How to learn from an attack and use it to improve your security plan

Hackers are constantly changing their attack strategies and security teams need to adopt the same mentality when it comes to defeating advanced persistent threats.

“We can’t view defense as something that’s static. The attackers are evolving and we have to be doing that too,” said Justin Lachesky, cyber intelligence analyst at Lockheed Martin.

Developing the perspective that cyber security is constantly evolving requires adopting an adversarial mindset and assuming that every action a hacker took was intentional.

However, that’s not how most organizations operate their security programs, said Cybereason CTO Yonatan Striem-Amit. Instead, analysts typically try to resolve a threat as quickly as possible, he said during a webinar Cybereason and Lockheed Martin hosted on the four secrets for combating advanced persistent threats.

The common behavior of incident responders is “if I find a machine that’s infected with malware, I immediately reimage it or block the malware and be done with it,” Striem-Amit said. But this serves as the base for an attack's persistence, he added.

Security teams should “ask the why and what ifs” when investigating an incident, even if they managed to detect and stop it before serious damage was carried out, Striem-Amit said. "You should always ask yourself if it is indeed the end of an incident."

Analysts need to consider what would have happened if the attack hadn’t been stopped, how the adversary managed to evade the company’s defenses, and whether other components related to the incident are still present in the organization’s IT environment.

When fighting an advanced persistent threat (APT), security teams shouldn’t assume that any action taken by the adversary was accidental.

“This isn’t the case with an APT. We are being targeted by people who know how we operate,” Striem-Amit said.

Just like doctors aim to cure a disease and not only alleviate its symptoms, security teams need to eradicate an entire advanced persistent threat and not only a few components of the attack. Each attack is an opportunity to eradicate the disease, he added.

A better approach to handling threats would be to incorporate the intelligence that was gained from handling a security incident into the company’s security program and use it to make “informed offensive decisions,” Lachesky said.

“We need to have the mindset that each attack is an opportunity to learn. The more we can learn, the more effective we can be,” he added.

Using security intelligence to drive an enterprise’s offensive plan could help identify what security capabilities the organization is missing or where the company needs to invest to prevent future incidents from occurring. Companies could decide to block certain types of emails or purchase a new detection tool, for example.

Learning from attacks and adding this knowledge to a company’s security plan ties into how an enterprise measures the success of its security operations, Lachesky said. Some companies equate successful security with how many alerts analysts close or how many alerts are received.

“But that doesn’t mean they’re getting a better understanding of the attack,” he said.

Lachesky recommended that organizations measure analytical completeness, which looks at how well a company analyzes and learns from every attack, or resiliency, which examines how well the business detects and protects against attacks across all phases of an attack.

“If we measure this data, then we have a chance of increasing resiliency instead of just remediating a threat,” Striem-Amit said.
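To make the contrast between the two kinds of metrics concrete, here is an added example (not code from the article, Cybereason or Lockheed Martin) that scores a small set of constructed incident records three ways: the naive "alerts closed" count, analytical completeness (did the team answer the three follow-up questions above), and resiliency per attack phase (how often each phase was detected and blocked when it was reached). The phase names, the field names and the incident records are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class PhaseOutcome:
    # Phase labels follow a generic intrusion lifecycle; they are an
    # assumption, the article does not name specific phases.
    phase: str
    detected: bool
    blocked: bool


@dataclass
class Incident:
    ident: str
    alerts_closed: int       # the count-based metric the article criticises
    root_cause_found: bool   # "how did the adversary evade our defenses?"
    scope_checked: bool      # "are other related components still present?"
    impact_assessed: bool    # "what would have happened if it wasn't stopped?"
    phases: list = field(default_factory=list)


# Constructed incident records for the example (not real data).
INCIDENTS = [
    Incident("inc-001", alerts_closed=12, root_cause_found=True,
             scope_checked=True, impact_assessed=True,
             phases=[PhaseOutcome("delivery", True, True)]),
    # Many alerts closed, but the adversary was only caught at C2 and nobody
    # asked why the earlier phases slipped through.
    Incident("inc-002", alerts_closed=40, root_cause_found=False,
             scope_checked=False, impact_assessed=False,
             phases=[PhaseOutcome("delivery", False, False),
                     PhaseOutcome("exploitation", False, False),
                     PhaseOutcome("c2", True, True)]),
    Incident("inc-003", alerts_closed=3, root_cause_found=True,
             scope_checked=False, impact_assessed=True,
             phases=[PhaseOutcome("delivery", False, False),
                     PhaseOutcome("exploitation", True, False),
                     PhaseOutcome("c2", True, True)]),
]


def alerts_closed_total(incidents):
    """The naive metric: total alerts closed, regardless of what was learned."""
    return sum(i.alerts_closed for i in incidents)


def is_analytically_complete(inc):
    """An incident counts as complete only if all three questions were answered."""
    return inc.root_cause_found and inc.scope_checked and inc.impact_assessed


def analytical_completeness(incidents):
    """Fraction of incidents the team fully analyzed and learned from."""
    return sum(1 for i in incidents if is_analytically_complete(i)) / len(incidents)


def resiliency_by_phase(incidents):
    """Per phase: how often it was detected and blocked when the attacker reached it."""
    reached, detected, blocked = Counter(), Counter(), Counter()
    for inc in incidents:
        for p in inc.phases:
            reached[p.phase] += 1
            detected[p.phase] += int(p.detected)
            blocked[p.phase] += int(p.blocked)
    return {
        ph: {
            "reached": reached[ph],
            "detect_rate": detected[ph] / reached[ph],
            "block_rate": blocked[ph] / reached[ph],
        }
        for ph in reached
    }


def weakest_phase(incidents):
    """Phase with the lowest detection (then block) rate: a candidate for investment."""
    stats = resiliency_by_phase(incidents)
    return min(stats, key=lambda ph: (stats[ph]["detect_rate"], stats[ph]["block_rate"]))


if __name__ == "__main__":
    print("alerts closed:", alerts_closed_total(INCIDENTS))
    print("analytical completeness:", round(analytical_completeness(INCIDENTS), 2))
    for ph, s in resiliency_by_phase(INCIDENTS).items():
        print(f"{ph}: {s}")
    print("weakest phase:", weakest_phase(INCIDENTS))
```

On these records the incident with the most alerts closed (inc-002) is the one the team understands least, and the per-phase view points at delivery as the phase where detection is weakest, which is the kind of gap the article says the intelligence from an incident should expose.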

To learn more about combating advanced persistent threats, check out the other blogs in this series, which cover the importance of having full visibility into your IT environment, using analytics to turn threat information into threat intelligence and using security incidents to gain an advantage over attackers.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.