Cyber attack detection challenges and how to meet them.

It is evident that organisations are struggling to prevent cyber attacks, despite significant investment. There is also growing realization that reliably detecting attacks is extremely difficult, with only one in five attacks being detected within a week after compromise (Verizon DBIR).

Effective detection is critical to establishing your cyber resilience. Responding to and recovering from an attack is largely contingent on the reliable, timely detection of a range of threats. We believe many organisations face the following detection challenges:

Excessive focus at the perimeter

Modern attack techniques such as phishing are routinely successful at bypassing perimeter controls. If the attack isn’t detected at the perimeter, or by the user, most organisations struggle to prevent an attacker’s subsequent actions. It is therefore imperative that organisations turn their focus to post-exploitation detection; hunting for the steps an attacker within their environment must take to achieve their objectives.

Over-reliance on technology

While attention is shifting from the perimeter, to network level detection, to endpoint visibility, most organisations’ approaches remain over-reliant on automated technology. They expect the deployed technology to detect threats and serve them with alerts, using increasingly sophisticated analysis techniques, from event correlation and heuristics to machine learning.

Yet monitoring technology can be manipulated, and blind spots in coverage can be exploited. It is therefore not surprising that technology can be defeated or evaded by attackers skilled in breaking it.

Obsolete detection processes

Many organisations have codified procedures for detecting attacks against their infrastructure, based on a short list of expected attack activity. However, the threat landscape and the actors within it evolve at such a rapid pace that many detection processes quickly become obsolete.

So, how can organisations get better at detecting advanced threats, especially considering the skills shortage that many are facing?

The opportunity to assess your detection capability

Until recently the opportunities to assess detection capability were limited. Clearly organisations do not want to wait for an incident to learn of control failures. Red team exercises do provide a safer learning opportunity, yet they typically focus on a narrow set of activities, and fail to provide a broader appraisal of detection capability. And conventional assessments of security monitoring teams tend to focus on operational efficiency rather than effectiveness; doing things well, without necessarily doing the right things.

There are increasing opportunities to apply technological solutions to the challenges above, in different and more useful ways. One area is offensive security skills, a scarce yet integral part of building an effective detection capability.

In a post-exploitation situation, one needs to understand the stage an attacker is at, and crucially what their next move might be. This allows you as a defender not only to anticipate and intervene, but also to go back and search in the right places for further information. Decisive action based on a clear understanding of the situation is more likely to result.

Specific detection tools

Organisations have slowly woken up to this and are trying to bring the attacker mindset into their monitoring teams, either in the form of ‘purple teams’, where red team testers collaborate with the blue team, or through automated red teaming. At the heart of both approaches is the appetite to expose the monitoring team to more attacker tactics, techniques and procedures, including post-exploitation strategies. Maximising the learning opportunities here is key for development. 

MWR’s experience and technical research has resulted in specific detection tools that have the potential to provide a much broader and more complete picture of the possible attack paths in your estate. In addition, your organisation’s ability to detect a range of attacker activities across the lifecycle of a modern attack is revealed, allowing you to properly equip your team with the capabilities and tools required.

Automated red-teaming forms part of our detection toolset. However, as with many tools, it has to be deployed in the right way to be really useful. It’s a technological solution to a human problem and it’s not possible to completely emulate a creative, unpredictable human adversary with technology. But, by supplementing your human red-teams with these automated tools, you can give yourself an even broader view of the weaknesses in your estate.

It’s no longer about simply understanding whether or not it’s possible to infiltrate your organisation. Rather, it’s about using every weapon in your armoury to understand as complete a picture as possible of all the ways an attacker might attempt to get in.  

Our recommendation

There are two key questions to ask yourself about possible attacks and your ability to detect them:

  1. Can you see a potential attack? Do you have the right telemetry? (POSSIBILITY)
  2. Would you see it? Do you have the right skills and resources to use the telemetry to understand what is happening on your estate? (ABILITY)

To accurately detect and respond to attacks you need both the possibility and the ability to see what’s happening. Only with both of these factors in place can you get true visibility across your estate. Possibility can be supplemented with automation, but ability only comes from highly skilled human intervention.

It’s right to take a broad view of your detection capability and to leverage opportunities presented by automation wherever possible. However, it’s important not to fall into the trap of thinking that automation alone is enough or that your problems can be solved in an automated way.

Automation provides excellent opportunities for testing your detection capability, but skilled human intervention is still indispensable to be truly effective at both detection and response. 
