Two weeks ago, the world rejoiced during the Game of Thrones “Battle of the Bastards” episode as multiple villains in the show received their just due. It was one of the best episodes in the season, but what resonated the most with me was the scene when Sansa Stark tells her half-brother Jon Snow not to underestimate Ramsay Bolton, in the battle for her childhood home Winterfell.
“You’ve known him for the space of a single conversation, you and your trusted advisors. And you sit around making your plans on how to defeat a man you don’t know.
I lived with him…
I know the way his mind works, I know how he likes to hurt people.
If you think he’s going to fall into your trap, you won’t. He’s the one who lays traps.
He plays with people, he’s far better at it, he’s been doing it all his life...”
These are important lessons about understanding your opponent and really putting yourselves in their shoes. It also reminded me of the asymmetric battle we fight every day. Attackers only need to find one hole—one exploit, one open port, one careless credential—to succeed, while we as defenders, need to be always right all the time. The level of effort and innovation being invested by the hacker community will continue to increase. The market for new and cleverer ways to defeat enterprise security is lucrative and driven by the spirit of the free market. Thetechniques that are—and will be—used by attackers are targeted, sophisticated and even collaborative. They’re far better at it, they’ve been doing it for a long time, they’re the ones who lay traps.
The only way to close the gap between the current state of IT security and the capabilities of the enemy is to outflank them; to beat them at their own game; to rip a page from the hacker’s playbook and out-innovate them. If we can better “predict attacks” and prioritize the right things to do, we can stay a step ahead.
Gartner, in their report “Designing An Adaptive Security Architecture for Protection from Advanced Attacks” by Neil MacDonald and Peter Firstbrook, published in Feb 2014 and refreshed in January 2016, states the following – “Enterprises are overly dependent on blocking and prevention mechanisms that are decreasingly effective against advanced attacks.... Comprehensive protection requires an adaptive protection process integrating predictive, preventive, detective and response capabilities”.
In other words, yes, you should have firewalls and IPS and all the other good prevention and detection security technologies. But, those alone will not be enough without the missing layer of predictive security. It’s important to consider additional areas of security coverage. Take a look at the Gartner adaptive security architecture chart in Figure 1. The top left column, “Predict” is an important emerging category to proactively anticipate new attacks against the current state of systems and information. The goal is that by predicting how attacks may occur, enterprises can then adjust their security protection strategies to prioritize and address exposure.
Source: Adaptive Security Architecture – Gartner, 2016
“Predict” is an important and critical part of any security framework. If we can better anticipate and predict our opponent’s moves, just like Sansa Stark, we can adjust our defenses. The biggest issue with security today is not that we don’t have innovative security solutions, it’s whether we are using them in the right way, prioritizing the right things to do every day with our limited resources, and able to react quickly and mitigate as many breach scenarios as possible before a breach happens.
Traditionally, security teams have used ethical hackers and red team consultants to unearth issues before a breach happens. But, these are are expensive, point-in-time engagements that are entirely dependent on the skillsets of the team members (and their favorite hacking tricks).
A more optimal way to predict attacks is via breach or adversary simulation platforms. When you simulate hacker breach methods, you are seeing how your infrastructure and systems are viewed as a target, so you can make the right decisions to reduce your attack surface and exposure. Imagine the benefit of time to actually understand the weaknesses you have in your security are and remediate them before they are “exploited”.
You can use “predictive breach simulations” for the following:
- Validate the efficacy of your security defenses – The average enterprise deploys more than 75 different security products. Are they actually working as expected? With more dynamic environments, our ability to ensure the efficacy of our controls on a continuous basis is limited, especially with the manual resources we have. A SafeBreach customer, a CISO of a leading mobile and online messaging company said this to me recently, “The most important thing is validation -- validating your controls and assumptions. We all know assumptions break easily when checked. It’s not just about offense versus defense, because over time we have invested money in both areas. The bottom line is you must validate your controls, your beliefs and that the concept in your mind is true.”
- Proactively understand the impact from a breach – Are you able to defend against the latest breaches in the headlines? Rick Howard, the CSO of Palo Alto Networks said, "One of the reasons the blame game exists in information security is that as a community, network defenders are horrible at assessing risk. The tendency is for network defenders to assess risk as either high, medium or low based on experience. But, if we are asked to defend our assessments by C-Level executives or board members, there usually is not a lot of precision underneath the first layer of spreadsheets." If you can simulate breach methods in the headlines or breaches that are currently occurring to your peers, you can show the actual impact, and quantify your specific risks. You can then use this information in various ways – get more budget from the board, reduce your attack surface, break the kill chain. You can add that layer of precision for the board and your executive team to invest in the right areas.
- Train your SOC teams – Do your SOC analysts understand exactly what a specific breach scenario might look like? Are the right alerts going off and are the right people being called when a simulated breach scenario occurs? Breach simulations can be used to develop the muscle memory to enable your teams to react quicker and in the right way. Lots of practice makes perfect -- our armies, fire fighters and athletic teams do this. Why aren’t we doing this in security?
There are several architecture considerations when you evaluate “predictive breach simulation” technologies:
- Use a real hacker playbook – Attackers typically don’t have any prior knowledge of the network being targeted. They use a variety of hacker breach techniques to get from the initial infiltration point to the crown jewels. As a result, any breach simulation platform should be a black box approach (no prior knowledge of the environment is required) and must incorporate a comprehensive “hacker’s playbook” including brute force, exploits, malware, remote access tools, and not just depend on vulnerabilities.
- Run simulations in a real production environment. - Don’t use test environments. Simulations in an actual production environment are the only way to know if someone can exfiltrate data or infiltrate the network. The key is to do this in a way where the simulated breach methods are actually challenging the security defense but without impacting users or the infrastructure. The ability to as closely as possible simulate breach methods, without unleashing the “detonation” capability and without creating false positives is the true innovation for this category.
- Simulate across the entire cyber kill chain – Simulations must be supported across network, endpoint and cloud, and be able to showcase the cyber kill chain. By analyzing the entire kill chain, you can determine the company’s strengths and weaknesses and decide on what’s the most effective way to stop the breach. For example, if simulations show hackers can easily steal user privileges to gain access to the network, you may decide that you need to focus on strengthening network segmentation capabilities, stopping lateral movement and preventing exfiltration.
- Continuous simulations - Continuous monitoring and analytics is the core of the Gartner adaptive security architecture. You must continually validate your assumptions and be proactive about asking questions as to whether your people, processes and technology are adequate. Breach simulations should be run continuously – either everyday or tied to change control systems when policy changes are made to security products.
- Capabilities must work with others as a system – As outlined in Gartner’s report, the “predict” technologies must work with the others-- “prevent”, “detect” and “respond”. For example, when a breach is simulated, can you integrate with ticketing systems to create a task for the blue team? Can you push simulated breach alerts to security information and event management (SIEM) systems? Can you integrate threat intelligence indicators of compromise from the dark net, security community and threat intel vendors into breach methods to understand how they might play out in your environment.
If you’re not spending some of your security innovation budget on predictive security such as breach simulations, you should. The best kind of security is to understand what your opponent will think tomorrow, not find out what he/she thought yesterday. Don’t be stuck in this endless prevention/detection loop, playing catch up with your opponents.
Let’s take some lessons from the Game of Thrones. It’s not enough to have warriors (and a giant) on your side in a battle, you need a security strategy that predicts what may happen to stay one step ahead.