Keys to Working Smarter Not Harder in Cybersecurity Part 3 of 5

Welcome to Part 3 in this series about keys to working smarter not harder in cybersecurity.

In this article we'll look at unrealistic tendencies, how MITRE ATT&CK can help if used correctly, and how the nature of cyberspace has evolved from a prevention-centric approach.

Unrealistic tendencies 

Older ways of thinking about cybersecurity and the nature of cyber fail to understand how interconnected threats and attack chains work.  Prevention items are often looked at in isolation rather than as links in an attack chain.  

As it has been said, defenders often think in lists, and attackers think in graphs.  Defenders like to believe doing all things on a checklist will achieve success.  But everything on the checklist has a potential bypass.  

All it takes is the weakest link in the chain - and there are many - for an attacker to achieve success.  This is where defense in depth – the right way – must be achieved.  There are some errors of judgment that can be made in this area as well, so one must be careful.

Enter MITRE ATT&CK

Only in the last few years have defenders truly started to gain a better understanding of the nature of cyber defense.  This is thanks to models such as the intrusion kill chain, and even more so from frameworks such as MITRE ATT&CK.  

Even such insight can cause friction, if one tries to implement all detections of MITRE ATT&CK equally, for example.  Not only is that unrealistic, but there should be a more focused approach.  This must be based on relevant cyber threat intelligence regarding what’s most likely to occur.

Avoid older ways of "all-or-nothing" thinking and advice that says:

  • Apply all security baseline items 
  • Fully implement app whitelisting
  • Fully implement the framework (CIS 20, NIST CSF, MITRE ATT&CK, etc.)
  • MFA everything (though as much as possible is advised in this one)
  • Patch everything
  • Be thorough in all you do
All-or-nothing thinking and trying to defend everything causes more friction, so be careful.  Don’t try to implement everything in every area of any framework.  This is futile and will result in failure and burnout.  

There is a much better way to implement these things in a way that causes less friction.  This should never be an all-or-nothing approach, where all = success and none or some = failure.  Instead, a more precise focus in necessary.  Be selective and precise.

Fallacy of static rather than dynamic view of the nature of cyber defense

Not understanding the nature of cyber is a root issue and challenge that must be overcome.  Older thinking assumes the more thorough, the better.  Such conventional thinking still believes “prevention is best” because that’s how things work in many other environments, in the kinetic world.  

Older environments were much simpler with less issues to address.  This is no longer the case, and unlike the kinetic world, cyber interdependencies are much more complex.

The Nature of cyberspace and cybersecurity

Here are some things that seem to characterize the world of cyberspace, as I see it:

  • One-to-many complex relationships and interactions that grow daily
  • A highly interconnected and interdependent environment beyond measure & growing
  • Built on an inherently insecure foundation (insecure languages and coding practices)
  • Insecure defaults, protocols, devices and credentials constantly used, found and exposed
  • Constant change and ever-expanding dynamics on a massive and exponential scale 
  • Constant drive for usability and speedy deliverability rather than security
Cybersecurity Implications:
  • Old analogies cloud our understanding of the cyber environment (cause, effect, etc.)
  • Prevention doesn’t work in most cases - so detection and response are a must
  • Single point solutions don’t scale and won’t last (IOCs vs IOAs for example, AV sigs, etc.)
  • No framework or solution is a panacea, and may be better in theory than in practice
  • Working smarter is a must because scalability is critical and working harder doesn’t scale
  • Nothing endures, things can change on a dime, massively and suddenly - game changers rule
  • Attackers are highly creative – and – need only one path in, meaning defenses will fail
  • Security is always behind considering the scope and scale of growth and attack capabilities
  • Elements of surprise and speed favor attackers - and are critical elements of attack success

A failure to understand these things means failure and resource waste regarding cyber priorities. 

Prevention-based security and diminishing returns 

Diminished returns from too much prevention comes quicker than expected, for various reasons, in cyber.  Advice that’s great today can change tomorrow.

