[BreachExchange] Winning the Cybersecurity Contest

[Destry Winant]

https://securityboulevard.com/2021/03/winning-the-cybersecurity-contest/

Cybersecurity is a competitive endeavor. This contest is framed as ‘us
versus them,’ attackers versus defenders, and good guys versus bad
guys. Analogies to sporting contests are common, thus resulting in
similar descriptive language.  Given this view, it is natural to
wonder who is winning the contest.

The large number of organizations impacted by the SUNBURST backdoor
and Microsoft Exchange zero-day vulnerabilities imply we (team
cybersecurity professionals) are losing. Unrelenting ransomware
attacks also contribute to a sense of defeat. On the other hand, the
takedown of a Trickbot malware-as-a-service botnet, disruption by law
enforcement of the Emotet botnet, and closing of the DarkMarket dark
web marketplace, are positive scores in ‘our’ favor. These results on
both ends of the field make it difficult to determine who is winning.

Measure by Initiative

Based on recent events, it would appear the cybercriminals, cyber
privateers and threat actors are winning. However, there is no
definitive way to keep score in this competition. Maintaining a
running tally is not possible. It also is difficult to know how many
attacks are thwarted, and how many successful breaches remain
undiscovered. Determining who has the initiative is the optimum way to
calculate who is winning. To use the sports analogy, the key to
victory is establishing momentum. The “big mo” in this struggle
determines which side controls future actions.

In cybersecurity, owning the initiative makes the opponent work
harder. Initiative affords attackers freedom to act against multiple
opportunities. When the initiative is on the side of the defender, it
narrows the avenues open for raiders. Controlling the agenda allows
cybersecurity professionals to focus defenses in areas where an attack
would be most likely.

Strategic Priorities

Determining who is winning is less important than remaining engaged in
the fight. There are a number of activities organizations should adopt
to gain an advantage on the cybersecurity playing field.

- Prioritization: Entities need to have a good game plan. Focused
defenses require an understanding of what elements are most important.
“Organizations should build their cybersecurity strategy on
priorities,” explains Russell Norris, director of security studies
programs at Rivier University. “Leadership evaluates threats, asset
value, known vulnerabilities and risks,” Norris said. By basing a
defense-in-depth schema on these components, resources can be
allocated where they will have the greatest impact.

- Hand Off to MSSP: Organizations of all sizes are turning to managed
security services providers (MSSPs) to supplement their internal
cybersecurity operations. Partnering with an MSSP offers many
benefits. They provide an experienced team of seasoned technicians.
Through a 24x7x365 security operations center (SOC), the MSSP handles
monitoring and management of security devices, security event
analytics and provides comprehensive threat intelligence. By
offloading many day-to-day operations, the internal security team can
concentrate on more strategic projects.

- Run a Scout Team: In football, a scout team allows you to test your
squad against the opponent; organizations should do the same with
cybersecurity. Bryson Bort, CEO of SCYTHE believes companies must
practice both defensive and offensive security to capture the
initiative from cybercriminals. Real-world adversary emulation
exercises, using red and blue teams, provides insight on what could or
would happen during an attack. These simulations, coupled with
frameworks like MITRE ATT&CK, allows organizations to sharpen their
defensive strategy.

- Invest in People: People can be a critical component of security.
Integrating people as an element of the security strategy requires
creating a culture of safety and security. This can’t just be done
with periodic security awareness training. Instead, security education
must take into consideration how employees work, what their values are
and their behavioral patterns. Cybersecurity education is a long-term
effort that lays the foundation of knowledge, resulting in
intellectual buy-in and changed behavior. With proper awareness, users
will be much more involved in mitigating future risks.

- Left of Boom: When an attack does execute, it can be thought of like
an explosion. This is the “boom.” Getting “left of boom” means
identifying and disrupting the cyberattack chain before it reaches the
exploitation phase. A proactive risk management program is required.
Concentrating on activities that happen before an attack is successful
requires vulnerability assessments, threat intelligence, security
drills and strategic thinking.

The Contest Continues

Gaining and retaining the initiative in this battle requires constant
work. The negative news about recent successful attacks and breaches
can be demoralizing. However, organizations must continue working to
improve and not give up. In poker, there is a saying: with a chip and
a chair, you are still in the game. The cybersecurity community is
very much still in the game – it’s a matter of capturing the
initiative from the threat actors.