3 steps to conquer cyber-attacks through a data-driven defence

Imagine two great armies fighting in a long and arduous, multi-battle war. In the right flank of the battle, the opponent is having continual success. Our protagonists are aware of this but respond by pouring additional resources into defending the bloodless left flank instead. In fact, as the battle progresses, they continue to pour resources everywhere but into the embattled, vulnerable right, even going so far as to start stacking resources vertically because they’ve heard that the opponents might one day attack from the air.

Finally, a new leader is appointed to lead the army out of their chaos. He assesses the situation, takes heed of the right flank’s battered state, and, after much contemplation, orders yet more resources to be sent to the left flank.

Does this scenario sound insane?

Unfortunately, this is how most defenders shield against cybersecurity threats. Despite a decades-long accumulation of evidence that exposes the most common cyber threat attack methods, distracted defenders relentlessly concentrate their resources on less likely threats and then wonder why their cyber defence strategies aren't working.

Conversely, a data-driven defence framework uses a defender's local experience to determine the most likely threats and align appropriate defences against these first before counterposing less risky hazards.

In this defence strategy, a few core tenants support the defenders as they create a superior and more responsive cyber shield and effectively reduce cybersecurity risks. These tenants include:

In short, to safeguard virtual resources more effectively, it is essential for cybersecurity defenders to list the possible ways cyber attackers could exploit their resources. The likelihood of the attack method should then be ranked, and the mitigation strategy should be implemented against the most likely and dangerous threats first. Here are three steps to a data-driven defence:

Based on 22 years of research, I have assembled a basic list of the various potential initial root cause exploit procedures employed today. Every hacker and malware attacker, regardless of motivation, uses one of these exploit methods to gain initial access:

This list is by no means exhaustive, and defenders are welcome to develop their inclusive lists of root cause exploit methods or apply another model, such as the MITRE ATT&CK root access list, as long as the list is inclusive and doesn’t overlap.

It’s also important to note that, compared to the malware's initial access point, the actual outcomes of attacks - such as ransomware – are less crucial for planning purposes. If you want to stop thieves from breaking into your home, your focus needs to shift to how they would break into it instead of what they would steal once inside.

Next, all the root causes that have just been identified should be evaluated according to their likelihood of involvement in compromising the organization’s environment. Looking at the list generated in Step 1, determine which attack methods are most frequently or likely to be used to gain an initial foothold into the environment, based on experience and near-term future risk analysis. How has the organization been broken into in the recent past, and how is security likely to be compromised in the near future?

Historically, social engineering and unpatched software have been the two most common ways hackers and malware have gained initial foothold access in most compromised environments for decades. However, risks and rankings may vary greatly, and it’s up to each organization to determine their distinctive threat risk ranking based on their own experiences, current defences, and projections.

Once the initial root causes have been ranked according to the defender's unique risk analysis, the first and best mitigations can be applied to the highest ranked root cause exploit methods.

Each company needs to create and apply a layered, defence-in-depth combination of policies, technical defences (antivirus software, secure configurations, content filtering software, etc.), and education on the top-ranked threats. Moreover, all company stakeholders should stay informed about what the greatest threats are and how they will be alleviated. In addition, each applied mitigation should be evaluated as to how well it accomplishes its specific role in reducing the threat.

As the outcomes change over time, it should be an ongoing evaluation of both the dangers, as well as the mitigations used to determine the overall effectiveness. The mitigation strategy should change as necessary but should always focus on the biggest root threats and whether they are effectively being addressed and managed.

Each defender should constantly ask themselves

“Are we focusing on the right threats?”

“Are we deploying the most effective mitigations?" and

"Do we need to change anything?”

Following these core data-driven defence principles and steps, if practised successfully, will lead to an enhanced and more economical cyber defence that reduces risk more efficiently.