Speeding Discovery of a Cyber Attack
Speeding Discovery of a Cyber Attack
Cyber attacks continue to grow in complexity, in number, and in costs – now averaging $4.35M per breach, per IBM. Attacks affecting critical infrastructure such as water systems and power grids – some costing over $100 million, according to a report from Ponemon/Dragos. And those costs may be low.
The MGM attack is reported to cost over $100 million.
The Clorox attack will result in lost sales totaling between $487 - $593 million, plus the costs for remedying the attack.
Cybercrime costs are growing 15% YOY and cyber attack damage is expected to be $10.5 trillion annually by 2025, per Cybersecurity Ventures.
What’s the best way to speed the discovery of a cyber attack?
The best way to speed the discovery of a cyber attack is to have a SOC team with strong backgrounds in IT, networking, and security fundamentals.
It’s critical to know your network and what “normal” looks like. That includes understanding attack techniques, tactics, and procedures via a strong threat intelligence program.
Security tools must be configured and tuned to address organization needs, limit false positives, and avoid alert exhaustion.
Finally, team-based, hands-on training on a cyber range is crucial, as it gives team members real-world, dynamic experience working together to detect and respond to simulated cyber attacks. A real incident is not the time for the security team to figure out what to do or how to communicate.
What makes this approach so effective?
This holistic approach is effective because it doesn’t solely rely on processes or tools, but it assumes that a breach may have taken place without any triggers or alerts. It’s threat hunting in an environment that emulates what your SOC team sees every day – but it’s a safe, controlled cyber range so you can test techniques and tactics without the fear of breaking anything.
By adopting this attack simulation approach, the organization can be proactive versus reactive, leveraging the users’ knowledge of the environment and attack tactics to identify abnormalities.
What are the strongest detection tools?
In general, the strongest detection tools are those that are properly configured for your organization’s ecosystem. In too many cases, I encounter environments where the tools were installed by teams that did not understand the feature-set or how to configure it in accordance with their vendor’s best practices.
More specifically, endpoint detection and response (EDR) solutions are considered the best to provide automated threat detection and response through deep data visibility and the use of threat intelligence and data analytics.
Cloud Range’s cyber range includes multiple options for SIEMs, EDRs, firewalls and many other tools so users can practice using the same tool sets they are used to.
Cloud Range’s cyber range SOC environments can be customized with licensed versions of the same industry-leading security tools that you use every day.
What’s the danger in slow detection?
The danger in slow detection is that an attack is not detected in time to remediate or mitigate. In the case of some attacks, the trigger point of malware execution (ransomware) may be already past by the time the attack is detected.
That’s why it’s crucial to not just have the right technology and processes – but to also ensure your people have practical, immersive experience responding to a dynamic threat. Cyber range training improves technical proficiencies, yes, but it also improves communication, problem-solving, teamwork, and judgment skills. Security teams need all of those things to effectively, correctly and quickly detect and remediate incidents.
Are most organizations doing all they can to rapidly detect an attack?
Unfortunately, no. But we cannot lay the blame at the cyber defenders’ feet, either. Security initiatives require consistency and budget allocation for ongoing tooling and training. These are often overlooked until it is too late.
