The cyber world is filled with scary threats and new buzzwords, none of them bigger than AI. As boards, CEOs, and security leadership teams decide where to put their energy and time going forward, I'm going to propose a perhaps controversial recommendation.
More important than identifying a strategy against any particular attack vector, type of intrusion, or buzzword is building the confidence to run your business regardless of how techniques and attacks change.
The connection between the listener and the worker processes was tenuous, and any time the listener crashed and rebooted, all the worker processes had to be restarted, leading to outages for any and all mobile devices currently trying to utilize the service.
My recommendation to security teams everywhere is to learn from this story.
There will always be time to implement a specific solution against a specific attack vector.
Regardless of how an attacker breaches the perimeter, their malware still needs to beacon out for instructions - for lateral movement, privilege escalation, data exfiltration, and even encryption.
The infrastructure it beacons out to, commonly called command-and-control (C2), by definition must be created and established before the attack is launched, and must be reachable from the victim network, which in practice usually means a domain name that the implant resolves through DNS. (Some malware instead uses hard-coded IP addresses, or encrypted DNS to a third-party resolver, which is why the DNS view needs to be paired with visibility into all outbound connections.)
The digital exhaust common to any attack today is the beaconing activity to command-and-control.
The metadata inside an organization's environment that can be turned into key intelligence is the set of DNS lookups that precede connections to command-and-control, because resolving that destination is typically the first observable step after initial compromise.
If you can combine visibility into all outbound communication from your environment with expertise in what is, and what isn't, command-and-control or adversary infrastructure on the Internet, then you can ensure that any breach is identified and stopped in near real time.
So let's talk about these two pieces - visibility into outbound communication and adversary infrastructure expertise.
It's also a great mechanism for seeing infections in IoT devices and other connected devices in the organization, because they use the network just like any other device, and therefore their outbound communication to command-and-control can still be observed at the DNS level.
The key is matching this visibility against expertise in adversary infrastructure so that you can make a well-informed and accurate decision about whether or not the destination is command-and-control.
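To make the two pieces concrete, here is an added example (not code from the article or from any vendor it describes) that runs the matching step over DNS query logs: each lookup is checked against an adversary-infrastructure indicator list, matching on the indicator domain and any label beneath it, and lookups that miss the list are still checked for fixed-interval periodicity, the beaconing pattern the article describes. The log format, the indicator domains, the client addresses and the thresholds are all constructed for the example.

```python
"""Match outbound DNS query logs against an adversary-infrastructure indicator
list and flag periodic (beacon-like) lookups.

Added example for this article; not the article's or any vendor's code.
The log format, the indicator list, the sample lines and the thresholds
are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator set: domains an intelligence source has tagged as C2.
# A query matches if it equals an indicator or is a subdomain of one.
C2_INDICATORS = {
    "update-check.example.net",
    "cdn-sync.example.org",
}

# Constructed query-log lines in a simplified "timestamp client qname" format.
SAMPLE_LOG = """\
2024-01-05T09:00:00 10.1.2.3 www.example.com
2024-01-05T09:00:04 10.1.2.3 api.update-check.example.net
2024-01-05T09:00:07 10.1.2.9 mail.example.com
2024-01-05T09:01:04 10.1.2.3 api.update-check.example.net
2024-01-05T09:02:05 10.1.2.3 api.update-check.example.net
2024-01-05T09:03:04 10.1.2.3 api.update-check.example.net
2024-01-05T09:00:10 10.1.2.7 beacon.unknown-infra.example
2024-01-05T09:05:10 10.1.2.7 beacon.unknown-infra.example
2024-01-05T09:10:11 10.1.2.7 beacon.unknown-infra.example
2024-01-05T09:15:10 10.1.2.7 beacon.unknown-infra.example
2024-01-05T09:20:10 10.1.2.7 beacon.unknown-infra.example
2024-01-05T09:00:30 10.1.2.9 docs.example.com
2024-01-05T09:07:12 10.1.2.9 www.example.com
2024-01-05T09:31:55 10.1.2.9 docs.example.com
"""


def parse_log(text):
    """Return (timestamp, client, qname) tuples; qname is lower-cased and
    stripped of a trailing dot so it compares cleanly against indicators."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return records


def matches_indicator(qname, indicators=C2_INDICATORS):
    """Return the indicator that qname equals or sits under, else None.
    Walks the name label by label so a.b.c2.example matches c2.example."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def beacon_score(timestamps, min_queries=4, max_jitter=0.15):
    """Periodicity check on a sorted series of lookup times for one
    (client, qname) pair. Returns (mean_gap_seconds, jitter) where jitter is
    stdev/mean of the gaps, or None if there are too few lookups or the
    gaps are too irregular to look like a fixed-interval beacon."""
    if len(timestamps) < min_queries:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    jitter = pstdev(gaps) / avg
    if jitter > max_jitter:
        return None
    return avg, jitter


def analyse(log_text, indicators=C2_INDICATORS):
    """Return findings: known-C2 hits first, then beacon-like periodic
    lookups to destinations the indicator list does not yet know."""
    by_pair = defaultdict(list)
    findings = []
    reported = set()
    for ts, client, qname in parse_log(log_text):
        by_pair[(client, qname)].append(ts)
        hit = matches_indicator(qname, indicators)
        if hit and (client, hit) not in reported:
            reported.add((client, hit))
            findings.append({"client": client, "qname": qname,
                             "type": "known_c2", "indicator": hit})
    for (client, qname), times in by_pair.items():
        if matches_indicator(qname, indicators):
            continue  # already reported with higher confidence above
        score = beacon_score(sorted(times))
        if score:
            findings.append({"client": client, "qname": qname,
                             "type": "beacon_like",
                             "interval_s": round(score[0]),
                             "jitter": round(score[1], 3)})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample data this reports one known-C2 hit (10.1.2.3 resolving a subdomain of a listed indicator) and one beacon-like pattern (10.1.2.7 querying an unlisted name every 300 seconds), while the ordinary browsing from 10.1.2.9 produces nothing. The periodicity heuristic is a triage signal, not a verdict: it catches only fixed-interval beacons, misses jittered ones, and will also flag legitimate pollers such as update checks, so in practice it feeds an analyst or an enrichment step rather than a block action.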
Many have tried to solve this problem by detonating and analyzing new malware in real time, but this strategy fundamentally hinges on hope - hope that the sample is obtained and detonated, that its command-and-control is correctly identified, and that it is added to a deny list before you are attacked with it.
Hope is not a strategy that allows a security practitioner to get a confident, good night of sleep.
Visibility into all outbound communication, compared in real time against an adversary infrastructure intelligence source, is exactly the resiliency strategy that organizations of all sizes need to prioritize as they consider their 2024 roadmap and set of initiatives.
It is more important than blocking any specific attack vector, and more important than following the buzz-word bingo of the day.
The priority needs to be making sure that your organization has resilience built into the architecture - in part because everyone will unfortunately be breached, and in part to provide a backstop and detection method for whatever new attack vector gets utilized and weaponized in the future.
Replace legacy allow-and-deny lists and all other approaches tenuously built on the strategy of hope, and instead rely on up-to-the-minute intelligence of adversary infrastructure to identify and stop cyber attacks in your environment.
Only then will you, the security team, the CEO and the Board have confidence in the face of ever-changing attacks.
This Cyber News was published on www.cyberdefensemagazine.com. Publication date: Sun, 07 Jan 2024 06:13:06 +0000