Over the lifecycle of a cybersecurity incident, at which point is it most* easily disrupted and prevented?
Two competing strategies are:
1. Focus most of your efforts on preventing the initial penetrations that have the potential to be the most damaging to your environment, e.g., patch management, social engineering training, etc.
2. Focus most of your efforts further within your environment to locate Defender or Blue Team decision points that constrain adversaries into bottlenecks and contain lateral movement, for easier disruption.
Is there a better strategy than these two?
*One strategy is not saying to completely ignore the other; the key word is "most".
You probably get the greatest benefit from the former, and it's easier to make a business case for. I'm not sure why you'd want to start on the right-hand side of ATT&CK and work left.
@Steve-Wilme The thought process behind strategy two is to accept the fact that you're going to get breached (eventually) and there are way too many threat vectors to adequately protect. You'll still have some prevention protections in place for due diligence but the majority of the focus is further into your architecture. I'm not defending this strategy over the other, just curious to see what the majority opinion is here.
I start by prioritizing, say, my five (5) most critical assets and losses to train my team against, learning as we go and fixing problems found. Always drill on the basics and work your way up. These are really easy wins and a great way to build teamwork when you approach it as not being a punishment. You can continue down the stack of possible asset compromises along the way, but start small. Your team will quickly understand which assets are most in need of protection and of course will feel a better sense of priorities and ownership of the process.
Once your cadre of trainers is trained, send them off to train more junior resources to do the same. First train your juniors in their primary and secondary roles, expectations and deliverable results. Once they have the drill down, expand the exercise to broader, more advanced drills or problem sets so everyone is cross-trained and ready to step in if someone should become unavailable.
Make this a quarterly or monthly part of your preparedness. The criminals out there are not going to wait for your annual training exercise to attack you, nor should you be waiting around in hopes everyone is both ready and available to respond.
Obvious examples would be Ransomware, "Crown jewels", Executive phishing attacks, system outages, etc.
@Beads I like it, identify the crown jewels and build controls out from there. But hypothetically with limited time (average CISO tenure is 18-36 months) and budget, would you focus more on preventive controls or detection/eradication controls around those critical assets to disrupt a cybersecurity incident?
If you're looking for the most easily, I would say the former would be best: disrupt as soon as possible. If they are already in, you'll be playing catch-up a lot longer.
Both are critical and there's a balance out there somewhere. Each organization will be different and have different priorities. That can change as your CISO, C-Suite, and/or Board changes.
@GerryS What happens if the attacker, for example China or North Korea, has been inside for months or longer? Then wouldn't your approach change? Would you not look to investigate what they are accessing, and what assets they have access to or are in fact manipulating or augmenting?
Simply disrupting the flow may cause more damage or prevent you from understanding the current situation. Sometimes listening, without disrupting immediately, may give you a better understanding while collecting evidence at the same time?
Each organization will be different and have different priorities. That can change as your CISO, C-Suite, and/or Board changes.
Very true. Typically we align on what needs to happen but it varies, operationally/tactically, on how we prioritize strategies to reach those goals.
@Caute_cautim I'm all for collecting evidence and not disrupting if I've successfully choked them into some form of deceptive/honeypot technology, but if not, I'm definitely cutting them off ASAP. That's just my thoughts at this time, but I'm willing to change my mind.
The two most important factors here are elements that I/we cannot answer.
Concentrate on delivering on those metrics or outcomes most likely to benefit your organization and make this a policy-level initiative, thus negating the "18-36 month CISO horizon". A successful program, run for little to no money but with desirable results that lead to better outcomes, be they incident disruption, teamwork or loss of organization assets, will be more noticeable, if not profitable, for your organization over time.
If you're looking simply to disrupt "cyber" incidents (the term has been around since 1948, with too many definitions today to be taken seriously), there are plenty of BADs, NBADs, eDiscovery and automated forensics platforms for both Data Center and Cloud to evaluate and put into place. The tech is well known and easy enough to find. What I am referring to is the team itself. Everything boils down to team effectiveness regardless of the tech deployed. You can have the best possible technologies out there, but if your people are not engaged or don't work well as a team, are undertrained or just plain uninterested (something I see all too often in IT and Security), your tenure as CISO will be short and unremarkable. Might as well go back to working for the accounting department or CFO at that rate.
Both IT and later Security begged for a seat at the big table; now it's time for us to look beyond just technology and tech strategy, what you refer to as disruption, and directly involve your team. These are the people who will be able to tell you first-hand where the skeletons in the closet are and how weak you are in any given place. Hence identifying the crown jewels and the four other most vulnerable assets. If your people cannot or will not help you with this step, they aren't going to be helpful during an event.
Bring your people onboard, engage, identify and train on the basics while pushing knowledge down by not siloing. Disrupting the chain means nothing if your people do not feel empowered to do so.