“It’s over, Anakin! I have the high ground.”

Obi-Wan Kenobi

One of the main advantages that cyber defenders have over attackers is inside knowledge of their environment. Well, at least they’re supposed to. It turns out that many organizations don’t have that inside knowledge: the full picture of their IT environment. Without it, cyber defenders are hard pressed to hold onto the high ground, and the battlefield is levelled. If an attacker gains access to the network (and is detected), a race begins to see who can discover vulnerabilities first and exploit or mitigate them. There is a lot of talk about “just doing the basics” to prevent such attacks and bolster your cyber security posture. Unfortunately, “the basics” aren’t always easy. Regaining the high ground can be accomplished in four simple (but not easy) steps:

  • Illuminate your environment
  • Validate your vulnerabilities
  • Internalize external threats
  • Mitigate like crazy

Before you can truly understand where your greatest threats lie, you must gather the fullest picture of your environment. To start, ensure your network diagrams are up to date with the latest IP and flow information, based on IP monitoring tools and a current view of network and security appliance configuration. Running periodic Nmap scans will help you find systems and services running where you thought there were none (you’d be surprised how many times we’ve discovered folks running non-approved server software on their workstations, for “testing purposes”, of course). Remember, if the bad guys get into your environment, they only need to see their next step towards achieving their objectives; you need to see the whole enchilada. Once you start illuminating your environment, you will be able to move on to step 2: validating vulnerabilities.
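One way to turn those periodic Nmap scans into a list of surprises, as an added example that is not part of the original post: parse grepable output (`nmap -oG`) and compare the open ports with an approved inventory. The hosts, ports and the `APPROVED` baseline below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap grepable output (nmap -oG); hosts and ports are made up.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -oG - 10.0.0.0/24
Host: 10.0.0.5 (ws-17.example.internal)\tStatus: Up
Host: 10.0.0.5 (ws-17.example.internal)\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (997)
Host: 10.0.0.9 (db-01.example.internal)\tPorts: 5432/open/tcp//postgresql///\tIgnored State: closed (999)
Host: 10.0.0.23 ()\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///
"""

# Constructed baseline (an assumption): what each host is approved to expose.
APPROVED = {
    "10.0.0.5": {(22, "tcp")},
    "10.0.0.9": {(5432, "tcp"), (22, "tcp")},
}

PORTS_FIELD = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\).*?\tPorts:\s+([^\t]*)")

def parse_grepable(text):
    """Return {ip: {(port, proto): service}} for ports in the 'open' state."""
    found = defaultdict(dict)
    for line in text.splitlines():
        m = PORTS_FIELD.match(line)
        if not m:
            continue  # comment lines and 'Status:' lines carry no port data
        ip, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) < 5 or fields[1] != "open":
                continue
            found[ip][(int(fields[0]), fields[2])] = fields[4] or "unknown"
    return dict(found)

def drift(observed, approved):
    """Return (unapproved open services, approved services not seen)."""
    unapproved, missing = [], []
    for ip, ports in sorted(observed.items()):
        for key in sorted(set(ports) - approved.get(ip, set())):
            unapproved.append((ip, key[0], key[1], ports[key]))
    for ip, allowed in sorted(approved.items()):
        for port, proto in sorted(allowed - set(observed.get(ip, {}))):
            missing.append((ip, port, proto))
    return unapproved, missing

if __name__ == "__main__":
    unapproved, missing = drift(parse_grepable(SAMPLE_SCAN), APPROVED)
    print("Not in inventory:", unapproved)
    print("Expected but not seen:", missing)
```

A host that appears only in the first list (here 10.0.0.23) is a system the diagram does not know about; an entry in the second list means either the baseline is stale or the service is down or filtered.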

Seeing more of your environment helps you better scan for and identify vulnerabilities, which adds another task to the to-do list: vulnerability validation. Some tools have a one-click validator, and you can use standard pen test scanners to validate, if you’d like, but it can’t stop there. You need to better understand where your vulnerable assets lie (i.e. are they Internet-facing, or tucked away behind layers of mitigating controls?), as well as known threats looking to leverage such a vulnerability (e.g. SMBv1 and WannaCry). If you are performing penetration tests to validate the vulnerability, grab some artifacts – indicators of compromise – upon success, so that you can add them to your security monitoring and threat hunting platforms to help identify these activities should someone else take it upon themselves to “validate” your vulnerabilities. Speaking of which, that brings us to our next step: internalizing external threats.

In order to internalize external threats, we first need to gather some information. Who are the major threat actors out there who might want my information? What types of tools are they using? Which vulnerabilities are they currently exploiting regularly? You can figure out the answer to these questions by doing some research. First, look for indiscriminate actors (i.e. script kiddies, hacktivists, or opportunistic attackers) and figure out what they’re doing on a regular basis to break into systems, plant malware, etc. Then you can look at industry-specific attackers to determine if there are any attacks on organizations in your specific industry. Then you can determine what types of vulnerable services or software they are looking to exploit (and compare with the results from your scans and validation process above). Ingesting cyber threat intelligence (CTI) into your cyber capability is a great way to get a firehose-like feed of this information, which you can filter or parse as you need. Having this information enables your security operators to now scan and hunt for indicators of compromise (IOCs) and indicators of attack (IOAs), and enables your pen testers to use new tactics, techniques, and procedures (TTPs) of the guys on the outside trying to get in. The next step: Mitigation.
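The comparison described in the last two steps (validated findings, their exposure, and what outside actors are exploiting), sketched as an added example that is not part of the original post. The asset names, the weakness tags other than SMBv1, the CTI summary and the ordering rule are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    weakness: str          # scanner tag, e.g. "smbv1-enabled"
    internet_facing: bool  # False = behind layers of mitigating controls
    validated: bool        # confirmed by a validator or a pen test

# Constructed CTI summary: weakness tag -> kinds of actors seen exploiting it.
CTI = {
    "smbv1-enabled": {"indiscriminate"},
    "example-vpn-auth-bypass": {"industry-specific"},
    "example-cms-rce": {"indiscriminate", "industry-specific"},
}

# Constructed output of the scan-and-validate steps.
FINDINGS = [
    Finding("fileserver-02", "smbv1-enabled", False, True),
    Finding("vpn-gw-01", "example-vpn-auth-bypass", True, True),
    Finding("intranet-wiki", "example-outdated-tls", False, True),
    Finding("web-03", "example-outdated-tls", True, False),
    Finding("kiosk-07", "smbv1-enabled", True, False),
]

def triage(findings, cti):
    """Order findings: exploited in the wild first, then exposed, then validated.

    The ordering rule is an assumption chosen for this example, not a standard.
    """
    def key(f):
        actors = cti.get(f.weakness, set())
        return (bool(actors), f.internet_facing, f.validated, len(actors))
    ranked = sorted(findings, key=key, reverse=True)
    return [(f.asset, f.weakness, sorted(cti.get(f.weakness, set()))) for f in ranked]

def unmatched_intel(findings, cti):
    """CTI entries with no matching finding: filtered out of the firehose."""
    seen = {f.weakness for f in findings}
    return sorted(tag for tag in cti if tag not in seen)

if __name__ == "__main__":
    for asset, weakness, actors in triage(FINDINGS, CTI):
        print(f"{asset:15} {weakness:25} {', '.join(actors) or 'no known activity'}")
    print("Intel with no matching asset:", unmatched_intel(FINDINGS, CTI))
```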

After going through the processes outlined above, we’ll probably have a substantial “honey do” list written out. Luckily, with each item we check off, we’ll be removing one shoulder knot’s worth of stress from our lives (until the next time we go through the first three steps, at least). Basically, when it comes to mitigation, the strategy here should be to create our own TTPs. The adversary is keeping playbooks of what works for them, and we defenders should be doing the same! In order to do this, we need to take the data we get from illuminating, validating, and internalizing, and put it in one central repository that we can use to monitor our existing attack surface, and note if its scope expands or contracts. We also need to ensure that we have a handle on who’s doing what. Our TTPs need to include actors, since we’re not decentralized like many of the adversarial groups out there. We need to know who’s responsible, accountable, consulted, and informed (RACI) when it comes to the many-faceted defenses we must mount to keep the ne’er-do-wells out. Once we have our defensive TTPs in place, we simply need to put them into action. Simply, not easily. In the end, it will all pay off.

To sum things up, if we’re going to regain the high ground that we must (and should already) hold, we must ensure that we have a full understanding of our environment: what do we have, and how is it critical to our business mission? Where are we vulnerable, how vulnerable are we, and are our vulnerable assets easily accessible? What kind of threats are out there, how are attackers able to exploit my weaknesses, and what tools, tactics, and procedures are they using? Understanding the answers to these questions enables us to build out and enhance our own TTPs, in turn enabling us to fight for – and win back – the high ground.