Security processes are increasingly automated, which has led some businesses to deprioritize developing their security teams’ defensive skills. While antivirus and other automated, non-human-generated threat detections are efficient at identifying vulnerabilities, they cannot detect every single threat.
With the rising number of cyber-attacks, organizations must make sure they are ready to defend themselves. That means equipping cybersecurity teams with sufficient skills to identify and effectively stop an attack in its tracks. Worryingly, only 17% of tech workers are completely confident in their cybersecurity skills, while 21% have no confidence at all. Given that 74% of data breaches are caused by human error, it is crucial that upskilling practices are in place.
One of the best ways to develop the necessary skills is through hands-on learning, which allows employees to practice in a low-risk environment and better understand the methods used by cyber-attackers. This kind of experience is vital if security teams are to anticipate threats and capably protect the business.
The importance of testing security teams’ skills
Automated defense technologies are highly effective for commodity threats – those which are based on programs that are readily available and require no customization to launch an attack. But integrating AI/ML capabilities into security operations can generate a false sense of security. Attackers can still create the exact same program with millions of different file hashes or apply human ingenuity to evade known defenses.
Anti-virus is built on a massive signature database: a house of cards that crumbles as soon as text within a program is changed. The same applies to network signatures and to endpoint detection and response (EDR). There are certain behaviors that traditional defense technologies focus on, but ultimately, malware is just software. The more it can blend into common software activity, the less likely it is that an attack will be detected. And this is easier than it seems.
Security teams need easily replicable techniques for emulating threat scenarios, so that they can test their defensive skills against the skill level of real cyber-attackers. Testing is how businesses find out their cybersecurity teams’ skill level without waiting for a breach.
At least yearly, there should be a full red team assessment; the red team is made up of offensive security professionals whose role is to exploit the company’s vulnerabilities and overcome cybersecurity controls. But given attackers always operate in real time, there should be a weekly exercise for individual tactics, techniques and procedures (TTPs).
Start with the basics
Even the most advanced cyberattacks leverage basic techniques that have been around for years. Businesses need to focus on fully leveraging the tools they already have to detect even the most basic techniques, and then work their way up to more advanced ones from there. That removes the most common threats from the equation first, and gives them time to identify and build the expertise and infrastructure required to defend against the most advanced or dangerous threats.
Anticipate the risk by using threat simulation learning models
One example of such an exercise is a blue-team-friendly attack simulation. The blue team here refers to security experts who are aware of the organization’s objectives and security strategy and who defend against and respond to attacks performed by the red team. One group poses as the opposing force, in this case cyber criminals, while testing the defenders’ ability to detect and protect against such attacks.
However, these types of simulations are performed on extensive cyber ranges that take a lot of time and effort to create, and they don’t always accurately reflect the enterprise environment. In addition, they require security teams to take several days off to play through the exercise. The quality of these simulations depends on the team that developed them and on the complexity of the available cyber range resources. The rapid evolution of threats means that the work cyber teams put into them can have a short shelf life, as can the ability to properly prepare defenders.
Defenders need to be able to rapidly test against new tactics and techniques in their everyday environment. This allows them to check, on an ongoing basis, the efficacy of their monitoring tools, as well as of their people and processes, against current threats. This is central to the concept of ‘becoming the threat’. What cybersecurity teams really need is the ability to test individual tactics in their organization’s live environment, without the overhead of a full red team exercise.
Hone skills and build confidence through hands-on learning
Simulations are a good way to understand how best to defend against and respond to different attacks, and to determine whether employees need to upskill. At its most basic, if the blue team wins, they can be confident in the face of a real cybersecurity threat. But if they lose, the organization still has work to do to improve its defense strategy.
When simulating various TTPs, you can categorize them in two ways: first, by the level of expertise required to perform the specific attack; second, by the area, or type of data, in which the attack should be detected.
The concept of defense in depth is that even if you miss one component of an attack, you can ideally catch others, so that you prevent the attackers from achieving their goal. Measurement is based on the time it takes a team to detect and respond to a particular TTP once it is launched, broken down by category of technique. Skill, process, and technology gaps can then be mapped by identifying where response times were slow, or where there was no response at all.
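The scoring described above, per-TTP time to detect and time to respond, aggregated by expertise level and by detection area, with gaps flagged where a technique was missed or the category's mean time exceeds a target, as an added example that is not part of the original article. The record layout, the 30-minute detection and 1-hour response targets, and the exercise results themselves are all constructed for illustration; the technique labels are descriptive names, not identifiers from any framework.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# One row per simulated TTP in a week's exercise (constructed sample data, not a
# real assessment). Times are when the technique was launched, when the blue team
# first detected it, and when they responded (contained it). None means "never".
@dataclass
class TTPResult:
    technique: str                 # descriptive label (hypothetical)
    expertise: str                 # skill needed to perform it: basic / intermediate / advanced
    area: str                      # where it should be detected: endpoint / network / identity
    launched: datetime
    detected: Optional[datetime]   # None = never detected
    responded: Optional[datetime]  # None = never contained

    def time_to_detect(self) -> Optional[timedelta]:
        return self.detected - self.launched if self.detected else None

    def time_to_respond(self) -> Optional[timedelta]:
        return self.responded - self.launched if self.responded else None


T0 = datetime(2024, 1, 15, 9, 0)
M = lambda minutes: timedelta(minutes=minutes)
SAMPLE_RESULTS = [  # constructed exercise log
    TTPResult("phishing link click", "basic",        "network",  T0,         T0 + M(12),       T0 + M(40)),
    TTPResult("macro dropper",       "basic",        "endpoint", T0 + M(60), T0 + M(60 + 3),   T0 + M(60 + 25)),
    TTPResult("local cred dumping",  "intermediate", "endpoint", T0 + M(120), T0 + M(120 + 45), T0 + M(120 + 55)),
    TTPResult("password spraying",   "basic",        "identity", T0 + M(180), None,             None),
    TTPResult("new admin account",   "intermediate", "identity", T0 + M(240), T0 + M(240 + 10), T0 + M(240 + 50)),
    TTPResult("lateral movement",    "advanced",     "network",  T0 + M(300), None,             None),
]

DETECT_TARGET = timedelta(minutes=30)   # assumed internal targets, not from the article
RESPOND_TARGET = timedelta(hours=1)


def score_by_category(results, key, detect_target=DETECT_TARGET, respond_target=RESPOND_TARGET):
    """Aggregate detection/response metrics per category.

    key is the attribute to group on: "expertise" or "area".
    A category is flagged as a gap when any technique in it went undetected or
    uncontained, or when its mean time to detect / respond exceeds the target.
    """
    groups = {}
    for r in results:
        groups.setdefault(getattr(r, key), []).append(r)

    report = {}
    for cat, items in sorted(groups.items()):
        ttds = [r.time_to_detect() for r in items if r.detected]
        ttrs = [r.time_to_respond() for r in items if r.responded]
        missed = len(items) - len(ttds)
        uncontained = len(items) - len(ttrs)
        mean_ttd = mean(t.total_seconds() for t in ttds) / 60 if ttds else None
        mean_ttr = mean(t.total_seconds() for t in ttrs) / 60 if ttrs else None
        gap = (
            missed > 0 or uncontained > 0
            or (mean_ttd is not None and mean_ttd > detect_target.total_seconds() / 60)
            or (mean_ttr is not None and mean_ttr > respond_target.total_seconds() / 60)
        )
        report[cat] = {"tested": len(items), "missed": missed, "uncontained": uncontained,
                       "mean_ttd_min": mean_ttd, "mean_ttr_min": mean_ttr, "gap": gap}
    return report


def undetected(results):
    """Techniques that produced no detection at all: the most urgent gaps."""
    return [r.technique for r in results if r.detected is None]


def gaps(results):
    """Categories flagged as gaps along both dimensions the article uses."""
    return {key: [cat for cat, row in score_by_category(results, key).items() if row["gap"]]
            for key in ("expertise", "area")}


if __name__ == "__main__":
    for key in ("expertise", "area"):
        print(f"--- by {key} ---")
        for cat, row in score_by_category(SAMPLE_RESULTS, key).items():
            print(f"{cat:13s} tested={row['tested']} missed={row['missed']} "
                  f"ttd={row['mean_ttd_min']} ttr={row['mean_ttr_min']} gap={row['gap']}")
    print("never detected:", undetected(SAMPLE_RESULTS))
```

In the constructed data the endpoint area and the intermediate tier meet both targets, while a basic technique (password spraying) goes entirely unnoticed in the identity area; that is exactly the "start with the basics" finding the article argues a weekly TTP exercise should surface before a red team does.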
Up-to-date skills are central to staying ahead of the hackers
Cyber teams play a constant cat-and-mouse game to keep up with the evolving threat landscape. However, organizations can adopt specific practices to ensure their teams have built the skills to defend against cyber-attacks and protect the business.
Providing employees with first-hand experience of how a cyber-attack plays out can break down the barrier between defender and attacker, so that they better understand the threat and anticipate the risks. This type of learning pathway is crucial for an organization that needs to know how well equipped its teams are for when a cyber-attack inevitably occurs. Only then can it decide whether to fill skills gaps with additional training, or whether the current level of expertise is enough to protect the business.
When it comes to cyber-attacks, security teams must act extremely quickly to minimize the impact in stressful environments. Hands-on threat simulations will arm cybersecurity experts with the skills and confidence necessary to react to a cyber-attack calmly and efficiently, whilst protecting the company’s sensitive data and avoiding costly damages.