How can busy security teams stay ahead of the cybersecurity curve and prepare for the unforeseen?
Attackers are, by their very nature, always looking for new vulnerabilities, and often they’re armed with threats even the savviest cybersecurity teams haven’t seen before. It might be a zero-day attack, a malware infestation courtesy of polymorphic or metamorphic code, a long-term campaign (using multiple methods) that aims to steal data rather than cause immediate damage, or the compromise of a trusted vendor or supplier used as a route into the organization. Planning for each specific eventuality is enough to make even the most seasoned CISO lose sleep.
“When we graduate from CISO University, they don’t give us a crystal ball and a magic wand. They give us a skill shortfall, a tight budget, an open plan office, and a big damn hammer to play whack-a-mole.” – Anonymous Telecoms CISO during one of our case study calls.
So, how can busy cybersecurity teams, especially those within large organizations, stay ahead of these unforeseen threats when the vulnerabilities aren’t known, can’t be predicted, and there are probably no working patches, antivirus definitions, or vendor guidance out there to address them? Seriously, who’d be a CISO? Right?
Some of the following advice is standard practice, and some of it hits a little harder, but the overall strategy is simple:
“Before anything else, preparation is the key to success,” – Alexander Graham Bell.
Security Training Programs
We know it’s been said a thousand times on this blog and across a million industry channels, but training is an organization’s first line of defense.
Security teams have to make sure that every staff member undergoes cybersecurity training, regardless of their role. Training is a full-time job for some security practitioners – and “CISO University” should probably put PowerPoint on the curriculum.
Everyone needs to be aware of the basics: how to identify phishing and whaling attempts, why strong password practices matter, the dangers of unsecured BYOD devices, and why least-privilege access is best practice and should be supported across the org. It’s amazing to us, but so many colleagues are still ignorant of, or blasé about, best practices, or forget them under the pressure to perform. Testing and retesting compliance, and teaching and reinforcing best practices, probably give the best return on team time and budget.
Fostering a security-centric culture is vital. That means encouraging employees to report suspicious activity, conducting regular drills and simulations, and rewarding those who actively participate in making the organization more secure.
Part of this will be testing, with the likes of phishing exercises. Regular red team exercises that simulate real-world attacks on the organization help to identify vulnerabilities in a system and gauge the business’s readiness.
Prioritize Patch Management
We all probably know the saying ‘Patch Tuesday, Exploit Wednesday’, and it highlights why patch management is so important in a threat ecosystem where attackers start picking apart each fix the moment it ships.
Regularly updating and patching software ensures that known vulnerabilities are addressed, significantly reducing the risk of a breach. With well-funded nation-state actors and digital opportunists continuously seeking out new weaknesses in systems, patch management is a core line of defense. It also promotes system stability and performance, and shores up an organization’s defenses against emerging threats.
Even though zero-day attacks exploit vulnerabilities that aren’t yet known, many cyberattacks exploit known vulnerabilities that simply haven’t been patched. A rigorous patch management strategy ensures that updates and patches are applied promptly, that every unpatched exposure is tracked against a deadline, and that the security team knows who is responsible for applying them.
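As an added example (not code from the original post), here is the kind of report that turns “apply patches promptly and know who owns them” into something a team can act on: an inventory of installed versions is compared against a list of fixed versions, and every gap is attributed to an owner with the age of the available fix. The inventory, advisory versions, dates, hostnames and team names are all constructed sample data, not real advisories, and the 30-day SLA is an assumption.

```python
# Added example, not from the original post: a "who owns the unpatched box"
# report. ADVISORIES and INVENTORY are constructed sample data (not real
# advisories); real inputs would come from an SBOM, a package manager or a
# vulnerability scanner.
import re
from datetime import date

# Constructed advisory list: package -> (first fixed version, date the fix shipped)
ADVISORIES = {
    "openssl": ("3.0.14", date(2024, 6, 4)),
    "nginx":   ("1.25.4", date(2024, 7, 1)),
    "curl":    ("8.7.1",  date(2024, 3, 27)),
}

# Constructed inventory lines: host,package,installed_version,owner
INVENTORY = """\
web-01,openssl,3.0.9,platform-team
web-01,nginx,1.25.3,platform-team
web-02,openssl,3.0.14,platform-team
db-01,openssl,3.0.10,dba-team
bastion,curl,8.10.1,platform-team
jump-02,curl,7.88.1,platform-team
"""

PATCH_SLA_DAYS = 30                 # assumption: policy deadline for applying a fix
REPORT_DATE = date(2024, 7, 15)     # "today" for the sample run


def parse_version(v):
    """Turn '1.25.4' into (1, 25, 4) so versions compare numerically.
    Comparing the raw strings would say '3.0.9' > '3.0.14', which is wrong."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_vulnerable(installed, fixed):
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed)


def patch_gaps(inventory_text, advisories, today):
    """One record per install that is below the fixed version, with the owner
    and how many days the fix has already been available."""
    gaps = []
    for line in inventory_text.strip().splitlines():
        host, pkg, ver, owner = line.split(",")
        if pkg not in advisories:
            continue
        fixed, fix_date = advisories[pkg]
        if is_vulnerable(ver, fixed):
            age = (today - fix_date).days
            gaps.append({
                "host": host, "package": pkg, "installed": ver, "fixed": fixed,
                "owner": owner, "fix_age_days": age, "past_sla": age > PATCH_SLA_DAYS,
            })
    return gaps


def gaps_by_owner(gaps):
    """Group gap records by the team responsible for closing them."""
    out = {}
    for g in gaps:
        out.setdefault(g["owner"], []).append(g)
    return out


if __name__ == "__main__":
    for owner, items in gaps_by_owner(patch_gaps(INVENTORY, ADVISORIES, REPORT_DATE)).items():
        print(owner)
        for g in items:
            flag = "PAST SLA" if g["past_sla"] else "in window"
            print(f"  {g['host']:8} {g['package']:8} {g['installed']:>7} -> "
                  f"{g['fixed']:<7} {flag} ({g['fix_age_days']}d)")
```

The numeric version comparison is the part people get wrong: a plain string comparison ranks `8.10.1` below `8.7.1` and would report a fully patched `curl` as vulnerable, while missing nothing else. Grouping by owner is what makes the report actionable rather than just a list.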
Embrace Network Segmentation
Seriously, embrace network segmentation like you would a long-lost sister returning from two years missing in The Congo.
By segmenting our network, we limit what attackers can reach once they penetrate it – and statistically, they will get in. When they gain access to one segment, they can’t easily move to another without crossing another line of defense. That line only counts if traffic between segments is denied by default and every permitted flow is listed explicitly. Microsegmentation, which goes more granular and allows even tighter control, is best practice for protecting service accounts and preventing lateral movement, effectively reducing the blast radius of any attack – known or unknown.
Advanced Threat Detection
If advanced threat detection (ATD) were a fictional character, it would be Sherlock Holmes – always a step ahead, with a magnifying glass on every byte. Logical and analytical, approaching the problem with cold, scientific detachment. Keen powers of observation and deductive reasoning, able to spot the unexpected based on a wealth of prior knowledge. However, ATD will never take drugs or play the violin while we’re trying to concentrate.
Advanced threat detection solutions that use behavioral analytics can detect anomalies in network traffic; we can’t rely on known signatures alone. By closely monitoring application and workload behavior in real time, and establishing a baseline of approved “normal” activity, it’s possible to spot the tell-tale signs of a deviation quickly. That way, potential threats (like the footprint of a zero-day exploit) are detected and addressed before they can escalate. The caveat is that the baseline is only as good as the window it was learned from: if an attacker is already active while it is being built, their activity becomes “normal” too.
Regularly Backup Critical Data
We all know the drill. Regular backups aren’t just a best practice; they’re a necessity. In the event of an attack, an up-to-date backup means we can restore systems to their pre-attack state, significantly reducing downtime and data loss. It won’t stop an unforeseen attack, but it’s essential for remediation, provided the backups are kept out of reach of an attacker who already holds admin rights, and provided someone has actually practised restoring from them.
Leverage Threat Intelligence
Organizations get a bird’s-eye view of emerging threats by tapping into global threat intelligence feeds. While a feed may not directly pinpoint a zero-day attack, it can offer indicators of compromise that serve as early warnings. There are tools like our own that can help us stay ahead, and a legion of online resources to keep us abreast of cybersecurity news.
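The two previous sections, behavioral detection and threat intelligence, are complementary, and this added example (not code from the original post or from any product) shows both over the same data: a feed of known-bad destinations catches the attacker’s known infrastructure, while a per-process baseline learned from a clean day catches the connection, the data volume and the process that no feed has heard of yet. The log format, the IOC list and every log line are constructed sample data; the three-sigma threshold is an assumption.

```python
# Added example, not from the original post: an IOC feed catches the known
# bad destination, a behavioral baseline catches the unknown one. Log format,
# IOC list and log lines are all constructed sample data.
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed feed of known-bad destination IPs
IOC_FEED = {"203.0.113.7", "198.51.100.23"}

# Constructed egress log lines: "<timestamp> <host> <process> <dst_ip>:<port> <bytes>"
BASELINE_LOGS = """\
2024-07-01T09:00:01 web-01 nginx 10.0.2.15:5432 1200
2024-07-01T09:00:05 web-01 nginx 10.0.2.15:5432 1450
2024-07-01T09:00:09 web-01 nginx 10.0.2.15:5432 1380
2024-07-01T09:00:14 web-01 nginx 10.0.2.15:5432 1600
2024-07-01T09:00:20 web-01 nginx 10.0.2.15:5432 1250
2024-07-01T02:00:00 web-01 backup-agent 10.0.9.4:443 51200
2024-07-01T02:00:30 web-01 backup-agent 10.0.9.4:443 49800
"""

NEW_LOGS = """\
2024-07-02T09:00:03 web-01 nginx 10.0.2.15:5432 1300
2024-07-02T09:01:10 web-01 nginx 203.0.113.7:443 900
2024-07-02T09:01:42 web-01 nginx 192.0.2.44:4444 800
2024-07-02T02:00:05 web-01 backup-agent 10.0.9.4:443 52000
2024-07-02T09:03:00 web-01 nginx 10.0.2.15:5432 900000
2024-07-02T09:04:12 web-01 sh 10.0.2.15:22 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+\.\d+\.\d+\.\d+):(\d+) (\d+)$")


def parse(line):
    """Return a dict for one log line, or None for a line that doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, dst, port, nbytes = m.groups()
    return {"ts": ts, "host": host, "proc": proc, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def build_baseline(log_text):
    """Learn, per (host, process), which peers it talks to and how much it sends.
    This must come from a window you trust to be clean: whatever is in it becomes 'normal'."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if ev:
            key = (ev["host"], ev["proc"])
            dests[key].add((ev["dst"], ev["port"]))
            sizes[key].append(ev["bytes"])
    thresholds = {}
    for key, vals in sizes.items():
        mu, sigma = mean(vals), pstdev(vals)
        # assumption: a transfer more than 3 sigma above the mean is a spike;
        # a perfectly flat baseline (sigma 0) falls back to twice the mean
        thresholds[key] = mu + 3 * sigma if sigma > 0 else 2 * mu
    return {"dests": dict(dests), "thresholds": thresholds}


def analyse(log_text, baseline, ioc_feed):
    """Tag each new event with every rule it trips; return only tagged events."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if not ev:
            continue
        key = (ev["host"], ev["proc"])
        reasons = []
        if ev["dst"] in ioc_feed:
            reasons.append("ioc_match")            # known bad: signature-style hit
        if key not in baseline["dests"]:
            reasons.append("new_process")          # this host never ran this before
        else:
            if (ev["dst"], ev["port"]) not in baseline["dests"][key]:
                reasons.append("new_destination")  # unknown peer, no IOC needed
            if ev["bytes"] > baseline["thresholds"][key]:
                reasons.append("volume_spike")     # e.g. a dump leaving over a normal path
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    model = build_baseline(BASELINE_LOGS)
    for ev, reasons in analyse(NEW_LOGS, model, IOC_FEED):
        print(f"{ev['ts']} {ev['host']} {ev['proc']} -> {ev['dst']}:{ev['port']} "
              f"{ev['bytes']}B  {', '.join(reasons)}")
```

On the sample data the feed fires once, on the known-bad address, and the baseline fires three more times: on the connection to an address nobody has listed yet, on a 900,000-byte transfer down the database path that normally carries a kilobyte or so, and on a shell that web-01 had never run before. Those three are exactly the events a signature-only approach would miss.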
Adopt a Zero Trust Model
The zero trust security model operates on the principle of “never trust, always verify.” By not automatically trusting anything inside or outside the perimeter, organizations ensure that every access request is authenticated and authorized.
Regardless of where a request originates, inside or outside the organization, zero trust mandates strict verification of the identity, and the device, behind every attempt to access a resource on the network. Traditional models, which often trust traffic within the network, turn an unknown vulnerability in one system into a path to everything else. Under zero trust, even if a vulnerability is exploited, the potential damage is contained: the attacker’s foothold carries no implied trust, so each further resource they try to reach demands its own authentication and authorization, which they must now defeat or steal credentials for. This stance doesn’t stop every breach, but it limits how far one can go, protecting assets from known and unknown threats.
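To make the segmentation and zero trust sections concrete, here is an added example (not code from the original post or from any product) of a toy policy decision point that applies both layers to every request: first a microsegmentation allow list, where a flow not listed is denied even inside a segment, and then a per-request check of who is asking, from which device, for which resource. The segments, allow list, identities, devices and requests are constructed sample data, and the request field names are assumptions.

```python
# Added example, not from the original post: a toy policy decision point that
# applies segmentation and zero trust to each request. Segments, allow list,
# identities, devices and requests are constructed sample data; the field names
# are assumptions, not any product's API.
import ipaddress

# Network segments (constructed)
SEGMENTS = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),   # user laptops
    "web":  ipaddress.ip_network("10.20.0.0/24"),   # front-end workloads
    "db":   ipaddress.ip_network("10.30.0.0/24"),   # databases
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),   # admin jump hosts
}

# Microsegmentation allow list: (src segment, dst segment, port).
# Anything not listed is denied, including traffic inside one segment.
FLOW_ALLOW = {("web", "db", 5432), ("corp", "web", 443), ("mgmt", "db", 22), ("mgmt", "web", 22)}

# Identity directory (constructed): humans need MFA, services need a managed host
IDENTITIES = {
    "alice":   {"kind": "human",   "role": "employee"},
    "bob":     {"kind": "human",   "role": "dba"},
    "svc-app": {"kind": "service", "role": "app-service"},
}

# Device / workload inventory (constructed)
DEVICES = {
    "lt-0421": {"managed": True, "compliant": True},
    "lt-0777": {"managed": True, "compliant": False},   # e.g. EDR agent missing
    "web-01":  {"managed": True, "compliant": True},
}

# Which roles may reach which resource ("segment:port")
RESOURCE_ROLES = {"web:443": {"employee", "app-service"}, "db:5432": {"app-service"},
                  "db:22": {"dba"}, "web:22": {"sre"}}


def segment_of(ip):
    """Map an address to its segment name, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def network_check(src_ip, dst_ip, port):
    """Segmentation layer: the flow must be on the explicit allow list."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False, "unknown segment"
    if (src, dst, port) not in FLOW_ALLOW:
        return False, f"{src}->{dst}:{port} not on allow list"
    return True, f"{src}->{dst}:{port}"


def identity_check(req, resource):
    """Zero trust layer: who, on what device, for which resource, every time."""
    ident = IDENTITIES.get(req.get("user"))
    if ident is None:
        return False, "unauthenticated"
    if ident["kind"] == "human" and not req.get("mfa"):
        return False, "mfa required"
    dev = DEVICES.get(req.get("device"))
    if dev is None or not dev["managed"]:
        return False, "unmanaged device"
    if not dev["compliant"]:
        return False, "device not compliant"
    if ident["role"] not in RESOURCE_ROLES.get(resource, set()):
        return False, f"role {ident['role']} not authorized for {resource}"
    return True, f"{req['user']}@{req['device']} as {ident['role']}"


def authorize(req):
    """Both layers must pass; coming from 'inside' earns nothing on its own."""
    ok, why = network_check(req["src"], req["dst"], req["port"])
    if not ok:
        return "DENY", "network: " + why
    ok, why = identity_check(req, f"{segment_of(req['dst'])}:{req['port']}")
    if not ok:
        return "DENY", "identity: " + why
    return "ALLOW", why


# Constructed requests, including the ones an attacker with a foothold would make
REQUESTS = [
    {"src": "10.20.0.5", "dst": "10.30.0.10", "port": 5432, "user": "svc-app", "device": "web-01"},  # app -> its DB
    {"src": "10.20.0.5", "dst": "10.20.0.6", "port": 22, "user": "svc-app", "device": "web-01"},     # foothold on web-01 tries a neighbour
    {"src": "10.10.4.20", "dst": "10.20.0.5", "port": 443},                                          # corp laptop, no identity at all
    {"src": "10.10.4.20", "dst": "10.20.0.5", "port": 443, "user": "alice", "device": "lt-0421", "mfa": False},
    {"src": "10.10.4.20", "dst": "10.20.0.5", "port": 443, "user": "alice", "device": "lt-0777", "mfa": True},
    {"src": "10.10.4.20", "dst": "10.20.0.5", "port": 443, "user": "alice", "device": "lt-0421", "mfa": True},
    {"src": "10.20.0.9", "dst": "10.30.0.10", "port": 5432, "user": "svc-app", "device": "web-09"},  # stolen service creds, unmanaged host
    {"src": "10.99.0.3", "dst": "10.30.0.10", "port": 22, "user": "bob", "device": "lt-0421", "mfa": True},  # DBA via mgmt
]


def evaluate_all(reqs=REQUESTS):
    return [authorize(r) for r in reqs]


if __name__ == "__main__":
    for req, (decision, why) in zip(REQUESTS, evaluate_all()):
        print(f"{decision:5} {req['src']:>11} -> {req['dst']}:{req['port']:<5} {why}")
```

The third request is the one the old perimeter model gets wrong: it comes from the “trusted” corporate range and is on an allowed flow, yet it is denied because nobody authenticated. The second shows segmentation doing its job on lateral movement, and the seventh shows why the device check matters for service accounts: a stolen credential replayed from a host that isn’t in the inventory gets nowhere even on a permitted flow.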
Have an Incident Response Plan
Even with the best preparations, breaches happen. An incident response plan lays out the steps to take in the aftermath of an attack, and who is responsible for each, so the organization can recover quickly and reduce the damage. A plan that has never been rehearsed rarely survives contact with a real incident, so run it as a tabletop exercise before you need it.
As Benjamin Franklin rightly said, “By failing to prepare, you are preparing to fail.”
The cyber landscape is continually shifting, with attackers always looking for the next loophole to exploit. There’s no foolproof strategy against every potential threat, especially unforeseen ones like zero-day attacks, but a layered defense, colleagues in sync with the security team, the right tools, best practices like zero trust and segmentation, and sharp-eyed vigilance go a long way toward safeguarding an organization. After all, it’s not just about being ready to evolve and adapt swiftly to emerging threats; it’s also about having the best defenses in place before the unforeseen happens. No one wants to play whack-a-mole for a living. It’s not sustainable.