Wednesday, July 10, 2013
Constructing a "Kill Chain" for Threat-Based Defense
Cyberattacks from a wide range of threat actors are growing in scope and frequency, as AV vendor threat reports such as Symantec's Global Threat Report show. Current defensive strategies for mitigating prolonged, determined attackers who use advanced techniques fall short because they rely on patches and signatures. Most organizations continue to focus on defending against vulnerabilities and zero-day exploits by relying on commercial security products to block bad sites and software, and by patching systems to correct vulnerabilities in installed software. Even where the browser and its plug-ins are fully hardened and patched, a gap persists between the vendor's vulnerability lifecycle (discovery, disclosure, exploit, patch release) and the organization's own patch lifecycle (testing, deployment, validation): the window between when a fix is available and when it is actually deployed.
Patching is still necessary, but these approaches do not address the root cause or reduce the threat; they only counter the vulnerabilities that have already been discovered. Threat-based defense maximizes the knowledge gained from single, often disparate attacks and related events, and uses that knowledge to reduce the likelihood that future attacks succeed. Cyber threat intelligence analysis strives to position defenders to prevent, or quickly contain, intrusions by applying an attack lifecycle model built on the kill chain framework. Defenders collect and analyze data and work to correlate it against the stages of an attack.
Threat-based computer network defense is a risk management strategy that addresses the threat component of risk. It incorporates analysis of adversaries (their capabilities, objectives, doctrine and limitations) and deconstructs attacks into stages, which are then used to target and engage the adversary and create the desired defensive effect.
Kill Chain:
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control (C2)
Actions on Objectives
Breaking any one of these links leaves the attacker unable to reach their objective. Further, a defender is better equipped to define indicators for events of concern at each stage. While not all-encompassing, the chart below provides an example.
Defensive coverage is laid out the same way, stage by stage, and gives insight into a defender's ability to detect and prevent threat activity within a given category.
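The correlation the two paragraphs above describe, as an added example that is not code from the original post: constructed log lines are matched against constructed indicators tied to kill-chain phases, grouped per host, and then used to report how far each intrusion progressed, the earliest phase at which a configured control could have broken the chain, and a per-phase coverage table like the chart the post refers to. The indicator patterns, host names, domains, control names and log format are all assumptions made for illustration.

```python
"""Added example (not from the original post): map observed events to
kill-chain phases, correlate them per target host, and report
(a) how far each intrusion progressed,
(b) the earliest phase where an existing control could have broken the chain,
(c) indicator and control coverage per phase.
All indicators, log lines and controls are constructed for illustration."""
from collections import defaultdict
import re

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "C2", "Actions on Objectives"]

# Constructed indicators: a regex over one log line and the phase it evidences.
INDICATORS = [
    {"name": "email_from_spoofed_domain", "phase": "Delivery",
     "pattern": r"smtp\b.*\bfrom=\S*@(?:hr-portal\.example|payroll-example\.net)"},
    {"name": "office_spawns_shell", "phase": "Exploitation",
     "pattern": r"proc\b.*\bparent=WINWORD\.EXE child=(?:cmd|powershell)\.exe"},
    {"name": "run_key_persistence", "phase": "Installation",
     "pattern": r"registry\b.*\bkey=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"name": "beacon_to_known_c2", "phase": "C2",
     "pattern": r"dns\b.*\bquery=update\.cdn-status\.example"},
    {"name": "bulk_smb_read", "phase": "Actions on Objectives",
     "pattern": r"smb\b.*\bfiles_read=\d{4,}"},
]

# Constructed defensive controls: the phase each one covers and what it can do there.
CONTROLS = {
    "mail gateway sender auth": {"phase": "Delivery", "action": "deny"},
    "EDR parent/child rule": {"phase": "Exploitation", "action": "detect"},
    "autorun monitoring": {"phase": "Installation", "action": "detect"},
    "DNS sinkhole": {"phase": "C2", "action": "disrupt"},
}

# Constructed sample events (hypothetical hosts, domains and timestamps).
SAMPLE_LOGS = [
    "2013-07-10T09:01:12 host=ws-17 smtp subject='Updated benefits' from=hr@hr-portal.example",
    "2013-07-10T09:03:40 host=ws-17 proc parent=WINWORD.EXE child=powershell.exe",
    "2013-07-10T09:03:44 host=ws-17 registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=updater",
    "2013-07-10T09:04:02 host=ws-17 dns query=update.cdn-status.example",
    "2013-07-10T11:22:51 host=ws-17 smb server=fs01 files_read=2140",
    "2013-07-10T09:05:10 host=ws-22 proc parent=WINWORD.EXE child=cmd.exe",
    "2013-07-10T10:00:00 host=ws-22 proc parent=explorer.exe child=notepad.exe",
]


def classify(log_line):
    """Return (indicator_name, phase) for the first matching indicator, else None."""
    for ind in INDICATORS:
        if re.search(ind["pattern"], log_line):
            return ind["name"], ind["phase"]
    return None


def correlate(log_lines):
    """Group indicator hits by the host= field so one intrusion is seen as a chain."""
    by_host = defaultdict(list)
    for line in log_lines:
        hit = classify(line)
        host = re.search(r"host=(\S+)", line)
        if hit and host:
            by_host[host.group(1)].append(hit)
    return dict(by_host)


def progression(hits):
    """Furthest kill-chain phase reached by a host's (indicator, phase) hits."""
    return PHASES[max(PHASES.index(phase) for _, phase in hits)]


def earliest_break(hits):
    """Earliest observed phase that a configured control covers.
    Breaking the chain there would have prevented every later phase."""
    covered = {c["phase"]: name for name, c in CONTROLS.items()}
    seen = {phase for _, phase in hits}
    for phase in PHASES:
        if phase in seen and phase in covered:
            return phase, covered[phase]
    return None


def coverage_table():
    """(phase, indicator count, control actions) per phase; '-' marks a gap."""
    rows = []
    for phase in PHASES:
        n_ind = sum(1 for i in INDICATORS if i["phase"] == phase)
        actions = sorted(c["action"] for c in CONTROLS.values() if c["phase"] == phase)
        rows.append((phase, n_ind, ",".join(actions) or "-"))
    return rows


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_LOGS).items():
        print(host, "reached", progression(hits), "| break at", earliest_break(hits))
    for phase, n_ind, actions in coverage_table():
        print(f"{phase:<22} indicators={n_ind} controls={actions}")
```

The per-phase table is the useful output: phases with zero indicators and no control (here Reconnaissance and Weaponization) are the categories where the defender currently has no visibility, and the earliest-break result shows which existing control, had it fired, would have stopped the whole chain rather than just the stage it watches.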
As stated above, patching and signatures remain a necessary component. Using threat-based network defense in addition to traditional vulnerability management adds great depth to your defense practices.
Labels:
Musings