It is evident that organisations are struggling to prevent cyber attacks, despite significant investment. There is also growing realization that reliably detecting attacks is extremely difficult, with only one in five attacks being detected within a week after compromise (Verizon DBIR).
Effective detection is critical to establishing your cyber resilience. Responding to and recovering from an attack is largely contingent on the reliable, timely detection of a range of threats. We believe many organisations face the following detection challenges:
Modern attack techniques such as phishing are routinely successful at bypassing perimeter controls. If the attack isn’t detected at the perimeter, or by the user, most organisations struggle to prevent an attacker’s subsequent actions. It is therefore imperative that organisations turn their focus to post-exploitation detection: hunting for the steps an attacker within their environment must take to achieve their objectives.
While attention is shifting from the perimeter, to network level detection, to endpoint visibility, most organisations’ approaches remain over-reliant on automated technology. They expect the deployed technology to detect threats and serve them with alerts, using increasingly sophisticated analysis techniques, from event correlation and heuristics to machine learning.
Yet monitoring technology can be manipulated, and blind spots in coverage can be exploited. It is therefore not surprising that technology can be defeated or evaded by attackers skilled in breaking it.
Many organisations have codified procedures for detecting attacks against their infrastructure, based on a short list of expected attack activity. However, the threat landscape and the actors within it evolve at such a rapid pace that many detection processes quickly become obsolete.
So, how can organisations get better at detecting advanced threats, especially considering the skills shortage that many are facing?
Until recently, the opportunities to assess detection capability were limited. Clearly organisations do not want to wait for an incident to learn of control failures. Red team exercises do provide a safer learning opportunity, yet they typically focus on a narrow set of activities and fail to provide a broader appraisal of detection capability. And conventional assessments of security monitoring teams tend to focus on operational efficiency rather than effectiveness: doing things well, without necessarily doing the right things.
There are increasing opportunities to apply technological solutions to the challenges above, in different and more useful ways. One area is offensive security skills, a scarce yet integral part of building an effective detection capability.
In a post-exploitation situation, a defender needs to understand the stage an attacker is at and, crucially, what their next move might be. This allows you not only to anticipate and intervene, but also to go back and search in the right places for further information. Decisive action based on a clear understanding of the situation is more likely to result.
Organisations have slowly woken up to this and are trying to bring the attacker mindset into their monitoring teams, either in the form of ‘purple teams’, where red team testers collaborate with the blue team, or through automated red teaming. At the heart of both approaches is the appetite to expose the monitoring team to more attacker tactics, techniques and procedures, including post-exploitation strategies. Maximising the learning opportunities here is key for development.
MWR’s experience and technical research has resulted in specific detection tools that have the potential to provide a much broader and more complete picture of the possible attack paths in your estate. In addition, your organisation’s ability to detect a range of attacker activities across the lifecycle of a modern attack is revealed, allowing you to properly equip your team with the capabilities and tools required.
Automated red teaming forms part of our detection toolset. However, as with many tools, it has to be deployed in the right way to be really useful. It’s a technological solution to a human problem, and it’s not possible to completely emulate a creative, unpredictable human adversary with technology. But by supplementing your human red teams with these automated tools, you can give yourself an even broader view of the weaknesses in your estate.
It’s no longer about simply understanding whether or not it’s possible to infiltrate your organisation. Rather, it’s about using every weapon in your armoury to understand as complete a picture as possible of all the ways an attacker might attempt to get in.
There are two key questions to ask yourself about possible attacks and your ability to detect them:
To accurately detect and respond to attacks you need both the possibility and the ability to see what’s happening. Only with both of these factors in place can you get true visibility across your estate. Possibility can be supplemented with automation, but ability only comes from highly skilled human intervention.
It’s right to take a broad view of your detection capability and to leverage the opportunities presented by automation wherever possible. However, it’s important not to fall into the trap of thinking that automation alone is enough, or that your problems can be solved in a purely automated way.
Automation provides excellent opportunities for testing your detection capability, but skilled human intervention is still indispensable to be truly effective at both detection and response.