This year is seeing cybersecurity issues evolve faster than ever, raising the threat level for many organizations. In this context, what can businesses, security teams, and employees alike anticipate?
Steve Luke, Director of Content, MITRE ATT&CK Defender, has provided Digital Journal with his take on a variety of issues that many will run into sooner rather than later. These range from the impact of cloud migration on cyber jurisdiction to the increased use of purple teaming and imposing more costs on attackers.
Increased cloud migration leaves gaps in cyber jurisdiction
According to Luke: “The industry has already witnessed a great migration to the cloud over the past couple of years, and that’s going to continue considering all of its benefits. However, this also means that cloud providers such as Amazon and Google will need to partner with smaller organizations and their respective SOCs. This separation between visibility and authority will leave gaps in which adversaries can live. Similar to how criminals often head for state lines after committing a crime, there could easily be confusion and an authority grey area in the cloud cyber realm as well.”
Defenders need to impose more costs on malicious cyber actors
Luke looks at the economics of cyberattacks, noting: “Ultimately, cybersecurity is just a means to an end for both attackers and defenders, for example, producing a product or service without having to endure the cost and time associated with R&D. Currently the cheapest, easiest, and lowest risk approach is often cyber. Considering that nation-states aren’t going to ever stop trying, the only way to really fight back is to hit them where it really counts: their wallets. A threat-informed defense, including threat hunting and adversary emulation, has high potential to make cyber-attacks cost more than they’re worth for the adversary.”
Purple teaming becomes a highly sought-after defensive cyber strategy
Purple teaming is a security methodology in which red and blue teams work closely together to maximise cyber capabilities through continuous feedback and knowledge transfer: the blue team proposes a defense, the red team challenges it, and the ideal outcome is a solution that holds up under realistic attack.
In relation to this approach, Luke says: “Current cybersecurity approaches of defense in depth and basic cyber hygiene are great foundational strategies for organizations to implement in order to strengthen their cybersecurity posture. However, the list of things to block or patch is growing exponentially, making these methods difficult to keep up with. That being said, for attackers to develop a brand new tool or technique from square one requires a large, technically focused team to conduct extensive research and testing to find a new approach, take the time to train their teams on how to use it properly, and then finally deploy it.”
The expert adds: “If defenders can effectively defend against existing techniques, in addition to practicing good cyber hygiene, they’ll impose more cost on malicious actors. This is where purple teaming comes in as a robust and repeatable approach that is also a collaborative effort across the cyber community. Purple teaming helps defenders understand and more effectively identify and prevent those malicious techniques.”
Purple teaming is a collaborative effort between adversary emulation and threat hunting
Luke looks at the purple teaming approach further, noting: “Adversary emulation simulates realistic malicious techniques with the purpose of evaluating and helping improve defenses. In a purple teaming event, cyber defenders gain valuable insight about what realistic malicious techniques will look like in their network and how they are impacted by existing defenses. In collaboration with the adversary emulation, defenders can design, test, and tune new defenses iteratively and confidently improve at a quick pace.”
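The emulate, test and tune loop Luke describes above, as an added example that is not from the article, from MITRE or from Digital Journal: a constructed process-creation log produced by two emulated techniques, a first detection rule set that leaves a coverage gap, and a second rule set tuned in response to that gap. The technique IDs are ATT&CK sub-technique identifiers used purely as labels; the events, rule names and matching logic are assumptions made for this illustration.

```python
"""Minimal purple-team feedback loop: emulate a technique, run the detection
rules over the telemetry it produced, record the gaps, tune the rules, re-run.

Added illustration, not MITRE's or the article's code.  All events, rule names
and match conditions below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# A process-creation event as a SIEM might normalize it (constructed).
Event = Dict[str, str]


@dataclass
class EmulationResult:
    technique: str        # ATT&CK technique ID the red side emulated (label only)
    events: List[Event]   # telemetry the emulation generated on the host


@dataclass
class DetectionRule:
    name: str
    technique: str                   # technique the rule is meant to cover
    matches: Callable[[Event], bool]  # predicate over one normalized event


def run_exercise(emulations: List[EmulationResult],
                 rules: List[DetectionRule]) -> Dict[str, List[str]]:
    """Map each emulated technique to the rule names that fired on its telemetry.

    An empty list means the blue side saw nothing, i.e. a coverage gap."""
    report: Dict[str, List[str]] = {}
    for em in emulations:
        fired = sorted({r.name for r in rules
                        if r.technique == em.technique
                        and any(r.matches(ev) for ev in em.events)})
        report[em.technique] = fired
    return report


def coverage_gaps(report: Dict[str, List[str]]) -> List[str]:
    """Techniques that were emulated but produced no detection."""
    return sorted(t for t, fired in report.items() if not fired)


# --- Red side: constructed telemetry from two emulated techniques ----------
EMULATIONS = [
    EmulationResult("T1059.001", [   # PowerShell with an encoded command
        {"image": "powershell.exe",
         "cmdline": "powershell -enc AAAAQwBvAG4AcwB0AHIAdQBjAHQAZQBkAA=="},
    ]),
    EmulationResult("T1053.005", [   # Scheduled task created for persistence
        {"image": "schtasks.exe",
         "cmdline": "schtasks /create /tn upd /tr c:\\tmp\\u.exe /sc onlogon"},
    ]),
]

# --- Blue side, iteration 1: only the PowerShell case is covered ----------
RULES_V1 = [
    DetectionRule(
        "ps_encoded_cmd", "T1059.001",
        lambda e: "powershell" in e["image"].lower()
        and "-enc" in e["cmdline"].lower()),
]

# --- Blue side, iteration 2: rule added after the exercise exposed the gap -
RULES_V2 = RULES_V1 + [
    DetectionRule(
        "schtasks_create", "T1053.005",
        lambda e: e["image"].lower() == "schtasks.exe"
        and "/create" in e["cmdline"].lower()),
]

if __name__ == "__main__":
    for label, rules in (("iteration 1", RULES_V1), ("iteration 2", RULES_V2)):
        rep = run_exercise(EMULATIONS, rules)
        print(label, rep, "gaps:", coverage_gaps(rep))
```

Each run of the exercise produces a concrete gap list that the blue team can act on, and re-running the same emulation after tuning shows whether the change actually closed the gap rather than relying on the assumption that it did.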