“More than four out of five organizations we surveyed in 2020 experienced a cybersecurity incident due to the poor security hygiene of a third-party partner,” says Noor Bains, Senior Security Solutions Architect, CDW Canada, speaking at CDW’s BTEX 2021 virtual event. “We understand that partners provide vital services. However, they also provide opportunities for malicious actors to circumvent even the best security controls.”
Bains suggests deploying an identity and access management solution, as well as having an identity and access management process, to ensure that vendors who require access to systems and data can be authenticated and identified. “This process should incorporate regular user attestation and enable the ability to grant removal of user access to data and systems when it is no longer required. Access to data and systems should be enforced, allowing only the required access and visibility to perform the tasks.”
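One way to make that process concrete is to keep a register of vendor grants and review it on a fixed cadence. The following is an added example, not code from the talk or from CDW: it models each third-party grant with what it allows, what the vendor's task actually needs, when an owner last attested it, and when the engagement ends, then flags grants to revoke (attestation overdue or engagement over) or to reduce (permissions beyond the task). The 90-day attestation period, the account names and the dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review cadence: an owner must re-attest every vendor grant within this window.
ATTESTATION_PERIOD = timedelta(days=90)


@dataclass(frozen=True)
class VendorGrant:
    account: str            # the third-party account in our directory
    vendor: str             # which partner it belongs to
    system: str             # system or data set the grant applies to
    permissions: frozenset  # what the grant currently allows
    required: frozenset     # what the vendor's task actually needs (least privilege target)
    last_attested: date     # last time the business owner confirmed the access is still needed
    contract_end: date      # no business justification for access after this date


def review_grant(grant: VendorGrant, today: date) -> list:
    """Return findings for one grant; an empty list means the grant is in good standing."""
    findings = []
    if today > grant.contract_end:
        findings.append("revoke: engagement ended")
    if today - grant.last_attested > ATTESTATION_PERIOD:
        findings.append("revoke: attestation overdue")
    excess = grant.permissions - grant.required
    if excess:
        findings.append("reduce: excess permissions " + ", ".join(sorted(excess)))
    return findings


def review_register(grants, today: date) -> dict:
    """Map every account in the register to its findings."""
    return {g.account: review_grant(g, today) for g in grants}


def accounts_to_revoke(results: dict) -> list:
    """Accounts with at least one 'revoke' finding, sorted for a stable work list."""
    return sorted(acct for acct, findings in results.items()
                  if any(f.startswith("revoke:") for f in findings))


# Constructed sample register (names and dates are illustrative only).
SAMPLE_GRANTS = [
    VendorGrant("svc-vendor-a", "Vendor A", "erp-prod",
                frozenset({"read", "write", "admin"}), frozenset({"read"}),
                last_attested=date(2021, 5, 1), contract_end=date(2021, 12, 31)),
    VendorGrant("svc-vendor-b", "Vendor B", "hr-data",
                frozenset({"read"}), frozenset({"read"}),
                last_attested=date(2021, 1, 15), contract_end=date(2021, 12, 31)),
    VendorGrant("svc-vendor-c", "Vendor C", "build-servers",
                frozenset({"read", "deploy"}), frozenset({"read", "deploy"}),
                last_attested=date(2021, 3, 15), contract_end=date(2021, 3, 31)),
    VendorGrant("svc-vendor-d", "Vendor D", "ticketing",
                frozenset({"read"}), frozenset({"read"}),
                last_attested=date(2021, 5, 20), contract_end=date(2021, 12, 31)),
]

if __name__ == "__main__":
    results = review_register(SAMPLE_GRANTS, date(2021, 6, 1))
    for acct, findings in results.items():
        print(acct, findings or "ok")
    print("revoke:", accounts_to_revoke(results))
```

Run against a real register, the review output becomes the work list for the access-removal step of the process; the "reduce" findings are the least-privilege adjustments that keep a vendor's access limited to the task it performs.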
The evolution from cybersecurity to cyber resilience
“The biggest difference in the security journey from 2000 to 2020 is the approach that more organizations are leveraging,” says Bains. “Two decades ago, when we looked at cybersecurity, a firewall deployment would be considered job done. However, it has been more of a question of not when, but how an organization can be breached. Understanding how quickly we can identify, contain and recover from a breach is essential.”
“Building cyber resilience is really important at this point, making sure that prepare, defend, respond is considered, and the cycle continues to not only understanding your cyber risk, deploy technologies, but also being able to have the forensics teams, if there’s a breach, be able to contain the app and eradicate the threat.”
What is the MITRE ATT&CK framework?
MITRE ATT&CK provides a common language for tactics and techniques across different environments. This enables organizations to map common and dangerous attack chains and ensure appropriate understanding, mitigations and detections are identified. Red teams leverage MITRE ATT&CK techniques for different types of scenarios, depending on the situation.
As an example, an attack scenario would be compromising a device using the Initial Access tactic, then jumping on to the User Access tactic, from Privilege Escalation back to the Execution tactic with PowerShell.
“The MITRE ATT&CK framework helps us to understand our adversaries in order to defend against them,” says Bains. “Cybersecurity practitioners can map MITRE ATT&CK with security control threat predictions to better protect their organizations.”
MITRE ATT&CK also has attack assessments, which can be useful for security engineers and architects in justifying threat-based security improvements. “Assessing how your defences currently stack up to techniques and adversaries in attacks, identify the highest-priority gaps in your current coverage and modify your defences to acquire new ones to address those gaps.”
“It’s very important to start small,” says Bains, “Selecting a single technique to focus on, determine your coverage for that technique and then make appropriate engineering tasks. Once you’re familiar with this process, you can expand this analysis to a larger subset of attack tactics.”
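The coverage exercise described above (pick a technique, determine your coverage for it, then widen the analysis) can be tracked in a small data model. The following is an added example and not the talk's or MITRE's own tooling: it maps an inventory of detections and mitigations onto ATT&CK technique IDs, reports coverage for a single technique, lists the highest-priority gaps, rolls coverage up per tactic, and finds the weakest link in an attack chain like the Initial Access to Privilege Escalation to Execution path mentioned earlier. The technique IDs are real ATT&CK identifiers, but the control inventory, the strength scores and the 0.5 threshold are constructed assumptions.

```python
from collections import defaultdict

# A small slice of ATT&CK keyed by technique ID (real IDs; the selection is an assumption).
TECHNIQUES = {
    "T1566": {"name": "Phishing", "tactics": ["Initial Access"]},
    "T1078": {"name": "Valid Accounts",
              "tactics": ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"]},
    "T1068": {"name": "Exploitation for Privilege Escalation", "tactics": ["Privilege Escalation"]},
    "T1059.001": {"name": "Command and Scripting Interpreter: PowerShell", "tactics": ["Execution"]},
}

# Constructed control inventory: each control is a detection or mitigation, the technique IDs
# it addresses, and an assumed 0..1 strength assigned during the coverage review.
CONTROLS = [
    {"id": "DET-01", "kind": "detection", "techniques": {"T1059.001"}, "strength": 0.7},
    {"id": "MIT-01", "kind": "mitigation", "techniques": {"T1566"}, "strength": 0.5},
    {"id": "DET-02", "kind": "detection", "techniques": {"T1078"}, "strength": 0.3},
]


def coverage_by_technique(techniques, controls):
    """Best detection and best mitigation strength per technique (0.0 when nothing maps)."""
    cov = {tid: {"detection": 0.0, "mitigation": 0.0, "controls": []} for tid in techniques}
    for c in controls:
        for tid in c["techniques"]:
            if tid in cov:
                cov[tid][c["kind"]] = max(cov[tid][c["kind"]], c["strength"])
                cov[tid]["controls"].append(c["id"])
    return cov


def technique_score(entry):
    """Single number per technique: the stronger of detection and mitigation (an assumption)."""
    return max(entry["detection"], entry["mitigation"])


def technique_report(tid, techniques=TECHNIQUES, controls=CONTROLS):
    """The 'start small' step: coverage for one technique and which controls contribute."""
    entry = coverage_by_technique(techniques, controls)[tid]
    return {"id": tid, "name": techniques[tid]["name"],
            "score": technique_score(entry), "controls": sorted(entry["controls"])}


def gaps(techniques=TECHNIQUES, controls=CONTROLS, threshold=0.5):
    """Techniques whose score falls below the threshold, weakest first: the engineering backlog."""
    cov = coverage_by_technique(techniques, controls)
    out = [(tid, techniques[tid]["name"], technique_score(e))
           for tid, e in cov.items() if technique_score(e) < threshold]
    return sorted(out, key=lambda x: (x[2], x[0]))


def coverage_by_tactic(techniques=TECHNIQUES, controls=CONTROLS):
    """Average technique score per tactic, for the wider view once single techniques are done."""
    cov = coverage_by_technique(techniques, controls)
    buckets = defaultdict(list)
    for tid, meta in techniques.items():
        for tactic in meta["tactics"]:
            buckets[tactic].append(technique_score(cov[tid]))
    return {tactic: round(sum(scores) / len(scores), 3) for tactic, scores in buckets.items()}


def chain_weakest_link(chain, techniques=TECHNIQUES, controls=CONTROLS):
    """For an ordered attack chain of technique IDs, the step with the lowest coverage score."""
    cov = coverage_by_technique(techniques, controls)
    return min(((tid, technique_score(cov[tid])) for tid in chain), key=lambda x: x[1])


if __name__ == "__main__":
    print(technique_report("T1059.001"))
    print(gaps())
    print(coverage_by_tactic())
    print(chain_weakest_link(["T1566", "T1068", "T1059.001"]))
```

The strength scores are the subjective part of the exercise; what the model enforces is that every gap and every chain weakness traces back to a named technique and a named control, which is what makes the resulting engineering tasks justifiable.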
4 stages in a security incident response lifecycle
“A cybersecurity response plan needs to empower decision-makers and provide mechanisms to keep them informed,” says Bains. NIST Special Publication 800-61 Rev. 2 – Computer Security Incident Handling Guide identifies the iterative process that incident response efforts take. “It describes everything from tactical decision making to higher levels of strategy, command and control.”
The key stages in this incident response lifecycle are Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.
Preparation – includes authorization, logistics, inventory and operations
Detection & Analysis – includes type, extent and magnitude
- What do we need to know?
- How can we tell?
- What must we preserve and analyze?
Containment, Eradication & Recovery – includes evidence, scope and the challenge of attribution
Post-Incident Activity – review and improve your security posture
- What could have reduced dwell time?
- Did we anticipate this would have been exploited?
- What additional tools or resources are needed?
“Each one of these steps should be tackled one at a time,” says Bains. “Understanding of scope is very important. We don’t want to be in the process of recovery and the attacker is still within the environment, and then you’re back to Square One.”
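The scoping point above can be enforced rather than just remembered. The following is an added example, not the talk's or NIST's own material: it tracks an incident through the SP 800-61 phases, with containment, eradication and recovery split out, and refuses to start recovery while any in-scope asset is still un-contained or un-eradicated. Discovering a new affected asset during recovery sends the incident back to containment, which is the "back to Square One" case. The phase and asset state names are assumptions chosen for the example.

```python
from enum import Enum


class Phase(Enum):
    """Lifecycle phases (assumed split of the combined SP 800-61 stage into three steps)."""
    DETECTION_ANALYSIS = "Detection & Analysis"
    CONTAINMENT = "Containment"
    ERADICATION = "Eradication"
    RECOVERY = "Recovery"
    POST_INCIDENT = "Post-Incident Activity"


class AssetState(Enum):
    SUSPECTED = "suspected"    # in scope, attacker may still have access
    CONTAINED = "contained"    # isolated; attacker cut off from this asset
    ERADICATED = "eradicated"  # malicious artefacts and access removed
    RESTORED = "restored"      # returned to production


class Incident:
    def __init__(self, ident):
        self.ident = ident
        self.phase = Phase.DETECTION_ANALYSIS
        self.scope = {}   # asset name -> AssetState
        self.log = []     # audit trail of phase regressions

    def add_to_scope(self, asset):
        """Record an affected asset. Any new suspected asset means we are containing again."""
        self.scope[asset] = AssetState.SUSPECTED
        if self.phase in (Phase.RECOVERY, Phase.POST_INCIDENT):
            self.log.append(f"{asset} found during {self.phase.value}; returning to Containment")
        self.phase = Phase.CONTAINMENT
        return self.phase

    def contain(self, asset):
        self._transition(asset, AssetState.SUSPECTED, AssetState.CONTAINED)
        # Eradication only starts once nothing in scope is still merely suspected.
        if all(s != AssetState.SUSPECTED for s in self.scope.values()):
            self.phase = Phase.ERADICATION
        return self.phase

    def eradicate(self, asset):
        self._transition(asset, AssetState.CONTAINED, AssetState.ERADICATED)
        return self.phase

    def begin_recovery(self):
        """Return the assets blocking recovery; an empty list means recovery has begun."""
        blockers = [a for a, s in self.scope.items()
                    if s not in (AssetState.ERADICATED, AssetState.RESTORED)]
        if not blockers:
            self.phase = Phase.RECOVERY
        return blockers

    def restore(self, asset):
        if self.phase != Phase.RECOVERY:
            raise RuntimeError("restore is only permitted during Recovery")
        self._transition(asset, AssetState.ERADICATED, AssetState.RESTORED)
        if all(s == AssetState.RESTORED for s in self.scope.values()):
            self.phase = Phase.POST_INCIDENT
        return self.phase

    def _transition(self, asset, expected, new):
        current = self.scope.get(asset)
        if current != expected:
            raise RuntimeError(f"{asset}: expected {expected.value}, found {current}")
        self.scope[asset] = new


if __name__ == "__main__":
    inc = Incident("INC-EXAMPLE")          # constructed identifier
    inc.add_to_scope("host-a"); inc.add_to_scope("host-b")
    inc.contain("host-a")
    print("blocked by:", inc.begin_recovery())   # host-b not yet contained
    inc.contain("host-b"); inc.eradicate("host-a"); inc.eradicate("host-b")
    print("blocked by:", inc.begin_recovery(), "->", inc.phase.value)
    inc.add_to_scope("host-c")               # new evidence mid-recovery
    print(inc.phase.value, inc.log)
```

The blockers list returned by begin_recovery is the scope check made explicit: recovery cannot begin on the strength of a feeling that the environment is clean, only when every asset the investigation identified has been contained and eradicated.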
The CDW approach: Prepare, defend and respond
The CDW approach to helping our customers improve their security posture is comparable to the NIST Cybersecurity Framework, says Bains. This can be broken down into three phases: Prepare, Defend and Respond.
The Prepare phase includes:
- Understanding risk
- Building an effective security program, including the top security talent
- Understanding what are your crown jewels and data flows to those crown jewels
- Threat risk assessments
- Gap assessments
- Third-party evaluations of vendors and partners
The Defend phase includes:
- Implementing defences
- Integrating leading technologies and making sure they are deployed properly, according to the business use case
- Maximizing visibility
- Understanding control
- Making sure logs are properly captured, and understanding how long they are retained for
- Monitoring critical business assets
The Respond phase includes:
- Being able to respond quickly to incidents
- Backup strategy for your critical assets
- Implementing an incident response plan
- Defining a threshold for your breach retainer, if you don’t have an in-house team
- Checking your cyberinsurance policy
“The extent of damage a breach does is directly related to the time it takes to recover from it,” says Bains. “The recommendation we provide to customers is to have a protect, defend, respond methodology.”