Examining Cybersecurity Defense Through the Lens of a Ball Game: Why Companies Need Threat Intelligence

2023.08.13TeamT5 Media Center
Exciting football games seem to have nothing to do with serious cybersecurity defense, but both are contests between two sides. In a ball game our team faces the opposing team; in the cybersecurity offensive and defensive game, the enterprise security team faces an elusive adversary (or hacker group).
This article is divided into five stages. Analyzing the cybersecurity offensive and defensive game is like following a team from preparation, through collecting information about the opponent, to the actual match. Each stage requires careful attention to achieve a perfect game.

Stage 1: Register for the competition

When an enterprise embarks on the road of digital transformation, introducing various network devices and online systems and even migrating data to the cloud, it has in effect signed up for the cybersecurity defense competition and is now officially facing hackers on the field.
Enterprises need to take inventory of their networked devices (also known as endpoints), account permission lists, information asset lists, and so on, in order to fully understand their own strengths and weaknesses. (Learn more: How to Check the Cybersecurity Defense Status of the Enterprise according to the NIST Cybersecurity Framework?)

Stage 2: Battle table announced

For teams in a sports competition, the organizer plans and publishes the match schedule, so a team knows in advance which opponent it will face. In the cybersecurity offensive and defensive game, enterprises must instead collect information from multiple sources and assess the enemy's strength themselves in advance. Specific methods include:
  • After reading news about cybersecurity threats, company personnel should use high-level, strategic threat intelligence to reflect on whether the company is facing risks and to understand the opponents and their possible attack range.
  • Obtain actionable threat intelligence and master indicators of compromise (IoC), including malicious samples, malicious relay stations, and social engineering techniques commonly used by hackers, as a means to identify opponents.
  • With the help of analysis reports provided by threat intelligence providers, you can learn about attacks that have occurred in related industries and further verify the security of your own environment. The analysis reports also help you understand who the opponent is and the motivations and targets of the attacks (such as paralyzing factory production lines, stealing business information, or stealing consumers' personal information).
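As an added illustration of the IoC bullet above (example code written for this page, not TeamT5's or ThreatVision's own tooling), here is a small Python matcher that takes indicators as they typically arrive from a feed, normalizes them, and scans log lines for hits. Every indicator value, hostname and log line below is a constructed placeholder; the hash is simply the SHA-256 of an empty file, used as a stand-in for a malicious sample hash.

```python
"""Match threat-intelligence indicators of compromise (IoCs) against log lines.

Added example for illustration. The IoC entries and log lines are constructed
placeholders, not real indicators and not taken from any vendor feed.
"""
import re
from dataclasses import dataclass

# Constructed IoC feed entries. Feeds usually "defang" indicators (hxxp, [.])
# so they cannot be clicked by accident; they are normalized before matching.
CONSTRUCTED_IOCS = [
    {"type": "domain", "value": "relay-update[.]example", "ref": "constructed relay station"},
    {"type": "ipv4", "value": "203.0.113.45", "ref": "constructed relay station"},
    # Placeholder sample hash: SHA-256 of the empty string, written in upper case
    # to show that hash case must be normalized before comparison.
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "ref": "constructed sample hash"},
]

# Constructed log lines: a proxy log, a DNS log and an EDR file-hash event.
CONSTRUCTED_LOGS = [
    "2023-08-13T10:01:02Z proxy src=10.0.0.8 dst=198.51.100.7 host=cdn.example GET /index.html 200",
    "2023-08-13T10:02:15Z dns client=10.0.0.8 query=relay-update.example type=A",
    "2023-08-13T10:02:16Z proxy src=10.0.0.8 dst=203.0.113.45 host=relay-update.example POST /gate.php 200",
    "2023-08-13T10:05:40Z edr host=WS-042 event=file_create path=C:\\Temp\\up.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class Match:
    line_no: int
    ioc_type: str
    value: str
    ref: str


def refang(value: str) -> str:
    """Undo common defanging and lower-case the value so it matches log text."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://")
                 .lower())


def build_index(iocs):
    """Index feed entries by (type, normalized value) for O(1) lookups."""
    return {(e["type"], refang(e["value"])): e["ref"] for e in iocs}


def scan_logs(lines, iocs):
    """Extract IP, hash and domain candidates from each line and look them up."""
    index = build_index(iocs)
    matches = []
    for n, line in enumerate(lines, 1):
        candidates = (
            [("ipv4", v) for v in IPV4_RE.findall(line)]
            + [("sha256", v) for v in SHA256_RE.findall(line)]
            + [("domain", v) for v in DOMAIN_RE.findall(line)]
        )
        for ioc_type, raw in candidates:
            key = (ioc_type, raw.lower())
            if key in index:
                matches.append(Match(n, ioc_type, key[1], index[key]))
    return matches


if __name__ == "__main__":
    for m in scan_logs(CONSTRUCTED_LOGS, CONSTRUCTED_IOCS):
        print(f"line {m.line_no}: {m.ioc_type} {m.value} ({m.ref})")
```

The two normalization steps (refanging and lower-casing) are where real-world IoC matching most often silently fails: a feed that ships `relay-update[.]example` will never match a DNS log unless the brackets are removed first, and a hash published in upper case will never match an EDR event that logs it in lower case.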

Based on the above information, companies can understand their likely enemies and can also judge from those groups' recent behavior whether they themselves fall within the attack range. (There are three types of threat intelligence; see this article for details.)
A complete profile of the enemy must cover the attack group's usual methods, attack purposes, and country of origin. Building it requires long-term, in-depth observation by the threat intelligence provider's expert team and classification based on observed attack activity. The profile will also point out which forces back the attacking group (often national-level units).

Stage 3: Analyze the enemy situation

Just as a team, once it has the opponent's basic information, needs to go further and analyze the opposing team's abilities by studying past game records and videos (usual tactics, defensive configuration, preferred ball routes), so does the enterprise.
In the cybersecurity attack and defense competition, once an enterprise understands that one or several specific attack groups are more likely to affect it, it should further obtain the attacker's intrusion techniques (TTPs), which are:
  • Tactics: a macro-level description of the attacker's objectives
  • Techniques: the complete context of the attack, such as the tools used by the attacker and which vulnerability was exploited
  • Procedures: a description of the complete attack process
If an enterprise can understand the attacker's intrusion methods, it can better protect the system from attacks; it can also help investigate and track the hacker's actions in order to find the source of the attack and take appropriate countermeasures.

Stage 4: Pre-match training

Before the team officially takes the field, it needs multiple rounds of training to cultivate players' tacit understanding and establish a team cooperation model. In the cybersecurity attack and defense competition, when enterprises face attacking groups, they also need to conduct simulation training step by step in order to successfully defend enterprise cybersecurity in actual attacks and defenses. Specific measures include:
  • Formulate response strategies, plan operational continuity plans, and cybersecurity incident response scripts
  • Choosing the right security solution is like choosing the right golf equipment
  • Conduct red and blue team drills: By understanding the opponent’s intelligence, you can imitate the opponent’s possible tactics and techniques, practice on your own, and figure out the directions that need to be strengthened.
  • Build up readiness through education and training
  • Summarize intelligence collection results and communicate them across departments
Most importantly, the above information, which includes red team drill results, detailed incident scripts, and descriptions of hackers' backgrounds and technical capabilities, should be summarized into a non-technical report for cross-department communication and for communication with corporate executives, so that a sufficient budget can be planned and the corresponding preparation plan completed.
Threat intelligence also plays an important role at this stage in making communication more effective. Just as a team reviews past games to see how its opponents used their best skills to defeat the losing side, companies use threat intelligence to understand previous security incidents and how the victim companies' systems were invaded and their defenses breached.
Just as a game is decided by points, a company can also learn from threat intelligence how much money victim companies have lost in past incidents. The victory or defeat of a game affects the popularity and fan support of the team, and negative events in which a company is attacked likewise cost the company its brand reputation. Finally, combining the above aspects, effective policies can be drawn up to prepare for the cybersecurity offensive and defensive competition.

Stage 5: The game begins

Enterprises focus on business operations, and the cybersecurity attack and defense competition is not something they want to see. However, if the competition really starts, then in addition to the managed security services the enterprise already works with, it is also recommended to engage a professional cybersecurity incident response team, depending on the severity of the incident, in order to solve problems in a timely manner and prevent the damage from spreading.
At this stage, threat intelligence support increases the efficiency and accuracy of these external teams' judgments, so that cybersecurity incidents can be handled more properly and effectively.

There is more to the game than just the one in front of you, and cybersecurity offense and defense are not just the events we are facing at the moment. The game with hackers is an infinite game. Enterprises should continue to improve the resilience of their cybersecurity, and the use of threat intelligence is the key point.

TeamT5 consists of top cyber threat analysts. Leveraging our geographic and cultural advantages, we have the best understanding of cyber attackers in Asia Pacific. TeamT5 is frequently invited to share insights at top cybersecurity conferences. Our threat intelligence research expertise and solutions were recognized with the 2023 Company of the Year Award in Taiwanese Threat Intelligence by Frost & Sullivan. Our endpoint detection and response solution was awarded the Golden Award from Computex - Best Choice Award.
Easily take the first step in enterprise cybersecurity defense, contact us now: https://teamt5.org/en/request-information/
