
Aaron Rosenmund at Pluralsight explores the role of hands-on cyber-threat simulations for security teams
Many security processes are automated these days, so it’s easy to forget the important work that security professionals do behind the scenes to mitigate threats.
Though antivirus and non-human generated detections certainly help organisations stay ahead of security issues, these solutions aren’t perfect. Often security teams are left defending against threats that slip past automation barriers.
Indeed, nearly one third of security breaches go unnoticed by security professionals, which means organisations stay exposed for extended periods of time, and that is incredibly costly.
To address this, automated security processes must be combined with skills training to best protect a company’s sensitive data. However, Pluralsight’s 2023 State of Upskilling Report reveals that only 17% of tech workers are completely confident in their cyber-security skills, while 21% are not confident at all.
At the same time, if security professionals aren’t constantly testing their skills in threat scenarios, it’s hard to determine how successful those defensive skills are. Worryingly, less than a third of tech managers say their organisations provide hands-on learning experiences – which are crucial for building confidence in responding to an attack in a low-risk environment.
Automated defence technologies are highly effective for commodity threats – those which are based on programs that are readily available and require no customisation to launch an attack.
But integrating AI/ML capabilities into security operations can generate a false sense of security. Attackers still have the ability to create the exact same program with millions of different file hashes, or apply human ingenuity to evade known defences.
Anti-virus is built on a massive signature database, a house of cards that easily crumbles when text within a program is changed. The same applies to network signatures and to endpoint detection and response.
There are certain behaviours that traditional defence technologies focus on, but ultimately, malware is just software. The more it can blend into common software activity, the less likely it is that an attack will be detected. And this technique is easier than it seems.
Security teams need easily replicable techniques to emulate threat scenarios as a way to test their defence skills against the skill level of cyber-attackers. Testing is how businesses find out the cyber-security teams’ skill level without waiting for a breach.
At least yearly, there should be a full ‘red team’ assessment; the ‘red team’ is made up of offensive security professionals whose role is to exploit the company’s vulnerabilities and overcome cyber-security controls. But given attackers always operate in real time, there should be a weekly exercise for individual tactics, techniques and procedures (TTPs).
Even the most advanced cyber-attacks leverage basic techniques that have been around for years. Businesses need to focus on fully using the tools they already have to detect even the most basic techniques, and then work their way up to more advanced techniques from there. That removes the most common threats from the equation first, and buys time to identify and build the expertise and infrastructure required to be mature enough to defend against the most advanced or dangerous threats.
One example of such an exercise is a ‘blue team’ friendly attack simulation. The ‘blue team’ here refers to security experts who are aware of the organisation’s objectives and security strategy, and are trying to defend and respond to attacks performed by the ‘red team’. One group poses as the opposing force, or in this case, cyber-criminals, while testing the ability of the defenders to detect and protect against such attacks.
However, these types of simulations are performed on extensive cyber-security ranges that take a lot of time and effort to create, and that don’t always accurately reflect the enterprise environment. In addition, they require security teams to take a number of days off to play through the exercise.
The quality of these simulations depends on the team that developed it and the complexity of the available cyber-security range resources. The rapid evolution of threats means that the work cyber-teams do can have a short shelf life, as does the ability to properly prepare defenders.
Defenders need to be able to rapidly test against new tactics and techniques in their everyday environment. This allows them to check the efficacy of their monitoring tools, as well as their people and processes, on an ongoing basis and against current threats. This is central to the concept of ‘becoming the threat’.
What cyber-security teams really need is the ability to test individual tactics in their organisation’s live environment, without the overhead of a full ‘red team’ exercise.
Simulations are a good way to understand how best to defend and respond against different attacks, and to determine whether employees need to upskill. At its most basic, if the ‘blue team’ wins, they can be confident when a real cyber-security threat arrives. But if they lose, the organisation still has work to do to improve its defence strategy.
When simulating various TTPs you can categorise them in two ways. First, by the level of expertise required to perform the specific attack. Second, by the area, or type of data, in which the attack should be detected.
The concept of defence in depth is that even if you miss one component of an attack, you can ideally catch others so that you can prevent the ultimate goal of the attackers from being accomplished. Measurement is based on the time it takes for a team to detect and respond to a particular TTP once launched, by category of the technique.
Skill, process, and technology gaps can then be mapped by identifying where response times were low, or there was no response time at all.
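As an added illustration of the measurement described above (this is example code, not from the article or from Pluralsight), the script below takes a set of constructed exercise records, each tagged with the two categories the text names (expertise level and the data area where detection should occur), and computes detection rate, mean time-to-detect and mean time-to-respond per category, then lists the runs where detection or response was missing or slower than an assumed threshold. The technique labels, timestamps and the 15-minute / 60-minute thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class ExerciseRun:
    """One emulated TTP launched against the live environment (hypothetical record)."""
    technique: str                    # label for the emulated TTP (constructed)
    expertise: str                    # "basic" | "intermediate" | "advanced"
    data_area: str                    # where it should be caught: "endpoint", "network", "identity"
    launched_at: datetime
    detected_at: Optional[datetime]   # None if the blue team never detected it
    responded_at: Optional[datetime]  # None if no containment/response action was taken


# Constructed sample results for one week of exercises (not real data)
_T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE_RUNS = [
    ExerciseRun("commodity-dropper", "basic", "endpoint",
                _T0, _T0 + timedelta(minutes=4), _T0 + timedelta(minutes=20)),
    ExerciseRun("signature-modified-binary", "basic", "endpoint",
                _T0 + timedelta(hours=1), _T0 + timedelta(hours=1, minutes=30), None),
    ExerciseRun("beaconing-traffic", "intermediate", "network",
                _T0 + timedelta(hours=2), None, None),
    ExerciseRun("credential-spray", "intermediate", "identity",
                _T0 + timedelta(hours=3), _T0 + timedelta(hours=3, minutes=10),
                _T0 + timedelta(hours=3, minutes=45)),
    ExerciseRun("custom-implant", "advanced", "identity",
                _T0 + timedelta(hours=4), None, None),
]


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def summarise(runs, key):
    """Group runs by `key` ("expertise" or "data_area") and return, per category,
    the detection rate and the mean time-to-detect / time-to-respond in minutes
    over the runs that were actually caught (None when nothing was caught)."""
    groups = {}
    for r in runs:
        g = groups.setdefault(getattr(r, key),
                              {"runs": 0, "detected": 0, "ttd": [], "ttr": []})
        g["runs"] += 1
        if r.detected_at is not None:
            g["detected"] += 1
            g["ttd"].append(_minutes(r.launched_at, r.detected_at))
        if r.responded_at is not None:
            g["ttr"].append(_minutes(r.launched_at, r.responded_at))
    return {
        cat: {
            "runs": g["runs"],
            "detection_rate": g["detected"] / g["runs"],
            "mean_ttd_min": mean(g["ttd"]) if g["ttd"] else None,
            "mean_ttr_min": mean(g["ttr"]) if g["ttr"] else None,
        }
        for cat, g in groups.items()
    }


def find_gaps(runs, max_ttd_min=15, max_ttr_min=60):
    """Map skill/process/technology gaps: every run that was never detected, never
    responded to, or handled slower than the thresholds (assumed targets)."""
    gaps = []
    for r in runs:
        if r.detected_at is None:
            gaps.append((r.technique, r.data_area, "no_detection"))
            continue  # no response is possible without a detection
        if _minutes(r.launched_at, r.detected_at) > max_ttd_min:
            gaps.append((r.technique, r.data_area, "slow_detection"))
        if r.responded_at is None:
            gaps.append((r.technique, r.data_area, "no_response"))
        elif _minutes(r.launched_at, r.responded_at) > max_ttr_min:
            gaps.append((r.technique, r.data_area, "slow_response"))
    return gaps


if __name__ == "__main__":
    for key in ("expertise", "data_area"):
        print(f"By {key}:")
        for cat, stats in summarise(SAMPLE_RUNS, key).items():
            print(f"  {cat:14s} {stats}")
    print("Gaps:")
    for technique, area, kind in find_gaps(SAMPLE_RUNS):
        print(f"  {technique:26s} {area:9s} {kind}")
```

Running the same summary week over week gives the trend the article asks for: a category whose detection rate or mean time-to-detect is not improving is where the next training or tooling effort belongs.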
Cyber-security teams play a constant cat-and-mouse game in keeping up with the evolving threat landscape. But there are steps that can be taken to ensure teams are as prepared as they can be, with the right skills that have been put into practice.
If individuals can visualise how an engagement with an attacker will play out and experience a victory, then they will feel empowered when it comes to the real thing. Staying calm, relying on experience, and not being overly superstitious are traits that training and simulation develop over time – and they are key in high-stress incident response situations.
Aaron Rosenmund is Director of Security Curriculum and Research, Pluralsight
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543