This also means that if one requires an entire year of effort to lock things down, and then the OS changes or there are bypasses, a large part of this effort can go to waste.  There’s no time for that, resources are scarce enough as it is.   

Making the right decisions for what to pursue versus what not pursue in cyber defense is critical.  It’s about “doing the right things” not just “doing things right”.  Think of architecture vs engineering for example.  One seeks to do things right, the other seeks to do the right things.  Combining both correctly is key.

Understanding the nature of cyber defense also helps us make the right decisions and consider the trade-offs and risk involved.  Also, there may be diminishing returns on investments, so one must actively discover what's no longer worthwhile.  In such cases, it’s best to move on, because any extras may require more effort that they're worth.  

Stay tuned for Part 4 where we conclude the Keys to Working Smarter Not Harder in Cybersecurity series.

#Cybersecurity #LessIsMore #Infosec #WickedProblems - CYBER Y'ALL! - @CyberYall

Comments

Post a Comment

Popular posts from this blog

Slay the Log4Shell Dragon TEAM 2 - Hunt and Detect Attacks Playbook

Image
Slay the Log4Shell Dragon Playbook TEAM 2 – Hunt and Respond Playbook Struggling with how to tackle the Log4J / Log4Shell Dragon and low on resources? First, as I've said before, start with my “ RAPID LOG4SHELL RESPONSE 1-PAGE CHECKLIST ” to begin immediate actions to tackle this issue.  In that 1-pager, I provide concise guidance to get started quickly.   However, for medium and larger sized companies, this approach might not be enough , although it is a great and immediate start.   Simply patching alone will likely not meet the expectations in the case of the Log4J / Log4Shell vulnerabilities, if there is a breach.  A more comprehensive approach is required to reduce risk.  I’ve therefore put this playbook together to help go above and beyond just a patching-based approach and hope it proves useful.   My goal was to provide something that would help ensure a high enough level of due diligence for risk reduction of this issue.   In this article I’ll provide a TEAM 2 PLAYBOOK o
Read more

Slay the Log4Shell Dragon TEAM 1 - Protect and Detect Vulns Playbook

Image
Slay the Log4Shell Dragon Part 2A - TEAM 1 -  Immediate Protection and Detection Struggling with how to tackle the Log4J / Log4Shell Dragon and low on resources? First, start with my “ RAPID LOG4SHELL RESPONSE 1-PAGER - 8 STEP CHECKLIST ” to begin immediate actions to tackle this issue.  In that 1-pager, I provide concise guidance to get started quickly.  However, for medium and larger sized companies, this approach might not be enough, although it is a great and immediate start.   Simply patching alone will likely not meet the expectations in the case of the Log4J / Log4Shell vulnerabilities, if there is a breach.  A more comprehensive approach is required to reduce risk.  I’ve therefore put this playbook together to help go above and beyond just a patching-based approach and hope it proves useful.   My goal was to provide something that would help ensure a high enough level of due diligence for risk reduction of this issue.   In this article I’ll provide a TEAM 1 PLAYBOOK of recomm
Read more

Keys to Working Smarter Not Harder in Cybersecurity Part 5 of 5

Image
Welcome to the last in the series - part 5 of a  discussion about working smarter not harder in cybersecurity.   We'll look at: How to tackle the huge tasks with bite-sized chunks and baby steps  What to do instead of trying to defend everything despite competing priorities Baby Steps and less is more  It’s been said that a long journey begins with a single step.  It’s also been said that to eat a large steak, you have to do it one bite at a time.  Remember the movie “What About Bob?”  Baby steps folks.  Small incremental progress in important things like low-hanging fruit is key.   A “Less is More” philosophy should be a basis of a better approach in cybersecurity.  Also, “try softer” rather than “try harder” is another important strategy.  Trying too hard usually ends up backfiring and causes too much friction.  All of these things are behavioral patterns on the human and process side of things.   For example, why try to implement 30 items in a  STIG checklist  when the attack to
Read more