Cyberattacks are hitting the headlines around the world and there seems to be no end to the noise that these attacks are making. Worse than the noise is of course the damage these attacks are causing to the impacted organisations who evidently need to change some of their behaviours and strategies to help close the gap.
With that in mind, and to better understand what an organisation should do to avoid being breached, I’ve put together some thoughts:
Getting into the mind of an attacker
Consider this scenario: An attacker lands on a random endpoint in your organisation. What is their first objective? First, they’ll need to identify where they are in the organisation and then scrape the endpoint for cached information. This could include:
Before they make their next move, they’ll of course need to avoid setting off antivirus or leaving any kind of trace.
Stealth is the name of the game, but where to next?
They need to establish multiple ways to stay inside the corporate network in order to move laterally. It’s also worth noting that attacking network and hybrid cloud infrastructures can be very effective for staying persistent. Once this has been established, it’s game on! They’ll be able to:
Now comes reconnaissance through watching and learning, but what are the attacker’s main objectives?
I know, that’s a lot of damage in the final step. But the good news is that if we can detect and stop an attacker before this point, we have a really good chance that no actual damage will occur.
But, what if the attacker is undetected or has accomplished their goals?
Well, they can erase their evidence, backups, logs and malicious files. Keep in mind that ransomware is effective at diverting attention and encrypting evidence. Not only that, but future access can also be sold on the dark web.
As we’ve all seen across the headlines, often it’s “too little too late” and all you’re left with are a lot of questions.
So, what do you need?
Security operations needs to start building the next generation security operations centre (SOC), or SOC v2.0 if you will. The rationale behind the SOC v2.0 concept is that current measures—and how SecOps is built, with a continuous churn of key resources, information overload and siloed technology tooling—are a security risk, even if some of the tooling is adequate.
Building a SOC v2.0 means an approach that is more affordable, less reliant on large numbers of people, detects attacks faster, introduces automation and new analytical techniques, and is ready for the battle against never-before-seen attacks. Please stay tuned for a future post where we’ll go into deeper detail about SOC v2.0.
Henrik Davidsson is director of sales business development at Vectra, where he is responsible for customer value creation & managed service providers. He has over 15 years’ experience working with large enterprises and service providers, always stays on the frontline of new security challenges, and coaches end customers and partners alike on how to augment their security posture and cyber resilience. Henrik has held leading positions at companies such as Cisco, Juniper Networks, VMware, FireEye and NTT Security.