There’s a version of your company only attackers ever see. It’s time you met it.
CISOs and security managers often see their environments from a macro perspective, seeing the “whole” as an object of protection rather than the separate parts that define it.
However, the same isn’t true for threat actors. Every network, device, system or app presents a separate opportunity to exploit. What’s more, in a world with deeply interlinked technology and business partnerships bringing vast efficiencies in ROI, the weakest links in these chains of production could very well cause the figurative “whole” to crumble from within.
Thus, leadership must marry business and technology needs while also showing ample caution before committing to a one-size-fits-all security approach. Instead, they should look at their security through the eyes of an attacker, taking an offensive position toward their own environment.
Key points of this article:
- To achieve true cyber resilience, SOCs must go all in. They should test their assumptions, incident management strategies and tools by assuming the role of a real attacker.
- Advanced attackers rely on stealth, getting lost amidst detection and work noise. Make their job harder by seeing their moves for what they are.
- Cybersecurity is constantly evolving. The ebb and flow of the threat landscape should be mirrored by organizational defenses being enacted on time to prevent unseen enemies.
- Since time is essential, incident response should be as agile as an APT’s fast-evolving TTPs, dealing with malignant action in minutes, not months.
Getting into character
Note that offensive security (OffSec) isn’t a new term. Offensive practices like red teaming, pen testing and vulnerability checks are standard approaches that should not be foreign to any CISO. Except it’s not exactly what this article has in mind.
While an offensive approach can test an environment against real-world attacks securely, that approach might not account for an attacker’s specific view, nor their actual TTPs. What’s obvious is that internal security won’t have the same tools/experience at hand.
Mind you, professional emulations like MITRE ATT&CK Evaluations Enterprise or NATO’s Locked Shields exercise do test tangible TTPs, but that’s outside the scope of this article.
To address that gap, and to reflect on what malicious actors do best, security managers must adopt the mindset of their foes.
See like an attacker
First and foremost, attackers love to evade detection for as long as possible. Initially, they might scan for openings in a network, an unsecured VPN, exposed SQL servers and the like, or they could just craft a tailored spear phishing message to collect someone’s credentials, and they’re in.
Whichever way they go, one thing is clear: The attackers bet on security practitioners not finding out about the initial compromise. This often happens because internal SOCs are understaffed, leading to multiple months of persistence by an attacker, or perhaps because SOCs may under-analyze a detection.
Sometimes it’s a skill issue. Other times it’s a matter of scope, wherein enterprises can’t fully cover their networks’ footprints (lots of technical debt). In either case, the real issue is visibility. You can’t protect what you can’t see. Attackers know this, which is also why they tend to attack during the busiest business hours (as per ESET MDR telemetry).
Strategize like an attacker
Second, attackers are constantly on the move. Ransomware actors like Warlock might have just a few public victims, but they’ve massively advanced their tech and have introduced innovative and dangerous evasion techniques.
With ESET research projecting a 40% year-over-year increase in the number of ransomware victims encountering threat actors leveraging EDR killers and UEFI-compromise-capable malware, security postures must mirror the changing threat landscape.
Learn more about EDR killers and defensive measures.
How? Rethink your current posture/strategy. Too vague? Go deeper. Do your security platform and its protective modules reflect your company’s footprint? Are the detection rules in your EDR/XDR solution up to date? Can they detect “bring your own vulnerable driver” techniques? Only by staying dynamic, like a frontline commander, can a business survive in the years to come.
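To make the “bring your own vulnerable driver” question concrete, here is an added example (not ESET code, nor from any product) of the kind of driver-load check a detection rule can apply: it parses constructed records whose field names follow Sysmon Event ID 6 (“Driver loaded”) and flags a validly signed driver that nevertheless sits on a block list, an unsigned driver, and a signed driver loaded from an unusual path. The block list hashes and the log records are placeholders constructed for the example.

```python
# Added example (not ESET code): a BYOVD driver-load check over constructed
# Sysmon-style Event ID 6 ("Driver loaded") records. Hashes are placeholders.
import re
from typing import Dict, List, Optional, Tuple

# Constructed block list (SHA256 -> name); a real rule would load a maintained
# vulnerable-driver list rather than a hard-coded placeholder.
VULNERABLE_DRIVER_SHA256: Dict[str, str] = {"a" * 64: "placeholder-vuln-1.sys"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Constructed records in key=value form (field names follow Sysmon Event ID 6).
SAMPLE_EVENTS: List[str] = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Hashes=SHA256="
    + "c" * 64 + ' Signed=true SignatureStatus=Valid Signature="Microsoft Windows"',
    # Validly signed by a vendor, yet on the block list: the BYOVD pattern.
    "EventID=6 ImageLoaded=C:\\Users\\Public\\update.sys Hashes=SHA256="
    + "a" * 64 + ' Signed=true SignatureStatus=Valid Signature="Example Vendor"',
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\x.sys Hashes=SHA256="
    + "d" * 64 + " Signed=false SignatureStatus=Unavailable Signature=",
    "EventID=6 ImageLoaded=C:\\ProgramData\\rmm\\mon.sys Hashes=SHA256="
    + "e" * 64 + ' Signed=true SignatureStatus=Valid Signature="Example Vendor"',
]
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')  # key=value, value may be quoted

def parse_event(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def sha256_of(event: Dict[str, str]) -> str:
    # Sysmon packs hashes as "SHA256=...,MD5=..."; pick the SHA256 entry.
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return ""

def classify_driver_load(event: Dict[str, str]) -> Optional[str]:
    if event.get("EventID") != "6":
        return None  # not a driver load
    digest = sha256_of(event)
    if digest in VULNERABLE_DRIVER_SHA256:  # a valid signature does not clear it
        return "high: known-vulnerable driver " + VULNERABLE_DRIVER_SHA256[digest]
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        return "high: unsigned or invalidly signed driver"
    if not event.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIR):
        return "medium: signed driver loaded from outside the system driver directory"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    # Return (path, verdict) for every record that warrants analyst attention.
    findings = []
    for ev in map(parse_event, lines):
        verdict = classify_driver_load(ev)
        if verdict:
            findings.append((ev.get("ImageLoaded", "?"), verdict))
    return findings
```

Run against the constructed records, the check passes the in-box ntfs.sys and raises three findings; the second sample is the one to note, since its signature is valid and only the hash match exposes it.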
Move like an attacker
The difference between a compromise and prevention can be as little as six minutes. If you’re a company located within a high-stakes industry like manufacturing, you probably don’t want to upend your production for several months, costing literally billions of dollars for some. Threat actors don’t want you to do that either; in fact, they’d rather escape notice and move within a network to bide their time for the right opportunity.
Thinking is theory. Movement is practice. If you can’t make decisions in a matter of minutes, nay seconds, you’re on the losing end of a security battle. Also, you don’t want there to be friction between the security console, its modules, and additional human input. Attackers largely rely on malware doing a lot of the work for them.
Adaptability is, therefore, as vital to the defenders as it is to the attackers, with an agile response that necessitates mixing automation with the human touch needed to counter malicious logic.
Test your might
It’s easy to fall into complacency. From the boardroom, it’s enough to see a few “cyber” checkboxes ticked off and, potentially, let that be that. The world’s changed though. Checked boxes won’t satisfy cyber insurers, nor convince regulators of your preparedness. They also won’t stop advanced persistent threats from hacking their way around them.
Yet they do help — if you can make them work for you. While trying to profile yourself through the eyes of an attacker, look at these checkboxes as features you’d not only like to achieve but also to test. Be the attacker, go on the hunt, and see how you fare against your own assumptions by:
- Knowing your enemy: It’s one thing to use a particular security platform to defend against attacks, but it’s an entirely different thing to understand the toolsets of actual threat actors. They might not use an XDR product to attack you, but they could very well employ legitimate RMMs or signed drivers to escape detection, together with their own proprietary or MaaS code.
- LARPing as an attacker: Commit to the bit, reflecting real-world attack chains much like an enterprise test would. Validate whether your employees and systems can withstand advanced attacks by using scenarios located in the MITRE ATT&CK knowledgebase and outsourced tailored threat intelligence against your systems. If you feel like there might not be enough capacity to do this internally, consider professional external assessments by a red team service provider.
- Providing feedback: Transform the offensive experience into actual feedback. Test your SOC’s response time and incident bottlenecks, and validate your cyber resilience strategy by deliberately abusing your weak points. A massive benefit here is that such simulations can map the vestigial parts of your network, streamline operations and reduce unnecessary IT spend.
It’s all a matter of perspective
By both viewing your systems as an attacker and (actually) becoming one, the insights gathered should help transform organizational cyber assumptions. Moreover, this also tests a CISO or security manager’s ability to dynamically adjust an environment’s posture against the latest threat trends.
While you could just rely on your platform of choice as well as the security analysts using it, that only tells you one side of the story. A word of caution: critical thinking means you can’t form a sound opinion without validating both sides of a story.
For more information about current threat trends and research breakdowns, see the latest ESET Threat Report.