As a CISO, I have participated in many discussions about breaches. We do our best to understand who the attackers are, what exploits they use, and how they compromise systems. During this analysis, however, we often overlook patterns that might show up between different breaches. Headlines grab our attention; we look on empathetically, leaning in, counting our blessings that our company name is not in the headlines; then we move on, waiting for the next breach to grab our attention.
Each attack might be a unique situation, so it’s prudent to study and learn from each. But the bigger opportunity is in the identification of patterns that often appear when looking across multiple attacks. This is important because these patterns can become key to defense strategies for future attacks. Look at it this way: if you focus on the act—in this case, the breach—you are potentially missing the bigger themes that could be useful in validating your cyber-defense strategy.
Take the following two breaches from recent years. Organization A was breached and lost millions of customer records. It was later learned that part of the attacker playbook (that is, the steps the attacker took to facilitate the breach) used credential theft to move into critical systems as a credentialed system user. In Organization B, well-crafted malware was used in a targeted spear phishing campaign. Upon further analysis, the attacker playbook had a similar pattern to that of the attack on Organization A: malware installed on the employee endpoint harvested production credentials the attacker could use.
Reacting to each of these breaches independently, you might focus on educating the employees not to click on suspicious emails. Or you might, instead, focus on the exploit and adopt a patch strategy. Worse, you might determine that your organization is not vulnerable because the exploited application isn’t running in your environment. By comparing the attacks, though, we see a common theme: credential abuse. This shared element is key, even though these organizations are in different industries, and despite much debate about the identities of the attackers. The facts of the case and the digital footprints of the attackers can be extracted for use in future defense strategies.
Common defense points
This is how I look at breaches. I use them to stress-test my strategies, first looking for patterns, developing themes, and using those attack scenarios against my organization to determine and measure my defense posture. I have come to love the use of internal segmentation to divide my internal risks into common defense points. When looking at these breaches, the initial targets were employees. Early attack stages often target machines that have access to email, web, and other software. However, these same systems are often used to manage internal production systems. Thus, dividing work streams based on risk allows for improved security posture. Machines used to access the internet may not be best suited for direct access to your production systems. By using segmentation internally, any compromised employee machines are isolated from other, more critical resources.
This is just one playbook—there are many more. Instead of focusing on who attackers are or what they are after, focus on looking back at as many breaches as you can, finding common playbooks that can identify ways attackers succeed. The next phase of your cyber defense strategy should be to set up proper prevention and monitoring controls to counter these attacker playbooks. By developing a continuous validation and discovery process, you’ll be able to add new breaches to your playbook knowledge set and test for new angles of attack. From there, you’ll be able to stress-test your defensive controls and know you are prepared. Monitoring preventive and reactive controls is the last step in ensuring you’re able to properly respond to an attack in near-real time.
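The segmentation idea above (internet-facing employee machines kept apart from production, with administrative access going through a separate, hardened path) becomes a concrete monitoring control once you write the zone policy down and check accepted traffic against it. The following is an added example written for this article, not code from the author or any organization described here. It assumes a constructed three-zone address plan (user endpoints, jump hosts, production), a constructed firewall flow-log format, and a policy that denies any direct user-endpoint-to-production flow; a flow the firewall accepted across a forbidden boundary is exactly the "compromised endpoint talks to production with harvested credentials" step from the two breaches, so it is the event worth alerting on.

```python
"""Check accepted firewall flows against an internal segmentation policy.

Zone names and address ranges are assumptions for this example:
  user  - employee endpoints that browse the web and read email
  jump  - hardened administrative hosts
  prod  - production systems
The policy: user -> jump and jump -> prod are allowed; user -> prod and
external -> prod are not. Any ACCEPTED flow outside the allow list is a
segmentation violation worth investigating.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (RFC 1918 space; not a real network).
ZONES = {
    "user": ipaddress.ip_network("10.10.0.0/16"),
    "jump": ipaddress.ip_network("10.20.0.0/24"),
    "prod": ipaddress.ip_network("10.30.0.0/16"),
}

# Explicit allow list of (source zone, destination zone) pairs.
ALLOWED_FLOWS = frozenset({
    ("user", "user"), ("user", "jump"), ("user", "external"),
    ("jump", "prod"), ("jump", "jump"), ("prod", "prod"),
})


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    action: str  # ACCEPT or DROP as recorded by the firewall


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: 'src=A dst=B dport=N action=X'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["action"])


def is_policy_violation(flow: Flow) -> bool:
    """Only accepted traffic matters: a DROP means the control already worked."""
    if flow.action != "ACCEPT":
        return False
    return (zone_of(flow.src), zone_of(flow.dst)) not in ALLOWED_FLOWS


def find_violations(lines):
    """Return the accepted flows that crossed a forbidden zone boundary."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    return [f for f in flows if is_policy_violation(f)]


# Constructed sample log: two legitimate admin hops, one direct
# endpoint-to-production connection, one dropped attempt, one web
# session, and one inbound connection straight from the internet.
SAMPLE_LOG = """\
src=10.10.4.7 dst=10.20.0.5 dport=22 action=ACCEPT
src=10.20.0.5 dst=10.30.1.5 dport=22 action=ACCEPT
src=10.10.4.7 dst=10.30.1.5 dport=3306 action=ACCEPT
src=10.10.4.7 dst=10.30.1.5 dport=3306 action=DROP
src=10.10.9.2 dst=203.0.113.10 dport=443 action=ACCEPT
src=203.0.113.10 dst=10.30.1.5 dport=22 action=ACCEPT
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG.splitlines()):
        print(f"VIOLATION {zone_of(v.src)}->{zone_of(v.dst)}: "
              f"{v.src} -> {v.dst}:{v.dport}")
```

The allow list is deliberately explicit: anything not listed is a violation, so a new zone or a forgotten path shows up as noise to triage rather than as a silent gap. Running the same check over real flow logs after each tabletop exercise is one way to do the continuous validation the article calls for; the accepted user-to-production flow is the finding that says the segmentation control is not doing its job.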