Not all security teams are born equal. Each organization has a
different objective.
In cybersecurity, adopting a proactive approach is not just a
buzzword. It actually is what makes the difference between staying
behind attackers and getting ahead of them. And the solutions to do
that do exist!
Most attacks succeed by taking advantage of common failures in
their target’s systems. Whether new or old, known or unknown,
attacks leverage security gaps such as unpatched or uncharted
vulnerabilities, misconfigurations, out-of-date systems, expired
certificates, human errors, etc.
As attackers rely on a range of automated offensive testing
tools to scan their targets’ attack surfaces and propagate inside
their network, a purely reactive defensive stance based on
detection and response is increasingly likely to be overwhelmed by
an attack.
The logical tactical move is to emulate attackers’ TTPs and
behaviors beforehand by integrating attack simulation tools to
continuously validate the impermeability of the attack surface as a
whole, the efficacy of security controls, as well as access
management and segmentation policies, etc.
As cyber attackers typically move on to the next target when
they meet a challenge, organizations that have already implemented
proactive tools and processes benefit twice. Run-of-the-mill cyber
attackers are frustrated and deterred, and attackers targeting them
specifically have to work much harder to find a way in without
detection and progress unimpeded within the network.
These organizations’ mature, forward-looking cyber security
thinking puts them ahead of the curve in terms of
impregnability.
Practically, there are different angles from which to look at
and integrate attack simulation tools, and they vary depending on
your objectives, such as the following.
► Boosting prevention capabilities
Using a Breach and Attack Simulation (BAS) solution continuously
validates your security controls’ efficacy, provides actionable
remediation guidance for uncovered security gaps, and optimizes the
remediation prioritization[1] efforts in line with the attack
success likelihood uncovered through attack simulations.
When available in a BAS solution package, integrated immediate
threat intelligence further elevates resilience against emerging
threats by automatically verifying your system’s ability to thwart
such new threats and providing preventative recommendations to plug
any uncovered security gap that could be leveraged by those new
threats.
► Strengthening Detection and Response
Running automated recon attacks shores up your attack surface
management procedure by uncovering all exposed assets, including
long-forgotten or clandestinely added shadow IT, while integrating
continuous outside-in attack simulation[2] capabilities with your
SIEM/SOAR tool stack shines a bright light on its limits and flaws.
By granularly comparing the progression of simulated attacks
launched with the proportion of those detected and stopped, it
gives a clear, comprehensive picture of the detection and response
array’s actual efficacy.
With a detailed map of security gaps and capability
redundancies, rationalizing the tool stack by implementing
recommended tool configuration fixes and eliminating redundant
tools positively impacts detection and response and, as a bonus,
prevents environmental drift.
Once integrated, these capabilities can also be used to run
in-house Incident Response exercises with minimal preparation
required and at zero extra cost.
► Customizing risk management
Incorporating security validation into organizational risk
management and GRC procedures, and providing continuous security
assurance accordingly, may require customizing the off-the-shelf
attack scenarios that validate the security controls, as well as
the outside-in attack campaigns.
A Purple Teaming Framework with template attacks and modular
widgets to facilitate ad hoc attack mapping saves red teams hours
of grunt work, which maximizes the use of in-house red teams and
accelerates scaling up their operations without requiring
additional resources.
When starting from zero in-house adversarial capabilities, the
recommended progression to integrate security validation solutions
is to:
1 — Add security control validation capabilities
Tightening security controls configuration is a crucial element
of preventing an attacker who gained an initial foothold in your
system from propagating through your network. It also provides some
protection against zero-day attacks and some vulnerabilities that
take advantage of misconfigurations or leverage security gaps found
in vendors’ default configurations.
2 — Integrate with SIEM/SOAR and verify SOC procedures’ efficacy
As mentioned in the “Strengthening Detection and Response”
section above, integrating security validation solutions with your
SIEM/SOAR array improves its efficacy and your overall security. The
data produced can also be used to optimize the people and process
aspects of the SOC by ensuring that the team’s time is focused on
the tasks with the highest impact instead of investing their best
energy in protecting low-value assets.
3 — Prioritize remediation
Operationalizing the remediation guidance included in the data
collected in steps 1 and 2 should be correlated with the attack
likelihood and impact factors associated with each uncovered
security gap. Integrating the results of the simulated attacks in
the vulnerability prioritization process[3] is key to streamlining
the process and maximizing the positive impact of each mitigation
performed.
4 — Verify the enforcement of segmentation policies and hygiene
Running end-to-end attack scenarios maps the attack
route and identifies where segmentation gaps allow attackers to
propagate through your network and achieve their goals.
5 — Evaluate the overall breach feasibility
Run recon and end-to-end outside-in attack campaigns to
validate how a cyber attacker could progress through your environment
from gaining access all the way to exfiltrating the crown
jewels.
Typically, forward-thinking organizations already try to control
their fate by adopting a proactive approach towards cyber security
where they leverage breach and attack simulation and attack surface
management to identify gaps in advance. Usually, they would begin
the journey with the goal of prevention – making sure they fine-tune
all security controls and maximize their effectiveness against
known and immediate threats. The next step would be running SOC and
incident response exercises to make sure nothing goes undetected,
moving onwards to vulnerability patching prioritization.
Most mature enterprises with plenty of resources are also
interested in automating, customizing, and scaling up their red
team activities.
The bottom line is that when you are looking at incorporating a
continuous threat exposure management program, you are likely to
find many different point solutions, but eventually, regardless of
the particular objective of each team, as in real life, it is
best to find a partner with whom you can scale up.
Note — This article is written and contributed by Ben
Zilberman, Product Marketing Director at Cymulate.
References
[1] optimizes the remediation prioritization (thehackernews.com)
[2] outside-in attack simulation (thehackernews.com)
[3] simulated attacks in the vulnerability prioritization process (cymulate.com)
Read more https://thehackernews.com/2022/09/what-is-your-security-team-profile.html