<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Disrupting a cybersecurity incident in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51098#M3506</link>
    <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/373711365"&gt;@GerryS&lt;/a&gt; And yet the Federal government is stating we should change our stance and be more proactive rather than reactive.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_Cautim&lt;/P&gt;</description>
    <pubDate>Thu, 19 May 2022 20:23:01 GMT</pubDate>
    <dc:creator>Caute_cautim</dc:creator>
    <dc:date>2022-05-19T20:23:01Z</dc:date>
    <item>
      <title>Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51020#M3493</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Over the lifecycle of a cybersecurity incident, at which point is it most* easily disrupted and prevented?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Two competing strategies are:&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;1. Focus most of your efforts on preventing the initial penetrations that have the potential to be the most damaging to your environment, e.g., patch management, social engineering training, etc.&amp;nbsp;&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;2. Focus most of your efforts further within your environment to locate Defender or Blue Team decision points that constrain adversaries into bottlenecks and contain lateral movement, for easier disruption.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Is there a better strategy than these two?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;*One strategy is not saying to completely ignore the other; the keyword is "Most".&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 17 May 2022 12:10:00 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51020#M3493</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2022-05-17T12:10:00Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51021#M3494</link>
      <description>&lt;P&gt;You probably get the greatest benefit from the former and it's easier to make a business case for.&amp;nbsp; I'm not sure why you'd want to start on the right hand side of ATT&amp;amp;CK and work left.&lt;/P&gt;</description>
      <pubDate>Tue, 17 May 2022 12:23:18 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51021#M3494</guid>
      <dc:creator>Steve-Wilme</dc:creator>
      <dc:date>2022-05-17T12:23:18Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51022#M3495</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/783051913"&gt;@Steve-Wilme&lt;/a&gt;&amp;nbsp;The thought process behind strategy two is to accept the fact that you're going to get breached (eventually) and there are way too many threat vectors to adequately protect. You'll still have some prevention protections in place for due diligence but the majority of the focus is further into your architecture. I'm not defending this strategy over the other, just curious to see what the majority opinion is here.&lt;/P&gt;</description>
      <pubDate>Tue, 17 May 2022 13:14:49 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51022#M3495</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2022-05-17T13:14:49Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51027#M3496</link>
      <description>&lt;P&gt;I start by prioritizing, say, my five (5) most critical assets and losses to train my team against, learning as we go and fixing problems found. Always drill on the basics and work your way up. These are really easy wins and a great way to build teamwork when you approach it as not being a punishment. You can continue down the stack of possible asset compromises along the way, but start small. Your team will quickly understand which assets are most in need of protection and of course will feel a better sense of priorities and ownership of the process.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Once your cadre or trainers are trained, send them off to train more junior resources to do the same. First train your juniors in their first and secondary roles, expectations and deliverable results. Once they have the drill down, expand the exercise to broader, more advanced drills or problem sets so everyone is cross-trained and ready to step in if someone should become unavailable.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Make this a quarterly or monthly part of your preparedness. The criminals out there are going to wait for your annual training exercise to attack you, nor should you be waiting around in hopes everyone is both ready and available to respond.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Obvious examples would be Ransomware, "Crown jewels", Executive phishing attacks, system outages, etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Good luck!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- b/eads&lt;/P&gt;</description>
      <pubDate>Tue, 17 May 2022 16:57:41 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51027#M3496</guid>
      <dc:creator>Beads</dc:creator>
      <dc:date>2022-05-17T16:57:41Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51029#M3497</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1214778195"&gt;@Beads&lt;/a&gt;&amp;nbsp;I like it: identify the crown jewels and build controls out from there. But hypothetically, with limited time (average CISO tenure is 18-36 months) and budget, would you focus more on preventive controls or detection/eradication controls around those critical assets to disrupt a cybersecurity incident?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 17 May 2022 17:28:18 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51029#M3497</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2022-05-17T17:28:18Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51034#M3498</link>
      <description>&lt;P&gt;If you're looking for the most easily, I would say the former would be best: disrupt as soon as possible. If they are already in, you'll be playing catch-up a lot longer.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Both are critical and there's a balance out there somewhere. Each organization will be different and have different priorities. That can change as your CISO, C Suite, and/or Board changes.&lt;/P&gt;</description>
      <pubDate>Tue, 17 May 2022 22:33:57 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51034#M3498</guid>
      <dc:creator>GerryS</dc:creator>
