Break the Cyber Threat Cycle with Zix Layered Protection Part I
Achieving robust security does not have to be hard work. However, with the multitude of ways organizations are targeted, coupled with the hundreds of security companies pitching different approaches, choosing and implementing the right security solution can be daunting.
Endpoint security vendors will highlight the many risks of bring your own device (BYOD) and the need to install security directly on the endpoint. Security awareness vendors will tell you that your people are the weakest link. Web or email gateway security vendors will recommend that securing the gateway is your best bet. Finally, a threat hunting expert will tell you it is too late because you’ve already been compromised!
What can you do?
If you evaluate your security strategy through the lens of the security vendor, they all make valid points and the need for every single solution makes sense. Unfortunately, most growing organizations neither have the money, expertise, or time to implement and integrate such a complex strategy. Therefore, what is the most straight forward yet robust security strategy? To answer this question, let’s first review the Cyber Threat Cycle.
The Cyber Threat Cycle
The Cyber Threat Kill Chain or Cyber Threat Cycle was first articulated by Lockheed-Martin. Many security organizations have developed their own interpretation of this kill chain but, at its simplest form cyber threat actors commence in 5 major activities:
Activity 1: Identify a target
Threat actors will use a variety of methods for reconnaissance based on their mission goals to identify a target. Tactics can range from company and user profiling via LinkedIn or other social media platforms, through to conducting internet-wide vulnerability scans or snooping communication traffic via man-in-the-middle attacks. Yet, the most widely and easily accessible method has always been email. By sending a seemingly innocent email, threat actors can collect a lot of information, from the type of security gateway in place to whether the user actually exists and willing to engage.
Activity 2: Attack the target
Once a target has been identified, the threat actors will launch their initial attack. The attack can spawn multiple steps but the end goal is the same – gain access to an endpoint or internal server. From analysis of hundreds of thousands of breaches over recent years, email has been the easiest way to gain initial entry in the majority of instances.
Activity 3: Infiltrate the target
Gaining access to a single system does not automatically result in a completed mission. Often the compromised system doesn’t have the right access to move within the organization. Threat actors will attempt to establish a foothold through a number of steps including:
- creation of a back door
- set-up a connection to a command
- and control (C&C) server
- download an exploit
- launch phishing attacks internally
- infiltrate communication channels to establish their reconnaissance.
It’s often increasing or elevating the credentials they already have that helps establish a foothold. often increasing or elevating the credentials they already have that helps establish a foothold.
Activity 4: Evade and move
Once a threat actor has infiltrated their target, they can act methodically to gain more information and evade detection. At this point, it is important to remember that the breaches that make headlines are often years in the making. The threat actor often laid dormant, closely researching their victim, and waiting for the perfect time to execute the mission goal. Compromising a user’s inbox is a common technique to gaining more information about the business processes and personnel within an organization. Yet, threat actors are cunning enough to augment mailbox rules so that their presence is never detected.
Activity 5: Complete mission
The last activity is execution of the mission goal. Is the goal to exfiltrate sensitive data? Is it to force the victim to execute a wire transfer due to ransomware or carefully crafted Business Email Compromise (BEC) attack? Is the goal to wreak havoc by corrupting or making the victim’s data inaccessible? At this point, it is a matter of mitigating or containing the execution before the breach makes headlines.
Alignment with industry-known security frameworks ultimately should be the right approach, but to reach that point takes a heavy investment of money, personnel, and time. Further, the deeper the organization finds itself within the cycle the more business interruption will occur. With that in mind, we can begin to formulate a tactical, simple layered protection strategy that initiates a move towards a security-mature goal.