How to Implement a Proactive Cyber Defense Strategy

Image by Mudassar Iqbal from Pixabay

A reactive approach has been practiced in cybersecurity for years and is regarded as the traditional one. It means that only after a vulnerability has been exploited or a security breach has taken place is an analyst able to recognize evidence of an ongoing attack and, hence, take measures to alleviate its negative impact. However, waiting for adversaries to break into your system is not the safest way to go, which is why cybersecurity experts have come up with a new approach: proactive cyber defense.

As you might have guessed, this new approach has one major conceptual difference: it takes into account existing vulnerabilities and potential threats and takes proactive measures to minimize the problems they can cause. Let's explore in more depth the main points to consider when implementing proactive cyber defense.

Behavior-Based Detections

The latest defense-evading activities of cyber attackers are notorious for creating an explosive number of signatures. After installing a backdoor on a victim's machine and establishing a connection with a C&C (command and control) server, adversaries may load multiple files and delete them after execution with the help of obfuscated scripts. As a result, the amount of digital forensic evidence, also known as signatures, grows exponentially. So it becomes increasingly hard, or even useless, to try to capture all the indicators of compromise: not just because there are too many of them, but also because they have a very short lifespan, and it makes no sense trying to catch up with, let's say, hundreds of IOCs if they expire in a few hours.

Then a question arises: how do we detect an ongoing attack, or the probability of an attack, if we don't have any hard evidence to follow? It's like trying to catch a ghost: the thing is non-material, and there is no 100% confidence about how to define what we're observing. Imagine thousands of log entries in a typical SIEM environment. All of them can look legitimate, yet at the same time, some of them might actually be a disguised cyber-attack.

A more effective strategy, in this case, is to try to capture indicators of behavior. This is a more complex concept, yet it can help to gain better visibility of the unknown, or so to say, fileless attacks that are not yet registered in any attack directory, where no one knows for sure what they consist of and how they operate. Yet it's hard to find a skilled professional who can create detection content based on indicators of behavior. If you're struggling to find one, your security team can check out the benefits of MITRE ATT&CK mapping at SOC Prime's Detection as Code platform, where seasoned professionals continuously supply detection items based on IOBs and mapped to the MITRE ATT&CK framework. If you need to implement queries across various vendor-specific formats, you might as well use Uncoder.IO, a free translation tool that instantly converts queries, searches, API requests, and more into the format of the SIEM or EDR/XDR solution that you need.

Penetration Testing

Why wait for attackers to exploit vulnerabilities in your IT infrastructure if you can discover them yourself and make sure you apply the proper protection measures? Some organizations prefer to have an in-house red team that performs penetration testing on a continuous basis, possesses excellent knowledge of all the internal nuts and bolts, and keeps track of threat intelligence feeds to see which vulnerabilities are worth increased attention. Meanwhile, other companies prefer to use the services of certified ethical hackers and let them play with the systems, testing the defenses by trying to breach the security controls.

Both approaches are reasonable and depend on business needs, long-term security strategies, and budgets. For companies that do not like to trust a third party that could potentially gain access to their sensitive data, the best solution is to go for an in-house penetration testing team, although it might be the more expensive option. In other instances, it might be better to focus on the services of dedicated professionals. The terms of ethical hacking are up to negotiation, so if you don't want them to see your sensitive data, they can leave out testing that involves a probability of close access to this data. They might, for example, try to steal credentials, install some files, and not go beyond that.

Altering Detection Mindset

According to prominent cybersecurity expert Anton Chuvakin, modern SOC teams need to work on establishing a completely new mindset. While a lot of cyber professionals are used to working with hard-coded malware that is easier to identify and mitigate, next comes the era of uncertainty, and security teams need to learn to work with that. There is a notion that machine-learning algorithms work better than people, yet they still tend to generate a vast number of false positives that need to be handled by humans and software solutions.

At the current stage of technology development, the threat landscape evolves quickly and changes almost day by day. That's why, even for known vulnerabilities, implementing a detection item that works today doesn't guarantee that in a week it will work as well as it does right now. Adversaries are aware of detection capabilities and are continuously trying to find ways around them. Weak alerts also don't always mean that the detection rules are bad, because the same behavior might be considered good or bad depending on multiple variables, and often it's impossible to mark something as definitely good or definitely bad. So having to continuously deal with uncertainty is the new normal in the cybersecurity domain, and it is necessary to establish this concept as a baseline and create detection routines and solutions that help to better navigate this uncertainty.

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
* This is a contributed article and this content does not necessarily represent the views of itechpost.com