      <dc:date>2022-05-17T22:33:57Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51037#M3499</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/373711365"&gt;@GerryS&lt;/a&gt;&amp;nbsp;&amp;nbsp; What happens if the attacker, for example China or North Korea, has been inside for months or longer? Wouldn't your approach change then?&amp;nbsp; Would it not be better to investigate what they are accessing, and what assets they have access to or are in fact manipulating or augmenting?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Simply disrupting the flow may cause more damage or prevent you from understanding the current situation.&amp;nbsp;&amp;nbsp; Sometimes listening, without disrupting immediately, may give you a better understanding, whilst collecting evidence at the same time?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_Cautim&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 00:34:24 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51037#M3499</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2022-05-18T00:34:24Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51046#M3501</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/373711365"&gt;@GerryS&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Each organization will be different and have different priorities. That can change as your CISO, C Suite, and/or Board changes.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Very true. Typically we align on &lt;STRONG&gt;what&lt;/STRONG&gt; needs to happen, but it varies, operationally/tactically, on &lt;STRONG&gt;how&lt;/STRONG&gt; we prioritize strategies to reach those goals.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741"&gt;@Caute_cautim&lt;/a&gt;&amp;nbsp;I'm all for collecting evidence and not disrupting if I've successfully choked them into some form of deceptive/honeypot technology, but if not, I'm definitely cutting them off asap. That's just my thoughts at this time, but I'm willing to change my mind.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 12:51:36 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51046#M3501</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2022-05-18T12:51:36Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51050#M3502</link>
      <description>I kindly suggest that combining both strategies shall be the best approach always.&lt;BR /&gt;We should not rely on or be limited to gold standard prevention measures.&lt;BR /&gt;On the contrary, cybercriminals are updating their cyber-attack methods at the speed of light, so we have to adapt smoothly and wisely against them.</description>
      <pubDate>Wed, 18 May 2022 15:08:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51050#M3502</guid>
      <dc:creator>ODF37</dc:creator>
      <dc:date>2022-05-18T15:08:52Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51051#M3503</link>
      <description>&lt;P&gt;The two most important factors here are elements that I/we cannot answer.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;First, historically, which of your security problems are most likely to give you the most grief?&lt;/LI&gt;&lt;LI&gt;What strengths and weaknesses can your current team best or least handle well?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Concentrate on delivering on those metrics or outcomes most likely to benefit your organization and make this a policy-level initiative, thus negating the "18-36 month CISO horizon". A successful program for little to no money but desirable results that leads to better outcomes, be they incident disruption, teamwork or loss of organization assets, will be more noticeable if not profitable for your organization over time.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you're looking simply to disrupt "cyber" incidents (the term has been around since 1948 with too many definitions today to be taken seriously), there are plenty of BADs, NBADs, eDiscovery and automated forensics platforms for both Data Center and Cloud to evaluate and put into place. The tech is well known and easy enough to find. What I am referring to is the team itself. Everything boils down to team effectiveness regardless of the tech deployed. You can have the best possible technologies out there, but if your people are not engaged or don't work well as a team, are under-trained or just plain uninterested (something I see all too often in IT and Security), your tenure as CISO will be short and unremarkable. Might as well go back to working for the accounting department or CFO at that rate.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Both IT and later Security begged for a seat at the big table; now it's time for us to look beyond just technology and tech strategy, what you refer to as disruption, and directly involve your team. These are the people who will be able to tell you first hand where the skeletons in the closet are and how weak you are in any given place. Hence identifying the crown jewels and the four other most vulnerable assets. If your people cannot or will not help you with this step, they aren't going to be helpful during an event.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Bring your people onboard, engage, identify and train on the basics while pushing knowledge down by not siloing. Disrupting the chain means nothing if your people do not feel empowered to do so.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- B/Eads&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 15:29:16 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51051#M3503</guid>
      <dc:creator>Beads</dc:creator>
      <dc:date>2022-05-18T15:29:16Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51057#M3504</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1214778195"&gt;@Beads&lt;/a&gt; Some great insights you are bringing to the conversation here.&amp;nbsp; What are your experiences of taking a more proactive approach in terms of actually using Orchestration and Automation and bringing this to the table?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thus mitigating and reducing the impact of a detected intrusion attempt, using a SOAR:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV class=""&gt;&lt;DIV class=""&gt;SOAR Defined - Security Orchestration, Automation, and Response.&lt;/DIV&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;The term is used to describe three software capabilities – &lt;STRONG&gt;threat and vulnerability management, security incident response and security operations automation&lt;/STRONG&gt;. SOAR allows companies to collect threat-related data from a range of sources and automate the responses to the threat.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Obviously not all patterns will be detected, but over time, with real-time threat updates, this would reduce the impact of the incident and ensure the incident response team is kept up to date across the organisation.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Everyone has their preference in terms of SIEM + SOAR, but automating and orchestrating brings another set of insights and capabilities to the fore.&amp;nbsp; I have no preference out of the multitude of solutions and vendors, as long as they do their expected job to reduce the impact to the organisation or whether you ou&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Regards&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Caute_Cautim&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;</description>
