What You Can’t See: Visualizing and Addressing MITRE ATT&CK Coverage Gaps with Threat Navigator

In this blog post, Marie Singleton and Pascal Reymond outline the onboarding process and core ideas behind Threat Navigator, Kudelski Security’s technology that enables clients to understand, visualize – and remediate – their security visibility & threat detection gaps. Delivered as standard for all clients of our Managed Detection and Response platform, Threat Navigator aligns closely with the MITRE ATT&CK Framework.

See how Threat Navigator helps you cover your MITRE ATT&CK gaps

There’s an old expression – based very loosely on Socrates – that says: “You don’t know what you don’t know”. In the security world, this adage has been adapted to “you don’t know what you can’t see” and a whole industry has been built around helping organizations gain true visibility into their threat landscape. The focus is on helping them understand what they should be looking at (their security visibility priorities) and whether they have the technology set up to enable that or not (the gaps in their visibility).

Get this right and you get security posture right. Easier said than done: obtaining this visibility in a way that is both easy and consumable is no small task.

Kudelski Security’s Threat Navigator aims to help clients by answering this difficult challenge.

Engagements with clients usually go through several steps, starting with determining the client’s coverage (or lack of coverage) and ending with determining how to close the priority gaps.

Step One: Determine your overall coverage (or lack of coverage)

Our reference for visualizing coverage is the MITRE ATT&CK Framework. Using this framework, your coverage is expressed as the set of techniques against which you have visibility and detection capability. Which techniques you can cover is determined by:

  • The technology you are using (EDR, SIEM, …)
  • The detection rule capability of the technology
  • The data sources that can help trigger those detection rules
  • Other qualitative factors, such as detection rule quality (false-positive rate, …), the ability to investigate, …

Any coverage gaps are marked by a cross in the Threat Navigator

Step Two: Determine what your security priorities are

To answer this question, we need to consider the client context and, in particular, which techniques Threat Actors might use against you. Some of this information can be calculated, such as:

  • The client’s industry vertical
  • The Threat Actors known to target this vertical
  • The Techniques used by those threat actors
  • Other factors taken into consideration are based on the client’s full context – more on this a bit later

In this example, the prioritized technique is highlighted in blue (while the non-prioritized technique is grey).

Once you have compiled your coverage and your priorities, you have a full overview of your priority gaps (each card represents a MITRE Tactic and each circle an individual MITRE Technique).

The Threat Navigator shows the client coverage and focuses on priority gaps in an easily consumable, high-level view.

So, the problem is solved?

Well, that would be too easy, right?

This initial outcome already provides you with a good first idea of your priorities, but not the full picture yet. There are still a few answers that are missing, which leads to the next step: deciding what gaps you should prioritize.

Step Three: Determine what coverage gaps you should prioritize

There are different approaches to prioritizing your coverage gaps. The approach we have taken with the Threat Navigator is to rank gaps by the number of Threat Actors using a particular technique. Although other approaches might also work, this is a simple, quantitative method that represents the priority in an easily consumable way.

MDR Threat Navigator: Top Visibility Gaps

When you land on the coverage page, the Threat Navigator will show you your top 5 gaps as well as a Threat Coverage score.

What about the remaining security coverage gaps?

As mentioned earlier, Threat Navigator will show you the top 5 gaps on the landing page. However, you will still have the ability to review the full list of remaining gaps in the “Recommended Actions” section.

In this section, the “Open” tab will show you all your potential gaps based on the internal calculation; however, this method might overlook client-specific considerations. This is why we give the user the ability to make decisions such as:

  • Prioritize a technique: A technique gap might be low on the list, but for the user, it might be of particular importance, so we allow a user to prioritize a technique to ensure they always have an eye on it.
  • Dismiss a technique: On the other hand, a technique might not be relevant for the client (for any number of different reasons), which is why we’ve built a workflow to allow the user to “dismiss” a technique while providing additional information on this decision. In future reporting, the reason for dismissal will always be noted for reference.

What if the information is not accurate?

The coverage, the gaps, and the priority are all determined by the processed client data and the implemented logic… but what if the information is not complete or accurate?

Although we aim to provide the best coverage and gap information possible, there are still a few ways that the data might not be fully representative of the client’s situation, such as:

  • The client may have other security tools, not managed by Kudelski Security, which might cover some gaps
  • The client may decide that a particular gap is covered (or not covered) and, therefore, want to show a refined representation of its security posture
  • The client may think that some Threat Actors are under or overrepresented

So, how do we solve that?

This is probably one of our favorite features in the Threat Navigator: Client-Modified Coverage.

Clients can easily switch from the Kudelski Security gap calculation to their modified gap calculation, making the Threat Navigator not a vendor-specific tool, but a true client tool.

Let’s review what you can modify:

Technique coverage:

  • Any technique (and sub-technique) can be easily overridden by editing the coverage status. In doing so, the user can add a comment to explain the rationale (which will be stored in reporting). Other users will be able to see who modified the technique, when it was modified, and what the reasoning behind the decision was.

Data source:

  • Let’s say that you have a data source that is not activated in the Threat Navigator (maybe it’s managed by another vendor, or Kudelski Security just doesn’t have the information). You can simply edit any data source, and your coverage will adapt accordingly.

Threat actors & vertical(s):

  • What if you operate in more than one industry vertical and you believe that some Threat Actors are targeting you in particular? The Threat Navigator allows you to change those parameters and review how it modifies your gaps.

Step Four: What should I do with the information I have? How, practically, do I close the gaps?

Now that you have defined the best representation of your gaps, there are a few things you can do.

The first thing you can do is download your coverage (in CSV or ATT&CK Navigator format) to manipulate the data in your system the way you want.

An advantage of the CSV download is that it will provide you with all the additional details you may need (such as why a technique has been marked as covered/not covered, by whom, and when).

The second thing you can do – and arguably the most important thing – is understand how you can cover those gaps. To answer this question, it’s important to recognize the different scenarios that can arise:

  • A data source is missing.
    • This should be your number one focus. Is there any data source that you already have that is currently not used to cover those gaps? Threat Navigator helps you determine the potential data sources for each technique.
  • There is a technology limitation.
    • Some technologies have limitations in their coverage capabilities: a rule may be active for technology A but not for technology B. Our detection team does its best to bridge such technology gaps, but they can occur.
  • No rule exists to efficiently cover a technique.
    • This is the least preferred scenario, but it is possible that no data source and/or rule is currently available to cover a technique. The next phase of our Threat Navigator aims to compile all client data to highlight the most common gaps and ways to cover them efficiently.
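The four steps above, as an added worked example that is not Threat Navigator’s own code (Kudelski Security has not published its implementation): a small Python model in which coverage is derived from detection rules and active data sources (step one), priority is the number of threat actors targeting the client’s vertical that use a technique (steps two and three), client overrides and dismissals carry a reason, user and timestamp, and the result is exported as CSV and as a minimal ATT&CK Navigator layer (step four), along with the data sources that would unlock a rule for a given gap. The technique IDs are real ATT&CK IDs; the rule catalogue, data-source names, actor profiles (ACTOR-A, ACTOR-B, ACTOR-C), the coverage-score formula and the Navigator layer version string are all constructed assumptions.

```python
"""Toy model of the coverage / priority-gap workflow. All data below is constructed;
technique IDs are real ATT&CK IDs, everything else (rules, sources, actors) is made up."""
import csv
import io
import json
from dataclasses import dataclass, field

# Constructed rule catalogue: technique -> rules, each rule = the data sources it needs.
# (Assumed data-source names; a real catalogue would come from the SIEM/EDR content.)
RULES = {
    "T1566": [{"Network Traffic", "Application Log"}],      # Phishing
    "T1059": [{"Process Creation"}, {"Command Execution"}],  # Command and Scripting Interpreter
    "T1003": [{"Process Access"}],                           # OS Credential Dumping
    "T1021": [{"Logon Session", "Network Traffic"}],         # Remote Services
    "T1486": [],                                             # Data Encrypted for Impact: no rule yet
    "T1078": [{"Logon Session"}],                            # Valid Accounts
}

# Constructed actor profiles (placeholder names, not real groups): verticals targeted, techniques used.
ACTORS = {
    "ACTOR-A": {"verticals": {"finance"}, "techniques": {"T1566", "T1059", "T1003", "T1486"}},
    "ACTOR-B": {"verticals": {"finance", "energy"}, "techniques": {"T1566", "T1078", "T1021", "T1486"}},
    "ACTOR-C": {"verticals": {"healthcare"}, "techniques": {"T1059", "T1021"}},
}

@dataclass
class Override:
    """Client-modified coverage: the decision plus who made it, when and why."""
    covered: bool
    reason: str
    user: str
    when: str  # ISO 8601 timestamp

@dataclass
class ClientContext:
    verticals: set
    active_sources: set
    overrides: dict = field(default_factory=dict)  # technique -> Override
    dismissed: dict = field(default_factory=dict)  # technique -> reason for dismissal

def step1_coverage(ctx):
    """Step one: covered if some rule has all its data sources active, unless overridden."""
    covered = {}
    for tech, rules in RULES.items():
        calculated = any(needed <= ctx.active_sources for needed in rules)
        ov = ctx.overrides.get(tech)
        covered[tech] = ov.covered if ov else calculated
    return covered

def step2_priorities(ctx):
    """Steps two and three: score each technique by the number of actors that both
    target one of the client's verticals and use the technique."""
    scores = {}
    for actor in ACTORS.values():
        if actor["verticals"] & ctx.verticals:
            for tech in actor["techniques"]:
                scores[tech] = scores.get(tech, 0) + 1
    return scores

def priority_gaps(ctx, top_n=5):
    """Prioritised techniques that are neither covered nor dismissed, highest score first."""
    covered, scores = step1_coverage(ctx), step2_priorities(ctx)
    gaps = [(t, s) for t, s in scores.items() if not covered[t] and t not in ctx.dismissed]
    return sorted(gaps, key=lambda ts: (-ts[1], ts[0]))[:top_n]

def coverage_score(ctx):
    """Assumed score definition: percent of prioritised, non-dismissed techniques covered."""
    covered, scores = step1_coverage(ctx), step2_priorities(ctx)
    scoped = [t for t in scores if t not in ctx.dismissed]
    return round(100 * sum(covered[t] for t in scoped) / len(scoped)) if scoped else 100

def missing_sources(ctx, tech):
    """Step four: per existing rule, the data sources that would have to be activated."""
    return [sorted(needed - ctx.active_sources) for needed in RULES[tech]]

def export_csv(ctx):
    """CSV download carrying the who/when/why of every client override."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["technique", "covered", "source", "reason", "user", "when"])
    for tech, cov in step1_coverage(ctx).items():
        ov = ctx.overrides.get(tech)
        w.writerow([tech, cov, "client override" if ov else "calculated",
                    ov.reason if ov else "", ov.user if ov else "", ov.when if ov else ""])
    return buf.getvalue()

def export_navigator_layer(ctx, name="Coverage"):
    """Minimal ATT&CK Navigator layer (layer version string assumed): covered techniques
    green, prioritised gaps red, unprioritised gaps grey."""
    covered, scores = step1_coverage(ctx), step2_priorities(ctx)
    techs = [{"techniqueID": t, "score": scores.get(t, 0),
              "color": "#8ec843" if cov else ("#ff6666" if t in scores else "#cccccc"),
              "comment": ctx.overrides[t].reason if t in ctx.overrides else ""}
             for t, cov in covered.items()]
    return json.dumps({"name": name, "versions": {"layer": "4.5"},
                       "domain": "enterprise-attack", "techniques": techs}, indent=2)

if __name__ == "__main__":
    client = ClientContext(verticals={"finance"}, active_sources={"Process Creation", "Logon Session"},
                           overrides={"T1566": Override(True, "Covered by another vendor's email gateway",
                                                        "alice", "2024-03-01T10:00:00Z")})
    print("Top gaps:", priority_gaps(client))                # [('T1486', 2), ('T1003', 1), ('T1021', 1)]
    print("Threat coverage score:", coverage_score(client))  # 50
    print("Sources that would unlock T1021:", missing_sources(client, "T1021"), export_csv(client))
```

With the constructed finance client, T1486 (used by both relevant actors, no rule at all) ranks first, and T1021 shows that activating the “Network Traffic” source would unlock an existing rule, which is the “data source is missing” scenario the text says to focus on first. Dismissing a technique removes it from both the gap list and the score denominator, so a dismissal with a recorded reason is auditable in the CSV rather than silently improving the number.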

Where do we go from here?

At Kudelski Security, we are particularly excited by the value Threat Navigator will bring our clients. An innovative, dynamic approach to visualizing your threat coverage gaps drives us all forward to a more secure future.

Request the Threat Navigator demo and see for yourself!

“I’m a New Security Leader and My Business Has Been Breached. What Next?” An Eight-Step Guide to Managing a Cyber-Attack for the First Time.

It comes as no surprise to anyone who follows industry news that reports of cybercrime are increasing. While no security leader ever gets ‘used’ to being breached, the first time it happens is especially daunting.

This is a guide put together for new security leaders, based on discussions with our Incident Response team and CISOs from various backgrounds who have dealt with breaches more than once.

It’s worth saying that there is no one-size-fits-all answer to the question: ‘What should I do when a cybersecurity incident happens?’ The truth is there are no golden rules or magical solutions as every breach will be unique.

Breaches vary in the attack vectors used and in the technologies a company relies on. There are, however, simple-to-follow guidelines to set you on the right path to recovery.

Watch Darrell Switzer talk on Four Things His Clients Wished They’d Done Before Getting Breached.

Step 1: Remain Calm

Staying calm may be easier said than done when you get that sinking feeling that your company has been hacked. It’s not just the hack, it’s how it could potentially impact your business, the brand, and the bottom line. It’s all about staying calm, and not doing the things below that make it hard for an incident responder to investigate a case properly.

Things to avoid include:

  • Deleting valuable data (preservation of artifacts is key!)
  • Resetting any passwords or disabling any accounts without a plan
  • Attempting to contact the threat actor
  • Attempting to fix the problem or patch a system without a plan

Step 2: Determine the Scope of the Breach

A response to a breach is more effective after an initial analysis of the full incident. Ask yourself the following:

  • ‘Have I identified what was compromised?’
  • ‘How did it happen?’
  • ‘When did this occur and over what time period?’
  • ‘What actions did the threat actor perform?’

Answers to these questions will help the responders decide how best to proceed in containing and eliminating the attack.

Step 3: Make a First-Steps Response Plan and Act

When it comes to addressing a cyber-attack, we all know time is of the essence. It is crucial to act swiftly, but also to be guided by the process. The information you gain about the incident should be enough to help you plan your first steps. By no means does this plan need to be fully comprehensive, with assigned roles and timelines, but it should include a clear step-by-step process for the preliminary stages of the response.

The most important thing to say here is that incident preparedness matters. Cyber playbooks and planning can – and should – be done well in advance of a breach. In your first months as a new security leader, you should organize red teaming and purple teaming exercises, cyber crisis simulations, and incident response readiness plans and playbooks.

One of the major threats you will have to face at some point in time is ransomware. This threat is worth spending focused time on. There are plenty of resources out there – you may find the guides below, which we compiled with a wide range of incident response practitioners, useful:

Download ‘What to Do in the First 24 hours’ of a ransomware attack for advice on immediate response.

Download the Ransomware Response Playbook, a detailed guide to planning and preparing for a ransomware attack, with technology, people, and processes considered in full.

Step 4: Containment

With any security incident, a key step is to ‘stop the spread’. Several factors need to be considered, for example:

  • Does the company have an Endpoint Detection and Response (EDR) system that could be used to contain the asset remotely or does this need to be done physically by pulling the network from the asset?
    • If the asset must be physically contained, can you locate it based on the information available?
  • Are you dealing in the first instance with a user’s workstation or a server?
    • A workstation is easier to take offline with the impact limited to a single user. If we’re talking about a server, the impact widens.
    • What services are impacted if this server were taken offline?
      • This is worth careful consideration. If the organization affected is a manufacturing plant, any downtime would lead to material financial losses.

If threat actors have already been in the network for many months, it could be unwise to begin containment. This can alert the threat actors to the fact that they have been discovered and can trigger them to launch their end game – e.g., destruction of data, ransomware deployment, etc.

You’ll gain much more if you observe their behavior and discover how much of the network they have infiltrated. Then, you can make a plan on how to effectively contain the breach all at once and minimize damage.

Step 5: Find an Expert

Breaches can cause significant financial damage. How the incident is handled can further impact the depth of that damage. Regardless of your company’s security posture and maturity, it’s always worth reaching out to respected experts, a tried-and-tested cyber emergency response team, whose experience and know-how could save time and money.

Managed Detection and Response providers benefit from exposure to a broader spectrum of technologies, environments, and threat intelligence than a single-focus incident response firm. A good provider will be well placed to respond to an incident in any environment and work effectively in every unique situation.

Step 6: Reporting the Breach

Business leaders must handle the reporting stage of any incident with caution, as there are financial and reputational implications, ranging from public perception to fines and penalties. It is imperative that all aspects and angles of the breach are discussed. You’ll need to cover all topics, including:

  • Technical details of what was achieved by the threat actors
  • Possible ramifications of those actions

You must consult Public Relations and Legal teams to devise a proper course of action and messaging for media, shareholders, and staff.

Depending on the impact of the incident, there will be questions from various stakeholders and scrutiny of how the company handled the incident, so you need to get this right.

It goes without saying that it’s best to avoid denying facts that may later come to light and lead to a backlash. Note that if you are in a highly regulated space, such as finance, public utilities, or education, you’ll likely have compulsory reporting processes to the government or other regulatory bodies, which you need to adhere to.

Step 7: Recovery

The recovery process depends on the scale of the incident.

For minor incidents, recovery could simply include:

  • Removing malicious artifacts from the system
  • Patching a vulnerability and updating all software to its latest release
  • Deploying an endpoint detection and response (EDR) agent

Larger incidents may need you to redeploy infrastructure or build a clean environment from scratch, which will have considerable time and financial implications.

Regardless of the situation, it is best to prioritize what requires the least amount of time to implement while securing the environment against further attack. This process includes putting in place targets that will help you achieve other goals to strengthen the overall security posture of the business.

Step 8: Post-Mortem

Regardless of whether you were able to stop the attack before deep damage was done, or whether you were only able to contain and eliminate the threat after data exfiltration took place, the post-mortem is a key step that will help ensure you build resilience.

You need to ask some simple questions:

  • What were the root causes of the incident?
  • How could the incident have been prevented?
  • What changes can be made to minimize the risk of a similar incident occurring in the future?

And regardless of the scenario, preparation for the future is key. In an incident, an attacker reveals the holes in the security of the business, and this is the perfect opportunity to address them and work towards increased cyber resilience.

Schedule compromise assessments and penetration tests as well. These will reveal any active threats in your environment and enable you to stay ahead of the curve.

Think about getting in touch with your Incident Response service provider to ensure they are providing you training in the form of threat simulations, playbooks, and scenario planning.

As said earlier on, preparation is key.

No-one judges a CISO on being unable to stop an incident, but they will look closely at how you respond to it. And good preparation will help ensure you’re not left scrambling to get a robust response plan together.

Our top cybersecurity predictions for 2023

It’s the time of year when the industry begins making its top cybersecurity predictions for the year ahead. Gartner, among others, recently released their top 8 cybersecurity predictions for 2023, writing that supply chain and geopolitical issues will continue to dominate cybersecurity.

In this article, our team looks into the proverbial crystal ball to share their top cybersecurity predictions and what initiatives security leaders should prioritize for 2023.

What Cybersecurity Lessons Did We Learn in 2022?

The breaches, hacks, and cyber breakdowns in 2022 taught us many cybersecurity lessons that we can use to improve security in the new year. Lessons learned include:

  • You can’t rely on MFA.
  • Company stakeholders, including VCs and board members, must have insight into their company’s security stance.
  • Don’t sacrifice security for a 1% improvement of your product. Constant re-architecting creates numerous security holes.
  • Continuous security is mandatory for blockchain. Instead of one-time assessments at launch, teams should strive for continuous validation throughout the project lifecycle.

What Are the Top Cybersecurity Predictions for 2023?

The top cybersecurity predictions for 2023 identified by the team of experts at Kudelski Security are:

  1. Basic, human-targeted attacks will be the biggest risk to cyber defenses.
  2. Zero trust will replace VPN.
  3. Insider and third-party risk will rise.
  4. Reliance on passwords will decline.
  5. Skepticism around blockchain security and availability will continue.
  6. Quantum-interested companies will need to start assessing risks.

Prediction #1: Basic, human-targeted attacks, like ransomware, phishing, and email attacks will be the biggest risk to cyber defenses.

In 2023, we will see the most basic security attacks — email compromise, active directory attacks, ransomware, phishing, and multi-factor authentication attacks — continue to be the most effective and lucrative for cybercriminals.

Whenever humans are introduced into the security equation, they immediately create holes in the corporate cyber defense system. Phishing and emerging MFA bombing schemes are more sophisticated than ever and will render cybersecurity training ineffective.

To combat these attacks, corporate security teams should not trust human factors. Instead, they should adopt an offensive security posture. Detection and response initiatives should focus on preventative features instead of reactive quick fixes.

Will your threat detection and response strategies stand up to advanced threats? Watch our webinar to learn how to improve program maturity.

Prediction #2: Zero trust will replace VPN to secure a distributed workforce.

In 2023, zero trust will replace virtual private networks completely as security teams adjust to a more dispersed workforce. With work-from-home here to stay, company network borders won’t look anything like they used to. Employees are accessing most work applications via SaaS, and IT teams are hesitant to inherit the risk of home networks. Mistrusting every device is the key to supporting and securing remote workforces.

Can zero trust be a business enabler? Read our take on this blog from Vincent Whaart.

Prediction #3: Insider and third-party risk will rise as attackers take advantage of vulnerable parties in the economic downturn.

The impending recession will loom even closer in 2023, and cybercriminals will take advantage of the dire economic situation to bribe their way into corporate systems. We predict that software hacking will decline in 2023 in favor of “insider risk.”

Attackers will set aside their hacking skills and instead single out vulnerable employees at third-party vendors, such as shipping authorities, supply chain companies, internet service providers, and software vendors.

Companies must remain vigilant to not only secure their own network perimeters but also build a strong vendor risk management program.

Prediction #4: Reliance on passwords will decline as the flimsiness of MFA is exposed.

While it’s unlikely that passwords will completely disappear in 2023, MFA fatigue could usher in a passwordless future in years to come. The recent Uber breach highlighted the flimsiness of MFA and left security teams searching for a better alternative. In 2023, we’ll see an emphasis on securing accounts with as many other safeguards as possible, including stronger passwords and password managers.

Prediction #5: Skepticism around blockchain security and availability will continue without more caution.

2023 will be another tumultuous year for blockchain technologies unless the industry shifts away from “point in time” security measures. Currently, too much trust is put into code being perfect.

Blockchain security teams must layer in more robust controls, including detection and response capabilities, to deter threat actors. The billions of dollars of bridge hacks that occurred in 2022 put a huge dent in users’ confidence in blockchain security.

Luckily, blockchain enterprises and projects are aware that customers are just as concerned about their chosen blockchain’s security as its features. This will lead blockchains to apportion the appropriate resources to improve security in 2023.

In addition to cryptocurrency theft, blockchain availability and stability should be a priority in 2023. If outages and slowdowns continue, blockchains face user decline or even complete collapse.

Learn more about Kudelski Security’s portfolio of blockchain security services.

Prediction #6: Companies concerned about quantum computing should begin assessing risks now.

Controls to prepare for quantum computing are unlikely to see mass adoption in 2023, but keep an eye on it for 2024. The current risks of quantum computing don’t quite outweigh the considerable investment required yet. That said, companies that stand to lose the most from future quantum attacks — e.g., financial services, defense contractors, and especially companies that transmit extremely sensitive data — should begin assessing their risks now.

Are you ready for the era of quantum computing? Watch our webinar to know how to be better prepared.

What Impact Will the Recession Have on Security Teams in 2023?

The recession should have relatively little impact on security teams in 2023. We predict security teams are going to remain mostly untouched even as companies across industries are forced to make cuts to their budgets and workforce in response to the upcoming recession.

American privacy laws will likely elevate to reach current European standards, putting a renewed focus on security and compliance in boardrooms and C-suites.

Additionally, cybersecurity labeling for consumer products, especially on hardware, will further the importance of corporate security teams. Economic hardships will necessitate that security teams work smarter and consolidate to meet the evolving economic and tech landscape.

What Should Security Leaders Prioritize in 2023?

In response to these top cybersecurity predictions for 2023, security leaders should prioritize the following initiatives:

  • Adopting an offensive security posture rather than a defensive one.
  • Focusing detection and response initiatives on preventive features instead of reactive fixes.
  • Phasing out VPN in favor of zero trust strategies for the remote workforce.
  • Building out a strong vendor risk management program to protect against third-party risk.
  • Looking for alternatives to MFA while implementing stronger password requirements and account protections.
  • Working smarter and consolidating to meet the evolving economic and tech landscape.
  • Bolstering availability and security of blockchain-related services.
  • Assessing risks related to quantum computing, especially for those in financial services, defense, or other industries that deal with highly sensitive data.

Get in Touch

Kudelski Security can help you prepare for 2023 and beyond with a comprehensive suite of security advisory services. From MDR and zero trust to blockchain and quantum, our experts can assess, design, implement and manage a resilient cybersecurity strategy. Get in touch with our team here.

15 Practical Tips for More Effective Cybersecurity Incident Response

Building an effective cyber incident response plan requires more than having the right tools in place or engaging the right cyber incident response services. As a security leader, you’re responsible for building the right security foundation and fostering a culture of teamwork and open dialogue during a crisis. Summarizing a recent webinar, this article will explain:

  • 3 Common Pitfalls in Cybersecurity Incident Response
  • 8 Practical Tips for Building an Effective Incident Response Team
  • 4 Technical Fixes to Reduce the Likelihood of a Breach

It almost goes without saying that everything is connected to the internet these days. It’s a business enabler and a necessity in the global economy. But it’s also a playground for cybercriminals.

The good news is that the impact of cyberattacks like ransomware can be minimized or entirely prevented with an effective incident response plan in place. And it doesn’t require fancy techniques like AI and machine learning. Don’t get me wrong: AI and machine learning can help detect attacks, but they are frequently overrated and won’t do the job we would all like to think they can.

Based on our team’s experience investigating breaches for clients, here are the common pitfalls we see CISOs fall into during an incident and some practical tips for avoiding them.

Three Common Pitfalls in Cybersecurity Incident Response

There are three characteristics that come up again and again in organizations that experience an incident, and they are all totally avoidable.

#1 Speed-Based Trust – Thinking Security Vendors Will Do the Full Job for You

Collectively, we have a culture of outsourcing trust. Where we used to trust our peers or institutions, we are now in an era of outsourced, “speed-based” trust. We assume trust in exchange for convenience.

Just as we trust Uber to get us to the right location safely, we trust our security vendors to keep our organizations safe. None of these security vendors, however, can fully address our security issues. We’re going to have gaps.

We call this a Swiss Cheese Model of security. While an MSSP or EDR solution may have you covered when it comes to detection and response, you’re still going to have to assume responsibility for applying patches to close any backdoors that may go undetected and ensure that your systems have secure configuration.

#2 Not Doing the Basics (It Was Never Going to End Well for the Titanic)

Almost worse than the Swiss Cheese Model of security is the Cyber Titanic Model. In the Cyber Titanic Model, you believe you have built a ship that can’t sink. You believe so much in the tools you have invested in, that you let your guard down. Maybe you even relax your security requirements.

Eventually, the boat will sink, and you will not be prepared.

Investing in endpoint detection and network security makes sense, but you need to balance it with basic security practices. If you don’t have a solid foundation of patching, configuration, segregation and hardening, you will just be investing in a sinking boat. Too many times we see breaches that could have been prevented if the basics were in place.

#3 Not Understanding Where to Harden vs. Add New Solutions

To put a finer point on this, detection technology isn’t the be-all and end-all when it comes to preventing an attack. Often security vendors will use the MITRE ATT&CK framework to show you how much coverage they can give you across the phases of an attack. This can be helpful but also misleading.

Detection is not the only way to prevent attacks. You can also use MITRE ATT&CK to understand where you need to harden your systems so that breaching your security at each phase of an attack becomes harder or impossible in the first place.

Watch the webinar “Common Pitfalls Every C-Level Should Know About – Stories From Our Incident Response Team”

Tips for Building a More Effective Incident Response Team

Building a more effective incident response team requires more soft skills than technical skills. Leadership, communication, and policy are critical to improving response outcomes. Here are my top tips.

#1 Understand Organizational Bias

We all have bias because we have experience in certain areas and blind spots in others. Having bias is not the issue. It becomes a problem when you do not recognize the bias.

As a CISO, you will have to understand the bias of your team. They may have a limited view of an issue because they are specialized in a specific area of security. You need to identify the biases, articulate them, and map them. This is foundational to addressing incident response blind spots.

Watch out, especially for the more expert or senior team members who may be very confident in explaining an issue, but don’t have the whole picture.

#2 Bridge Skills to Avoid Bias

One way you can break through the bias is by bringing different teams together to solve a problem. Ask questions that require teamwork to answer. Instead of “Are we secure?”, ask “How bad could it get?”

Then put together a purple team to work together to create a joint report with agreed-upon points of action. This creates a culture of exchange. Teams with better communication will be much better equipped to respond in a crisis situation.

Unrecognized bias can cause the organization to focus on a very narrow component of security without addressing the entire ecosystem.

#3 Develop KPIs with Value

Bad KPIs run rampant in security. Security can be hard to report on. But because we want to prove our value, we end up reporting on KPIs that don’t actually mean anything.

We say we blocked one million attacks on our firewalls, or we processed three trillion events because we want to look like we are effective. But what do these numbers actually tell us? If we say we blocked one million attacks on a firewall, all that communicates is that we configured a firewall. If you’re asked for those numbers, challenge the requester, and ask what they’re really trying to understand.

Instead, I recommend going smaller and more actionable with your metrics. Rather than how many attacks we blocked, try reporting on metrics like these:

  • # of common attack vectors removed
  • # of new techniques added to detection coverage
  • % decrease in the attack surface
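As an added example (not from the original article), the following Python computes two of the metrics above from snapshots of ATT&CK technique IDs covered by your detection content at the start and end of a reporting period. The technique IDs, the three-tactic excerpt of the matrix and the attack-surface counts are constructed sample data; in a real report, tactic membership comes from the ATT&CK STIX bundle and the coverage sets from your detection-content repository. Sub-techniques are rolled up to their parent so that a second sub-technique of an already covered technique is not counted as new coverage.

```python
"""Detection-coverage KPIs computed from ATT&CK technique IDs.

Added example (not from the original article). It takes two snapshots of the
technique IDs your detection content covered, at the start and at the end of
a reporting period, and derives the metrics the text recommends. All IDs,
the tactic table and the attack-surface counts below are constructed sample
data; in a real report, load tactic membership from the ATT&CK STIX bundle
and the coverage sets from your detection-content repository.
"""
import re
from typing import Dict, Iterable, Set

_TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed excerpt of the ATT&CK matrix: tactic -> parent technique IDs.
# The real matrix is far larger; this is only enough data to run the example.
TACTICS: Dict[str, Set[str]] = {
    "Execution": {"T1059", "T1204", "T1053"},
    "Credential Access": {"T1003", "T1110", "T1555"},
    "Lateral Movement": {"T1021", "T1570"},
}

# Constructed coverage snapshots (technique or sub-technique IDs with a detection).
Q1_COVERAGE = {"T1059.001", "T1110", "T1021.001"}
Q2_COVERAGE = {"T1059.001", "T1059.003", "T1110", "T1003.001",
               "T1021.001", "T1021.002", "T1570"}

# Constructed attack-surface counts (e.g. externally reachable services).
EXPOSED_SERVICES_Q1 = 40
EXPOSED_SERVICES_Q2 = 30


def parent(technique_id: str) -> str:
    """Roll a sub-technique up to its parent: 'T1059.001' -> 'T1059'."""
    if not _TECHNIQUE_ID.match(technique_id):
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    return technique_id.split(".", 1)[0]


def new_techniques(before: Iterable[str], after: Iterable[str]) -> Set[str]:
    """KPI: parent techniques covered at period end but not at period start.

    Rolling up first means a second sub-technique of an already covered parent
    is not double-counted as "new coverage".
    """
    return {parent(t) for t in after} - {parent(t) for t in before}


def tactic_coverage(covered: Iterable[str],
                    tactics: Dict[str, Set[str]]) -> Dict[str, float]:
    """Percentage of each tactic's techniques that have at least one detection."""
    covered_parents = {parent(t) for t in covered}
    return {
        tactic: round(100.0 * len(techs & covered_parents) / len(techs), 1)
        for tactic, techs in tactics.items()
    }


def percent_decrease(before: int, after: int) -> float:
    """KPI: relative reduction of a count such as exposed services."""
    if before <= 0:
        raise ValueError("baseline must be positive")
    return round(100.0 * (before - after) / before, 1)


def kpi_report(before: Set[str], after: Set[str],
               surface_before: int, surface_after: int) -> Dict[str, object]:
    """Assemble the period's KPIs in one structure suitable for a dashboard."""
    return {
        "new_techniques_covered": sorted(new_techniques(before, after)),
        "tactic_coverage_pct": tactic_coverage(after, TACTICS),
        "attack_surface_decrease_pct": percent_decrease(surface_before, surface_after),
    }


if __name__ == "__main__":
    for key, value in kpi_report(Q1_COVERAGE, Q2_COVERAGE,
                                 EXPOSED_SERVICES_Q1, EXPOSED_SERVICES_Q2).items():
        print(f"{key}: {value}")
```

With the constructed data the report shows two newly covered techniques (T1003 and T1570), Lateral Movement fully covered while Execution sits at one technique in three, and a 25% reduction in exposed services; each of those numbers points at a concrete next action, which "one million attacks blocked" never does.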

#4 Shrink Your Digital Footprint

Think about all the data stored in email, your Google accounts, and your mobile apps. All that data can be exfiltrated. Reducing your personal and corporate digital footprint also reduces the impact of a successful attack.

When data is no longer needed, delete it rather than archive it. If you have a legal requirement to keep it, encrypt it and store the keys somewhere the server holding the data cannot reach. A leak of encrypted data has little to no impact, as long as the keys remain secret, which only holds if an attacker who compromises the data store cannot also get to the keys.

Further, how you store data is important. If you have a document on SharePoint called “Insurance Policies” or “Digital Assets Value”, you are giving an attacker a flashing arrow to the documents they need to hold you ransom. If they know your insurance policy is for one million dollars and that one day of disruption would cost your company ten million dollars, they know exactly what to ask for.

#5 Augment your team

Major incidents require more work than your day-to-day security operations. It would be difficult to scale your internal team for such a situation.

Bringing in external partners can help augment your incident response team. Remember to look beyond security when it comes to team augmentation. Your incident response plan will likely include system administrators, cloud administrators, etc.

As a rule of thumb, if you don’t have a dedicated team member working on a required security discipline on a monthly basis, you will probably need an external partner for it in the event of a breach. While thinking about this, don’t forget IT. You’ll need to augment your IT operations capabilities as well: rebuilding an infrastructure absorbs a lot of resources.

There are different options: emergency response support, and preparation and resilience support. The best option is usually a 24/7 incident response retainer, because it guarantees response support when things go wrong. It’s a safe investment: many providers allow an unspent retainer to be reassigned to another program.

#6 Explore Different Response Paths

There is no one-size-fits-all incident response plan. It is up to you, the CISO, to explore different paths and choose the one that will work the best for the organization. In some cases, it may make sense to choose the plan that results in the least business impact. In other cases, it may make sense to err on the side of security.

Augmentation, as mentioned above, can help your team move faster and work on steps in parallel. After all, your incident response process should not be linear; that will only slow things down. If you do augment your team with an external partner or security provider, carefully consider their recommendations and the tradeoff between value and cost.

For example, forensic disk imaging might make sense as part of the plan, but it could overwhelm your IT team with time-consuming tickets. Additionally, security providers may take advantage of an organization’s desperation during an incident, knowing they’ll do anything to get the business back up and running.

Challenge every recommendation and request. Look at the types of requests, the costs, and the hours associated. Ask “Is this really necessary?” or “Could we do this differently?” Explore all the different response paths and choose a way forward.

#7 Foster Open Dialogue

Creating a culture of open dialogue during an incident is incredibly important. If people are afraid to speak up or ask questions, you will not be able to accurately assess the team’s understanding of the situation. There are a number of reasons a team member may not feel comfortable asking questions:

  • Fear of looking stupid
  • Tensions within the team
  • Power dynamics created by an authority figure or expert

“Asking questions may mean that you don’t understand something. But not asking questions will mean that you remain ignorant.”

As a CISO, you need to be able to spot this behavior and act on it very quickly. You must ensure that everyone has the right level of understanding to do their work. It’s how you will turn an incident into a constructive, rather than destructive, experience where everyone is learning from each other.

#8 Show Your Appreciation

Breaches are stressful for everyone in the organization. As a C-level, you can send signals to your team that you understand the toll an incident takes on them and their families.

It could be as simple as providing food, drinks, and a place close to the office for the team to stay. For remote employees, you could provide a meal of their choice for themselves and their family. It sends a really strong message that you appreciate the work that they (or their mother, father, or spouse) are doing to help the organization. These types of signals can change the mood.


Four Technical Fixes to Reduce the Likelihood of a Breach

In addition to the nontechnical guidance above, I’d like to leave you with four of the low-hanging technical fixes that could significantly reduce the likelihood of a breach. In 70% of the cases we’ve investigated, one of these four best practices was missing.

#1 Proper Segmentation

Often in breach scenarios we find that the organization has a flat network, which makes it much easier for the threat actor to move laterally once a first host is compromised.

#2 Zero Trust

Understand the zero trust framework and how to apply it in your organization. Achieving zero trust won’t happen overnight. It’s very iterative work, so be patient.

#3 Timely Patching / Emergency Patching

Threat actors move quickly to exploit newly disclosed vulnerabilities, so it is important to have an emergency patching plan in place before you need it. Ask yourself: “Do I want an operational issue or a security issue? Would I rather have a system down or data leaked?”

#4 Configuration

Misconfiguration can have a huge impact, so proper configuration matters just as much. Often it is a small, overlooked detail that allows an attacker to gain access to something they shouldn’t.


Get in Touch

It is my hope that if you follow the advice presented in this article, that you will never need our services. However, if you do experience a breach or if you would like a pre-emptive review of your current configurations, architecture, or incident response plan, please get in touch with our incident preparedness and response team here.

BIG-IP iControl REST API Authentication Bypass


Credit: Yann Lehmann

iControl REST is an evolution of the F5 iControl framework. Through this Representational State Transfer (REST) API, an authenticated user can accomplish anything that can be done from the F5 BIG-IP command line. It is an extremely powerful API.

On May 04, 2022, F5 disclosed a critical CVE, CVE-2022-1388. It may allow an unauthenticated attacker with network access to the management port or the self IP addresses of the BIG-IP system to leverage the iControl REST component, because some requests to iControl REST can directly bypass the authentication mechanism. Given the capabilities of this component, anyone with such network access can execute arbitrary system commands and modify services or files.

Because of the nature of the iControl REST component, this is a control plane vulnerability; it does not expose the data plane directly, although an attacker who controls the control plane can of course reconfigure what the data plane does.

For additional details on how to identify which of your systems could be impacted, please review the attached advisory. Should you need further assistance, please ask the Cyber Fusion Center by using the MSS Portal or by phone:

  • North America: 1-866-929-3528
  • EMEA: +41 58 317 77 77

Kind regards,
The Cyber Fusion Center
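Since the vulnerability is reachable by anyone with network access to the management port or a self IP, the first practical question for a defender is who is actually reaching the iControl REST endpoint. The following Python is an added example, not part of the Cyber Fusion Center advisory: it hunts an httpd access log for iControl REST requests whose source lies outside the networks that are supposed to have management access. It assumes the BIG-IP front-end httpd logs in Apache combined format, that every iControl REST call is served under a path beginning with `/mgmt/`, and that the only legitimate management sources are the CIDRs in `ALLOWED_MGMT_CIDRS`; the log lines are constructed sample data. It does not try to recognise the bypass request itself (the advisory gives no indicator for that); it surfaces the exposure condition the advisory describes.

```python
"""Hunt for iControl REST requests reaching a BIG-IP from outside the
management networks.

Added example, not part of the Cyber Fusion Center advisory. CVE-2022-1388 is
exploitable by anyone with network access to the management port or a self IP,
so the first question is who is actually reaching the iControl REST endpoint.
Assumptions made here: the BIG-IP front-end httpd logs in Apache combined
format, every iControl REST call is served under /mgmt/, and the only
legitimate management sources are the CIDRs in ALLOWED_MGMT_CIDRS. The log
lines below are constructed sample data, not real traffic.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: only these networks should ever talk to the management interface.
ALLOWED_MGMT_CIDRS = ["10.10.0.0/24"]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.10.0.5 - admin [04/May/2022:10:01:12 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 1452 "-" "curl/7.68.0"',
    '198.51.100.23 - - [04/May/2022:10:02:40 +0000] "POST /mgmt/tm/ltm/virtual HTTP/1.1" 200 318 "-" "python-requests/2.27"',
    '198.51.100.23 - - [04/May/2022:10:02:41 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 97 "-" "python-requests/2.27"',
    '10.10.0.7 - - [04/May/2022:10:03:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/May/2022:10:04:15 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    'this line is not in combined format',
]


@dataclass(frozen=True)
class Finding:
    ts: str
    source: str
    method: str
    path: str
    status: int
    severity: str  # "high" if the call was served, "medium" if it was rejected
    reason: str


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = _COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines: Iterable[str], allowed_cidrs: Iterable[str],
         rest_prefix: str = "/mgmt/") -> List[Finding]:
    """Return every iControl REST request whose source is outside allowed_cidrs.

    A rejected request (4xx) still matters: it proves the REST endpoint is
    reachable from a network that should not see it, which is exactly the
    exposure the advisory warns about. A served request (2xx) from such a
    source is worse, because the caller got past authentication.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings: List[Finding] = []
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["path"].startswith(rest_prefix):
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # hostname logging enabled, or a corrupt line
        if any(src in net for net in nets):
            continue  # approved management source
        served = 200 <= rec["status"] < 300
        findings.append(Finding(
            ts=rec["ts"], source=rec["ip"], method=rec["method"],
            path=rec["path"], status=rec["status"],
            severity="high" if served else "medium",
            reason=("iControl REST call served to a source outside the management networks"
                    if served else
                    "iControl REST endpoint reachable from outside the management networks"),
        ))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, ALLOWED_MGMT_CIDRS):
        print(f"[{f.severity}] {f.ts} {f.source} {f.method} {f.path} -> {f.status}: {f.reason}")
```

On the sample data the hunt returns three findings: a served POST and a served GET from addresses outside the management network (high), and a rejected GET from one of the same addresses (medium). The medium finding is the one that answers the advisory's question about exposure: if the endpoint was reachable enough to return a 401, it was reachable enough to be attacked, and the fix is to restrict access to the management port and self IPs rather than to rely on the authentication that this CVE bypasses.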