On February 20th, at the Idaho Technology Council's SPARK series, James McCarter described the problem with companies playing whack-a-mole against malicious hackers, and the importance of knowing your enemy. James treated us to an action-packed dive into cyber threats and how to position your company for the best possible defense against them.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
- The Art of War, Sun Tzu
Security is a constantly changing world. With nation-state and international threat groups gaining traction, now is the time to build defense around adversary-focused frameworks such as MITRE ATT&CK™, top-down, threat-based defenses, and stopping "the hack" first in order to determine how best to posture an organization's defenses. Building cyber hygiene through academic approaches and checking off boxes is not enough. “We need to be focusing on stopping the attack.”
It is important to approach the cyber adversary with the same scrutiny as any other criminal: understand their motives and assess their opportunities.
Turning to motives: adversaries start by assessing a company and looking for initial access, most commonly through some form of social engineering. Once they are in, they execute an attack that is financially driven, politically motivated, or simply the exploitation of a target of opportunity.
Understanding your company's weaknesses is critical to knowing how the latest threats and trends apply to your gaps in coverage. One of the main issues in cyber security preparedness is working through and mitigating risks. Using Drive-by Compromise (an ATT&CK initial-access technique) as an example, McCarter walked through assessing gaps in coverage: “Consider with your team, are we doing any application isolation and sandboxing? Are we updating our software, patch management, vulnerability management? Rate them,” says McCarter. Document your capabilities and evaluate credential access, including what your anti-virus solution is actually capable of catching. Do you track the credentials of current and former employees? How many admins do you have on your networks? Ask your team: are you logged into a site with your admin account when what you are doing does not require admin access? Have two separate accounts, and use the admin account only when absolutely necessary.

James suggests companies identify the most pervasive threats, their undertones, and the adversary's common tactics and methods; then tailor the defense to focus first on your weak points and easily solvable gaps, and finally match them against the adversary's strong points. Understand your own network, and structure its environment to widen the adversary's OODA loop (slow down their observe-orient-decide-act cycle) at every step.
“The adversary is human,” James explains. “Humans will take the path of least resistance—they will take the low-hanging fruit. If we keep that in mind when we are playing defense, we will start with the upper hand.”
“Use intelligence to inform how to posture your network defenses. A hack is a campaign. It's not what we see in the movies, *click*click*click*, I'm in. It doesn't work that way. It is a process. They have to get initial access. They have to move laterally, escalate privileges, clean up their tracks, etc. There's a lot of opportunity to find the adversary within their campaign. The average adversary lives on the network for an average of 200 days before anyone finds them,” according to McCarter.
Risks must be catalogued! When dealing with adversary threats, a company's defenders need a common conduit for communicating about and defending against adversary tactics and methodology. If your customer database could be compromised, what would you do to protect it? How much would a breach cost your company? Assessing these costs and making changes can make it easy to justify an investment in cyber security. “Map it out,” says McCarter.
As you make improvements to asset management, the risk profile improves across the board. The likelihood of a successful attack is lowered with every risk assessment you act on. A threat intelligence team can report on the areas you need to be searching, assessing high-value, high-risk targets. Make these configuration changes, and your cross-functional teams now have a common project.
McCarter suggests sending executives the message that there is a level of risk to the entire organization. Over time you can show that the risk profile ‘went from here to there’, in a way that lets executives see you are making progress. “As you are making improvements, the threat environment changes. With a risk profile, we can show how impactful the new tactics are as the threat landscape changes and gets more scary. Impact analysis and risk assessments give us a way to prioritize and triage the important information,” says McCarter.
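The gap assessment McCarter describes (rate each mitigation, find the weak points and the easily solvable gaps, catalogue the risk against the cost of a breach, and show executives the profile moving ‘from here to there’) can be kept as a small, scriptable catalogue. The following is an added example written for this recap, not code from the talk or from the Idaho Technology Council. It uses ATT&CK technique and mitigation names, but the technique-to-mitigation mapping is abbreviated for illustration (take the full list from ATT&CK itself), every rating, likelihood and cost is constructed sample data, and the way it combines per-technique exposure into a single compromise probability (treating techniques as independent paths) is a simplifying assumption made for the example.

```python
"""Coverage-gap and risk-profile assessment, in the shape the talk describes.

Added example (not code from the talk or from the Idaho Technology Council).
Technique and mitigation names follow MITRE ATT&CK naming, but the mapping is
abbreviated, and every rating, likelihood and cost is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Rating of a mitigation as it exists in *your* environment (the "rate them" step):
# 0 = not in place, 1 = partial / ad hoc, 2 = deployed but not verified, 3 = deployed and tested.
MAX_RATING = 3


@dataclass
class Technique:
    name: str
    tactic: str                  # campaign phase (ATT&CK tactic) the technique belongs to
    likelihood: float            # 0..1: how often threat intel sees your adversaries use it
    mitigations: Dict[str, int] = field(default_factory=dict)  # mitigation -> rating

    def coverage(self) -> float:
        """Share of the available mitigation rating you have actually achieved (0..1)."""
        if not self.mitigations:
            return 0.0
        return sum(self.mitigations.values()) / (MAX_RATING * len(self.mitigations))

    def exposure(self) -> float:
        """Residual exposure: adversary interest in the technique times your uncovered share."""
        return round(self.likelihood * (1.0 - self.coverage()), 3)


def gap_report(techniques: List[Technique]) -> List[Tuple[str, str, float, str, int]]:
    """Techniques ordered by residual exposure, each with its weakest-rated mitigation."""
    rows = []
    for t in sorted(techniques, key=lambda t: t.exposure(), reverse=True):
        weakest = min(t.mitigations, key=t.mitigations.get)
        rows.append((t.tactic, t.name, t.exposure(), weakest, t.mitigations[weakest]))
    return rows


def compromise_probability(techniques: List[Technique]) -> float:
    """Probability that at least one technique succeeds, treating them as independent
    paths to the asset (a simplifying assumption made for this example)."""
    p_all_fail = 1.0
    for t in techniques:
        p_all_fail *= 1.0 - t.exposure()
    return round(1.0 - p_all_fail, 3)


def expected_loss(techniques: List[Technique], breach_cost: float) -> float:
    """'How much would a breach cost?' weighted by how likely it is: the number for executives."""
    return round(breach_cost * compromise_probability(techniques), 2)


def apply_improvement(techniques: List[Technique], mitigation: str, new_rating: int) -> List[Technique]:
    """Copy of the catalogue with `mitigation` raised to `new_rating` everywhere it appears."""
    improved = []
    for t in techniques:
        mits = dict(t.mitigations)
        if mitigation in mits and mits[mitigation] < new_rating:
            mits[mitigation] = new_rating
        improved.append(Technique(t.name, t.tactic, t.likelihood, mits))
    return improved


def rank_improvements(techniques: List[Technique], costs: Dict[str, float]):
    """For each candidate mitigation: the drop in compromise probability if it were brought to
    MAX_RATING, and that drop per unit of (constructed) cost. Cheap, high-impact gaps come first."""
    base = compromise_probability(techniques)
    ranked = []
    for mitigation, cost in costs.items():
        gain = base - compromise_probability(apply_improvement(techniques, mitigation, MAX_RATING))
        ranked.append((mitigation, round(gain, 3), cost, round(gain / cost, 4)))
    ranked.sort(key=lambda r: r[3], reverse=True)
    return ranked


# Constructed sample catalogue: five techniques spanning the phases of a campaign.
CATALOGUE = [
    Technique("Drive-by Compromise", "Initial Access", 0.6, {
        "Application Isolation and Sandboxing": 0, "Update Software": 1,
        "Exploit Protection": 2, "Restrict Web-Based Content": 1}),
    Technique("Phishing", "Initial Access", 0.9, {
        "User Training": 2, "Antivirus/Antimalware": 2, "Restrict Web-Based Content": 2}),
    Technique("Valid Accounts", "Privilege Escalation", 0.7, {
        "Privileged Account Management": 1, "Multi-factor Authentication": 1,
        "Account Use Policies": 0}),
    Technique("Remote Services", "Lateral Movement", 0.5, {
        "Network Segmentation": 1, "Multi-factor Authentication": 1}),
    Technique("Indicator Removal", "Defense Evasion", 0.4, {
        "Remote Data Storage": 0, "Restrict File and Directory Permissions": 2}),
]
# Constructed relative effort to bring each mitigation to MAX_RATING.
IMPROVEMENT_COSTS = {
    "Application Isolation and Sandboxing": 3, "Update Software": 2,
    "Multi-factor Authentication": 4, "Privileged Account Management": 2,
    "Account Use Policies": 1, "Remote Data Storage": 2,
}
CUSTOMER_DB_BREACH_COST = 2_500_000  # constructed: cost of a customer-database breach

if __name__ == "__main__":
    for tactic, name, exp, weakest, rating in gap_report(CATALOGUE):
        print(f"{tactic:<21} {name:<22} exposure={exp:.3f}  weakest: {weakest} ({rating}/{MAX_RATING})")
    print(f"\nexpected loss now: ${expected_loss(CATALOGUE, CUSTOMER_DB_BREACH_COST):,.0f}")
    for mitigation, gain, cost, ratio in rank_improvements(CATALOGUE, IMPROVEMENT_COSTS):
        print(f"  raise {mitigation:<37} -{gain:.3f} probability for effort {cost} (ratio {ratio})")
    # The 'went from here to there' view once one improvement lands:
    after = apply_improvement(CATALOGUE, "Application Isolation and Sandboxing", MAX_RATING)
    print(f"expected loss after sandboxing: ${expected_loss(after, CUSTOMER_DB_BREACH_COST):,.0f}")
```

Running it prints the gap report ordered by residual exposure and tagged with the campaign phase, the expected loss against the customer database, the candidate improvements ranked by probability reduction per unit of effort (with this sample data the cheap account-use-policy fix comes out on top, which is the "easily solvable gaps first" point), and the expected loss after one improvement lands. Re-rating and re-running after each change gives the ‘went from here to there’ trend; updating the likelihoods from threat intelligence is how the same profile tracks a changing landscape.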
For More Information:
To Contact James McCarter: firstname.lastname@example.org
To Contact The Idaho Technology Council for membership inquiries: email@example.com