      <pubDate>Wed, 18 May 2022 20:29:56 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51057#M3504</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2022-05-18T20:29:56Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51080#M3505</link>
      <description>&lt;P&gt;The approach will change based on where you are at in the incident.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I took the question as meaning the entire life cycle, not that it had already occurred.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Prevention is best but not a 100% guarantee. You need to know how to respond at each step.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 19 May 2022 07:33:34 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51080#M3505</guid>
      <dc:creator>GerryS</dc:creator>
      <dc:date>2022-05-19T07:33:34Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51098#M3506</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/373711365"&gt;@GerryS&lt;/a&gt; And yet the Federal government is stating we should change our stance and be more proactive rather than reactive.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_Cautim&lt;/P&gt;</description>
      <pubDate>Thu, 19 May 2022 20:23:01 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51098#M3506</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2022-05-19T20:23:01Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51104#M3507</link>
      <description>&lt;P&gt;My background is firmly in training new privates over and over for years in active duty, reserves and National Guard. The toughest thing to deal with in a team, be they Forward Observers (artillery grunts who direct fire) or security practitioners, is training and instilling a sense of ownership for the team as a whole.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You need to reinforce basics till everyone understands every aspect of the job, then move training forward in increasing increments. I used to keep a notebook of quick task trainings in my pocket to keep drilling basics. It took a couple of minutes to do, and everyone got used to the routine, and it helps build camaraderie. I see the same problems in this field: always training a new person expecting them to know everything out of the box. It doesn't work that way. Teams are built through trust, not assumptions. Otherwise, you're going to have one or two outstanding specialists on your team, while the rest feel a bit outside of the team. Sound familiar? It should, as it happens in InfoSec just as regularly as it does with a front line unit.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What does this mean to a security team? Everything. Whether you wish to stop threats before they take hold or simply react to the problem, it still takes a coordinated team, not a single ubermensch who will either outgrow the position or simply move on because they are saddled with doing too much and not able to rely on the overall team. We have the technologies and abilities to quickly identify and kill many of these threats, but we lack the internal coordination to do so. Again, training and cross-training is a group effort, not just an individual effort. As a Senior Director working with many teams across the globe I see this both in my organization and on the client side. Wonder why we have such turnover?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is a two-pronged approach. First, identify your weaknesses from a historical viewpoint. Then your current asset threats: train your team to recognize what the machines are telling you and stop playing 'whack-a-mole', reacting after the fact. Your team will know what your most critical problems are - ask them! Again, teamwork, not a collection of egos riding roughshod over the organization. We did that back in the office of 'No!' days and it didn't work. I see the 'whack-a-mole' mentality almost daily and it's counterproductive.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Training your people and sharing knowledge should be slightly competitive to do and rewarded, not siloed, so everyone has the opportunity to grow. Twice-weekly team meetings organized in the Agile or Scrum formats work well. Same with getting all your architects together twice a week and 'food fighting' your way through design problems. OK, I am being kind about the food fight example. Seasoned architects tend to go straight to bloodletting in the consulting world, but it's effective. &lt;span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:"&gt;😁&lt;/span&gt; Attending scrum and developer meetings is not out of my realm as a security executive, far from it. Some of my best intelligence comes from developer types; don't ignore them.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Build your trainers, your cadre, and have those people lead by taking on smaller groups, explaining who is doing what, giving examples of what is seen and stopped, and let everyone take credit when due and own failure with lessons learned when we fail. What are the symptoms you see with, say, XorDdos or early ransomware? New grads particularly expect management to teach them everything or they get frustrated and leave.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You're never going to break the whack-a-mole mentality unless you train your team to be proactive enough to feel comfortable looking for those things that go bump in the dark. You want a seat at the big table - lead, stop following.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We want many eyes looking to disrupt the bad actors out there, but tend to over-rely on one or two key team members. Regardless of the technologies available, we need as many eyes looking for these possible incidents and to make it a positive part of the job and the team, not an "it's not my job" mentality. That's what I am getting at. Tech is the easy part.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;</description>
      <pubDate>Thu, 19 May 2022 21:29:41 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51104#M3507</guid>
      <dc:creator>Beads</dc:creator>
      <dc:date>2022-05-19T21:29:41Z</dc:date>
    </item>
    <item>
      <title>Re: Disrupting a cybersecurity incident</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51140#M3508</link>
      <description>&lt;P&gt;Cyber-attacks can take varying forms including amateur hacking, "hacktivism," ransomware attacks, cyber espionage, or sophisticated state-sponsored attacks. These attacks have the potential to cause internet or utility outages, leak or delete sensitive data and information, compromise critical infrastructure or services, or cause physical destruction.&lt;/P&gt;</description>
      <pubDate>Mon, 23 May 2022 06:27:40 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Disrupting-a-cybersecurity-incident/m-p/51140#M3508</guid>
      <dc:creator>Maya69</dc:creator>
      <dc:date>2022-05-23T06:27:40Z</dc:date>
    </item>
  </channel>
</rss>

