[BreachExchange] Has your security evolved to counter Ocean’s Eleven of threat scenarios?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 26 19:05:58 EDT 2018


https://www.helpnetsecurity.com/2018/06/25/assessing-cyber-threat-mitigation-landscape/

In assessing how the cyber threat and mitigation landscape has evolved over
time, I often think of the ways that “cops and robbers” movies have
changed: In the old days, a typical scene would feature a bad guy walking
into a bank with a note indicating that he had a gun, and that he wanted
what was in the safe. He’d hand over the note to a teller, and then walk
out with bundles of cash.

Now fast-forward to how a more modern film like Ocean’s Eleven depicts
heists: There are no handwritten notes. George Clooney, Brad Pitt and their
crew spend weeks meticulously casing a targeted casino and develop an
intricate, multi-layered plan to get to the vault – a plan which involves
overcoming or otherwise “working around” security cameras,
biometrics-enabled locks and a formidable laser-detection system. The
gang’s countermeasures and tools include technological sabotage, disguises
and even a powerful electromagnetic machine which temporarily triggers a
massive blackout throughout the Las Vegas strip.

As in the movies, the “bad guys versus good guys” dynamic of cyber attacks
has gotten much more complicated. In the past, hackers only had to
compromise one vulnerability to gain entry, i.e., break into one “safe” and
walk away with everything the bank had to offer. Once the enterprise
recognized the vulnerability, it came up with better “alarms and locks”
(such as monitoring tools and firewalls) to protect itself. Back then, this
sequence of events sufficed as good, basic cybersecurity hygiene.

However, over the years, hackers have grown increasingly sophisticated,
prompting cybersecurity leaders to “up their game” implementing controls
across their networks, operating systems, and applications – with public
cloud providers introducing additional safeguards – to considerably expand
the enterprise mitigation and control portfolio.

But, like our Ocean’s Eleven guys, they eventually find a way. In endless
Spy vs. Spy scenarios played out every day, enterprises invest in
countermeasures and strategies to keep cyber crooks from infiltrating
machines, apps and systems, and the cyber crooks continue to figure out how
to circumvent them.

Any network can be compromised given time and money, but not every network
is worth the effort for the cybercriminals. Sadly, the largest share of
successful attacks is often purely “spray-and-pray”, where the victim has
done nothing more than simply be connected to the Internet running
vulnerable software. In these cases, you aren’t being targeted for who you
are, but simply because the opportunity was there. That being said, many
times these compromises start off with one objective – joining your
computer to a botnet, using it to mine cryptocurrency, or sending spam – and
in some cases the access is then resold as an entry point into your
organization’s network.

For this reason, adopting a risk-based approach to securing your
organization is paramount to ensuring you invest your time, money and
resources in an effective way: Understanding the balance between the
seriousness of threats to your environment and the appropriateness of the
controls you can use to thwart or mitigate them.

But there are proven best practices to help contain and minimize the
consequences:

Know your enemy

Identify what you have, and who wants it. To extend our “cops and robbers”
analogy, if you run a liquor store, you need to worry about the stick-up
men, not cat burglars. That’s why you approach security differently for an
e-commerce company, as opposed to an aerospace manufacturer. Both have data
that is appealing to attackers, but getting to the data requires various
techniques and levels of determination.

When you map your cyber assets and profile the type of adversary who would
seek to take them, you are better prepared to implement countermeasures
commensurate with the resources of your adversaries.

Identify gaps

Sweep through the entire enterprise’s cyber ecosystem to uncover all
weaknesses and gaps which exist. Ask “Where are the most likely – and
‘easy’ – attack surfaces? These will be attacked by even the most
unsophisticated of adversaries. How do we reduce these attack surfaces?”
Understand and record the technologies you use, and monitor for patch
releases. The most effective cybersecurity hygiene begins with knowing your
network and mitigating its threats.

Adopt risk-based strategies

Via a thoroughly conceived risk-based strategy, company leaders inventory
assets contained within systems, apps and devices and prioritize their
importance. With this, they devote the most time, energy and resources to
the assets of the highest value. Assets which represent an “acceptable”
level of risk/loss receive less attention.

The balance is a careful one though – at some point you need to understand
the linkage of your less critical systems to your truly critical ones… If a
non-critical server is compromised, how will you know that the cancer isn’t
spreading? Thus, you have to anticipate what is most likely to be targeted,
and reinforce against those attacks. Run the same tools against your
website that you see attackers deploying, and patch up for known
vulnerabilities.

Monitor everything

Good cyber hygiene is all about awareness. With 24/7/365 monitoring
enterprise-wide, organizations stay on top of the latest threat that has
“entered the building” and immediately and effectively respond by
containing and/or removing it. In other words, the threat may have “gotten
through one door,” but proactive monitoring and response will keep it from
getting beyond additional ones.

As demonstrated over time during robberies and cyber attacks, we realize
that bad guys will “enter the building.” They could possibly reach a
“vault” or “steal the liquor.” In the former, we’d need time-based locks
and pressure sensitive tiles to alert our 24/7 security services and the
police.

In the latter situation, the store owner needs to invest in a capable alarm
system, train employees on robbery response and even magnetically “tag”
bottles to deter shoplifters and “stick-up” men. Similarly, if we adopt a
risk-based strategy and security monitoring, we can deter adversaries from
getting in and, when they bypass the controls, from escaping with a bagful
of loot – in this case, private and/or proprietary information – even if
we’re dealing with bad guys who are as clever as the Ocean’s Eleven crew.