Elevating visibility: The stabilizing force in responsive cyber defense
Agencies need a threat-informed defense approach that leverages global adversary signals and early warning capabilities to defend against cyber threats.
Recently, MITRE disclosed the impact of the Ivanti Connect Secure zero-day vulnerabilities in compromising one of their virtualized networks. The cyberattack allowed session hijacking that circumvented multi-factor authentication, which eventually led to persistence and to command and control (C2) through backdoors and webshells. This cyber effect is called “Security Control Gravity”: the force that exploitable software vulnerabilities and misconfigurations exert on security controls, circumventing and eroding them over time. Improving the efficacy of security controls, and how they are implemented so that they are resilient against cyberattacks, should be a key initiative of government and industry research, in order to better understand the impact this gravity has on security controls failing.
We cannot wait for security controls to fail
What is known to be true is that security controls will fail, and that all software has vulnerabilities, including known common vulnerabilities and exposures (CVE) that can be exploited, as well as a significant number of common weakness enumeration (CWE) entries that could expose vulnerabilities in software. As a result, keeping a pulse on how these security controls perform, and on the active threats targeting the organization, through continuous monitoring is imperative for elevating visibility and being more responsive to cyberattacks. To keep pace with threat actors’ activities, organizations cannot fail to elevate their visibility into threat actors’ behaviors and activities.
Elevating visibility must be the constant and stabilizer in disrupting threat actors. This means formalizing a threat-informed defense approach that leverages global adversary signals and early warning capabilities to peer into imminent and likely threats targeting the organization. Most organizations are detecting threat activity too late in MITRE’s adversarial tactics, techniques and common knowledge (ATT&CK) lifecycle due to the lack of visibility. This reactive security posture plagues many organizations and creates ample dwell time for threat actors to gain a foothold, find sensitive data and exfiltrate it.
To the left, to the left
Now is the time to shift to responsive approaches in which elevated visibility anchors the disruption of threat actors. It is important to establish clear lines of visibility left of initial access and to peer into the reconnaissance and resource development activities performed by threat actors. To disrupt threat actors, organizations must gain visibility into reconnaissance and resource development activities before threat actors are able to gain a foothold in the environment. These activities provide signals that can be used to hunt for threat actors’ activities and establish the ability to identify warnings of attack (WoA) and warnings of compromise (WoC).
Active and actionable threat intelligence
WoAs are inbound global adversary signals that indicate, in near real time, an adversary attack on or compromise of critical mission assets and resources. WoA is based on high-fidelity machine analysis of far-space telemetry, such as covert operations, honeypots, border gateway protocol (BGP) data and threat intelligence, to provide early warning detection of imminent attacks targeting an organization. Threat actors have been leveraging reconnaissance for targeted attacks on organizations (as seen with the MITRE Ivanti cyberattack), given the amount of breach data on the dark web, the wealth of personal information people share on their social media sites, and the rise of artificial intelligence in threat actors’ arsenal to accelerate and fine-tune their offensive campaigns. Spear phishing, for example, can be tailored to look real and legitimate, as if it were coming from people you trust and know, like family and friends. As threat actors spin up infrastructure on cloud resources to mimic an organization’s domains and launch phishing attempts, gaining visibility into these activities is essential for formalizing early warning capabilities.
WoCs are outbound signals from assets and resources that indicate suspicious communication and demonstrate compromised behavior. WoC is based on adaptive risk profiling and contextual analysis to identify and monitor communication pathways to known infrastructure controlled by adversaries, or to infrastructure supporting compromised assets and resources. This allows organizations to detect C2, botnet activity, data exfiltration attempts, and ransomware behavior and activity associated with emerging threats. Using global adversary signals pinpoints threat actors’ campaigns and allows organizations to hunt for those signals without having an obvious indicator of compromise (IoC) to look for. Today’s threats are stealthier and are designed to evade cyber defenses; WoC provides a way to elevate visibility in the face of changes and improvements in threat actors’ tradecraft.
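As an added illustration of hunting for a WoC-style outbound signal without any destination IoC (example code written for this article, not OpenText's or the author's), the following flags hosts whose connections to one destination recur at near-constant intervals, a behavioral C2 beaconing signal. Host names, addresses, flow records and the jitter threshold are constructed assumptions.

```python
"""WoC-style hunt over constructed outbound flow records: flag hosts whose
outbound connections to one destination recur at near-constant intervals
(beaconing). No destination IoC is required; timing alone is the signal."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src_host, dst_ip, dst_port, bytes_out)
# ws-17 talks to 203.0.113.9 roughly every 60s (beacon-like); the other
# pairs are irregular, interactive-looking traffic.
FLOWS = [
    (1000, "ws-17", "203.0.113.9", 443, 512),
    (1060, "ws-17", "203.0.113.9", 443, 520),
    (1121, "ws-17", "203.0.113.9", 443, 508),
    (1180, "ws-17", "203.0.113.9", 443, 515),
    (1241, "ws-17", "203.0.113.9", 443, 511),
    (1300, "ws-17", "203.0.113.9", 443, 519),
    (1005, "ws-17", "198.51.100.20", 443, 40210),
    (1900, "ws-17", "198.51.100.20", 443, 12890),
    (1010, "ws-22", "198.51.100.20", 443, 3000),
    (1040, "ws-22", "198.51.100.20", 443, 80000),
    (1400, "ws-22", "198.51.100.20", 443, 1200),
    (2100, "ws-22", "198.51.100.20", 443, 6400),
]


def beacon_candidates(flows, min_events=5, max_jitter=0.10):
    """Return (src, dst, port, mean_interval_s) for (src, dst, port) pairs
    whose inter-arrival times have low relative spread (stdev / mean).
    min_events and max_jitter are assumed tuning values, not vendor defaults."""
    series = defaultdict(list)
    for ts, src, dst, port, _bytes in flows:
        series[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_events:      # too few events to judge periodicity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, port, interval in beacon_candidates(FLOWS):
        print(f"WoC candidate: {src} -> {dst}:{port} every ~{interval}s")
```

In a real deployment the candidate list would be enriched with the adaptive risk profile of the source host and the reputation of the destination before an analyst acts on it.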
Visibility cannot fail
While threat intelligence is good to formalize and leverage in operational environments, it is typically based on what has already happened, on things that are already in the wild. Responsive cyber defense calls for actionable threat intelligence based on global adversary signals that warn of imminent and impending cyberattacks – what is happening now, informed by what has already happened in the past. Evolving the state of practice from hunting IoCs and indicators of attack to hunting for signals, leveraging WoA and WoC capabilities, is essential for formalizing responsive cyber defense. This will put organizations in a better position to anticipate, adapt and evolve against threat actors’ capabilities.
Security controls will fail; visibility cannot. Hunt, or be hunted.
Kevin Greene is a public sector expert at OpenText Cybersecurity.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.