In today’s sophisticated threat landscape, network defenses can become obsolete just as quickly as they’re developed. As a result, accepting cyberattacks as inevitable has become vitally important for CISOs. Adopting an assume breach mentality—accepting and planning for when, not if a data breach will occur in your environment—shifts focus away from traditional perimeter defenses, towards addressing weaknesses within the network and organization itself.
Think about every horror movie you’ve ever seen. Picture that hapless, naïve victim who is completely unaware of the threat lurking just around the corner. How do their actions change once they realize they are in danger? They become hyper-observant of their surroundings. They lock every door, become suspicious of everyone’s actions, and continually look over their shoulders.
Cybersecurity needs to be approached with the same vigilance and assumption that someone will compromise your environment, if it hasn’t already happened. Exhausting? Perhaps. Try recovering from a breach of 400 million records or a ransomware attack.
This blog will focus on adopting an “assume breach mentality” and how operating with this mindset will help strengthen the security posture of your organization.
Getting into the right frame of mind
Adopting the assume breach principle begins by accepting that there is no ‘silver bullet’ for security, and there’s no such thing as an impenetrable network. You must avoid assumptions about the trustworthiness of your network segments, mobile devices, and data transfers among clients. Often, a “completely secure” environment is not a convenient or user-friendly one.
So, when security is traded for convenience in the name of operational efficiencies, it’s like rolling out a welcome mat for malicious actors to help them easily achieve their goals. After all, if working within your network is convenient for an employee, it will be convenient for attackers as well.
While an insider threat may be very difficult to detect, it remains vital to invest in ongoing education for employees about the threats facing your environment. The more your team knows about the dangers of clicking on malicious links, opening email attachments, and the general state of the threat landscape, the more likely they are to remain vigilant. Employees are your first line of defense—when an organization operates under the “when, not if” mentality, it reduces the chances of suspicious activity being discounted or ignored.
Although these points only scratch the surface, they will help you build a stronger security posture.
Prepare for the worst, hope for the best
Ray Pompon, Principal Threat Researcher Evangelist with F5 Labs has noted, “Like water, [cyber] attackers flow to where the cracks are. Accepting that your network will be broken into is called the ‘Assume Breach’ principle. It means you’ve accepted the fact that an attack is going to succeed no matter what, and you’re going to build your defenses accordingly.”
While detections by themselves cannot prevent an intrusion, they are one of the essential building blocks of your defenses, providing real-time and historical context around potentially anomalous activity in your network. One of the most important questions to arise during a security incident, if not the most important, is “how far back does this go?” Without sufficient logging and detections in place, you may never be able to answer it. Establishing a timeline, scope and root cause for a security incident is paramount to returning to normal business operations with confidence. Akin to removing the mask from our hypothetical serial killer, these answers provide closure and assurance.
Skilled attackers use various tools and techniques to impersonate legitimate users while operating in your environment, making it difficult to distinguish their presence and actions from normal business operations. Moreover, since long-term access to a victim’s network is a common goal for many threat actors, it is likely they are maintaining persistence through backdoors, most of which are very difficult to locate and remove unless you are tracking activity and changes within your network.
This underscores another important step in establishing detections: identifying your organization’s baseline of normal or expected activity. When organizations are forced to respond to an incident, panic often sets in. Suddenly everything becomes suspect, and log entries that you would otherwise ignore are heavily scrutinized. If you have working knowledge of what actually occurs inside your environment under normal conditions, you will be much better equipped to identify outliers when the time comes.
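The two points above, building a baseline of normal activity and then using it to answer “how far back does this go?”, can be illustrated with a small script. The following is an added example, not code from the original post or from F5 Labs: it constructs a hypothetical authentication log (timestamp, user, source IP, result), learns each user’s usual source addresses and login hours from a known-good period, flags later events that fall outside that baseline, and reports the earliest flagged event as the starting point for the incident timeline. The log format, hostnames, addresses and users are all made up for the example.

```python
"""Baseline-and-outlier check over constructed authentication log lines.

Added example (not part of the original post). The log format and every
entry below are constructed for illustration; a real baseline would be
learned from weeks of logs, not five lines.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known-good" period: "<ISO timestamp> <user> <source_ip> <result>"
BASELINE_LOG = """
2023-03-01T08:55:10 alice 10.0.1.20 success
2023-03-01T09:02:41 bob 10.0.1.31 success
2023-03-02T08:47:03 alice 10.0.1.20 success
2023-03-02T17:58:22 bob 10.0.1.31 success
2023-03-03T09:10:00 alice 10.0.1.20 success
""".strip().splitlines()

# Constructed period under review: contains two off-hours logins from an
# address that neither user has ever used (203.0.113.0/24 is a documentation range).
REVIEW_LOG = """
2023-03-10T09:01:12 alice 10.0.1.20 success
2023-03-11T02:14:55 alice 203.0.113.7 success
2023-03-11T02:15:08 bob 203.0.113.7 failure
2023-03-11T02:15:30 bob 203.0.113.7 success
2023-03-12T08:49:40 alice 10.0.1.20 success
""".strip().splitlines()


def parse(line):
    """Split one constructed log line into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def build_baseline(lines):
    """Per-user set of source IPs and login hours seen in successful logins."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ts, user, ip, result in map(parse, lines):
        if result != "success":
            continue  # failed attempts do not define "normal"
        baseline[user]["ips"].add(ip)
        baseline[user]["hours"].add(ts.hour)
    return baseline


def find_outliers(lines, baseline):
    """Return (timestamp, user, reason) for every event outside the baseline.

    Failures are checked too: a failed login from a new address is exactly
    the kind of entry that gets ignored until an incident forces a second look.
    """
    findings = []
    for ts, user, ip, result in map(parse, lines):
        reasons = []
        known = baseline.get(user)
        if known is None:
            reasons.append("user absent from baseline")
        else:
            if ip not in known["ips"]:
                reasons.append(f"new source {ip}")
            if ts.hour not in known["hours"]:
                reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            findings.append((ts, user, f"{result}: " + ", ".join(reasons)))
    return findings


def earliest_outlier(findings):
    """The 'how far back does this go?' answer: first anomalous timestamp."""
    return min(f[0] for f in findings) if findings else None


if __name__ == "__main__":
    found = find_outliers(REVIEW_LOG, build_baseline(BASELINE_LOG))
    for ts, user, reason in found:
        print(f"{ts.isoformat()} {user:<6} {reason}")
    first = earliest_outlier(found)
    print("Earliest outlier:", first.isoformat() if first else "none")
```

Run as-is it flags the three 02:xx events from 203.0.113.7 and reports 2023-03-11T02:14:55 as the earliest, which is where a responder would start scoping. The point is not the toy heuristics (exact hour match, exact IP match) but that the baseline was built before the incident; without the known-good period, every one of these lines looks equally plausible.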
While operating under an “assume breach mentality,” many experts suggest that developing an incident response plan (or updating an existing one) may be the single most important step you can take. Having an incident response plan in place ensures that key personnel within your organization are prepared to respond effectively and produce the best possible outcome. Front-loading this effort allows you to get all your ducks in a row by creating and testing plans for a variety of scenarios, with the appropriate people, procedures and resources in place. Think about it this way – in the event of an emergency, is it easier to follow a pre-determined plan, or to come up with something on the spot? A data breach already elicits heightened emotions, and an incident response plan can help reduce any additional stress.
Reaping the reward
Securing your network is an arduous task, nearly impossible to do perfectly. The difficulty scales, of course, with the size and age of the environment. Still, if you assume there are persistent threats to your environment, securing it must become your first and perhaps most important task.
The intangible reward is keeping threat actors at bay for as long as possible and managing the threats appropriately when they do appear. Investing in understanding the balance of security vs. convenience, educating employees, and building out an incident response plan pays off when you’re faced with the worst-case scenario.
In the end, an assume breach mentality keeps CISOs and systems managers from being hapless victims in a cybersecurity horror movie. Being realistic about the growing threats facing networks, and accepting that perfect security is nearly unattainable, will help organizations prepare and put the right proactive and reactive defenses in place.