The one principle the cyber-security industry is founded on is that defenders are always a step behind the hackers. Solutions are developed (FW, AV and onwards), technologies introduced (VMs, LB’s, microservices) practices emerge (DevSecOps anyone?) and yet – adversaries always find new ways. They bypass the IPS, prove WAF is not enough, exploit the endpoint – or all together in a single campaign all the way to the crown jewels.
Whenever a new crack is appeared, startups emerge and a new cybersecurity niche is created. Almost instantly, begins a dash of experts, funds are raised, acquisitions are reported, and everyone seem happy – but still a step behind. Because the next morning, hackers will find a new way to install a malware, steal identities or exfiltrate sensitive data.
Why are hackers always a step ahead?
Simply put – because they must. Otherwise, they will not fulfill their job or achieve their goal. Whether they are looking to spy or to extort, they must find a way in. The lucky ones enjoy from three contributing factors:
1. The more amorphic and abstract information networks become, the more loopholes there are.
2. Humans cannot perform at 100% 100% of the time and the as both complexity and numbers of solutions are growing, they are error-prone
3. Information sharing is much more common among hacking than among it is among commercial organizations that compete with each other. Establishing the cyber threat alliance is a step forward but the bottom line remains the same.
Getting into the mind of a hacker
The curriculum of cyber security programs – academic or in real-life – is usually similar and details the same fundamental principles. Practices are taught and processes are endowed yet are always based on the experience of the past. Let’s be fair though – how would you predict the unknown?
Hackers on the other hand, do not follow certain paradigms and heuristics. They just go around them. This different mindset makes them more creative than security practitioners are. In addition, they are nimbler – don’t have to follow any procedure or comply with any regulation.
Current approaches are… meh
Information security staff recognizes these differences and therefore usually hires a group of “white-hat” hackers, to show them where they are vulnerable. This exercise is called penetration testing, but its impact is usually low. Not because the pen-testers aren’t doing a good job, but rather since there are few inherent constraints:
First, this is done once twice a year. Not in a continuous manner. Consequently, by the time the defenders get to execute a plan based on the findings, these are long gone – whether patched, reconfigured or simply protected by a new solution. That, before even mentioning the number of new threats that were introduced since…
Turning it around
Due to all aforementioned reasons – such as mindset, training, information sharing, restrictions etc. – it’s unlikely to expect the security team to be ahead. And this is where technology comes in. No – not AI again… Artificial intelligence or machine learning may improve detection, yes, but not stop a full campaign of a determined hacker from reconnaissance to root.
In May 2021, following some high-profile campaigns against US-based institutions by APT groups, that included ransomware and supply-chain attacks, the administration has enacted an executive order that – among many other things – encourages organizations to make use of offensive testing practices to assess their security posture and better manage risk.
Specifically, this is a call for enterprises to test, practice and drill their incident response plans and security controls to better prepare their people, processes, and technologies for a case of a cyberattack.
Continuous security validation
Offensive testing technology, commonly known as Continuous Security Validation, provides information security staff and business executives a baseline of their posture of their current state in order to optimize their readiness for cyberattacks.
The other great thing about this technology is that it is completely automated – thousands of attacks are launched against the network, the systems, the applications, and the devices so the organization knows what is detected and blocked, what is detected but not blocked, and what isn’t detected at all (or detected but not reported).
A comprehensive assessment methodology must take a hacker standpoint and begin with exploring the attack surface – which digital assets are accessible and exploitable. The next phase following the reconnaissance is finding the penetration paths – an automated end-to-end campaign from the initial breach all the way to the crown jewels. The third phase is launching thousand of simulated scenarios against each and every security solution in the network to validate its configuration and find what it misses, and eventually helps to prioritize vulnerability patching.
This technology allows organizations “invite” automated hackers continuously – not just once a year – to find all the loopholes before real hackers do. This way, the enterprise can be one step ahead for a change.
Credit: Source link
