
Operationalizing a “think like the enemy” strategy


Security professionals have always been told to “think like the enemy.” This philosophy could start with a series of questions like: How could an adversary gain a foothold in one of our systems? How would they circumvent our security controls? How would they find and exfiltrate our sensitive data? Armed with knowledge about what an adversary would do, security teams could then design countermeasures to impede or even stop the bad guys in their tracks.

Good strategy, but most security professionals don’t have the knowledge or skills to take an adversary’s perspective. CISOs, recognizing the value of thinking like the enemy, have overcome this deficit by conducting penetration testing or red teaming exercises, attacking themselves to test their defenses.   

Such exercises can be quite valuable. ESG research finds that:

  • 47% of organizations believe that penetration testing/red teaming is a best practice for risk assessment and reduction and use these exercises to uncover previously unknown vulnerabilities, expose blind spots, and test security controls. Once test results are in, CISOs can then pinpoint areas needing improvement.
  • 39% of organizations conduct penetration testing/red teaming after experiencing some type of security incident to assess risk. In this case, security testing can expose what went wrong.
  • 38% of organizations conduct security tests in response to executive managers/board of directors’ mandates. Here, security tests provide security and business teams a baseline for cyber-risk assessment, future planning, and investment priorities.
  • 35% of organizations conduct penetration testing/red teaming after another firm in their industry has experienced a data breach. This is especially useful to gauge whether an organization is susceptible to the latest cyberattacks plaguing a particular industry.

Given this broad agreement on the value of such testing, what’s the problem?

Security testing is complex, expensive, and dependent upon highly skilled professionals. Thus, most organizations can only do security testing periodically. ESG research reveals that 37% conduct penetration tests or red teaming exercises once a month or less. When they do perform these tests, they tend to do so on a limited basis—on a single application, data center, network segment, etc. This means that test results don’t provide a complete picture, and with the ever-changing attack surface, test results lose their relevance quickly over time.

What can organizations do to make thinking like the enemy part of their daily standard operating procedure? They can start by embracing the MITRE ATT&CK framework. First introduced in 2015, MITRE ATT&CK is described as “a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” When bad guys act, MITRE ATT&CK categorizes each step they take within an overall cyber-threat taxonomy. Providing this classification at a granular level, MITRE ATT&CK acts as a mapping tool for defenders to understand how each action fits into an overall attack.
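As an added illustration (not code from the article or from MITRE), the script below does what the paragraph describes from the defender's side: it takes the techniques a pentest or red-team exercise touched, places each one under its ATT&CK tactic(s) in attack-flow order, and reports the tactics where no detection exists yet. The embedded technique/tactic table is a hand-picked subset of the ATT&CK Enterprise matrix, and the findings and detections lists in demo() are constructed sample data.

```python
"""Map security-test findings onto the ATT&CK taxonomy and show where defenders
have no detection. TECHNIQUES is a small hand-picked subset of the Enterprise
matrix embedded for an offline run; the full knowledge base is far larger."""
from collections import OrderedDict

# Tactic IDs in rough attack-flow order, with names (subset of ATT&CK Enterprise).
TACTICS = OrderedDict([
    ("TA0001", "Initial Access"), ("TA0002", "Execution"),
    ("TA0003", "Persistence"), ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"), ("TA0006", "Credential Access"),
    ("TA0008", "Lateral Movement"), ("TA0010", "Exfiltration"),
])
# Technique ID -> (name, tactics it appears under); one technique may serve several.
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
    "T1078": ("Valid Accounts", ["TA0001", "TA0003", "TA0004", "TA0005"]),
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1021": ("Remote Services", ["TA0008"]),
    "T1048": ("Exfiltration Over Alternative Protocol", ["TA0010"]),
}

def coverage_report(findings, detections):
    """findings: technique IDs a pentest/red team exercised; detections: technique
    IDs the SOC has a verified detection for. Returns (per-tactic report, unknown IDs)."""
    report = OrderedDict((t, {"name": n, "observed": [], "undetected": []})
                         for t, n in TACTICS.items())
    unknown = []
    for tid in findings:
        if tid not in TECHNIQUES:
            unknown.append(tid)  # flag IDs outside the taxonomy instead of dropping them
            continue
        for tactic in TECHNIQUES[tid][1]:
            report[tactic]["observed"].append(tid)
            if tid not in detections:
                report[tactic]["undetected"].append(tid)
    return report, unknown

def gaps(report):
    """Tactics, in attack order, where an exercised technique went undetected."""
    return [t for t, r in report.items() if r["undetected"]]

def demo():
    # Constructed sample: what one limited-scope test exercised vs. existing detections.
    # "T9999" is a deliberate placeholder that is not an ATT&CK technique.
    findings = ["T1566", "T1059", "T1078", "T1003", "T1021", "T1048", "T9999"]
    detections = {"T1566", "T1059", "T1003"}
    return coverage_report(findings, detections)
```

Re-running the report after every test, rather than once a quarter, turns the tactic list returned by gaps() into a standing view of which phases of an attack the organisation would currently miss.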

Copyright © 2022 IDG Communications, Inc.
