CISO2CISO.COM & CYBER SECURITY GROUP

THE DEFENDER’S ADVANTAGE – A GUIDE TO ACTIVATING CYBER DEFENSE BY MANDIANT

FOREWORD

In today’s world, cyber threats, physical systems, and geopolitical issues intersect on the battlefield where the cyber security war is being fought.
Adversaries are leveraging ransomware and multifaceted extortion campaigns with unprecedented frequency. It can seem daunting, and pervasive attacks do not require sophisticated, coordinated efforts.
Organizations often succumb to phishing and password reuse that leads to initial compromise and ultimately the deployment of ransomware.
In my role as Senior Vice President of Mandiant Services in EMEA, I often see the lack of confidence organizations exhibit in their ability to thwart attacks and ready their defenses against these attacks. This is rarely due to a scarcity of tools. It is more likely due to improper deployment of capabilities, lack of properly trained forces with ineffective automation to support them, a deficiency in understanding the threats being faced and poor application of defenses against them.
We must remember that the battle is not being fought on the adversaries’ turf. We own the battlefield—the Defender’s Advantage. This provides opportunities to do better. We have the capabilities. We need to activate them and bring them to the battle.
To ready the battlefield and prepare our forces to fight the adversaries, we must:
• Use intelligence to guide all actions within Cyber Defense with centralized command. Organizations often have an abundance of intelligence coming in but don’t understand how to verify its credibility or applicability, or how to action it. Intelligence should provide situational awareness of the cyber threats an organization faces and feed a command and control system to orchestrate each Cyber Defense function. This intelligence-driven approach offers a Cyber Defense battle plan to reduce systemic risk and provide a common front against the evil being faced.
• Apply intelligence to activity seen in the environment to provide the right information to enable teams to fight. More data seems great, but when analysts are presented with too much data, they can miss critical events. Intelligence should be applied to events BEFORE they are presented to the analyst to prioritize investigation efforts and reduce the noise that can distract them.
• Continually assess defenses against active threats and stay nimble as the battlefield changes and our enemies evolve. A critical failure of Cyber Defense organizations is to quickly set up controls with the intent of circling back to optimize the deployment. As businesses progress and adversaries change tactics, defenses quickly become outdated and ineffective. Continuous validation of the effectiveness of security controls against the latest threat-actor tactics, techniques, and procedures (not just alert signatures) is required to reduce the security deficit.
With proper preparation, I believe we can change the course of the battle. Now is the time to activate our cyber defenses against the adversaries and fight. Gloves off!
Stuart McKenzie
Senior Vice President of EMEA Services, Mandiant

INTRODUCTION

Prominent attacks dominate the headlines and have security leaders scrambling for solutions, legislators imposing new cyber security requirements, and businesses demanding answers from their security groups. Ransomware and multifaceted extortion are just some of the threats organizations must defend against. Insider threats and the consolidation of risk in the cloud are also top of mind for security leaders.
The Defender’s Advantage is the concept that organizations are defending against attacks in their own environment. This gives them a fundamental advantage: they control the landscape where they will meet their adversaries. Yet organizations struggle to capitalize on this advantage.
Establishing and orchestrating robust cyber defenses helps organizations take command and realize their Defender’s Advantage. It allows them to prepare their environment to identify malicious activity, detect and respond to compromise, and validate the effectiveness of controls and operations against active threats. Once established, security organizations must activate their cyber defenses, advancing capabilities from a prepared state to active duty. Threat intelligence guides this activation.

With effective use of threat intelligence, organizations can understand who is targeting them, what those threat actors are after, and whether they can be compromised.
Threat intelligence is leveraged to:
• Trigger hunt activities using information about active advanced persistent threat (APT) groups and the latest relevant attacks to identify active or past compromise.
• Prioritize vulnerabilities based on the likelihood and impact of compromise. IT and Security groups use this to inform patch and upgrade priorities.
• Inform security engineering teams of the monitoring required to alert on activities tied to active APT groups.
• Prompt security operations groups to refresh playbooks to reflect shifts in adversary tradecraft.
• Provide context around breaches so that incident responders can scope and rapidly contain a breach and avoid repeat compromise.
• Update validation efforts with the latest tactics, techniques, and procedures (TTPs) to continually assess the ability of controls and operations to prevent or reduce the impact of an attack.
The functions of cyber defense, as described in this book, are rarely built and resourced entirely inside an organization. A strategy of task and process automation is key to maintaining consistent quality and amplifying existing expertise. To accelerate achieving Cyber Defense capabilities, organizations leverage strategically selected managed services to provide full Cyber Defense coverage, microservices for targeted needs, and expert resources for in-house deployment and operations development. It is also critical that all capabilities are continuously validated so that Cyber Defense performance is shown to meet expectations.
Capitalizing on The Defender’s Advantage is achievable by operationalizing intelligence, applying effective automation, leveraging services to fill capability gaps, and having a rich understanding of the environment (i.e., the battlefield). This book describes the Cyber Defense functions that make up mature security organizations and the activation of the capabilities within each function.

WHAT IS CYBER DEFENSE?
Cyber Defense is actively resisting attacks and minimizing the impact of a compromise. It is one of the four domains of Information Security, the others being Security Governance, Security Architecture and Security Risk Management. A successful Cyber Defense organization seamlessly integrates with the other information security domains to create a resilient security program.
