'Are we adversary aligned?' is the new 'Are we secure?'
"Are we secure?" For most security leaders, this is one of the most daunting questions they can be asked. While it may seem like a basic inquiry for those in leadership positions, for those on the ‘cybersecurity front line’, thinking in these terms is far too vague and oversimplifies a complex and ever-evolving threat landscape.
Instead, management and IT teams need to shift their thinking to a far more appropriate measure of security: "Are we adversary aligned?" But what does adversary alignment really mean?
External, internal, and endemic adversaries
Adversary alignment refers to an organization’s ability to detect and respond to the full spectrum of threats across the cyberattack lifecycle. It goes beyond simply trying to understand common attack vectors and instead widens the scope to look at potential conditions or individuals within the business itself that may cause a data breach or control failure.
This approach breaks down adversaries into three distinct categories: External, Internal, and Endemic. External adversaries refer to "traditional" threat actors. These are the kinds of people or threat groups that one typically thinks of on hearing the phrase "cyber adversary". They may be individual criminals or nation-states, but the defining factor is that they exist outside of the organization. Common tactics employed by external adversaries include compromising credentials, hijacking browser sessions, or extracting data from local systems or shared drives.
Internal adversaries, on the other hand, are defined by their existence within the organization: either someone already in the network, or a third party outside the organization that has gained access to internal systems. Commonly referred to as an ‘insider threat’, these adversaries are more unpredictable than their external counterparts. They may be intending to cause harm to the business, or they may be completely unaware that they have been compromised by an external party. A typical example of an internal adversary is someone who unknowingly clicks on a phishing link.
Finally, endemic adversaries are decision-makers within an organization who have enacted or allowed processes, policies, or priorities that do not support threat detection and response. This may manifest itself in a reluctance to invest in appropriate cybersecurity infrastructure, reliance on legacy systems, or poor management of third-party partners/contractors.
Addressing endemic threats
Because endemic adversaries are so heavily embedded within an organization’s culture, they can be the most difficult threat to tackle. However, there are several strategies that leadership teams can implement to mitigate any negative impact:
- Fix the culture
Business leaders need to evaluate the current state of their organizational culture. Are there any current sources of friction or conflict that are affecting cybersecurity decision-making? Does the work culture prioritize and value cybersecurity? Do employees deem it acceptable to find security workarounds?
Additionally, it’s vitally important that organizations foster an environment that emphasizes collaboration. Cybersecurity is a shared responsibility and it’s important that there are open lines of communication among senior leadership and across teams.
- Invest in cybersecurity
Although cybersecurity can seem like a large investment upfront, it can be a huge money saver in the long run. As such, it’s important to allocate a sufficient amount of resources towards building and maintaining a robust cybersecurity strategy, including investing in tools, technologies, and infrastructure.
- Address tech debt and legacy systems
Unpatched software and legacy systems are responsible for a vast number of breaches/control failures and therefore it’s vitally important that organizations prioritize updating and replacing outdated systems.
- Improve third-party management
Third-party partners, contractors, or vendors are one of the most favored attack vectors for threat actors. Consequently, to reduce potential security risks, it’s essential that businesses enhance the coordination and integration of these third parties, implement security policies in contracts, and explicitly ask about security measures.
Implementing a successful adversary alignment strategy
To successfully implement a robust adversary alignment strategy, firstly, decision-makers need to ensure their business has the capacity to preempt, manage, and mitigate issues before they occur. Organizations should ensure IT teams are ranking and tallying any deviations in normal user behavior, device behavior, and network activity. By cataloguing and ranking expected behavior, businesses can take action when a risk score exceeds a designated threshold and prioritize the response accordingly.
Next, the correct tools and technologies should be utilized to ensure behavioral analytics trigger the appropriate response. This can be assessed by looking at the accuracy and efficacy of alerts, as well as how effectively identified threats are being triaged. Finally, organizations need to adopt a proactive threat-hunting or "assume breach" mindset. They should analyze intelligence reports and breach details from other organizations and pursue a creative approach in which hypothetical scenarios are played out.
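The two steps above describe a behavioral risk-scoring loop: catalogue expected behavior per user, score deviations in user, device, and network activity, act when the aggregate score crosses a threshold, and rank the response. The following is an added illustration of that loop, written for this article and not code from Exabeam or any product it ships. All events, weights, and the threshold are constructed sample values; the deviation checks (off-hours activity, unseen device, unseen network, outbound-volume z-score) and the "no baseline yet" penalty are assumptions chosen to show how each deviation feeds the score.

```python
"""Toy behavioral risk scoring: build per-user baselines from history, score
deviations in new events, and rank users whose aggregate score crosses a
threshold. Illustrative only; all data below is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # hour of day the activity occurred, 0-23
    device: str      # host the activity came from
    src_net: str     # network the activity originated from
    bytes_out: int   # bytes sent to external destinations


@dataclass
class Profile:
    hours: Counter   # hours of day seen for this user
    devices: set     # hosts seen for this user
    nets: set        # networks seen for this user
    vol_mean: float  # mean outbound volume per event
    vol_std: float   # population std dev of outbound volume


# Assumed weights per deviation and the score at which a user needs action.
WEIGHTS = {"odd_hour": 10, "new_device": 25, "new_network": 15,
           "volume_spike": 20, "no_baseline": 30}
THRESHOLD = 40

# Constructed baseline history: what "normal" looks like for each user.
BASELINE = [
    Event("alice", 9, "alice-laptop", "corp-lan", 20_000),
    Event("alice", 10, "alice-laptop", "corp-lan", 25_000),
    Event("alice", 14, "alice-laptop", "corp-lan", 22_000),
    Event("alice", 16, "alice-laptop", "corp-vpn", 18_000),
    Event("bob", 8, "bob-desktop", "corp-lan", 5_000),
    Event("bob", 11, "bob-desktop", "corp-lan", 6_000),
    Event("bob", 13, "bob-desktop", "corp-lan", 4_000),
    Event("bob", 17, "bob-desktop", "corp-lan", 7_000),
]

# Constructed new activity to score against the baseline.
NEW_EVENTS = [
    Event("alice", 11, "alice-laptop", "corp-lan", 21_000),   # ordinary
    Event("bob", 3, "unknown-host", "guest-wifi", 900_000),   # several deviations at once
    Event("bob", 9, "bob-desktop", "corp-lan", 5_500),        # ordinary
    Event("carol", 10, "carol-laptop", "corp-lan", 1_000),    # user with no baseline yet
]


def build_profiles(history):
    """Summarize expected behavior for each user from historical events."""
    by_user = defaultdict(list)
    for e in history:
        by_user[e.user].append(e)
    profiles = {}
    for user, evs in by_user.items():
        vols = [e.bytes_out for e in evs]
        profiles[user] = Profile(
            hours=Counter(e.hour for e in evs),
            devices={e.device for e in evs},
            nets={e.src_net for e in evs},
            vol_mean=mean(vols),
            vol_std=pstdev(vols) or 1.0,   # guard against a zero std dev
        )
    return profiles


def score_event(event, profile):
    """Return (points, reasons) for one event measured against a user's profile."""
    if profile is None:
        # No history to compare against: surface for review, but do not treat as hostile.
        return WEIGHTS["no_baseline"], ["no_baseline"]
    reasons = []
    # Circular distance on a 24-hour clock; more than 2 hours from any seen hour is "odd".
    if min(min(abs(event.hour - h), 24 - abs(event.hour - h)) for h in profile.hours) > 2:
        reasons.append("odd_hour")
    if event.device not in profile.devices:
        reasons.append("new_device")
    if event.src_net not in profile.nets:
        reasons.append("new_network")
    z = (event.bytes_out - profile.vol_mean) / profile.vol_std
    if z > 3.0:
        reasons.append("volume_spike")
    return sum(WEIGHTS[r] for r in reasons), reasons


def rank_users(history, new_events, threshold=THRESHOLD):
    """Aggregate scores per user and return (user, score, reasons, over_threshold),
    highest score first, so the response queue is already prioritized."""
    profiles = build_profiles(history)
    totals = defaultdict(int)
    why = defaultdict(list)
    for e in new_events:
        pts, reasons = score_event(e, profiles.get(e.user))
        totals[e.user] += pts
        why[e.user].extend(reasons)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(u, s, why[u], s >= threshold) for u, s in ranked]


if __name__ == "__main__":
    for user, score, reasons, flagged in rank_users(BASELINE, NEW_EVENTS):
        print(f"{user:6} score={score:3} {'ACT' if flagged else 'ok '} {reasons}")
```

Each deviation is scored separately and the reasons travel with the score, so an analyst triaging the top of the queue sees why a user was flagged rather than just a number; this is also what makes the alert accuracy mentioned in the second step measurable, because each reason can be checked against what actually happened.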
A new mindset
Adversary alignment is more than just a strategy; it encourages CISOs and senior decision-makers to look at their security posture in an entirely new light. Leaders need to understand that adversaries are not always external threat actors; sometimes they are dedicated employees, or even the company culture itself.
By aligning with how adversaries act and present themselves, IT security teams can anticipate behaviors, limit risks, and continuously refine security processes through powerful insights and analytics.
Tyler J. Farrar is CISO at Exabeam.