How to Speed Cyberattack Discovery
Who’s that suspicious network visitor? Is the guest explainable or a potential threat? Cyberattack discovery will help you find the answer.
At a Glance
- Threat actors are becoming more sophisticated and continue to evolve their tactics, techniques, and procedures to evade detection.
- The best detection tools are tailored to match their adopters' unique ecosystems.
- Opening visibility into core business systems is imperative to enable continuous threat monitoring.
A cyberattack can devastate its victim. MGM Resorts, for instance, expects to take a $100 million hit from its September cyberattack. What's less well known is that in many cases a cyberattack can be either prevented or contained early, before real damage is done, with the assistance of cyberattack discovery.
Threat actors are becoming increasingly sophisticated and continue to evolve their tactics, techniques, and procedures to evade detection, says Eric Doerr, vice president of engineering for cloud security at Google Cloud, in an email interview.
Further, organizations today are overwhelmed by alerts and often don’t know how to prioritize and focus their efforts. “Therefore, the best way for organizations to speed the discovery of a cyberattack is to gain a deep understanding of the threats most likely to impact their specific business,” Doerr advises. “Enriching and contextualizing alerts with the latest threat intelligence helps organizations to eliminate blind spots and ultimately detect threats faster.”
Defense Tactics
A fast and reliable way to identify cyber threats is with proactive threat hunting, which utilizes human defenders armed with advanced detection and proactive response technologies and approaches, says Mike Morris, a Deloitte risk and financial advisory managing director, via an email interview. "In particular, threat hunting, during which human defenders actively maneuver through their networks and systems to identify indicators of a network attack and preemptively counter these threats, can speed the discovery of cyberattacks."
Yet he warns that for threat hunting to function optimally, it’s necessary that specific, relevant, and accurate intelligence is coupled with automation to identify and mitigate the adversary’s activities.
When deploying human-based threat-hunting capabilities, it’s helpful to think about the parallels to physical security leading practices, Morris says. “For example, human security guards, tasked with protecting critical assets, constantly inspect physical infrastructures and maintain the integrity of their responsible spaces by actively patrolling and investigating,” he explains. “The less static, routine, and predictable a defensive team is, the harder it is for attackers to anticipate defenders’ actions.”
You need to constantly tune and refine your detection and alerting tools, says Joseph Perry, a senior consultant and advanced services lead at MorganFranklin Consulting in an email interview. Regular audits of your security controls, constant feedback from your security operations center regarding false positive rates, regular assessments, and a healthy, prioritized backlogging process are all critical, he notes.
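Doerr's point about enriching alerts with threat intelligence and Perry's point about feeding false-positive findings back into tuning both come down to the same triage step: take the raw alerts a detection rule emits, attach context (indicator matches, asset criticality, known-benign sources confirmed by the SOC), and rank them. The following Python is an added example, not code from the page or from any vendor quoted on it; the alerts, the indicator feed, the allowlist, and the scoring formula are all constructed for illustration.

```python
"""Enrich SIEM-style alerts with threat intelligence and rank them for triage.

Added illustration. The indicator feed, allowlist, asset list, alerts and the
scoring formula below are constructed for this example, not real data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed threat-intel feed: indicator -> (confidence 0-100, context).
THREAT_INTEL = {
    "198.51.100.23": (90, "C2 infrastructure (constructed example)"),
    "203.0.113.0/24": (60, "scanning range (constructed example)"),
    "evil-updater.example": (85, "malware download host (constructed example)"),
}

# Constructed SOC feedback: sources confirmed benign (e.g. the internal
# vulnerability scanner). Repeat alerts from these are suppressed.
KNOWN_BENIGN_SOURCES = {"10.0.5.9"}

# Constructed business context: how much each asset matters (1 low .. 3 high).
ASSET_CRITICALITY = {"db-prod-01": 3, "payroll-app": 3, "dev-vm-07": 1}


@dataclass
class Alert:
    alert_id: str
    rule: str
    src: str            # source IP or hostname the rule fired on
    host: str           # affected asset
    base_severity: int  # 1 (low) .. 3 (high), as emitted by the detection rule


def match_indicator(value: str) -> Optional[Tuple[int, str]]:
    """Return (confidence, context) for the highest-confidence indicator
    matching `value`, handling both exact matches and CIDR ranges."""
    best = None
    for ioc, (conf, desc) in THREAT_INTEL.items():
        if "/" in ioc:
            try:
                hit = ip_address(value) in ip_network(ioc)
            except ValueError:      # value is a hostname, not an IP
                hit = False
        else:
            hit = value == ioc
        if hit and (best is None or conf > best[0]):
            best = (conf, desc)
    return best


def enrich(alert: Alert) -> dict:
    """Attach intel, asset context and SOC-feedback suppression to one alert."""
    intel = match_indicator(alert.src)
    enriched = {
        "alert_id": alert.alert_id,
        "rule": alert.rule,
        "src": alert.src,
        "host": alert.host,
        "base_severity": alert.base_severity,
        "intel_confidence": intel[0] if intel else 0,
        "intel_context": intel[1] if intel else "no matching indicator",
        "asset_criticality": ASSET_CRITICALITY.get(alert.host, 2),
        "suppressed": alert.src in KNOWN_BENIGN_SOURCES,
    }
    # Constructed scoring: rule severity weighted by asset value, plus up to
    # 10 points for an intel match. Suppressed alerts drop to zero.
    if enriched["suppressed"]:
        enriched["priority"] = 0
    else:
        enriched["priority"] = (enriched["base_severity"] * enriched["asset_criticality"]
                                + enriched["intel_confidence"] // 10)
    return enriched


def triage(alerts) -> list:
    """Enrich every alert, drop suppressed ones, return the rest ranked."""
    ranked = [e for e in (enrich(a) for a in alerts) if not e["suppressed"]]
    return sorted(ranked, key=lambda e: e["priority"], reverse=True)


# Constructed sample alerts, as a SIEM might emit them.
SAMPLE_ALERTS = [
    Alert("A1", "outbound connection to rare destination", "198.51.100.23", "db-prod-01", 2),
    Alert("A2", "port scan", "203.0.113.77", "dev-vm-07", 1),
    Alert("A3", "port scan", "10.0.5.9", "payroll-app", 1),
    Alert("A4", "multiple failed logins", "192.0.2.44", "payroll-app", 3),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(e["priority"], e["alert_id"], e["rule"], e["intel_context"])
```

On the sample data, A1 jumps to the top because its destination matches a high-confidence indicator even though the rule itself fired at medium severity, A3 disappears because the SOC has already confirmed that scanner as benign, and A4 outranks A2 on asset criticality alone. The allowlist is the feedback loop Perry describes: each confirmed false positive becomes a suppression entry rather than a recurring alert.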
Detection Tools and Approaches
The best detection tools are tailored to match their adopters' unique ecosystems. Sentinel, Splunk, and CrowdStrike provide a basic level of competence, Perry says. He also advises considering more advanced approaches, particularly SIEM and SOAR. Perry suggests focusing on automation-friendly tools that any IT team member can master in a relatively short amount of time. "I aim for no more than one month learning a new technology, with a preference for under two weeks," he explains. "If I need to learn a new branch of mathematics, that tool is probably out."
Implementing intrusion detection systems (IDS), employing SIEM solutions, performing regular vulnerability scanning, automating threat hunting, and maintaining continuous monitoring are the most effective security approaches, says Rick Driggers, Accenture Federal Services' cyber practice lead, via email. "Speeding the discovery of cyberattacks is a multi-layered effort, requiring organizations to master the art of quickly educating teams on emerging trends by ensuring that training and educational opportunities are readily available."
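To make the IDS and SIEM items above concrete, here is the kind of detection logic a SIEM correlation rule encodes, run over authentication log lines: a single source failing logins against several distinct accounts inside a short window (a password spray), escalated if that same source later logs in successfully. This is an added example, not code from the page or from any vendor quoted on it; the log format, thresholds and sample lines are constructed for illustration.

```python
"""Detect password spraying in authentication logs, escalating on later success.

Added illustration. The log line format, the thresholds and the sample log
lines are constructed for this example and do not come from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> sshd host=<h> src=<ip> user=<u> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Accept a trailing 'Z' on all Python 3 versions by rewriting it as +00:00.
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_password_spray(lines, min_users=3, window_s=120):
    """Return one finding per source that failed against >= min_users distinct
    accounts within window_s seconds. Severity is 'high' if that source later
    authenticated successfully, otherwise 'medium'."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    findings = []
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        spray_start, spray_users = None, set()
        start = 0
        # Sliding window over the failures, keyed on timestamp.
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                spray_start, spray_users = fails[start]["ts"], users
                break
        if spray_start is None:
            continue
        # Any success from the same source at or after the spray began is the
        # signal that one of the sprayed passwords worked.
        successes = [e for e in evs if e["result"] == "OK" and e["ts"] >= spray_start]
        findings.append({
            "src": src,
            "spray_start": spray_start.isoformat(),
            "users": sorted(spray_users),
            "severity": "high" if successes else "medium",
            "compromised": sorted({e["user"] for e in successes}),
        })
    return findings


# Constructed sample log: one fast spray that succeeds, one user mistyping a
# password, one slow spray that stays outside the default window, one junk line.
SAMPLE_LOG_LINES = [
    "2024-03-01T10:00:01Z sshd host=bastion src=203.0.113.9 user=alice result=FAIL",
    "2024-03-01T10:00:05Z sshd host=bastion src=203.0.113.9 user=bob result=FAIL",
    "2024-03-01T10:00:09Z sshd host=bastion src=203.0.113.9 user=carol result=FAIL",
    "2024-03-01T10:00:14Z sshd host=bastion src=203.0.113.9 user=dave result=FAIL",
    "2024-03-01T10:03:30Z sshd host=bastion src=203.0.113.9 user=dave result=OK",
    "2024-03-01T10:01:00Z sshd host=bastion src=10.0.0.5 user=alice result=FAIL",
    "2024-03-01T10:01:08Z sshd host=bastion src=10.0.0.5 user=alice result=FAIL",
    "2024-03-01T10:01:20Z sshd host=bastion src=10.0.0.5 user=alice result=OK",
    "2024-03-01T09:00:00Z sshd host=bastion src=198.51.100.7 user=alice result=FAIL",
    "2024-03-01T09:45:00Z sshd host=bastion src=198.51.100.7 user=bob result=FAIL",
    "2024-03-01T10:30:00Z sshd host=bastion src=198.51.100.7 user=carol result=FAIL",
    "this line is not an auth event and is skipped",
]

if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_LOG_LINES):
        print(f["severity"], f["src"], f["users"], "compromised:", f["compromised"])
```

With the default two-minute window the rule fires once, on 203.0.113.9, and escalates to high because the later success for `dave` shows the spray worked; the user mistyping a password twice is ignored. The third source, which spaces its attempts 45 minutes apart, is not caught until the window is widened, which is exactly the tuning trade-off described earlier: a wider window catches slow adversaries but raises the false-positive rate, so the threshold should be set from the SOC's own feedback rather than left at a default.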
Driggers believes that preparation can be broken down into four basic steps: develop a cloud security plan, leverage available AI/ML/threat detection and response tools, embrace Zero Trust, and implement compliance requirements.
Just as the cyber threat landscape constantly evolves, so should organizations’ cybersecurity strategies, particularly when it comes to threat detection and response. Opening visibility into core business systems is imperative to enable continuous threat monitoring, Morris advises. Automation can, for instance, help identify threats quickly, leading to rapid mitigation. Deploying security capabilities to counter threats as soon as they are identified, and before they can strike, is key to protecting business-critical systems, he adds.
Keeping Pace
Even as new security technologies and approaches emerge, adversarial behaviors are evolving to keep pace. There’s still not enough information available, for example, on how to detect an adversary leveraging AI-based malware or code to target a victim, Driggers says. Yet he believes that vigilance combined with strong detection tools and approaches can greatly minimize intruder risk. “Adversaries are human just like analysts,” he notes. Catching them when they make mistakes is easier during the early stages of an intrusion.
There are parts of security which can be postponed until an organization reaches a certain level of maturity, Perry says. "But good, effective detections are the lifeblood of a security operation, and are the best protection a business has."