The traditional approach to cybersecurity has been to use a prevention-centric strategy focused on blocking attacks. While important, many of today’s advanced and motivated threat actors are circumventing perimeter based defences with creative, stealthy, targeted, and persistent attacks that often go undetected for significant periods of time.
In response to the shortcomings of prevention-centric security strategies, and the challenges of securing an increasingly complex IT environment, organisations should be shifting their resources and focusing towards strategies centred on threat detection and response. Security teams that can reduce their mean time to detect (MTTD) and mean time to respond (MTTR) can decrease their risk of experiencing a high-impact cyber incident or data breach.
Fortunately, high-impact cyber incidents can be avoided if you detect and respond quickly with end-to-end threat management processes. When a hacker targets an environment, a process unfolds from initial intrusion through to eventual data breach, if that threat actor is left undetected. The modern approach to cybersecurity requires a focus on reducing MTTD and MTTR where threats are detected and killed early in their lifecycle, thereby avoiding downstream consequences and costs.
Cyber attack lifecycle steps
The typical steps involved in a breach are:
Phase 1: Reconnaissance – The first stage is identifying potential targets that satisfy the mission of the attackers (e.g. financial gain, targeted access to sensitive information, brand damage). Once they determine what defences are in place, they choose their weapon, whether it’s a zero-day exploit, a spear-phishing campaign, bribing an employee, or some other.
Phase 2: Initial compromise – The initial compromise is usually in the form of hackers bypassing perimeter defences and gaining access to the internal network through a compromised system or user account.
Phase 3: Command & control – The compromised device is then used as a beachhead into an organisation. Typically, this involves the attacker downloading and installing a remote-access Trojan (RAT) so they can establish persistent, long-term, remote access to your environment.
Phase 4: Lateral movement – Once the attacker has an established connection to the internal network, they seek to compromise additional systems and user accounts. Because the attacker is often impersonating an authorised user, evidence of their existence can be hard to see.
Phase 5: Target attainment – At this stage, the attacker typically has multiple remote access entry points and may have compromised hundreds (or even thousands) of internal systems and user accounts. They deeply understand the aspects of the IT environment and are within reach of their target(s).
Phase 6: Exfiltration, corruption, and disruption – The final stage is where cost to businesses rise exponentially if the attack is not defeated. This is when the attacker executes the final aspects of their mission, stealing intellectual property or other sensitive data, corrupting mission-critical systems, and generally disrupting the operations of your business.
The ability to detect and respond to threats early on is the key to protecting a network from large-scale impact. The earlier an attack is detected and mitigated, the less the ultimate cost to the business will be. To reduce the MTTD and MTTR, an end-to-end detection and response process—referred to as Threat Lifecycle Management (TLM) needs to be implemented.
Threat lifecycle management
Threat Lifecycle Management is a series of aligned security operations capabilities and processes that begins with the ability to “see” broadly and deeply across the IT environment, and ends with the ability to quickly mitigate and recover from a security incident.
Before any threat can be detected, evidence of the attack within the IT environment must be visible. Threats target all aspects of the IT infrastructure, so the more you can see, the better you can detect. There are three principle types of data that should have focus, generally in the following priority; security event and alarm data, log and machine data, forensic sensor data.
While security event and alarm data is typically the most valuable source of data for a security team, there can be a challenge in rapidly identifying which events or alarms to focus on. Log data can provide deeper visibility into an IT environment to illustrate who did what, when and where. Once an organisation is effectively collecting their security log data, forensic sensors can provide even deeper and broader visibility.
Once visibility has been established, companies can detect and respond to threats. Discovery of potential threats is accomplished through a blend of search and machine analytics. Discovered threats must be quickly qualified to assess the potential impact to the business and the urgency of response efforts. When an incident is qualified, mitigations to reduce and eventually eliminate risk to the business must be implemented. Once the incident has been neutralised and risk to the business is under control, full recovery efforts can commence.
By investing in Threat Lifecycle Management, the risk of experiencing a damaging cyber incident or data breach is greatly reduced. Although internal and external threats will exist, the key to managing their impact within an environment and reducing the likelihood of costly consequences is through faster detection and response capabilities.