How understanding attackers can help keep you ahead of them

The question of capability

Given the maturing cyber security industry and increasingly sophisticated threat landscape, it is now widely accepted that detecting and responding to attacks is as important as preventing them. This has driven rising demand for sophisticated detection controls, which – compounded by the much-discussed skills shortage – has caused many to rely on the capabilities of technology alone.

But building an effective detection capability is not straightforward. Coupled with the right technology, effective detection requires expert knowledge of attacker techniques, tactics and procedures, all of which are continuously evolving according to different attacker objectives and levels of sophistication. Dependence on technology won’t help you obtain crucial contextual insight regarding a given attack or threat actor. What’s more, the type of attacks detected by automated tools tend to be small fry when compared to the types of serious attacks executed by sophisticated adversaries.

Over-reliance on technology has provided many organizations with a false sense of detective capability. As a result, many businesses under-perform in simulated offensive exercises and real incidents. MWR’s red teams routinely go undetected in environments that are well instrumented. While some attacker activities carefully evade detective controls, and monitoring coverage is typically limited, all too often it’s a lack of comprehension that leads to the overall failure to detect attacks. So, what can be done to improve knowledge and understanding?


Your people

The skills shortage remains a top concern for the cyber security industry. Organizations are hard-pressed when it comes to finding and keeping talented cyber security professionals, in this case those able to search intelligently for attacker evidence while getting the most out of tooling. As such, rapidly upskilling staff and providing them with ongoing learning opportunities are popular – and recommended – initiatives to develop and maintain talent.

In response to skills development requirements, independent cyber security firms are formulating adaptable ways in which to share their knowledge. There is now an array of training and development programs available to analysts of all experience levels to consider. Although by no means a complete list, the table below outlines several methods of learning currently observed in the industry:

[Table: attack detection methods (methods of learning observed in the industry)]

In our experience, those sessions that include the dissemination of theoretical knowledge together with simulating attacks in a controlled environment will result in real, measurable improvements on the part of participating security monitoring teams. When executed in a way that is tailored to an organization’s infrastructure, assets and people, the benefits of such engagements are both tangible and relevant.

Moreover, rather than learning in the middle of a crisis, security personnel are given the opportunity to understand how specific attack methods could disrupt their organization. The knowledge gained will also assist with the implementation of correct use cases that are aligned to the given organization’s capabilities (internal) and threats (external). Increased resilience will result, and it can be reflected measurably by means of purple team assessments, which provide a comprehensive overview of defensive capability coupled with baselines for measuring improvement over time.

In addition to generating tangible results, training programmes should always promote an understanding of the techniques, tactics and procedures (TTPs) of modern attackers. Knowledge of attacker TTPs can help drive effective investigations, improve post-incident remediation and importantly, promote a threat hunting culture.


Working with technology

To protect business assets as quickly as possible, technology solutions are often brought into organizations without sufficient on-boarding processes or knowledgeable staff to manage them, resulting in the misinterpretation and/or neglect of critical information. For example, while many machine learning tools promise to detect and alert on anomalies that indicate genuine threats, the vast amount of data generated is often too much or too complex for most personnel to correlate and understand.

This points again to the importance of human insight and skill – detecting an attack on a single endpoint is no longer the real challenge. Rather, an analyst must determine the extent and motivation of a campaign across multiple endpoints in an environment. The technology’s functionality and the data it generates must be understood and considered in the context of a number of additional factors, such as the organization’s infrastructure and threat profile. Such knowledge is gained over time and as a result of extensive training, practice and dedication. Therefore, while immense value can be derived from technology, substantial learned knowledge on the part of the analyst is a vital prerequisite.


Applying the Kill Chain

The scramble to implement detection controls can also result in deployment without prioritization based on threat profile and real-world attacks. As a result, we often see biases such as large numbers of controls on the perimeters of IT infrastructure only. In a previous article, we highlighted how most organizations struggle to detect an attack once it has breached their perimeter. Often, this is due to a lack of appropriate detection controls and contextual insight inside the estate. Moreover, heavy investment in perimeter controls commonly results in gaps in analysts’ knowledge towards the latter stages of an attack. When an attack escalates beyond the perimeter, these knowledge gaps combine with insufficient technology to make detection and response almost impossible.


Figure 1: The Cyber Kill Chain


The familiar Lockheed Martin Cyber Kill Chain, or a derivation thereof, is an effective framework for planning, implementing and testing detection capabilities. Analysts aware of the organization’s detection capability across the full breadth of the Kill Chain will have a clear understanding of where strengths and limitations exist. Such understanding can direct further investment to specific stages of the Kill Chain, whether it be collection of logging data for improved visibility, introduction of technologies or additional use case development for automated alerting.

When mapped to the goals of an organization’s most likely threat actor (for example, an organized crime syndicate or nation state), the Kill Chain can also help to identify the areas of greater vulnerability in an organization. Training and attack simulations of varying difficulty levels across all stages of the Kill Chain will further improve the skills of analysts.
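One way to make the Kill Chain review described above concrete is to tag every detection use case with the stage it observes and the log source it depends on, then score coverage per stage. The script below is an added example written for this page, not MWR tooling; the `UseCase` fields, the perimeter/internal split of stages and the sample inventory are all assumptions constructed to show a perimeter-biased estate.

```python
from collections import Counter
from dataclasses import dataclass

# The seven stages of the Lockheed Martin Cyber Kill Chain, in order.
KILL_CHAIN = (
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
)

# Stages that perimeter-facing tooling typically observes; everything later
# happens inside the estate. This split is an assumption made for the example.
PERIMETER_STAGES = frozenset(KILL_CHAIN[:4])
INTERNAL_STAGES = frozenset(KILL_CHAIN[4:])


@dataclass(frozen=True)
class UseCase:
    """One detection use case, tagged with the stage it observes and the
    log source it depends on (hypothetical fields chosen for this example)."""
    name: str
    stage: str
    data_source: str


# Constructed inventory with a deliberate perimeter bias, as the article
# describes: plenty of inbound-facing alerting, little inside the estate.
SAMPLE_USE_CASES = [
    UseCase("Inbound port scan burst", "Reconnaissance", "firewall"),
    UseCase("Malicious attachment quarantined", "Delivery", "mail gateway"),
    UseCase("Known exploit signature on ingress", "Exploitation", "ids"),
    UseCase("Web shell upload pattern", "Exploitation", "waf"),
    UseCase("Proxy block on known C2 domain", "Command and Control", "proxy"),
]


def coverage_by_stage(use_cases):
    """Count use cases per Kill Chain stage, returning every stage (zero if none)."""
    counts = Counter(uc.stage for uc in use_cases)
    unknown = set(counts) - set(KILL_CHAIN)
    if unknown:
        raise ValueError(f"use case tagged with unknown stage(s): {sorted(unknown)}")
    return {stage: counts.get(stage, 0) for stage in KILL_CHAIN}


def uncovered_stages(use_cases):
    """Stages with no detection use case at all: the blind spots to invest in first."""
    return [stage for stage, n in coverage_by_stage(use_cases).items() if n == 0]


def perimeter_share(use_cases):
    """Fraction of use cases sitting in the perimeter stages. A value well above
    4/7 (an even spread across the seven stages) signals the perimeter bias."""
    if not use_cases:
        return 0.0
    perimeter = sum(1 for uc in use_cases if uc.stage in PERIMETER_STAGES)
    return perimeter / len(use_cases)


def single_source_stages(use_cases):
    """Stages whose entire coverage depends on one log source: if that feed
    stops (or activity never touches it) the stage is effectively blind."""
    sources = {}
    for uc in use_cases:
        sources.setdefault(uc.stage, set()).add(uc.data_source)
    return sorted(stage for stage, s in sources.items() if len(s) == 1)


def report(use_cases):
    """Human-readable summary for a capability review."""
    lines = []
    for stage, n in coverage_by_stage(use_cases).items():
        marker = "GAP" if n == 0 else f"{n} use case(s)"
        lines.append(f"{stage:<22} {marker}")
    lines.append(f"perimeter share: {perimeter_share(use_cases):.0%}")
    sources = ", ".join(single_source_stages(use_cases)) or "none"
    lines.append(f"single-source stages: {sources}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_USE_CASES))
```

Run as-is, the report flags Weaponization, Installation and Actions on Objectives as gaps and an 80% perimeter share, which is the pattern the section describes: once an intrusion moves past Exploitation, almost nothing inside the estate would raise an alert. Mapping the same inventory against a threat actor's likely objectives is then a matter of weighting the stages that actor must pass through.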



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.