MITRE ATT&CK and new security technology innovation make this possible.

Security professionals have always been told to “think like the enemy.” This philosophy could start with a series of questions like: How could an adversary gain a foothold in one of our systems? How would they circumvent our security controls? How would they find and exfiltrate our sensitive data? Armed with knowledge about what an adversary would do, security teams could then design countermeasures to impede or even stop the bad guys in their tracks.

Good strategy, but most security professionals don’t have the knowledge or skills to take an adversary’s perspective. CISOs, recognizing the value of thinking like the enemy, have overcome this deficit by conducting penetration testing or red teaming exercises, attacking themselves to test their defenses. Such exercises can be quite valuable. ESG research finds that:

- 47% of organizations believe that penetration testing/red teaming is a best practice for risk assessment and reduction, and use these exercises to uncover previously unknown vulnerabilities, expose blind spots, and test security controls. Once test results are in, CISOs can pinpoint areas needing improvement.
- 39% of organizations conduct penetration testing/red teaming after experiencing some type of security incident to assess risk. In this case, security testing can expose what went wrong.
- 38% of organizations conduct security tests in response to executive management/board of directors mandates. Here, security tests give security and business teams a baseline for cyber-risk assessment, future planning, and investment priorities.
- 35% of organizations conduct penetration testing/red teaming after another firm in their industry has experienced a data breach. This is especially useful to gauge whether an organization is susceptible to the latest cyberattacks plaguing a particular industry.

Given this broad agreement on the value of such testing, what’s the problem? Security testing is complex, expensive, and dependent upon highly skilled professionals. Thus, most organizations can only do security testing periodically. ESG research reveals that 37% conduct penetration tests or red teaming exercises once a month or less. When they do perform these tests, they tend to do so on a limited basis—on a single application, data center, network segment, etc. This means that test results don’t provide a complete picture, and with the ever-changing attack surface, test results lose their relevance quickly over time.

What can organizations do to make thinking like the enemy part of their daily standard operating procedure? They can start by embracing the MITRE ATT&CK framework. First introduced in 2015, MITRE ATT&CK is described as “a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” When bad guys act, MITRE ATT&CK categorizes each step they take within an overall cyber-threat taxonomy. Because this classification is granular, MITRE ATT&CK acts as a mapping tool for defenders to understand how each action fits into an overall attack. Beyond MITRE ATT&CK, organizations can move on to what MITRE calls a threat-informed defense, which “applies a deep understanding of adversary tradecraft and technology to protect against, detect, and mitigate cyber-attacks.” A threat-informed defense is meant to directly counteract cyber-attackers by reacting to their tactics, techniques, and procedures (TTPs) with tailored defenses for threat prevention and detection.

As for technology that supports thinking like the enemy, we suggest:

- Adopting breach and attack simulation (BAS) technology. This technology codifies penetration testing/red teaming within software and can be used for continuous testing of security controls and processes. Many of these tools ship with tests that follow the MITRE ATT&CK framework and emulate known adversary groups and/or cyberattack campaigns. Vendors like AttackIQ, CyCognito, Cymulate, Randori, and SafeBreach play in this space.
- Exposing and managing the attack path. Rather than test everything, attack path management is designed to uncover the most likely attack paths an adversary might take to gain network access and compromise business-critical assets. Once these paths are revealed, security teams can identify choke points (i.e., resources common to many kinds of attack vectors) and define the right remediation actions. XM Cyber takes this approach.
- Exploring new cyber-range options. Cyber-ranges can be used to emulate an organization’s IT and security infrastructure, providing a test bed for penetration testing, red teaming, and tabletop exercises. Cyber-ranges used to be limited to well-resourced organizations due to cost and complexity, but cloud-based options from vendors like CloudRange, Cyberbit, Fifth Domain, and SimSpace use public cloud infrastructure to bring the benefits of cyber-ranges to the masses.

Security professionals have numerous other suggestions to improve security testing. ESG research finds that 40% suggest establishing KPIs, metrics, and reports that could help communicate the importance of penetration testing/red teaming to the business; 35% recommend purchasing, deploying, and operationalizing attack surface management solutions that discover and security-test all exposed assets; 32% advise improving our ability to analyze test results and prioritize remediation actions by exploitability; and 32% propose creating a “purple team” model where testers and defenders work more collaboratively on what to test and how to respond.
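As an added illustration (not code from the article or from any of the vendors it names), the following Python script shows what the threat-informed loop looks like once BAS output is tagged with ATT&CK tactics and techniques: coverage is scored per tactic, uncovered techniques are ranked as choke points by how many emulated campaigns share them, and the first step of each campaign that went unseen is reported. The technique IDs are real ATT&CK identifiers; the campaign names and test outcomes are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: one record per emulated adversary step from a BAS run.
# Technique IDs are real ATT&CK identifiers; campaigns and outcomes are made up.
BAS_RESULTS = [
    # (campaign, tactic, technique, prevented, detected) in kill-chain order
    ("APT-A", "initial-access", "T1566", False, True),
    ("APT-A", "execution", "T1059", False, True),
    ("APT-A", "credential-access", "T1003", False, False),
    ("APT-A", "lateral-movement", "T1021", False, False),
    ("APT-A", "exfiltration", "T1041", False, False),
    ("RANSOM-B", "initial-access", "T1078", False, False),
    ("RANSOM-B", "execution", "T1059", False, True),
    ("RANSOM-B", "credential-access", "T1003", False, False),
    ("RANSOM-B", "lateral-movement", "T1021", False, False),
    ("RANSOM-B", "impact", "T1486", True, True),
]

def coverage_by_tactic(results):
    """Fraction of emulated steps per tactic that were prevented or detected."""
    totals, hits = defaultdict(int), defaultdict(int)
    for _, tactic, _, prevented, detected in results:
        totals[tactic] += 1
        hits[tactic] += int(prevented or detected)
    return {tactic: hits[tactic] / totals[tactic] for tactic in totals}

def choke_points(results):
    """Uncovered techniques ranked by how many emulated campaigns rely on them;
    closing a gap shared by several attack paths removes a step from each."""
    campaigns, covered = defaultdict(set), set()
    for campaign, _, technique, prevented, detected in results:
        campaigns[technique].add(campaign)
        if prevented or detected:
            covered.add(technique)
    gaps = [t for t in campaigns if t not in covered]
    return sorted(gaps, key=lambda t: (-len(campaigns[t]), t))

def first_blind_step(results):
    """Per campaign, the earliest step that was neither prevented nor detected."""
    blind = {}
    for campaign, tactic, technique, prevented, detected in results:
        if campaign not in blind and not (prevented or detected):
            blind[campaign] = (tactic, technique)
    return blind

if __name__ == "__main__":
    print("coverage by tactic:", coverage_by_tactic(BAS_RESULTS))
    print("choke points:", choke_points(BAS_RESULTS))
    print("first blind step:", first_blind_step(BAS_RESULTS))
```

Re-running the script after each BAS cycle turns the periodic test into the continuous, ATT&CK-mapped view the article argues for, with the choke-point list as the remediation queue.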
Given today’s threat landscape, thinking like the enemy is not a cybersecurity platitude, it’s a growing requirement. The sooner we operationalize this philosophy, the better.