David Damato, Chief Security Officer at Tanium, explored the past, present and future of the cyber threat landscape in his presentation to Argyle's CISO membership at the 2017 Chief Information Security Officer Leadership Forum in New York on Feb. 2. In his presentation, "Today's Threat Landscape – The More Things Change, the More They Stay the Same," Damato provided tips to help businesses craft more sustainable and resilient cyber security programs.
Although the threat landscape is evolving, Damato indicated that there are common cyber security problems that have affected businesses over the years.
"The threat landscape isn't changing quite as much, and you can actually use it to your advantage for further developing your cyber security strategy," Damato stated.
According to Damato, the threat landscape consists of two components:
- Threat Actors: Includes the cyber security dangers that can harm a company, its customers and its employees.
- Tactics, Techniques and Procedures (TTP): Consists of the processes and steps that businesses can use to minimize cyber security dangers.
Furthermore, Damato defined three types of threat actors:
- Targeted: Includes cyber attackers that may target a business, its customers and/or its employees.
- Opportunistic: Consists of malware, ransomware and viruses that enable a cyber attacker to penetrate a business' cyber security program.
- Insiders: Includes employees or other "insiders" who target a company from within.
Damato pointed out that advanced cyber security attacks are becoming increasingly prevalent. As such, businesses must address cyber security problems before these issues escalate.
In addition, malware, phishing and viruses are becoming less relevant in the modern threat landscape. Many hackers are deploying sophisticated cyber attacks that are more difficult to detect and resolve than ever before.
"In most cases today, you're not going to see a ton of malware," Damato pointed out. "There is a general trend that is moving away from malware and more toward things like commands and tools that administrators might use because they are harder to detect."
To combat cyber threats effectively, Damato indicated that companies must understand all steps of the cyber attack lifecycle. If a company dedicates the time and resources to learn about the cyber attack lifecycle, it may be able to find ways to resolve cyber dangers quickly.
The cyber attack lifecycle consists of the following stages:
- Initial Recon: During the initial stage, a hacker will identify targets, analyze vulnerabilities and start a cyber attack.
- Initial Compromise: A hacker will execute malicious code on one or more of a business' systems.
- Establish Foothold: A hacker will ensure that he or she can maintain control over one or more compromised systems.
- Internal Recon: A hacker will assess a victim's environment to understand how a business stores data, the types of data that are available to a company and much more.
- Move Laterally: The hacker will start to move from system to system within a compromised environment.
- Maintain Presence: The hacker will ensure that he or she can maintain access to a compromised environment for an extended period of time.
- Complete Mission: The hacker accomplishes his or her goal. This hacker likely will maintain access to a compromised environment in case a new mission needs to be completed.
Today's businesses cannot focus exclusively on exploits and vulnerabilities. Instead, companies must be able to identify the root causes of these issues and respond accordingly.
"If you just focus on exploits and vulnerabilities … you're going to miss some advanced attacks," Damato said. "If you're just looking at the first few phases and not building out your cyber security program to look at other things along the attack lifecycle, you're going to miss advanced attacks."
Also, Damato said businesses must prioritize each stage of the cyber attack lifecycle. He stated that hackers can strike from any location, at any time, and businesses must establish a cyber security strategy that accounts for cyber dangers of all sizes.
Meanwhile, companies that fail to minimize gaps in a cyber security strategy risk missing out on opportunities to protect their customers, employees and sensitive data.
"If you're skipping the tail end of the attack lifecycle … you're missing insider activity," Damato noted.
A comprehensive approach to cyber security is key for businesses across all industries, and for good reason. Damato pointed out that business managers must learn about cyber dangers to develop an effective cyber security strategy. And if managers assess the cyber attack lifecycle closely, they may be able to mitigate the effects of cyber attacks in any threat landscape.
"Understand your investments in security," Damato recommended. "Make sure you're balanced across the attack lifecycle. Develop a strategy so you can better detect, inhibit and respond to attacks."
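As an added illustration (not from the talk and not a Tanium feature), the script below runs a handful of hypothetical detection rules, each tagged with one of the seven lifecycle stages listed above, over constructed endpoint process telemetry, then reports which stages have no rule at all. The rules inspect parent process and command line rather than file hashes, matching the point that attackers increasingly rely on ordinary administrative tooling; the log format, rule names and sample command lines are all assumptions.

```python
import re

# The seven lifecycle stages, in the order the talk lists them.
STAGES = ["Initial Recon", "Initial Compromise", "Establish Foothold", "Internal Recon",
          "Move Laterally", "Maintain Presence", "Complete Mission"]

# Hypothetical rules: (stage, name, parent-process regex or None, command-line regex).
# Parent and command line are inspected because admin tooling has no malware hash to match.
RULES = [
    ("Establish Foothold", "office app spawning a script host",
     re.compile(r"^(winword|excel)\.exe$", re.I),
     re.compile(r"^(powershell|wscript|cscript)(\.exe)?\b", re.I)),
    ("Internal Recon", "privileged group enumeration",
     None, re.compile(r'^net1?(\.exe)? group "domain admins"', re.I)),
    ("Move Laterally", "service created on a remote host",
     None, re.compile(r"^sc(\.exe)? \\\\\S+ create\b", re.I)),
    ("Maintain Presence", "scheduled task created",
     None, re.compile(r"^schtasks(\.exe)? /create\b", re.I)),
]

# Constructed endpoint telemetry: "<timestamp> <host> <user> <parent> <command line>".
EVENTS = r"""2017-02-02T09:14:03 ws-117 jdoe winword.exe powershell.exe -File \\fs01\public\invoice.ps1
2017-02-02T09:15:40 ws-117 jdoe cmd.exe net group "Domain Admins" /domain
2017-02-02T09:21:18 ws-117 jdoe cmd.exe sc \\srv-db02 create updsvc binPath= C:\Windows\Temp\u.exe
2017-02-02T09:22:05 srv-db02 jdoe cmd.exe schtasks /create /sc daily /tn Updater /tr C:\Windows\Temp\u.exe
2017-02-02T09:30:00 ws-204 asmith explorer.exe excel.exe C:\Users\asmith\q4.xlsx""".splitlines()

def parse_event(line):
    """Split one telemetry line into its fields; the command line keeps its spaces."""
    return dict(zip(("ts", "host", "user", "parent", "cmd"), line.split(" ", 4)))

def classify(event):
    """Return the (stage, rule name) pairs an event trips; empty if nothing matches."""
    hits = []
    for stage, name, parent_re, cmd_re in RULES:
        if parent_re and not parent_re.search(event["parent"]):
            continue
        if cmd_re.search(event["cmd"]):
            hits.append((stage, name))
    return hits

def stage_counts(lines):
    """Detections per lifecycle stage across a batch of events (zero-filled)."""
    counts = {stage: 0 for stage in STAGES}
    for line in lines:
        for stage, _ in classify(parse_event(line)):
            counts[stage] += 1
    return counts

def uncovered_stages(rules=RULES):
    """Stages no rule addresses at all: the imbalance the talk warns about."""
    covered = {rule[0] for rule in rules}
    return [stage for stage in STAGES if stage not in covered]
```

With this rule set the early and final stages have no coverage at all, which is the kind of gap a per-stage review is meant to surface.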
David is Chief Security Officer at Tanium. As Chief Security Officer, David provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operations, and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security-consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.