As the information security industry continues to mature, several things have changed, but many of the fundamental issues remain—even in the face of new technologies, threats, and regulations. Understanding and responding to current trends gives security and risk management leaders the opportunity to improve security, increase resiliency, and support the business. With renowned experts in multiple practice areas, TrustedSec works with a broad range of clients in all industries—from sole proprietorships to a large number of the Fortune 50. Here are a few insights from TrustedSec’s leaders on what they have seen over the past year—and what the future may hold.
The rapid evolution of adversarial breaches is driving the need for risk management to adapt to be more like the “real world,” with scenarios that are actually validated in a client’s organization. There is a stronger desire to incorporate testing and validation results into the risk assessment to give a truer picture of the current state of risk based on actual, validated results. In addition, ordinal scales are losing ground in an effort to get at least some type of dollar equivalent. Even if the assessment is semi-quantitative (meaning it does not go into full detail down to the exact dollar amount of the loss), executives are asking security teams for an understanding of risk in a language they can understand. However, red-yellow-green heat maps are still the primary means of reflecting risk.
The other area that is garnering more attention is a move toward better aligning risk program management and risk operations. From a strategic perspective, there is the usual interest of how the areas of risk management are aligning to the risk tolerance and the choices being made therein. More mature companies are in the early stages of the operational aspects of better collecting, processing, and analyzing that information to ensure the results continue to improve and be refined.
In the last year, TrustedSec Incident Response has seen trends in both the ways attackers are working and how companies are employing Incident Response. On the attack front, there has been a definite shift in attackers moving away from utilizing ransomware for financial gain to working more stealthily and deploying crypto-mining software on compromised systems (although ransomware still pops its ugly head up from time to time). However, the tried-and-true methods of gaining an initial foothold—including brute-forcing exposed remote desktop protocol (RDP), phishing, and drive-by downloads—are still being used in force.
Organizations are taking note of this and are improving their Incident Response programs. Regardless of the organization’s maturity, Incident Response policies and plans are being created or revised; tabletop exercises are being run to ensure plans work as expected; and Incident Response retainers are established so if an incident does happen, the organization is able to respond quickly or augment their internal team. This last part is especially important with the increasing complexity of environments, including the continuation of cloud deployments. Finally, organizations are being more proactive and are actively looking for attackers in their networks through threat hunting or Breach Assessments—the latter being a threat hunt with a broader scope.
There has been a lot of interest in improving the various areas of security operations, but it has very much shifted to the “how” of getting solid results. Organizations continue to look for help on the tactical, “in the weeds” areas of the processes to drive effective and efficient operations. They want the step-by-step playbooks and evaluations of how programs are being run that comprise people, processes, and technology. Furthermore, as the tactical aspects of a security program mature, it is equally important to ensure the appropriate metrics are developed to communicate back up into the business layers.
Clearly, trained personnel in the security operations center (SOC) are at a premium and are not easily found in the human resource pool available today. SOCs are also using on-site purple teams both to improve adversarial detection and countermeasures and to increase defenders’ knowledge.
More mature organizations are venturing into advances in orchestration and automation—orchestration being how different technologies can be integrated to achieve a goal, and automation allowing a particular function that was done by humans to be done by a machine. However, neither orchestration nor automation is the norm because, as with nearly everything important, human logic must be applied to achieve what is promised.
Security Program Building
The more large-scale security breaches make their way into the news, the more leadership worries about whether or not a similar issue could happen to them. Executives around the world are steadily realizing that data theft is a global enterprise business and must be treated accordingly. The natural result of this is a growing trend toward ensuring information security programs are appropriately funded. However, defining ‘appropriately’ and nailing down specific numbers can be especially challenging for organizations that do not have a dedicated security role. Even highly mature organizations with a security team in place can be challenged by determining what levels of spending are appropriate for information security and risk management.
From a trend perspective, we will continue to see organizations looking for assistance in building highly mature security programs. This can manifest itself in multiple ways—for example, some organizations seek a role dedicated to program building (e.g., vCISO for organizations that might lack that specific role). Alternatively, some organizations are seeking assistance with strategic, prioritized initiatives based on business need and an understanding of the organization’s business risks.
Regardless, the most critical aspect of program building assistance is helping organizations align the protection of their business-critical data with the goals of the business itself. Few organizations believe that they have enough security resources. The trend of businesses looking for highly experienced third parties to assist with strategic guidance, tactical direction, and prioritization regarding security and risk will certainly continue.
Regulations and Standards
Organizations increasingly face challenges posed by compliance requirements, which will continue to come from many directions, including legislation and contractual requirements. As this occurs, organizations will continue to increase requirements on the third parties who provide critical services or with whom data is shared.
The NIST Cybersecurity Framework will continue to see increased adoption as organizations look for guidance on building and maintaining Information Security programs. This development is due, in part, to organizations looking for ways to implement controls and processes in an organized and prioritized manner as a part of a holistic Information Security program.
The new revision of NIST SP 800-53, Revision 5, will help continue to move organizations into thinking not just about security, but also privacy. This shift is not limited to this standard but is part of a larger industry trend towards a focus on privacy. Where privacy was often seen as an afterthought and siloed away from security, the coming years will likely see a larger emphasis on privacy, especially in light of the General Data Protection Regulation (GDPR) and the coming California data privacy law, the California Consumer Privacy Act (CCPA). Revision 5 of 800-53 is designed to be more applicable to multiple industries as well, which will allow organizations to more easily use it as a controls catalog while leveraging the NIST CSF for program alignment.
Additional regulations will require companies to change aspects of their businesses. As companies continue to figure out how to comply with the GDPR, they will be faced with the new California data privacy law, which is set to take effect in January 2020. One of the consistent challenges we see for organizations is knowing exactly what data they have, where it is, and who has access to it. While there are many aspects of the California law that will affect organizations, we expect one of the biggest challenges to be establishing accurate data inventories and measuring compliance.
NIST will continue to be increasingly prominent, having been directed by the President of the United States to create standards for information security for small and medium-sized businesses (SMBs). These voluntary guidelines should provide SMBs with direction as they continue to struggle with how to prioritize security and privacy efforts with often limited resources.
TrustedSec is seeing that organizations are increasingly turning to the MITRE ATT&CK™ (Adversarial Tactics, Techniques, and Common Knowledge) framework to help them better understand and protect against active IT security threats. As noted at https://attack.mitre.org/, the MITRE ATT&CK Framework is “a globally accessible knowledge base of adversary tactics and techniques” that is “open and available to any person or organization for use at no charge.”
The ATT&CK framework is valuable as an index of adversarial techniques, but it’s the mappings between the techniques and other data points (platforms, required permissions, mitigation strategies, detection strategies, data sources, groups, etc.) that really allow organizations to better understand how their security posture is aligned to the threat landscape. This is mainly because these mappings allow users to pivot across the framework in different ways based on what is important to them.
- An organization worried about a specific group/campaign can look up the group in ATT&CK and find the techniques that they are using.
- An organization assessing their cybersecurity tools can use ATT&CK to understand gaps in their preventative and detective capabilities.
- An organization focusing on securing a specific step in the cyber attack lifecycle can use ATT&CK to understand the associated adversarial techniques.
- An organization with known issues could use ATT&CK to understand relevant mitigation options.
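The four pivots above are all walks over the same relationship graph, and the STIX 2 bundle MITRE publishes for ATT&CK is built exactly that way: techniques are `attack-pattern` objects, groups are `intrusion-set` objects, mitigations are `course-of-action` objects, and `relationship` objects with `relationship_type` of `uses` or `mitigates` tie them together. The following Python is an added example, not TrustedSec’s code and not MITRE’s own tooling. The bundle it indexes is constructed for illustration: the object types, `kill_chain_phases` layout and relationship types mirror the real bundle, and the T- and M-numbers follow ATT&CK numbering, but the STIX ids are shortened, the two groups (with placeholder G9001/G9002 ids) are fictional, and every group-to-technique link is made up, so nothing here should be read as threat intelligence. It goes slightly beyond the bullets by also ranking techniques by how many groups share them, which is a common way to prioritise detection work when no single group is the concern.

```python
from collections import defaultdict

# Constructed bundle modelled on the ATT&CK STIX 2 layout (object types,
# kill_chain_phases and relationship_type values are real; ids, groups and
# the "uses" links are illustrative only).
def _obj(kind, sid, name, ext_id, phase=None):
    o = {"type": kind, "id": sid, "name": name,
         "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}
    if phase:
        o["kill_chain_phases"] = [{"kill_chain_name": "mitre-attack", "phase_name": phase}]
    return o

def _rel(rel_type, src, dst):
    return {"type": "relationship", "relationship_type": rel_type,
            "source_ref": src, "target_ref": dst}

BUNDLE = {"type": "bundle", "objects": [
    # Techniques (attack-pattern); T-numbers follow ATT&CK numbering
    _obj("attack-pattern", "attack-pattern--1110", "Brute Force", "T1110", "credential-access"),
    _obj("attack-pattern", "attack-pattern--1566", "Phishing", "T1566", "initial-access"),
    _obj("attack-pattern", "attack-pattern--1189", "Drive-by Compromise", "T1189", "initial-access"),
    _obj("attack-pattern", "attack-pattern--1003", "OS Credential Dumping", "T1003", "credential-access"),
    _obj("attack-pattern", "attack-pattern--1486", "Data Encrypted for Impact", "T1486", "impact"),
    _obj("attack-pattern", "attack-pattern--1496", "Resource Hijacking", "T1496", "impact"),
    # Mitigations (course-of-action); M-numbers follow ATT&CK numbering
    _obj("course-of-action", "course-of-action--1032", "Multi-factor Authentication", "M1032"),
    _obj("course-of-action", "course-of-action--1027", "Password Policies", "M1027"),
    _obj("course-of-action", "course-of-action--1017", "User Training", "M1017"),
    _obj("course-of-action", "course-of-action--1053", "Data Backup", "M1053"),
    # Groups (intrusion-set): fictional, with placeholder ids
    _obj("intrusion-set", "intrusion-set--a", "Example Group Alpha (constructed)", "G9001"),
    _obj("intrusion-set", "intrusion-set--b", "Example Group Bravo (constructed)", "G9002"),
    # Constructed group -> technique links (foothold, credentials, then impact)
    _rel("uses", "intrusion-set--a", "attack-pattern--1110"),
    _rel("uses", "intrusion-set--a", "attack-pattern--1003"),
    _rel("uses", "intrusion-set--a", "attack-pattern--1486"),
    _rel("uses", "intrusion-set--b", "attack-pattern--1566"),
    _rel("uses", "intrusion-set--b", "attack-pattern--1189"),
    _rel("uses", "intrusion-set--b", "attack-pattern--1003"),
    _rel("uses", "intrusion-set--b", "attack-pattern--1496"),
    # Mitigation -> technique links
    _rel("mitigates", "course-of-action--1032", "attack-pattern--1110"),
    _rel("mitigates", "course-of-action--1027", "attack-pattern--1110"),
    _rel("mitigates", "course-of-action--1017", "attack-pattern--1566"),
    _rel("mitigates", "course-of-action--1053", "attack-pattern--1486"),
]}

def build_index(bundle):
    """Index the bundle by STIX id, by ATT&CK external id, and by relationship."""
    by_id, ext, uses, mitigates = {}, {}, defaultdict(set), defaultdict(set)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            if o["relationship_type"] == "uses":
                uses[o["source_ref"]].add(o["target_ref"])
            elif o["relationship_type"] == "mitigates":
                mitigates[o["target_ref"]].add(o["source_ref"])  # technique -> mitigations
        else:
            by_id[o["id"]] = o
            for ref in o.get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    ext[ref["external_id"]] = o["id"]
    return {"by_id": by_id, "ext": ext, "uses": uses, "mitigates": mitigates}

def _ext_id(index, sid):
    return index["by_id"][sid]["external_references"][0]["external_id"]

def techniques_used_by(index, group_ext_id):
    """Pivot 1: group -> sorted technique ids."""
    return sorted(_ext_id(index, t) for t in index["uses"][index["ext"][group_ext_id]])

def coverage_gaps(index, group_ext_id, detected):
    """Pivot 2: techniques the group uses that our tooling does not yet detect."""
    return [t for t in techniques_used_by(index, group_ext_id) if t not in set(detected)]

def techniques_in_phase(index, phase_name):
    """Pivot 3: attack lifecycle step (ATT&CK tactic) -> sorted technique ids."""
    return sorted(_ext_id(index, sid) for sid, o in index["by_id"].items()
                  if o["type"] == "attack-pattern"
                  and any(p["phase_name"] == phase_name for p in o.get("kill_chain_phases", [])))

def mitigations_for(index, technique_ext_id):
    """Pivot 4: technique -> sorted mitigation names (empty if none is mapped)."""
    tid = index["ext"][technique_ext_id]
    return sorted(index["by_id"][m]["name"] for m in index["mitigates"][tid])

def technique_prevalence(index):
    """Rank techniques by how many groups use them, most shared first."""
    counts = defaultdict(int)
    for src, targets in index["uses"].items():
        if index["by_id"][src]["type"] == "intrusion-set":
            for t in targets:
                counts[_ext_id(index, t)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    idx = build_index(BUNDLE)
    detected = {"T1566", "T1486"}  # constructed: what current EDR/SIEM rules cover
    print("Alpha uses:", techniques_used_by(idx, "G9001"))
    print("Gaps vs Alpha:", coverage_gaps(idx, "G9001", detected))
    print("Initial access:", techniques_in_phase(idx, "initial-access"))
    print("Mitigations for T1110:", mitigations_for(idx, "T1110"))
    print("Most shared:", technique_prevalence(idx))
```

Against the real bundle the only change is loading the JSON from MITRE’s published data instead of `BUNDLE`; the pivots stay the same because they depend only on object types and relationship types, not on any particular id. The `detected` set is the organisation’s own input (which technique ids its rules and sensors actually cover), which is exactly the piece the framework cannot supply and the piece that turns the index into a gap assessment.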
MITRE is also currently working on building out an index of how well specific tools perform against the techniques utilized by specific groups. Although currently limited, this information will make the framework even more valuable once it is populated with additional data.
Organizations both large and small can quickly pull relevant information from the ATT&CK framework with minimal effort, but many are going even further by aligning their cybersecurity programs to the ATT&CK framework and using it to drive cybersecurity assessments.
In 2018, we saw great improvements in tools like endpoint detection and response (EDR) and log monitoring, as well as advances in the skills of blue teams. Growth in these areas can be attributed to the sharing of information by researchers in the security community—TrustedSec’s research, in great part, was driven by this, starting with the extension of existing tools and techniques. There was also a deeper understanding of Indicators of Compromise (IoCs), which not only improves the tools and techniques themselves but also provides better guidance to customers.
Going forward into 2019, we believe we will see more research in the automation of testing and improvements of Tactics, Techniques, and Procedures (TTPs). We will expand our automation and analysis of information gathered from engagements and further expand custom tooling to better simulate existing threat actors.
TrustedSec is also seeing an expansion of the analysis, development, and use of not only the various tools but also the behavior of adversaries, by leveraging more threat intelligence to better represent the current threats customers may face. Knowing which threats a customer is most likely to run up against in their particular field or business will allow us to move faster to higher levels of Adversarial Attack Simulation or Red Teaming. Therefore, we will move away from base technical emulation and more into the trusted advisor role, helping our customers identify areas of improvement at higher levels of the business and operational structures.
Payment Card Industry (PCI)
The PCI Council has been busy updating some of the standards and guidance documents. They have recently released new guidance documents, including “Protecting Telephone-Based Payment Card Data” and “Best Practices for Maintaining PCI DSS Compliance.” They have also released the “Secure Software Standard,” which will eventually fully replace the PA-DSS standard.
For the Data Security Standard (DSS), we probably won’t see any changes this year until version 4.0 comes out. With this, the PCI Council has stated that they are looking to address a number of topics within the standard, including data-level encryption, segmentation, least privilege access, behavioral analytics, and password requirements aligned to NIST guidance. We will have to wait and see exactly what will change, but rest assured we will be talking about it here when it is available.
2018 saw Red Teaming continue to grow in popularity as more companies look to move beyond traditional Penetration Testing. Penetration Testing is great for coverage of a large number of assets, looking for paths towards compromise and data. However, as companies continue to invest in EDR products, Security Information and Event Management (SIEM) solutions, and hiring or contracting with experienced defenders, offensive testing approaches need to evolve. Red Teaming allows companies to test the entire technology stack and emulate a targeted attack on an organization. This helps resolve the current pitfall with pen testing in mature organizations—that avoiding detection takes time and focus that doesn’t always fit within a one- or two-week pen test engagement.
However, not all companies have the budget for multi-month engagements. As a result, more offensive security testing companies will work toward custom testing parameters including: an assumed workstation breach, an assumed DMZ breach, external compromise of endpoints, and building other custom scenarios to help focus the engagement on particular target areas.
Automated TTP replay frameworks will also increase in popularity, allowing blue teams and defenders to quickly test their EDR or SIEMs for generic attacks. The downfall of these tools is that attackers live in a space where their success hangs on circumventing signatures or alerting. As long as attackers are constantly evolving, defenders will need to rely on their own creativity to build effective detection methods.
In addition, offensive testing will continue to increase in complexity, and companies will be required to reinvest in their teams at a rate previously unseen. Offensive teams will need to be highly research-driven as defenders build and deploy detections increasingly quickly. Understanding how to stay a step ahead of EDR products is now a requirement to avoid detection. Even anti-virus is seeing major leaps forward when historically it was more of a speed bump in offensive testing.
In sum, TrustedSec takes a pragmatic approach to viewing trends in security and risk. It’s always an interesting exercise to predict what will happen in the distant future, but we never want to lose sight of what’s happening right now. Hopefully these trends will prove practical in your quest to make better decisions and take appropriate actions for your risk and security programs.