Future proofing, to us, means determining what is not working in a cybersecurity program and fixing it. At SEI, that starts with a process called regression testing, which takes newly available threat intelligence and applies it to past activity. If there is a “hit” for the regression test, it means a cyberthreat related to that intelligence has previously been on or around the company's infrastructure, evading detection. These things happen, unfortunately—the adversary is dynamic and well-funded.
Done regularly, the feedback of a regression program can limit the amount of time a threat lives undetected within the business' IT environment. It can also help diagnose consistent gaps in the security program's monitoring and detection process, facilitating investment into the appropriate improvement. Most importantly, it can assist the security team in growing resiliency against not just a particular attack, but a style or type of attack. Cybercriminals recreate a failed attempt with new attack infrastructure, and then circle back. They also mimic and reproduce other successful attacks. The lessons from one missed attack can prepare the business to stop many similar future attacks.
Awareness of the regression testing process is rising, helped by the requirements that some cybersecurity insurance providers now call for. The businesses we observe that already run this process are typically looking for a “hit,” and then using it to establish the scope of the issue (when, where, what, how) and contain the threat.
The future-proofing step
Containment is important, but we want to make sure it doesn't happen again. Doing this requires updating and strengthening both detection capability and prevention capability.
Going back to an intelligence community and getting a fresh IOC (hash value, domain, IP) for the attack is better than nothing. But IOCs have a short shelf life, like the license plate on a stolen car: as mentioned, threat groups “spin up” new infrastructure and try again. Detection and prevention at the IOC level of intelligence don't scale.
Future-proofing requires intelligence above the IOC level. What does that point to? TTPs. These are rules that address the tactics, techniques and procedures of threat actors, as opposed to the IPs, domains and hash values that make up IOCs.
Returning to the stolen car example, TTP-level rules require the criminal to change the entire car. This is a highly effective defense, because criminal efforts mostly go wherever the return on investment is greatest.
These TTP protections have to be written and deployed by either the business' security team or its security vendors. It should be done across the email, network, and endpoint pillars of infrastructure, every time. This can be a challenge for small and medium-sized businesses without dedicated security professionals. It will also often be outside the service agreement or operational capabilities of a security monitoring and detection provider.
To take security from good to great, the deployment of these protections would align across each pillar of infrastructure, in accordance with each stage of that attack: true defense in depth.
Once deployed, another regression test can simulate whether those controls would “fire” (i.e. see or stop the threat) next time. It allows the team to assess the effectiveness of the controls along with any false positives they may generate. This validation process is part of a fully remediated incident, and provides confidence that the threat is controlled for going forward. If the threat actors create a new IP, domain or hash value as part of their attack, security is set to block it over and over. Security now has confidence against that threat, and can quantify its risk. This fully-baked regression process, which included research, updating protections and deploying TTPs, has moved security from reactive to proactive, and unlevered to levered.
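As an added illustration of the regression test described at the top of this piece and of the IOC-versus-TTP point and re-test step just discussed (example code written for this page, not SEI's own tooling), the script below replays a small constructed set of past endpoint events against two kinds of rules: IOC rules built from a first intelligence report, and one TTP rule for an Office application spawning PowerShell with an encoded command. The event records, indicator values and the retry with rotated infrastructure are all constructed; the TTP rule is deliberately narrow so the benign admin command in the sample does not fire it.

```python
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]
Rule = Tuple[str, str, Callable[[Event], bool]]  # (name, level, predicate)

# Constructed past activity, not real telemetry: a March intrusion, a benign
# admin command, and an April retry by the same actor with rotated infrastructure.
HISTORY: List[Event] = [
    {"ts": "2024-03-01T09:12:00", "host": "ws-17", "parent": "WINWORD.EXE",
     "child": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "dst_ip": "203.0.113.10", "domain": "cdn-update.example", "sha256": "a1" * 32},
    {"ts": "2024-03-01T10:05:00", "host": "ws-03", "parent": "explorer.exe",
     "child": "powershell.exe", "cmdline": "powershell.exe Get-Date",
     "dst_ip": "198.51.100.7", "domain": "intranet.example", "sha256": "b2" * 32},
    {"ts": "2024-04-15T14:40:00", "host": "ws-22", "parent": "EXCEL.EXE",
     "child": "powershell.exe", "cmdline": "powershell.exe -w hidden -EncodedCommand SQBFAFgA",
     "dst_ip": "203.0.113.99", "domain": "cdn-refresh.example", "sha256": "c3" * 32},
]

def ioc_rule(name: str, field: str, values: Set[str]) -> Rule:
    """IOC-level rule: exact match on one indicator value (IP, domain or hash)."""
    return (name, "IOC", lambda e: e.get(field) in values)

# Indicators from the (constructed) March intel report.
MARCH_IOC_RULES: List[Rule] = [
    ioc_rule("c2-ip", "dst_ip", {"203.0.113.10"}),
    ioc_rule("c2-domain", "domain", {"cdn-update.example"}),
    ioc_rule("loader-hash", "sha256", {"a1" * 32}),
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\b", re.IGNORECASE)

def office_spawns_encoded_powershell(e: Event) -> bool:
    """TTP-level rule: an Office application launching PowerShell with an
    encoded command. Survives rotation of IPs, domains and file hashes."""
    return (e.get("parent", "").upper() in OFFICE_APPS
            and e.get("child", "").lower() in {"powershell.exe", "pwsh.exe"}
            and ENCODED_FLAG.search(e.get("cmdline", "")) is not None)

TTP_RULE: Rule = ("office-encoded-powershell", "TTP", office_spawns_encoded_powershell)

def regress(events: List[Event], rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Regression test: apply rules to past activity, return (rule, level, ts) per hit."""
    return [(name, level, e["ts"]) for e in events for name, level, pred in rules if pred(e)]

def hit_timestamps(hits: List[Tuple[str, str, str]], level: str) -> Set[str]:
    """Timestamps of past events that a given level of intelligence would have caught."""
    return {ts for _, lvl, ts in hits if lvl == level}
```

Running `regress(HISTORY, MARCH_IOC_RULES + [TTP_RULE])` shows the IOC rules catching only the March event, while the TTP rule also catches the April retry on new infrastructure and stays quiet on the benign command, which is the re-test result the validation step is looking for.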