority on technical strategies to fully integrate and synchronize investments in cybersecurity capabilities. He invented the threat-based cybersecurity strategy known as NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR), transformed Active Cyber Defense concepts, and directed the Integrated Global Information Grid (GIG) IA Architecture; raising the importance of IA to all warfighting platforms resulting in multibillion-dollar increase in DoD IA investments.

