Reducing, and ideally eliminating, the unconstrained operational space of
adversaries, and making attackers' presence known, must be top
priorities for defenders. The reality is that no one can stop all
attacks, or protect everything that can and should be protected. But if
you focus on closing the operational space that cybercriminals must have
for their campaigns to be effective and profitable, you can keep them
from reaching critical systems and data, and deny them the ability to
operate entirely undetected.
This report categorized the different approaches that
adversaries use to compromise and attack users and systems. We based our
categories (reconnaissance, weaponization, delivery, and installation) on
where in the attack chain each technique is typically deployed. This
exercise was meant to illustrate when, how, and where adversaries take
advantage of vulnerabilities and other weaknesses to gain a foothold on a
device or in a system, launch their campaign, and then reap the rewards
they seek.
We suggest that defenders adapt their security
approaches to stay ahead of attackers’ basic processes. For example, to
undermine adversaries during the reconnaissance phase, security teams
should be:
- Gathering information about the latest threats and vulnerabilities
- Ensuring they are controlling access to their networks
- Limiting the organization’s exposure in an expanding attack surface
- Managing configurations
- Developing consistent response practices and procedures that are informed by this work
When weaponized threats are delivered, defenders must apply every tool in
their arsenal to prevent them from spreading and worsening. This is
where an integrated security architecture becomes critical. It
provides real-time insight into threats as well as automated detection and
defense, both of which are essential for detecting and containing
threats quickly.
At the installation phase, security teams must stay informed about the
state of the environment as they respond to and investigate the
compromise. If that environment is simple, open, and automated, and if
defenders have taken the other proactive steps outlined above, they can
then focus their resources on helping the business to answer critical
questions such as:
- What did the attackers access?
- Why were they able to get to it?
- Where did they go?
- Are they still operating in our network?
The answers to these questions will allow security teams not only to take
appropriate actions to prevent further attacks, but also to inform
management and the board about possible exposures and necessary
disclosures. Then, the business can begin the process of ensuring that
it has comprehensive controls and mitigations in place to address any
security gaps identified during the compromise: the weaknesses that
provided the operational space adversaries needed to succeed.