It’s no news that our threat surface is exploding. Moreover, this is now a multi-dimensional expansion, almost a “big bang”.

Horizontally – the threat surface is expanding: cloud, OT, IoT, 5G and other elements of our digital transformation are new entry points for threat actors. Each one, unfortunately, requires a different type of protection, but from the attacker’s point of view, they are all one big converged opportunity.

Vertically – alerts are increasing in volume, and they become more targeted every day. Attackers are investing more time and resources in precision-targeting, particularly when it comes to high-value targets. The recent Dtrack attack on an Indian nuclear plant was actually found to have the plant’s specific network credentials hard-coded into the malware!

We repeatedly find that our investment in technologies for minimizing our attack surface and preventing threats is only effective to a limited extent. Just recently our very own analysis team found cryptominer malware installed on multiple endpoints in an international airport. This airport already had threat prevention systems installed. This is where we have to rely on our incident response team, which is our last line of defense after all technologies have failed. But surprisingly, on this front, we see little progress.

On the blue (defensive) team side, we have continued our normal course of business: introducing more technologies and new tools, chasing internal resources and budgets to grow our SOC teams, defining new playbooks, re-organizing our troops and occasionally even running a tabletop exercise or two… But does this approach actually help?

Considering that our most limited resource is our people, will these new technologies help them, or do they, in fact, complicate their jobs by forcing them to learn new systems while trying to integrate them into a helpful, orchestrated operation? Perhaps we should take a moment to focus on the team itself, our last line of defense, and think about how we can help them be more effective.

Our teams are overwhelmed with information and tools that they cannot digest or, frankly, operate effectively. Most importantly, they lack the basic process for addressing complex challenges:
Prepare yourself > Train > Debrief > Correct the defaults > Repeat, until you know and feel that you are ready.

As security leaders, before investing in the next shiny tool, we must ask ourselves a few basic questions:

  1. Have we ever seen our team perform under pressure?
  2. We’ve purchased a great stack of tools, but have we seen our team use them effectively?
  3. Do we know if our playbooks and technologies are effective?
  4. Do we know if our team can handle a massive cyber campaign?
  5. Bottom line: how many of us can honestly say we can count on our team’s readiness for an attack?

We know what we have to do, but have we ever seen it work?

Today we do not have answers to most of these questions, and worse, we lack a solution enabling us to break this vicious cycle.

So what am I suggesting? As in any high-stress role, we have to give our cybersecurity experts the ability to practice – in real-world scenarios, using real-world tools and using their own playbooks and methodologies, both as a team and as individuals. Nothing will improve your security organization more effectively than practicing the attack BEFORE the attack.

We’ve seen this take shape in the form of a hyper-realistic cyber range, which can replicate exactly the kind of multi-stage attacks that are so hard for SOC teams to experience before the fact. Let your team prepare. Ask any pilot, military commander, first responder or paramedic – there’s nothing like hands-on experience!

Adi Dar is the CEO of Cyberbit