| 4 min read
Organizations need their cybersecurity strategy to suit their current threat landscape, lest they end up allocating their resources to ineffective solutions. A proper way to verify good decisions are being made in this regard is reviewing whether the company's technology, ongoing projects and roadmap cover the tactics, techniques and procedures factually targeting their assets. A feature of Lumu's platform facilitates exactly that by aligning actual incidents in a company's network with the corresponding entries of the MITRE ATT&CK® framework. This allows organizations to learn whether they are spending their resources on managing the true ways a malicious actor can get in. Importantly, they can also identify which scenarios should be present in continuous red teaming and penetration testing processes such as those provided by Fluid Attacks.
Knowing your threat landscape
Are you sure your organization's cybersecurity spending is not being wasted? Today, there is an overabundance of tools and service categories. Some companies believe the more tools they use, the more secure their systems are, so their budget goes to a lot of products. But when asked, a significant number admits that they still struggle with effective remediation. We believe they could prevent this by allowing ethical hackers to probe systems continuously to find the actual biggest risks before malicious hackers do. But the possibility exists that a breach to their systems might have already happened before implementing this approach and that it might even have gone unnoticed for hundreds of days. After all, companies worldwide are targeted by attackers hundreds of times daily.
Incidents and results of manual security testing provide evidence of what your system is up against in the wild. The facts learned can give you a pretty good idea of what you should spend more on. So, a helpful solution should be able to get information on risks from several fronts, organize it for better analysis and allow for identification of areas where defenses should be prioritized. One such solution is offered by the cybersecurity firm Lumu. Their platform, Lumu Portal, is a single pane of glass where the user can manage continuous compromise assessments and access the generated reports and related contextual intelligence.
Basically, Lumu's solution runs continuously, looking for actual or potential exposure of the confidentiality, integrity or availability of IT systems or the information in them. On the platform, you can see the connections attempted from your organization's devices toward adversarial infrastructure, which devices are controlled by threat actors, traces of adversarial contact in logs, and phishing attempts, among other things. Lumu characterizes all these attacks through the ATT&CK (adversarial tactics, techniques and common knowledge) framework.
Mapping incidents to the ATT&CK framework
The ATT&CK framework is a knowledge base that helps people understand how malicious threat actors behave. Relating the incidents in the assessed organization's network with entries in this framework allows for the classification of attacker activity through a shared language. On the Lumu Portal, each incident has its own matrix showing which tactics are related to it. Further, users can see the actionable steps from Lumu's incident response playbooks based on controls suggested by the NIST (National Institute of Standards and Technology).
Since organizations need to know where they should exert the most effort, the platform also gives them an overall view of how attackers are targeting the networks. It does so in its MITRE ATT&CK® Global Matrix, which shows all the detected incidents in a chosen time frame organized by incidence.
The following are clear benefits to having the information provided by the matrix:
-
Understanding, based on actual evidence, where the budget should go and what issues should be prioritized.
-
Learning which defenses need improvement to effectively protect against offenses from the organization's actual threat landscape.
-
Identifying which assets attackers are targeting and how. This allows the firm to continually assess the effectiveness of its security testing scheme and make informed decisions to improve security testing scenarios.
With these three benefits, which also represent use cases, companies can ask themselves whether they are covering tactics, techniques and procedures with their technology, ongoing projects or roadmap.
It is worth noting that the second benefit mentioned above is closely related to the Threat-Informed Defense (TID) strategy, which can be operationalized with the help of Lumu's MITRE ATT&CK Global Matrix, as Julian Brown recently noted in a blog post. There, Jon Baker, co-founder and director of the Center for Threat-Informed Defense, is quoted saying that "implementing a [TID] starts with understanding the threats that are relevant to your organization and then aligning your defenses to those threats."
Prioritize the right techniques in security testing
Ideally an organization should secure its systems completely. Despite this, prioritization helps concentrate efforts, knowledge and resources in the areas that represent the most risk. This involves requesting attack simulations that recreate actual incidents that happen the most in the firm's networks. In these simulations, ethical hackers employ the same techniques that attackers possibly used in such incidents.
By setting up your permanent Lumu Free account, you will be allowed to run assessments to understand your systems' compromise level. Then, you can upgrade to Lumu's paid offerings to get the most out of the solution, including access to the MITRE ATT&CK Global Matrix. Its information will allow you to prioritize the techniques in security testing that will be more effective for your organization.
When choosing your cybersecurity testing strategy, remember you should not rely on automated security testing alone. Tools cannot imitate today's threat actors accurately and have high rates of false positives and false negatives. At Fluid Attacks, we encourage companies to let ethical hackers simulate attacks against their digital assets' defenses. And these simulations should be conducted continuously. When they are done only every once in a while, they do not truly suit organizations' needs in an ever-evolving threat environment. That's why we offer Continuous Hacking, which you can try for free for 21 days. Our most comprehensive offering includes continuous manual work by our highly certified ethical hackers in pentesting and red teaming operations.
Recommended blog posts
You might be interested in the following related posts.
