Tuesday, 20 June 2023
Today I wanted to touch on the benefits of a proactive, predictive, and retrospective cybersecurity defense strategy (aka threat hunting) to augment the more traditional protective and reactive defenses in place within most organizations. And I do mean augment, as protective and reactive capabilities are a critical first line of defense for your enterprise.
The end goal for a proactive, predictive, and retrospective defense strategy is to enable your security operations team to detect and respond to cyber threats before significant damage is done. And herein lies what I view as the key difference between protective/reactive defenses and a proactive defense: detecting sophisticated threats with confidence much earlier in the kill chain.
With that as a backdrop, let’s explore a little deeper why I believe a shift from a preventative to a proactive defense is the rational security strategy and how it can detect and block threats early in the kill chain before significant damage is done.
Proactive defense involves active threat hunting within your enterprise for activities that are indicative of an ongoing attack and then taking corrective action to mitigate any detected attacks. In this context, active threat hunting can involve human security analysts and/or automated detection and response capabilities that are tipped and tuned through predictive defense analytics, Machine Learning (ML), and Artificial Intelligence (AI) algorithms.
A key aspect of proactive defense is hunting “within” your enterprise; meaning you have the visibility within your enterprise to detect, investigate, analyze, mitigate, and track anomalous activity that has breached your perimeter defenses. An important aspect of this is the ability to understand and then manage the perception of your network’s attack surface from the perspective of an attacker – that is, enable your security operations team to view your enterprise through the lens of an attacker.
Predictive defensive capabilities identify interesting events and activities that warrant further investigation and provide threat hunters with the knowledge and insights into an attacker’s behavior necessary for them to detect and investigate anomalous activities early in the attack kill chain, anticipate the attacker’s next moves, track their movements, and ultimately block their advance.
Predictive defense capabilities help to focus and direct where the threat hunters should be looking to enable them to find the proverbial needle in the haystack. For example, predictive analytics are continually churning through network and sensor metadata to correlate and sequence seemingly random pieces of information into interesting anomalies that require a threat hunter’s attention – perhaps a low bandwidth connection to an unusual network address that could be indicative of a beaconing host.
Threat intelligence also comes into play here by keeping the threat hunters and automated attack detection rule sets up to date on the evolving TTPs used by the attackers. Finally, attack frameworks like MITRE ATT&CK enable your security analysts (and predictive analytics) to understand the attackers' TTPs (think like an attacker), string together those seemingly random events, and put those events in the context of a broader attack campaign.
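To make the beaconing example and the ATT&CK tagging concrete, here is an added illustration of the kind of analytic described in the two paragraphs above. It is not code from the original post or from any vendor product mentioned here. It works over constructed connection metadata (timestamp, source host, destination address, bytes sent), scores each source/destination pair on three hunter-relevant signals (regular timing, small payloads, and a destination that few hosts in the enterprise talk to), and attaches the ATT&CK tactic and technique a hunter would use to place the finding in a campaign. The field layout, the thresholds, and the sample flows are all assumptions made for the example; the rarity check generalizes the single "unusual network address" case in the text to "addresses contacted by few hosts".

```python
"""Beacon-candidate detection over connection metadata (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow metadata: (timestamp_seconds, src_host, dst_address, bytes_out).
# ws-07 contacts 203.0.113.5 roughly every 300 s with tiny payloads (beacon-like).
# Several hosts contact 198.51.100.10 (a hypothetical internal update server)
# at irregular times with larger transfers (benign).
FLOWS = [
    (0, "ws-07", "203.0.113.5", 412),
    (298, "ws-07", "203.0.113.5", 407),
    (602, "ws-07", "203.0.113.5", 415),
    (899, "ws-07", "203.0.113.5", 410),
    (1203, "ws-07", "203.0.113.5", 409),
    (1497, "ws-07", "203.0.113.5", 413),
    (15, "ws-01", "198.51.100.10", 52000),
    (80, "ws-02", "198.51.100.10", 61000),
    (420, "ws-07", "198.51.100.10", 58000),
    (950, "ws-03", "198.51.100.10", 49000),
    (1100, "ws-01", "198.51.100.10", 70000),
    (1400, "ws-02", "198.51.100.10", 55000),
]


def find_beacon_candidates(flows, min_connections=5, max_interval_cv=0.2,
                           max_mean_bytes=2048, max_peer_hosts=2):
    """Return one finding per (src, dst) pair whose connections are regular,
    small, and go to a destination few hosts talk to. Thresholds are assumed
    starting points; tune them against your own baseline."""
    by_pair = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
        hosts_per_dst[dst].add(src)

    findings = []
    for (src, dst), records in by_pair.items():
        if len(records) < min_connections:
            continue
        records.sort()
        intervals = [b[0] - a[0] for a, b in zip(records, records[1:])]
        period = mean(intervals)
        if period == 0:
            continue
        # Coefficient of variation of the inter-connection gaps: a timer-driven
        # implant produces a low value, interactive/human traffic a high one.
        interval_cv = pstdev(intervals) / period
        avg_bytes = mean(n for _, n in records)
        peer_hosts = len(hosts_per_dst[dst])  # how "unusual" the destination is
        if (interval_cv <= max_interval_cv and avg_bytes <= max_mean_bytes
                and peer_hosts <= max_peer_hosts):
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(records),
                "period_s": round(period, 1),
                "interval_cv": round(interval_cv, 3),
                "mean_bytes": round(avg_bytes),
                "hosts_contacting_dst": peer_hosts,
                # ATT&CK context so the hunter can sequence this with other
                # events: Command and Control tactic, Application Layer Protocol.
                "attack_tactic": "TA0011 Command and Control",
                "attack_technique": "T1071 Application Layer Protocol",
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacon_candidates(FLOWS):
        print(finding)
```

On the constructed data only the ws-07 to 203.0.113.5 pair is reported: six connections with a period of about 299 seconds, an interval coefficient of variation near 0.01, a mean of 411 bytes, and a destination that only one host contacts. The update-server traffic fails all three tests, which is the point of combining signals: any one of them alone (small transfers, a regular schedule, a rarely seen address) is common in benign traffic.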
A proactive, predictive, and retrospective cybersecurity approach allows you to identify, prioritize, and mitigate urgent threats to your enterprise – generally with greater confidence and earlier in the kill chain. However, despite the clear benefits of active threat hunting, many enterprises remain at a standstill. So how do I get started down the path to proactive, predictive, and retrospective defense?
Network Detection and Response (NDR) solutions use machine learning to predict how to adjust their internal detection logic and response actions by correlating the execution sequence of an attack. Using the techniques detailed in the MITRE ATT&CK framework, you can drive detections and responses to threats, and stay one step ahead of attackers.
Contact sales@pama.com.vn for more information.