6 Reasons Why Hackers are Ahead of the Game and Tips to Close The Gap

In our recent webinar, Yonatan Striem-Amit, CTO and Co-Founder of Cybereason, discussed six main reasons why hackers are ahead of security and some practical tips for minimizing this growing security gap.

Gap #1: 70% of the security's efforts are focused on preventing penetration 

The Hacker Reality: Hackers are determined to penetrate a network and have a 100% success rate. There are hundreds of ways to penetrate a company's perimeter and an ambitious hacker will surely find one.

Tip for closing the gap:  shift to an “already compromised” mindset. Assume the network is already hacked. Shift your focus from detection of penetration to detection of a hacker's actions inside the network. Good news: you have time to act, as attacks are lengthy and persistent and often the majority of damage is done after several months.

Gap #2: Security teams are satisfied with the simplest explanation. It is a human tendency to accept the most simple solution and move on with our lives.

The Hacker Reality: Never assume the simplest explanation when it comes to security issues. Hackers will take advantage of any weakness within an organization and they are well aware of this human flaw. A hacking operations is composed of many different groups of people including a deception team, whose purpose is to create simple to detect and simple to understand decoy attacks that distract SOC-teams and give them a false sense of security.

Tip for closing the gap: Always stop and ask yourself: Do I see the whole picture? Am I missing something? Always assume you've been deceived and that you may be wrong. If possible, appoint someone on your security team to play the devil's advocate.

Gap #3: Remediate incidents as fast as possible. When security removes a detected malware, they lose a valuable piece of evidence that could potentially reveal an attack in their network.

The Hacker Reality: Hackers will use multiple tools and methodologies, assuming that some will be revealed while others will successfully help them persist in the network. When simply removing one tool, the defender exposes his capabilities or lack thereof. For example, in the investigation of the NY Times breach, more than 40 different hacker tools were revealed. This ensures that if one tool is detected and removed, the attackers will still succeed.

Tip for closing the gap: Become the Hunter! Use the detected malware as bait and monitor the attacker's actions: investigate the malware and it's purpose, reveal related communications and affected endpoints. This will help you uncover other parts of the attack.

Gap #4: Neglecting the endpoints. We recently discussed why endpoints  cannot remain security blind spot. Because endpoint solutions are notorious for being difficult to deploy and maintain, security teams tend to overlook endpoint security.

The Hacker Reality: Endpoints serve as a common penetration point and can reveal hacker's persistence and spread.

Tip for closing the gap: Stop making excuses.  Deploy next generation endpoint security tools that are easy to deploy and do not interfere with user experience, like Cybereason Silence Sensor

Gap #5: Security is too focused on Malware 

The Hacker Reality: Malware is only a means to an end and it is just one of the tools used by a hacking team to achieve their goal. In many cases, malware isn't even used in order to better evade detection.

Tip for closing the gap: Look for a complete attack story:  Instead, strive to leverage user and endpoint behaviors to uncover malicious communications, spread, which endpoints are affected and the malware in order to contain a complete attack.

Gap #6: Security teams are overwhelmed by no. of incidents. As described in our recent blog, excessive alerts and false positives paralize secuirty teams .

The Hacker Reality: Hackers will produce a large amount of alerts to desensitize security teams and distract them from the real attack.

Tip for closing the gap: TRACE the alerts! For each alert look for the Timeline of events, Root cause, Adversarial activity and tools used, Communication and involved Endpoints and users. By doing so, you can easily eliminate false positives and enhance your investigation of true alerts.

Bottom line: always seek the complete picture of the attack, never settle for a partial snapshot.  

Watch the full webinar Now.