WASHINGTON, D.C.: How can the enterprise effectively use offensive tactics against their own networks to improve security practices? Mandiant executives weigh in.
The cyberthreat landscape is getting worse. Many businesses find it difficult to fill roles in IT security, attacks are becoming more complex and sophisticated, and companies of any size are under an onslaught of digital threats every day.
In a recent Mandiant report, enterprise players admitted detecting attacks once a business is compromised is also a complicated process. Out of those surveyed, only 31 percent of companies realized their networks had been breached on their own, whereas 69 percent of victims said they had been notified by an external source.
On average, 205 days passed before a threat group was detected on company networks, with the longest unnoticed presence of threat actors reaching 2,982 days.
For businesses looking to protect their data and reputation, the evolving threat landscape is a critical issue. But can businesses successfully utilise offensive operations to augment their security?
Speaking at the FireEye Cyber Defense Summit in Washington, D.C., Mandiant executives Marshall Heilman and Evan Pena said launching "friendly" offensive operations - otherwise known as Red teams - can increase the enterprise's defense against cyberattacks by simulating real world situations.
If you permit a Red team to probe around your network and attempt to steal data, you can discover weaknesses in network security in a safe manner before an external attacker does -- which grants businesses the opportunity to patch things up.
Breaches are inevitable -- as Pena says, it's simply "the world we live in," but this doesn't mean a corporation has to lose data or what matters, such as confidential records or intellectual property. According to Pena, the golden standard enterprise players should aim for is 12 hours -- as there is little chance major damage has been done by intruders in this timeframe.
"As long as i can kick them out before they can do any damage, who cares?," Pena says.
This is where Red teams come in. However, preparation is key when an offensive group is testing your incident responses. To begin, higher level management needs to sign off on such a scheme, and they must allow a Red team to conduct a no-holds-barred approach to cracking a network -- as this is what a real-world group will end up doing.
Secondly, a business must identify its critical assets before an assault is launched. Once business-critical data is identified, you are giving the team a target and allowing them to focus on an area of your business which must be protected -- whether it be data, people or systems -- at all costs.
The next step is to secure a talented Red team whether they are internal or hired. The team must understand the latest techniques and what attackers are actually doing in real-world scenarios in order to be effective in evading detection and challenging internal security teams.
Pena says it is "extremely important to get the right people in for the job," and they must be able to provide a realistic experience through the use of targeted attacks and vulnerability exploitation -- as well as possess the ability to be able to try and bypass people, processes and technology through customized tools and stealthy techniques.
When a Red team has conducted their offensive, businesses can then use these findings to improve their security. However, for an effective campaign, the executives provided a list of do's and don'ts for enterprises to get the most out of these projects:
Do: Allow the Red team to get on with it. Restricting them will only result in a skewed perspective of a corporation's security. It's better for a friendly to enter your network rather than a criminal, after all.
Don't: Tell your internal security team the juicy details of the Red team's movements. If they know what to expect, you don't truly know how they are performing when it comes to threat detection.
Do: Simulate real-life network infiltration and allow the Red team to extract non-harmful data.
Don't: Allow bruised egos to get in the way of progress.
Finally, do make sure the Red team log all their movements for analysis.
Overall, throwing money at a problem and new cybersecurity solutions does not always result in improvement, no matter the intention. Instead, businesses should consider implementing Red team offensive operations on a frequent basis to improve detection time, prepare against a variety of evolving attacks and techniques, and keep their data and reputations from harm.
Disclosure: FireEye sponsored the trip to the Washington cybersecurity summit.