The Anomali Blog
<p>Every day, we hear news stories or read articles about data breaches and other cybersecurity threats. As the number of malicious threat actors and the risk they pose increase, protecting networks and valuable information becomes more critical. So what can organizations do to ensure their networks remain secure?</p> <p>Organizations must understand who their adversaries are to keep data safe and protect it from cyber-attacks. This article explores the different types of threats facing enterprise organizations and what they can do to stay ahead of them.</p> <h2>Evolving Cyber Attacks</h2> <p>Cyber attacks are constantly evolving as attackers continue to find new ways to exploit vulnerabilities. Current trends include:</p> <ul> <li>Increased use of artificial intelligence (AI) and machine learning: Attackers are using AI and machine learning to automate their attacks and improve their effectiveness. For example, AI can be used to generate convincing phishing emails or to probe for gaps in security controls.</li> <li>Rise of ransomware: Ransomware attacks, which encrypt a victim’s data and demand a ransom for the decryption key, have become increasingly common in recent years. They can significantly impact businesses, disrupting operations and resulting in financial losses.</li> <li>More targeted attacks: Rather than broad-based attacks that aim to compromise as many systems as possible, attackers are increasingly using targeted attacks designed to exploit a particular organization’s weaknesses.</li> <li>Increased focus on mobile devices: Smartphones and tablets now carry corporate email, authentication apps, and business data, so attackers are devoting more effort to exploiting vulnerabilities in these devices and the apps running on them.</li> <li>Increased use of cloud services: As more organizations move to the cloud, attackers are finding new ways to exploit weaknesses in these environments. 
For example, attackers may try to gain access to an organization’s cloud-based data or disrupt its cloud-based operations.</li> </ul> <p>It is crucial for organizations to stay up-to-date on the latest trends in cyber attacks and to implement appropriate security measures against them. It is even more important to identify your likely adversaries and understand their tactics, techniques, and procedures (TTPs), so that you can defend against, and anticipate, their next attack.</p> <h2>Types of Adversaries</h2> <p>There are many different types of cybersecurity adversaries that organizations have to deal with. Some common types include:</p> <ul> <li><strong>Hackers:</strong> Individuals or groups who attempt to gain unauthorized access to systems or networks for various reasons, such as stealing data, disrupting operations, or causing damage.</li> <li><strong>Cybercriminals:</strong> Individuals or groups who use the internet to commit crimes, such as identity theft, fraud, or extortion.</li> <li><strong>Cyber terrorists:</strong> Groups whose goal is to disrupt operations, cause harm, and destroy data. They are increasingly targeting critical infrastructure such as power plants, water treatment facilities, transportation systems, and healthcare providers.</li> <li><strong>Nation-state actors:</strong> Governments or government-sponsored organizations that use cyber attacks as part of their foreign policy, intelligence collection, or military operations.</li> <li><strong>Insider threats:</strong> Individuals with legitimate access to an organization’s systems or networks who misuse that access, whether negligently or deliberately, to cause harm or expose sensitive information.</li> <li><strong>Malicious insiders:</strong> The deliberate subset of insider threats: individuals who intentionally set out to harm an organization’s systems or networks or to steal its data.</li> <li><strong>Hacktivists:</strong> People who use hacking techniques to disrupt computer systems and networks in pursuit of political goals. 
Hacktivists often work alone, though organized groups do exist.</li> <li><strong>Script kiddies:</strong> Originally a label for young hackers, the term now refers to anyone who uses tools built by others because they lack the skills and knowledge to write their own. Script kiddies are typically motivated by money, fame, or notoriety, and they tend to go after easy targets because that is what their tools allow.</li> <li><strong>Competitors:</strong> Organizations or individuals seeking an advantage over a rival by attacking its systems or networks.</li> </ul> <h2>Different Strokes for Different Folks</h2> <p>The terms “threat actor,” “hacker,” and “attacker” are often used interchangeably within the cybersecurity industry, but they do not mean the same thing. Let’s take a look at what each one means.</p> <p>A threat actor is someone with malicious intent: they want to cause harm to another party. They might use hacking tools to steal credit card numbers or personal information, or to destroy computers or networks. Sometimes they try to frighten people into giving up confidential information.</p> <p>An attacker is anyone actively attempting to break into a system or network. The word describes the activity, not the motive: an authorized penetration tester is an attacker for the duration of an engagement, and so is a criminal. If an attacker finds a way into a computer system, they can read files, change settings, or delete important data.</p> <p>Hackers are technically skilled individuals who find ways to break into systems. Hacking isn’t limited to computer systems; hackers can also break into phone systems or social media accounts. Some hackers work alone, while others form groups, and when a group’s aims are political it is usually called a hacktivist group.</p> <p>The practical difference between a hacker and an attacker comes down to motivation and authorization. A hacker may be driven by curiosity alone, for example wanting to learn how a system works, perhaps in order to break into it later. An attacker is exploiting a vulnerability in that system for their own benefit, perhaps using it to take over a server and sell access to others.</p> <p>Organizations must be prepared to deal with all types of adversaries to protect their assets effectively from cyber-attacks. This includes implementing robust security controls, regularly monitoring for threats, and planning how to respond to security incidents.</p> <h2>Types of Attacks</h2> <p>Cyber attacks come in many shapes and sizes. Some are obvious, while others are stealthier, and it can be difficult to tell whether you are being attacked or simply seeing routine network traffic. Regardless of how sophisticated an attack appears, attackers rely on a handful of basic tactics to compromise systems. These include malware, phishing, man-in-the-middle (MITM) attacks, distributed denial-of-service (DDoS), and social engineering.</p> <p><em>Malware: </em>Malicious software is one of the oldest forms of cyberattack. It includes viruses, worms, Trojan horses, rootkits, keyloggers, spyware, adware, ransomware, and the bots that enroll a machine in a botnet. Malware is often used to steal sensitive information such as credit card numbers, passwords, emails, chat messages, and personal photos.</p> <p><em>Phishing: </em>A phishing email looks like it comes from someone you know or trust, such as your boss, your bank, or your spouse. Opening the attachment or following the link typically either installs malicious code or lands you on a credential-harvesting page that imitates a legitimate login. Email is the usual channel, but the same lures are delivered over SMS, chat, and social media.</p> <p><em>Man-In-The-Middle Attack (MITM): </em>An attacker positions themselves between two communicating parties so that traffic passes through them and can be read or altered in transit. Against a correctly configured SSL/TLS connection this is hard, because the attacker cannot read the traffic without presenting a certificate the client trusts. 
MITM against TLS therefore depends on a weakness in trust: a certificate authority the attacker controls that the victim’s device trusts, a fraudulently issued certificate, a client that skips certificate or hostname validation, or a downgrade that strips TLS from the connection altogether.</p> <p><em>Distributed Denial-of-Service (DDoS) Attack: </em>This type of attack floods a target with traffic from many sources at once, exhausting its bandwidth or resources so that legitimate users cannot reach it.</p> <p><em>Social Engineering: </em>Social engineering manipulates people rather than technology, exploiting trust, urgency, or habit to obtain personal information or access to protected systems.</p> <h2>Types of Threats By Industry</h2> <p>Different types of cyber-attacks are aimed at specific industries. For example:</p> <ul> <li><strong>Financial services:</strong> Financial institutions are often targeted by cybercriminals because they handle sensitive financial information and large amounts of money. Phishing, malware, and ransomware are used to steal sensitive information or disrupt business operations.</li> <li><strong>Healthcare: </strong>Healthcare organizations store sensitive patient data and are therefore a target for cybercriminals. Ransomware and phishing are used to access and steal this information.</li> <li><strong>Retail: </strong>Retail companies hold sensitive customer data, including payment information, which makes them a target for cyber attacks. Point-of-sale (POS) malware and card skimming are used to steal this data.</li> <li><strong>Government: </strong>Government agencies handle sensitive information about citizens and national security, making them targets for cyber attacks. Phishing and malware are used to access and steal this information.</li> <li><strong>Manufacturing: </strong>Manufacturing companies often have complex supply chains and handle sensitive intellectual property, making them targets for cyber attacks. 
Attacks on industrial control systems (ICS), along with malware and ransomware, can halt production and steal intellectual property.</li> </ul> <p>It’s essential for organizations in all industries to be aware of the potential risks and to implement appropriate security measures to protect themselves against cyber attacks.</p> <h2>The Need to Focus on the Adversary</h2> <p>Organizations need to focus on the adversary because protecting assets effectively requires understanding who is likely to attack, why, and how. By understanding the methods and tactics adversaries use to compromise systems, organizations can take concrete steps to prevent, detect, and respond to attacks: implementing security controls that block unauthorized access, monitoring for the malicious activity those adversaries are known to generate, and planning to respond to security incidents quickly.</p> <p>Additionally, focusing on the adversary helps organizations prioritize their security efforts and allocate resources more effectively. By understanding the types of threats they are likely to face and the tactics attackers are likely to use, organizations can concentrate on the areas most likely to be targeted and put the most effective security measures there.</p> <h2>MITRE Engenuity Attack Flow Project</h2> <p>In 2021, Anomali joined <a href="https://mitre-engenuity.org/">MITRE Engenuity’s Center for Threat-Informed Defense</a> to collaborate on the <a href="https://ctid.mitre-engenuity.org/our-work/attack-flow/">Attack Flow Project</a>, an effort to describe adversary behavior as sequences of techniques rather than isolated indicators, in order to improve defensive capabilities. This partnership culminated in the public release of the project in March 2022.</p> <p>Anomali has been working to incorporate attack flows into The Anomali Platform. With our latest product release, we’ve introduced an Attack Flow Library within Anomali ThreatStream that provides an access point for new Attack Flows that sequence cyberattack techniques. 
This new capability provides context around adversary behavior that helps security teams profile the adversary and better protect their organization before an attack occurs.</p> <h2>Understanding the Adversary with Anomali</h2> <p>Utilizing the largest global repository of threat intelligence, The Anomali Platform focuses on the attacker’s patterns rather than the victim’s behavior to help security teams understand:</p> <ul> <li>Who are my adversaries, and how could they attack me?</li> <li>What should I be looking out for?</li> <li>Where am I most vulnerable?</li> <li>How can I reduce my company’s risk of a cyber attack?</li> </ul> <p>Anomali extends visibility with intelligence from over one hundred million attack sensors. This gives us a unique ability to understand attacker activity globally, take a previously unknown threat, and make it known to the world. It also allows our teams to apply machine learning to anticipate an attacker’s next move and help stop them before they strike.</p> <p>Adversaries are constantly evolving. Your security program should too.</p> <p><a href="https://www.anomali.com/resources/ebooks/the-need-to-focus-on-the-adversary">Download</a> our new eBook, “<a href="https://www.anomali.com/resources/ebooks/the-need-to-focus-on-the-adversary">The Need to Focus on the Adversary,</a>” to hear from industry experts on how you can better understand your adversary.</p>
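<p>The Attack Flow Library described above sequences techniques so an analyst can read an intrusion end to end. The Python below is an added example, not Anomali or MITRE code, of walking a flow in the Attack Flow 2.x STIX format and listing its techniques in the order an attacker would reach them. The object types and field names (an attack-flow object with start_refs; attack-action objects with technique_id and effect_refs; attack-operator; attack-condition with on_true_refs and on_false_refs) follow the published Attack Flow schema as I understand it and should be checked against the current specification; the flow itself is constructed and does not describe any real intrusion.</p>

```python
"""Walk a MITRE Engenuity Attack Flow bundle and list its techniques in order.

Added example, not Anomali or MITRE code. Object types and field names follow
the Attack Flow 2.x STIX extension as I understand it (assumption: check against
the current spec). The bundle below is constructed for illustration.
"""
from collections import deque

# Constructed flow: phishing -> macro execution -> (credential dumping OR
# discovery) -> condition -> lateral movement. Only the fields the walker
# needs are present; the ids are placeholders, not real STIX UUIDs.
SAMPLE_FLOW = {
    "type": "bundle",
    "id": "bundle--constructed-0001",
    "objects": [
        {"type": "attack-flow", "id": "attack-flow--f1",
         "name": "Constructed intrusion", "start_refs": ["attack-action--a1"]},
        {"type": "attack-action", "id": "attack-action--a1",
         "name": "Spearphishing Attachment", "technique_id": "T1566.001",
         "effect_refs": ["attack-action--a2"]},
        {"type": "attack-action", "id": "attack-action--a2",
         "name": "Malicious File", "technique_id": "T1204.002",
         "effect_refs": ["attack-operator--o1"]},
        {"type": "attack-operator", "id": "attack-operator--o1", "operator": "OR",
         "effect_refs": ["attack-action--a3", "attack-action--a4"]},
        {"type": "attack-action", "id": "attack-action--a3",
         "name": "LSASS Memory", "technique_id": "T1003.001",
         "effect_refs": ["attack-condition--c1"]},
        {"type": "attack-action", "id": "attack-action--a4",
         "name": "Remote System Discovery", "technique_id": "T1018",
         "effect_refs": ["attack-condition--c1"]},
        {"type": "attack-condition", "id": "attack-condition--c1",
         "description": "Valid domain credentials obtained",
         "on_true_refs": ["attack-action--a5"], "on_false_refs": []},
        {"type": "attack-action", "id": "attack-action--a5",
         "name": "SMB/Windows Admin Shares", "technique_id": "T1021.002",
         "effect_refs": []},
    ],
}


def successors(obj):
    """Ids an object hands control to. Conditions branch on true/false;
    actions and operators use effect_refs."""
    if obj["type"] == "attack-condition":
        return list(obj.get("on_true_refs", [])) + list(obj.get("on_false_refs", []))
    return list(obj.get("effect_refs", []))


def technique_sequence(bundle):
    """Breadth-first walk from the flow's start_refs.

    Returns (name, technique_id) pairs in the order they are reached. An action
    is listed once even when several branches converge on it, and the visited
    set also stops the walk on a cycle in a malformed flow. A reference to an
    object missing from the bundle raises, because a partial flow would
    silently understate the attacker's path.
    """
    objs = {o["id"]: o for o in bundle["objects"]}
    flows = [o for o in objs.values() if o["type"] == "attack-flow"]
    if len(flows) != 1:
        raise ValueError("expected exactly one attack-flow object")
    queue = deque(flows[0].get("start_refs", []))
    seen, order = set(), []
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        obj = objs.get(ref)
        if obj is None:
            raise ValueError(f"unresolved reference {ref}")
        if obj["type"] == "attack-action":
            order.append((obj["name"], obj.get("technique_id")))
        queue.extend(successors(obj))
    return order


def technique_ids(bundle):
    """Just the ATT&CK ids, e.g. to seed a detection-coverage checklist."""
    return [tid for _, tid in technique_sequence(bundle) if tid]


if __name__ == "__main__":
    for name, tid in technique_sequence(SAMPLE_FLOW):
        print(f"{tid:<10} {name}")
```

<p>The ordered technique list is the practical output: each id can be checked against the detections a SOC actually has, so a gap early in the sequence (here, the phishing and macro-execution steps) is visible before the later, noisier stages are ever reached. Operators and conditions are walked through but not listed, since they describe the flow's branching rather than an adversary action.</p>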
<p>Cybersecurity has a way of surprising us with the unexpected, so I wouldn’t be surprised to see a completely new kind of security threat emerge in 2023. But as the ongoing cat-and-mouse game between attackers and defenders unfolds, certain scenarios are already coming into view.</p> <p><strong>Why Threat Actors Will Love Pink Slips</strong></p> <p>Amid growing economic uncertainty, many companies around the globe are tightening their belts and reducing headcount ahead of a possible recession. As organizations brace for the worst, three related security risks loom:</p> <p>1. External attackers aren’t the only threats companies face. Insider threat incidents are up 44% over the past two years, and the cost per incident has climbed by more than a third to $15.38 million. Layoffs add a new reason for concern, because they create insider risk on two fronts: departing employees who leave disgruntled, and remaining employees angry about the decision to let their colleagues go. That means more potential for theft or sabotage from within.</p> <p>2. Staff reductions have unintended consequences for an organization’s security posture. Gaps in network defenses appear just as the company has fewer technical experts watching, and visibility into the security status of its products and systems shrinks. This is a golden opportunity for professional threat actors looking for the path of least resistance. When they hear about layoff announcements at a particular firm, it doesn’t take long before they start probing for vulnerabilities.</p> <p>3. Companies regularly get into trouble by failing to set up well-controlled and thorough off-boarding procedures, particularly for senior or privileged users. A proper process verifies, and records, that every user account, credential, data share, and physical or digital asset has actually been revoked or recovered. 
Also, don’t ignore the consequences of piling roles and responsibilities onto the employees who remain after a layoff. Consolidating duties in fewer hands erodes segregation of duties and can inadvertently create ‘super users.’ That is both an insider threat risk and a target of opportunity for attackers looking to exploit people who are still novices in the roles they have just taken on.</p> <p><strong>Commodity Malware and Tools Dominate</strong></p> <p>Threat actor groups run a profitable business selling increasingly capable malware and tooling to would-be attackers, a trend that will continue in 2023. Because many unrelated actors end up using the same tools, attribution gets harder for forensic investigators. All of which further underscores the importance of threat intelligence that explains why particular actors are likely to target specific organizations and what malware and tools they might deploy.</p> <p><strong>Supply Chain Is the Place to Be</strong></p> <p>Cyber attackers stick with what works. So, after the run of major supply chain incidents in the last few years (SolarWinds in 2020, Log4Shell in 2021 and its variants into 2022), expect more of the same in the new year. Trusted-relationship abuse and supply chain attacks are a particular favorite of state-sponsored groups. Expect them to be patient and to remain hidden as they go to great lengths to accomplish their objectives.</p> <p>None of this means attackers are fated to have the advantage over defenders in 2023. But given their growing sophistication, it’s more important than ever to have a full picture of your assets and your supply chain exposure. Pay close attention to shared development environments where you work with third parties and contractors to build and maintain your applications. Maintaining oversight of the security of, and access to, these environments is key. 
Audit development practices and establish adequate segregation of code bases, data, and documentation. It is hard to overstate how important it is to assure the integrity of the code base and of the build procedures that turn it into what you ship.</p>
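<p>The off-boarding and segregation-of-duties points above are the kind of thing that is easy to agree with and easy to skip checking. The Python below is an added example, not from the Anomali post, of the two checks as a script an identity or security team could run after a layoff: it lists terminated users whose accounts are still enabled (flagging the ones that have logged in since their last day, and privileged ones first) and identities that hold both halves of a conflicting role pair. The HR list, the directory export, the field names (username, status, roles, last_login) and the conflict pairs are all constructed assumptions, not any vendor's schema or any real policy.</p>

```python
"""Off-boarding and segregation-of-duties checks after a headcount reduction.

Added example, not from the Anomali post. The records below are a constructed
stand-in for an HR termination list and an IdP/directory export; the field
names (username, status, roles, last_login) and the conflict pairs are
assumptions, not any vendor's schema or any real policy.
"""
from datetime import datetime, timedelta, timezone

# Constructed HR list: username -> last working day.
TERMINATED = {"jdoe": "2023-01-06", "rlee": "2023-01-06", "mkim": "2022-12-16"}

# Constructed directory export. Timestamps are ISO-8601 UTC.
ACCOUNTS = [
    {"username": "jdoe", "status": "disabled", "roles": ["payroll-approver"],
     "last_login": "2023-01-05T17:02:00Z"},
    {"username": "rlee", "status": "active", "roles": ["domain-admin", "vpn-user"],
     "last_login": "2023-01-09T08:41:00Z"},
    {"username": "mkim", "status": "active", "roles": ["vpn-user"],
     "last_login": "2022-12-15T11:00:00Z"},
    {"username": "apatel", "status": "active",
     "roles": ["payroll-approver", "payroll-submitter"],
     "last_login": "2023-01-09T09:10:00Z"},
    {"username": "svc-backup", "status": "active",
     "roles": ["domain-admin", "backup-operator"],
     "last_login": "2023-01-09T02:00:00Z"},
]

# Role pairs one identity should never hold together (constructed policy).
SOD_CONFLICTS = [
    ("payroll-submitter", "payroll-approver"),
    ("domain-admin", "backup-operator"),
]

PRIVILEGED_ROLES = {"domain-admin"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def offboarding_gaps(accounts, terminated, now_iso):
    """Terminated users whose accounts are still enabled.

    Each finding records whether the account authenticated after the last
    working day (someone is still using it) and how long it has been open.
    Privileged, still-used accounts sort first.
    """
    now = _ts(now_iso)
    findings = []
    for acct in accounts:
        last_day = terminated.get(acct["username"])
        if last_day is None or acct["status"] != "active":
            continue
        # Access should be gone by the start of the day after the last day.
        cutoff = datetime.strptime(last_day, "%Y-%m-%d").replace(tzinfo=timezone.utc) + timedelta(days=1)
        findings.append({
            "username": acct["username"],
            "privileged": bool(PRIVILEGED_ROLES & set(acct["roles"])),
            "login_after_termination": _ts(acct["last_login"]) >= cutoff,
            "days_open": (now - cutoff).days,
        })
    findings.sort(key=lambda f: (not f["privileged"],
                                 not f["login_after_termination"],
                                 f["username"]))
    return findings


def sod_violations(accounts, conflicts):
    """Identities holding both halves of a conflicting pair: the 'super users'
    that consolidating duties after a layoff tends to create."""
    out = []
    for acct in accounts:
        held = set(acct["roles"])
        for a, b in conflicts:
            if a in held and b in held:
                out.append((acct["username"], a, b))
    return out


if __name__ == "__main__":
    for f in offboarding_gaps(ACCOUNTS, TERMINATED, "2023-01-10T00:00:00Z"):
        print("still enabled:", f)
    for user, a, b in sod_violations(ACCOUNTS, SOD_CONFLICTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
```

<p>Two design points matter in practice. The termination cutoff is the start of the day after the last working day, so a login on the last day itself is not a finding but a login the next morning is. And service accounts are checked for segregation of duties alongside people: a backup account that is also a domain admin is exactly the kind of quiet super user the post warns about, whoever happens to hold its credentials after the reorganization.</p>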
<p>We’re excited to announce our quarterly platform update for November. This update introduces new capabilities that automate defense actions and allow enterprise organizations to understand their relevant threat landscape and visualize what’s happening inside and outside their network.</p> <p>Key highlights for this quarter include:</p> <ul> <li>Attack Surface Management</li> <li>Visualizations of Attack Flow Patterns</li> <li>Anomali Intelligence Channels</li> <li>Cloud XDR Data Usage and Notification</li> <li>Feeds Health Status</li> </ul> <h2><strong>Attack Surface Management:</strong></h2> <p>Understanding your threat landscape is essential to knowing which assets you need to protect. With this release, we’re proud to offer an Attack Surface Management solution that gives security teams a comprehensive, accurate view of their environment through the eyes of the attacker.</p> <p>“Recent ESG Research showed that security operations have become more difficult at most organizations over the past few years, partly due to a growing attack surface,” said Jon Oltsik, Senior Principal Analyst and Fellow, Enterprise Strategy Group.</p> <p>Anomali’s Attack Surface Management provides visibility into all external-facing assets to identify exposures, enabling organizations to understand impact based on asset criticality, vulnerability, and attack severity. This allows analysts to prioritize investigations and remediate misconfigured assets and security controls.</p> <p>The real power is in using it in combination with other Anomali solutions. For example, with Anomali Match, organizations can prioritize asset remediation based on real, detected threats to exposed assets. 
With this, they can assess the threat actors targeting the organization, their motivations for attacking, and the tactics and techniques they use as they carry out an active campaign.</p> <p>Anomali’s proprietary data provides both a point-in-time and a historical view, with insights that others can’t offer. Reach out or download our datasheet to learn more.</p> <h2><strong>Visualizations of Attack Flow Patterns:</strong></h2> <p>Understanding an attacker and their tactics, techniques, and procedures (TTPs) is paramount to becoming a proactive security organization.</p> <p>“Attack flows help defenders understand, share, and make threat-informed decisions based on the sequence of actions in a cyber-attack,” as MITRE Engenuity’s Center for Threat-Informed Defense puts it.</p> <p>Based on our work with the MITRE Engenuity Center for Threat-Informed Defense, we’ve added a new Attack Flow Library that visualizes the sequence of attack techniques in ThreatStream Cloud. An initial group of 15 Attack Flows, curated by the Anomali Threat Research Team, is available in ThreatStream.</p> <p>This library enables analysts to understand the sequences of techniques attackers use to infiltrate an environment. It also gives SOC teams a foundation for future automated attack-pattern detection capabilities that could help prevent, stop, or remediate an attack.</p> <p>Keep an eye out for more innovations around this initiative. And <a href="https://www.anomali.com/resources/ebooks/the-need-to-focus-on-the-adversary">download</a> our ebook, The Need to Focus on the Adversary, to learn why understanding the attacker is important.</p> <h2><strong>Intelligence Channels:</strong></h2> <p>Security teams are under pressure to do more with less. 
Unfortunately, most organizations struggle to implement threat intelligence effectively, and so never realize the value their threat intelligence team, processes, and tools could provide.</p> <p>We’ve made it easier for security teams to put tailored intelligence to work out of the box with Intelligence Channels.</p> <p>Intelligence Channels are for organizations that need help implementing threat intelligence. Curated by the Anomali Threat Research team, the ready-to-go Intelligence Channels include: Threat Actor Monitoring and TTPs, Brand and Domain Monitoring, Phishing and Fraudulent Activity, Infrastructure, Malware Intelligence, Region- or Sector-Specific Threats, Social Media, Mobile Threat Defense, Vulnerabilities, and Exploits.</p> <h2><strong>Cloud XDR Data Usage Dashboard and Notifications:</strong></h2> <p>The Anomali Platform leverages cloud-to-cloud modern telemetry in Cloud XDR, ingesting all of your security telemetry and correlating it with intelligence to detect threats in your environment.</p> <p>The new Data Usage Dashboard details an organization’s event data ingestion and retention limits. It shows the entitled daily ingestion limit and the available historical search window, along with daily, average, and historical data volume, and lets you configure when notifications are triggered.</p> <p>This dashboard allows practitioners to see how much data they ingest into the Anomali Platform and ensure they keep operating within licensed limits. CISOs can see how much data their teams ingest in order to optimize log source ingestion and align usage, projected growth in volume, and budgeting so that future needs are met.</p> <h2><strong>Feeds Health Status:</strong></h2> <p>Threat intelligence feeds provide an ongoing stream of data about potential or actual threats, delivering information about attacks, including zero-days, malware, botnets, and other security threats.</p> <p>Customers can now monitor the health status of their feeds to ensure they are up-to-date and accurate. Users are proactively notified, by email or in the app, if a feed integration has been in an error state for 24 hours or more.</p> <p>This new feature allows ThreatStream customers to resolve issues quickly and directly with feed vendors.</p> <p>For more information, reach out to your customer success manager or check out the quarterly release webinar available at Anomali University.</p> <p>Until next time.</p>
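<p>The Feeds Health Status note above says that a feed integration in an error state for 24 hours or more triggers a notification. The Python below is an added example, not ThreatStream code, of that check run over a constructed set of feed status records, together with a second condition a practitioner usually wants beside it: a feed that has not delivered successfully within a chosen window even though nothing reports an error, which is what an upstream source that quietly stops publishing looks like. The record fields (name, state, state_since, last_success) and the 48-hour staleness window are assumptions.</p>

```python
"""Flag threat-intelligence feed integrations that are erroring or stale.

Added example, not Anomali ThreatStream code. The feed status records are
constructed; the field names (name, state, state_since, last_success) are
assumptions. The 24-hour error threshold is the one in the release note; the
48-hour 'no successful pull' window is an added assumption to tune per feed.
"""
from datetime import datetime, timedelta, timezone

ERROR_THRESHOLD = timedelta(hours=24)   # from the release note
STALE_THRESHOLD = timedelta(hours=48)   # assumption: depends on feed cadence

# Constructed status snapshot (ISO-8601 UTC).
FEEDS = [
    {"name": "vendor-a-ioc", "state": "ok",
     "state_since": "2023-01-09T06:00:00Z", "last_success": "2023-01-10T05:30:00Z"},
    {"name": "vendor-b-malware", "state": "error",
     "state_since": "2023-01-08T22:00:00Z", "last_success": "2023-01-08T21:55:00Z"},
    {"name": "vendor-c-phish", "state": "error",
     "state_since": "2023-01-10T03:00:00Z", "last_success": "2023-01-10T02:50:00Z"},
    {"name": "osint-d", "state": "ok",
     "state_since": "2023-01-05T00:00:00Z", "last_success": "2023-01-07T12:00:00Z"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _hours(delta):
    return round(delta / timedelta(hours=1), 1)


def feed_alerts(feeds, now_iso):
    """Return (feed name, reason, hours) for every feed that needs attention.

    'error' : the integration has reported an error state for >= 24 h.
    'stale' : no successful pull within the staleness window, whatever the
              reported state. This catches a feed whose upstream quietly
              stopped publishing, which never shows up as an error.
    A feed that only entered the error state recently is left alone so that
    transient upstream blips do not page anyone.
    """
    now = _ts(now_iso)
    alerts = []
    for feed in feeds:
        in_error = now - _ts(feed["state_since"])
        since_ok = now - _ts(feed["last_success"])
        if feed["state"] == "error" and in_error >= ERROR_THRESHOLD:
            alerts.append((feed["name"], "error", _hours(in_error)))
        elif since_ok >= STALE_THRESHOLD:
            alerts.append((feed["name"], "stale", _hours(since_ok)))
    return alerts


if __name__ == "__main__":
    for name, reason, hours in feed_alerts(FEEDS, "2023-01-10T06:00:00Z"):
        print(f"{name}: {reason} for {hours} h")
```

<p>Run against the constructed snapshot at 06:00 UTC on 10 January, the feed that has been erroring for 32 hours and the feed that last delivered 66 hours ago are reported, while the feed that errored three hours earlier is not. The staleness check is the one to tune: a daily feed should use a longer window than one that publishes every few minutes, and the wrong value produces either noise or silence.</p>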
<p>We live in a world of constant change. Digital transformation has fundamentally changed the way we work, play, learn, shop, travel, communicate, connect, collaborate, create, consume media, earn income, and even sleep. These changes have brought new risks and challenges along with new opportunities for innovation, efficiency, and growth. As the pace of change accelerates, organizations must adapt their business models, processes, and technologies to remain competitive.</p> <p>Digital transformation isn’t just about moving to the cloud, adopting new technologies, or building better apps. It is also about protecting those investments, and building that protection in from the beginning. This means taking a holistic approach to cybersecurity, one that addresses the entire attack chain from end to end.</p> <p>To do so, organizations need to leverage technology to improve operational efficiency while ensuring security and compliance. But doing so requires them to rethink many aspects of their current operations, including their network architecture, application development lifecycle, data center design, and cybersecurity strategy.</p> <h2>Increasing Concerns and Challenges</h2> <p>With the rapid expansion of cloud computing, mobile devices, social networking, big data analytics, and virtualized environments such as private, public, and hybrid clouds, enterprises now face significant challenges in managing all the components of their IT infrastructure. They are forced to reevaluate their existing approaches to managing networks, servers, applications, storage systems, and endpoints. 
And yet, despite the growing complexity, there is still little clarity about which solutions are required and how to deploy them efficiently.</p> <p>In addition to the traditional concerns of performance, availability, scalability, reliability, and security, organizations must consider what digital transformation does to their exposure. For instance, as companies move toward software-defined everything (SDX), the attack surface grows sharply: every controller, API, and orchestration layer is another component that can be misconfigured or exploited. Even a robust software-defined networking (SDN) deployment is not by itself enough to protect against an advanced persistent threat (APT) or other targeted attack. There are many ways to classify APTs, but they share one common characteristic: they are highly targeted, stealthy, and extremely effective.</p> <h2>Cyber Attacks and Attackers Evolving</h2> <p>Today’s sophisticated attackers can exploit vulnerabilities in any part of an organization’s IT infrastructure, whether it’s a desktop operating system, server, router, firewall, VPN gateway, endpoint device, or cloud provider. A successful attacker could compromise an employee’s computer, gain access to sensitive corporate files, steal intellectual property, destroy critical production assets, disrupt operations, or cause catastrophic damage.</p> <p>As the number of connected devices continues to grow, so does the sophistication of the attacks targeting them. The “persistent” in advanced persistent threat is the point: these campaigns maintain a foothold for months or years, pursue several objectives within the same victim, and keep adapting their tooling to stay ahead of the defenses they encounter.</p> <h2>Defining Your Attack Surface</h2> <p>An attack surface comprises all the technology that exists inside an organization. 
This includes computers, mobile devices, applications, networks, operating systems, browsers, network infrastructure, cloud computing platforms, email servers, databases, storage, and much else.</p> <p>The attack surface represents the potential vulnerabilities that could allow attackers to gain unauthorized access to internal resources and data. For example, a company might still be running end-of-life platforms such as Microsoft Windows XP, OS X 10.7 Lion, or iOS 5.0, along with WebKit browser versions 4.0 to 6.0, long after security updates for them have stopped. Each of these components is a potential point of entry for malware (viruses, spyware, Trojans, and worms) and for attacks such as exploitation of unpatched bugs, denial of service, account hijacking, theft of personally identifiable information (PII), and fraudulent transactions.</p> <h2>Defining Your Digital Footprint</h2> <p>A digital footprint is the collection of data about an individual or organization that exists outside that person or entity’s control. This includes everything from what people say about you on social media sites like Facebook and Twitter to what information about you is stored in third-party databases.</p> <p>The concept of a digital footprint is not new, but today the term is being applied to much broader concerns, including how businesses are perceived by customers, employees, partners, and even competitors.</p> <p>While there are many different types of digital footprints, one thing they all have in common is that they grow larger every day.</p> <h2>Why Your Digital Footprint Matters</h2> <p>Your digital footprint is part of your attack surface. In addition to understanding your attack surface and attacker behavior, companies must identify where their digital footprint lies. 
This includes identifying the digital assets, people, processes, technologies, and policies that make up their digital presence.</p> <p>Once you know where your digital footprint resides, it becomes easier to defend against malicious activity by taking steps such as:</p> <p>* Identifying and managing the assets that comprise your digital footprint</p> <p>* Monitoring changes to those assets</p> <p>* Maintaining visibility into the status of your assets</p> <h2>Risks of an Unknown Attack Surface</h2> <p>Most organizations are poorly prepared for what lies beyond their network perimeter, and some lack visibility even into what is happening inside it: the applications running on servers, mobile phones, laptops, and desktops; the people interacting with those systems; and the data being stored, transmitted, and processed. This exposes businesses to attacks that could compromise customer information, intellectual property, and physical safety.</p> <p>Traditional approaches to security that do not include external monitoring miss a large part of the picture. By focusing solely on the perimeter, organizations fail to account for the massive amount of data generated daily by employees and customers outside it. They often overlook that people communicate via email, messaging apps like Slack, and social media platforms like Facebook and Twitter. Each of these channels is a potential avenue for an attacker to reach employees, and through them the organization.</p> <h2>Understanding Your Attack Surface</h2> <p>Understanding your attack surface enables you to better protect yourself against threats from attackers, cybercriminals, disgruntled employees, and competitors. It also helps you identify gaps in your security program that could open a door for an attacker.</p> <p>A common misconception is that once an application or piece of software has been deployed securely, it stays that way. In fact, new vulnerabilities continue to be discovered in software long after its initial deployment. 
In addition, attackers frequently develop new techniques for exploiting known weaknesses even when no new vulnerabilities are identified. Consequently, continuously monitoring your infrastructure, including existing software, is critical to ensure that patches are applied promptly, before a vulnerability becomes exploitable in your environment.</p> <h2>Monitoring Your Attack Surface</h2> <p>Monitoring an organization’s digital footprint and attack surface enables security teams to proactively identify, mitigate, and prevent threats, going beyond merely monitoring endpoints and networks. With continuous visibility into cyber threats, security teams can make better decisions about where to focus resources and take proactive steps to protect against future attacks.</p> <p>Without continuous monitoring and actionable threat intelligence, organizations are exposed. Attackers can leverage known vulnerabilities to access and steal sensitive data. They can also use unknown vulnerabilities to bypass traditional defenses and security controls and move laterally through an environment. This makes detecting and responding to attacks much harder, because there is no way to anticipate which vulnerability will be exploited next.</p> <p>Additionally, without continuous monitoring and actionable intelligence, it becomes increasingly difficult to stop an attack once it has begun. Once an attacker gains initial access to a system, it becomes hard to tell whether they are actively exploiting a vulnerability or passively observing activity. 
In either case, the attacker can remain undetected while continuing to exfiltrate data.</p> <h2>Using Attack Surface Management to Defend Your Organization</h2> <p>Attack Surface Management (ASM) helps organizations assess their risk exposure and develop strategies to mitigate those risks.</p> <p>ASM should start with a comprehensive inventory of all the resources and technologies used within the organization. This includes identifying all the hardware, software, and third-party vendors that provide connectivity between the organization and the outside world.</p> <p>Next, it identifies each component’s purpose and determines its role in the organization’s operation.</p> <p>Finally, it analyzes each resource’s potential vulnerabilities and determines the likelihood of exploitation. With this information, organizations can ensure that their technology investment is secure and reliable.</p> <p>An effective Attack Surface Management solution includes: </p> <p><strong>Asset Identification:</strong> Taking inventory of your assets allows you to prioritize the most valuable and business-critical ones. It can also help reduce technical complexity by flagging redundant assets, products, or solutions. </p> <p><strong>Vulnerability Discovery:</strong> Identifying vulnerabilities in your attack surface allows you to eliminate potential attack vectors and counter emerging threats. </p> <p><strong>Risk Assessment:</strong> Performing a risk assessment is crucial in determining how and where adversaries are likeliest to strike. A risk assessment typically goes hand in hand with vulnerability discovery. </p> <p><strong>Technology Implementation</strong>: When implementing a new product or service, you should first assess how the implementation will impact your attack surface. 
</p> <p><strong>Continuous Monitoring:</strong> Implementing a solution that continuously monitors all assets is the core goal of attack surface mapping, building on the foundation established by the previous steps.</p> <h2>Managing Your Attack Surface</h2> <p>Because the security risks posed by an attack surface are constantly evolving, it is imperative to review your attack surface periodically and update your defenses accordingly. To manage your attack surface, you should perform the following tasks:</p> <p>• Review Software Updates – Ensure that all software running on your network is up to date. Updates fix bugs and add features, but they can also introduce new, as-yet-unknown risks, so apply them regularly and test them before broad rollout.</p> <p>• Conduct Security Audits – Perform periodic security audits to verify that your enterprise has adequate protection measures in place to mitigate risk. For example, check that all firewalls are properly configured and that patch levels are current.</p> <p>• Create a Strategy – Once you have reviewed your attack surface and determined which areas require additional attention, devise a plan to address those needs. Develop a strategy that will enable you to assess risks, prioritize efforts, deploy solutions, track progress, and measure success.</p> <h2>Anomali’s Attack Surface Management Solution</h2> <p>Anomali’s Attack Surface Management provides a contextual inside-out and outside-in view that enables organizations to see what is exposed, understand the who, what, and how of an attack, and obtain the additional context needed to fix vulnerabilities.</p> <p>Anomali’s proprietary data provides both a point-in-time and a historical view, with insights that others can’t offer. 
This includes identifying vulnerable assets and information on how long they’ve been vulnerable and if they’ve been compromised.</p> <p>Organizations can uncover vulnerabilities and continuously monitor their environment to call attention to new or emerging threats and respond quickly.</p> <p><a href="https://www.anomali.com/resources/data-sheets/anomali-attack-surface-management">Download</a> our datasheet or reach out to learn more.</p>
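<p>Here is an added example, not code from this page or from Anomali’s product, of the inventory, change-monitoring, and continuous-monitoring steps described above: a Python script that diffs two snapshots of externally reachable assets and flags the exposures to triage first, including how long each has been exposed. The snapshots, the high-risk service list, the report date, and the 30-day threshold are constructed assumptions.</p>

```python
"""Attack surface snapshot diff and exposure flagging.

Added example; this is not Anomali's code or the product described above.
It compares two constructed inventories of externally reachable assets,
reports what appeared, disappeared or changed between them, and flags
exposures worth triaging first. Service names, the high-risk list, the
report date and the 30-day threshold are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Services that should almost never be reachable from the internet (assumption).
HIGH_RISK_SERVICES = {"rdp", "smb", "telnet", "redis", "mongodb", "ftp"}
# The "today" used for exposure ages (constructed, so the output is stable).
REPORT_DATE = date(2023, 11, 1)


@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str
    version: str
    owner: Optional[str]   # None = nobody owns it, i.e. an orphaned asset
    first_seen: date       # date the asset was first observed externally


def asset_key(a: Asset) -> Tuple[str, int]:
    """An asset is identified by where it listens, not by what runs there."""
    return (a.host, a.port)


def diff_snapshots(previous: List[Asset], current: List[Asset]):
    """Return (added, removed, changed) between two inventory snapshots."""
    prev = {asset_key(a): a for a in previous}
    curr = {asset_key(a): a for a in current}
    added = sorted((curr[k] for k in curr.keys() - prev.keys()), key=asset_key)
    removed = sorted((prev[k] for k in prev.keys() - curr.keys()), key=asset_key)
    changed = sorted(
        ((prev[k], curr[k]) for k in curr.keys() & prev.keys()
         if (prev[k].service, prev[k].version) != (curr[k].service, curr[k].version)),
        key=lambda pair: asset_key(pair[1]),
    )
    return added, removed, changed


def exposure_findings(assets: List[Asset], today: date, max_age_days: int = 30):
    """Flag assets exposing high-risk services or lacking an owner, and note
    how long a flagged asset has been exposed (the 'how long vulnerable' view)."""
    findings = []
    for a in assets:
        reasons = []
        if a.service in HIGH_RISK_SERVICES:
            reasons.append(f"{a.service} exposed to the internet")
        if a.owner is None:
            reasons.append("no owner on record")
        if reasons:
            age = (today - a.first_seen).days
            if age > max_age_days:
                reasons.append(f"exposed for {age} days")
            findings.append((a, reasons))
    return findings


# Constructed snapshots (not real scan data); 203.0.113.0/24 is a documentation range.
PREVIOUS_SNAPSHOT = [
    Asset("www.example.com", 443, "https", "nginx 1.24", "web-team", date(2023, 1, 10)),
    Asset("mail.example.com", 25, "smtp", "postfix 3.7", "it-ops", date(2022, 6, 1)),
    Asset("dev.example.com", 22, "ssh", "openssh 9.3", "platform", date(2023, 3, 2)),
]
CURRENT_SNAPSHOT = [
    Asset("www.example.com", 443, "https", "nginx 1.25", "web-team", date(2023, 1, 10)),
    Asset("mail.example.com", 25, "smtp", "postfix 3.7", "it-ops", date(2022, 6, 1)),
    Asset("203.0.113.17", 3389, "rdp", "ms-wbt-server", None, date(2023, 9, 20)),
]


def report(previous, current, today):
    """Human-readable summary of the delta plus the exposures to triage."""
    added, removed, changed = diff_snapshots(previous, current)
    lines = [f"+ {a.host}:{a.port} {a.service} ({a.version})" for a in added]
    lines += [f"- {a.host}:{a.port} {a.service} ({a.version})" for a in removed]
    lines += [f"~ {b.host}:{b.port} {a.version} -> {b.version}" for a, b in changed]
    for a, reasons in exposure_findings(current, today):
        lines.append(f"! {a.host}:{a.port}: " + "; ".join(reasons))
    return lines


if __name__ == "__main__":
    print("\n".join(report(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, REPORT_DATE)))
```

<p>Run it as a script to print the delta. In practice the snapshots would come from an external scanner or an ASM product’s export, and the first-seen date is what lets you report how long an exposure has existed rather than merely that it exists today.</p>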
<p>The digital transformation era has fundamentally changed how organizations operate, including how they manage information technology processes and systems. This change has been driven primarily by a desire to improve efficiency, reduce costs, and increase agility across multiple business areas. It is often accompanied by a shift from traditional physical environments to fully virtualized ones.</p> <p>While the benefits of virtualization are well documented, its adoption can leave the resulting network architecture highly exposed, especially when combined with public cloud resources.</p> <p>The risk of cyberattacks is increasing across industries, impacting every aspect of modern life. This includes everything from financial institutions to healthcare providers, manufacturing companies to retail stores, government agencies to educational institutions, energy utilities to transportation systems, telecommunications carriers to media outlets, and many others.</p> <h2>Gartner Cybersecurity Research</h2> <p>In fact, according to Gartner, nearly 90% of large enterprises now face some form of cyberattack each month, and 40% of those attacks are considered high severity. In addition, there are over 3,200 known malware families, ranging from simple viruses to sophisticated targeted attacks.</p> <p>Gartner found that most organizations understand the importance of addressing cybercrime, but few know how to do it properly. They believe cybersecurity must address both technology and people issues, but they don’t fully realize how much of a challenge this truly is.</p> <p>Gartner’s research found that the current cybersecurity approach is failing, and a shift is needed. 
</p> <p>The <a href="https://www.anomali.com/resources/whitepapers/gartner-how-to-respond-to-the-2022-cyberthreat-landscape">research</a> recommends that organizations take a holistic view of the problem and align security with the top emerging threats by:</p> <p>• Gaining a clear picture of the current state of play: What are the biggest threats facing companies today? Where do they sit within the overall threat landscape? And can you identify them?</p> <p>• Understanding where the most significant risk lies: Which areas pose the greatest threat to businesses today? And why?</p> <p>• Implementing effective strategies for mitigating threats: What are effective ways to address the most significant threats? For example, what types of technologies can help protect against data breaches? How do you protect against insider threats? How do you secure cloud environments?</p> <h2>Post-Covid Era Cybersecurity</h2> <p>Even though we’re now past the COVID-19 crisis, it brought lasting disruptions to the cybersecurity industry. Many large companies continue to focus on remote work, causing cloud-based operations to increase, while expanding 5G networks connect devices at faster speeds and greater bandwidths. Cryptocurrencies exploded in popularity and are now bought, sold, and traded by individuals on a grander scale than ever before.</p> <p>Many organizations lack visibility into the full extent of the risks across their growing attack surface, making it challenging to identify and address vulnerabilities effectively.</p> <p>In addition, the rapid pace of innovation and sophistication in attacks makes it increasingly challenging for organizations to keep up with new threats. 
Organizations must ensure they have the right solutions, such as a threat intelligence management or extended detection and response (XDR) platform, to defend against cyberattacks proactively.</p> <h2>Cyber Attacks and Attackers are Evolving</h2> <p>The stereotypical hacker working alone is no longer the main threat. Today’s attackers are more methodical and work within larger teams, often organized into groups known as advanced persistent threats (APTs). These groups are typically comprised of highly skilled professionals who spend months planning and executing complex attacks against specific targets. They practice operational security to avoid detection and keep their activities secret. In addition to traditional techniques like social engineering, spear phishing, and brute-force password cracking, APT actors rely heavily on automation, increasingly including artificial intelligence and machine learning, to carry out their attacks.</p> <p>Over the next few years, technological advances will let attackers compress the end-to-end attack lifecycle, from reconnaissance through exploitation, from weeks to days or even hours.</p> <p>For example, Emotet, which began as a banking trojan that uses social engineering to steal credentials and grew into a modular malware loader, can change the nature and scale of its attacks based on what it learns about the target environment, making it difficult to detect and stop.</p> <h2>Increased Cyber Risk Regulation</h2> <p>The number of global regulatory bodies overseeing cyber risk is expanding rapidly. 
In addition to the European Union’s General Data Protection Regulation (GDPR), there are now regional laws such as the California Consumer Privacy Act (CCPA), the Australian Privacy Principles (APPs), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).</p> <p>In parallel, the complexity of digital transformation continues to grow, creating challenges for businesses across industries. For example, while most enterprises have adopted cloud computing, far fewer have fully embraced big data and analytics. This leaves many firms unprepared for the next wave of digital disruption.</p> <p>The combination of increased regulation and technological change creates significant challenges for companies seeking to protect sensitive information and maintain control over it.</p> <h2>Technology Advancements</h2> <p>With the advent of artificial intelligence (AI), many of today’s most pressing cybersecurity challenges are being met head-on by technology. The threat landscape continues to evolve rapidly, from the rise of botnets to the proliferation of zero-day exploits. This evolution presents significant opportunities for businesses seeking to automate manual tasks and free up human expertise to tackle higher-level problems.</p> <p>But while some organizations are leveraging automation to address the low-hanging fruit, others struggle to adapt to the ever-changing nature of modern threats. The answer is a risk-based approach to automation: by taking a risk-centric view of what to automate, organizations can use the technologies they already have to better manage the risks associated with particular attacks.</p> <h2>Understanding Tactics, Techniques, and Procedures (TTPs)</h2> <p>The key to success lies in understanding how attackers operate. 
Understanding why attackers behave the way they do helps you identify the risks associated with their actions and what mitigation measures need to be taken to reduce the likelihood of successful attacks.</p> <p>I’ve <a href="https://www.anomali.com/blog/getting-value-with-the-mitre-attck-framework">written</a> about how the MITRE ATT&CK Framework helps analysts understand how attackers operate, identify potential weaknesses, and take appropriate measures to strengthen them.</p> <p>ATT&CK helps analysts understand both the techniques and the ways attackers use them. If an attacker has successfully pivoted from one target to another by stealing credentials, you need to know why they did so. Was it because they lacked an exploit for a remotely exploitable vulnerability in an application, or because they prefer credentials over exploits for the flexibility and stealth they provide? Each answer points to a different defensive priority.</p> <p>Once you understand the tactics attackers use, you can develop a strategy for mitigating the risks posed by specific attacks. You could also invest in a threat intelligence management solution with automation and AI capable of analyzing massive amounts of data to identify emerging trends, like Anomali ThreatStream.</p> <p>Automating routine tasks frees up critical resources for tackling more complex issues. And by understanding TTPs, you reduce the likelihood that an attacker will succeed in compromising sensitive information.</p> <h2>Preparing for the Next Cyber Attack Wave</h2> <p>Many organizations continue to think that cybersecurity risk is just about technology; it’s not. Many organizations still see themselves as isolated islands, disconnected from the rest of the world.</p> <p>The evolution of threats has changed the cyber threat landscape. 
Today, attackers no longer just target individuals or organizations—they go straight for the heart of the enterprise, where data resides, and attack the systems that process and store information.</p> <p>Gartner recommends that companies align their security strategies with the changing threat landscape. This means understanding the most likely future threats, developing a plan to address those threats, and building a resilient infrastructure that can withstand attacks.</p> <p><a href="https://www.anomali.com/resources/whitepapers/gartner-how-to-respond-to-the-2022-cyberthreat-landscape">Download</a> Gartner’s report, “How to Respond to the 2022 Cyberthreat Landscape,” to gain insights on preparing for the next wave of cyberattacks.</p>
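<p>The credential-pivot question raised under “Understanding Tactics, Techniques, and Procedures (TTPs)” can be made concrete with detection logic that names the ATT&CK technique each finding evidences. The Python below is an added example, not code from this post or from Anomali; the logon events, thresholds, and time windows are constructed assumptions, while the technique IDs are real Enterprise ATT&CK identifiers.</p>

```python
"""Tagging authentication events with MITRE ATT&CK techniques.

Added example; not code from the original post or from Anomali. It runs two
detections over a constructed set of logon events and labels each finding with
the ATT&CK technique it evidences, so the output answers *how* an account was
used, not just that something fired. Thresholds and windows are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Enterprise ATT&CK technique IDs (names abbreviated).
BRUTE_FORCE = ("T1110", "Brute Force")
VALID_ACCOUNTS = ("T1078", "Valid Accounts")
REMOTE_SERVICES = ("T1021", "Remote Services")


def _ev(ts, user, src, dst, proto, outcome):
    return {"ts": ts, "user": user, "src": src, "dst": dst, "proto": proto, "outcome": outcome}


# Constructed logon records (not real telemetry). A guessing burst against
# file-01 succeeds, then the same account fans out to three more hosts.
EVENTS = [
    _ev(f"2023-11-01T08:00:{s:02d}", "svc_backup", "wks-42", "file-01", "smb", "failure")
    for s in range(0, 60, 10)
] + [
    _ev("2023-11-01T08:01:00", "svc_backup", "wks-42", "file-01", "smb", "success"),
    _ev("2023-11-01T08:02:00", "alice", "wks-07", "file-01", "smb", "success"),
    _ev("2023-11-01T08:05:00", "svc_backup", "file-01", "db-01", "smb", "success"),
    _ev("2023-11-01T08:07:00", "svc_backup", "file-01", "hr-01", "rdp", "success"),
    _ev("2023-11-01T08:09:00", "svc_backup", "file-01", "dc-01", "smb", "success"),
]


def _parsed(events):
    """Copy events with ISO timestamps parsed, sorted chronologically."""
    out = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(out, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """T1110: >= threshold failures for one (user, src, dst) inside `window`.
    Also records whether a success followed the burst, which is the sign that
    the guessing worked and the account should now be treated as compromised."""
    findings = []
    by_key = defaultdict(list)
    for e in _parsed(events):
        by_key[(e["user"], e["src"], e["dst"])].append(e)
    for (user, src, dst), evs in by_key.items():
        fails = [e["ts"] for e in evs if e["outcome"] == "failure"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            end = burst[-1]
            success = any(e["outcome"] == "success" and end <= e["ts"] <= end + window
                          for e in evs)
            findings.append({"technique": BRUTE_FORCE, "user": user, "src": src, "dst": dst,
                             "failures": len(burst), "followed_by_success": success})
            break  # one finding per key is enough
    return findings


def detect_credential_pivot(events, min_hosts=3, window=timedelta(minutes=15)):
    """T1078 + T1021: one account successfully authenticating to >= min_hosts
    distinct hosts inside `window`: lateral movement with valid credentials
    rather than an exploit, which is the distinction the text above draws."""
    findings = []
    successes = defaultdict(list)
    for e in _parsed(events):
        if e["outcome"] == "success":
            successes[e["user"]].append(e)
    for user, evs in successes.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = sorted({e["dst"] for e in in_window})
            if len(hosts) >= min_hosts:
                findings.append({"techniques": [VALID_ACCOUNTS, REMOTE_SERVICES], "user": user,
                                 "hosts": hosts,
                                 "protocols": sorted({e["proto"] for e in in_window}),
                                 "start": first["ts"].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in detect_brute_force(EVENTS) + detect_credential_pivot(EVENTS):
        print(f)
```

<p>The two findings together tell the story the text asks for: the account was obtained by guessing (T1110), and the attacker then chose to move with the stolen credential over ordinary SMB and RDP sessions (T1078, T1021) rather than with an exploit, which is where hardening effort should go.</p>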
<p>The increasing reliance on big data has created a broader scope for hackers to exploit. But it has also created opportunities for cybersecurity professionals to identify threats.</p> <p>Recent <a href="https://www.anomali.com/resources/ebooks/soc-modernization-and-the-role-of-xdr">ESG research</a> found that survey respondents want to use more data for security operations, driving the need for scalable, high-performance, cloud-based back-end data repositories.</p> <p>The research found that 80% of organizations use more than 10 data sources as part of security operations to detect malicious activity, and consider the most important to be endpoint security data, threat intelligence feeds, security device logs, cloud security data, and network flow logs.</p> <p>While these are all valuable in their own right, they can also be difficult to collect, store, analyze, and correlate across multiple systems. Big data analytics has made it possible for organizations to combine multiple sources of information into one unified view of an event or incident.</p> <p>Though there have been advances, many security tools still lack the ability to integrate, especially when they come from different vendors. This makes sharing information harder and highlights the need for better integration between telemetry sources and analysis tools.</p> <h2>Challenges with Big Data</h2> <p>There is no shortage of hype surrounding big data. Many companies are already reaping its benefits and applying it to improve their operations. Big data is often described as “dense”: it contains a great deal of information, which makes it hard to analyze. Collecting it is the easy part; the challenge is figuring out which information is relevant and how to apply it.</p> <p>The same goes for cybersecurity threats. There is a lot of buzz about the potential of big data to help identify attackers, but the reality is that it doesn’t simply work like that. 
Big data also gives attackers a way to hide within vast amounts of information. They can exploit this to avoid detection and even change their identity multiple times before launching a cyber attack.</p> <h2>Using Data for Cybersecurity</h2> <p>Even though data is the most appetizing and easily accessible target for attackers, that doesn’t mean you shouldn’t collect and analyze it. Data analysis can provide insights into how attackers target your organization and what they might do next.</p> <p>According to the <a href="https://www.anomali.com/resources/ebooks/soc-modernization-and-the-role-of-xdr">ESG Research</a>, SOC teams collect, process, and analyze a variety of security telemetry to help them find detection gaps where custom rules are needed. Security teams customize vendor rule sets to meet their needs and develop custom rules to detect threats targeting their industry or organization.</p> <h3>Data Visualization & Analytics</h3> <p>Big data analytics allows an organization to visualize attacks, detect anomalies, and discover relationships between different data sets.</p> <h3>Machine Learning & Predictive Modeling</h3> <p>Machine learning helps identify potential threats and behavior patterns by analyzing the data collected during an attack and comparing it with patterns already known. We can even build predictive models based on past experience to detect similar attacks in the future.</p> <h3>Security Controls Automation</h3> <p>Artificial intelligence can help push threat intelligence to security controls automatically to protect against breaches. For example, machine learning could identify activities associated with a particular type of event and block the associated actions or access.</p> <h2>The Need to Understand the Attacker</h2> <p>Threat actors use three main attack vectors: social engineering, malware, and brute force. 
Social engineering occurs when someone attempts to trick another person into disclosing confidential information or giving up control of their system. Malware is software designed to harm a computer, for example by installing spyware or stealing personal data. Brute force involves trying every possible combination of letters, numbers, and symbols until a valid password is found.</p> <p>To defend against these threats, organizations must understand the tactics, techniques, and procedures (TTPs) used by attackers. In addition, they must understand how attackers think and behave and use that knowledge to develop effective countermeasures.</p> <p>Attackers are constantly changing and growing more sophisticated. It will be harder to defend your organization if you don’t understand their motivations.</p> <h2>Mitigating Risk with Data</h2> <p>Big data analytics isn’t just about detecting attacks. It can also help organizations mitigate risk by automating the security response to many types of attacks. For instance, an automated pipeline can scan thousands of files daily for known vulnerabilities and alert administrators when one is found. Automation makes it possible to scale up to hundreds of thousands of scans per week without additional analyst effort.</p> <h2>Becoming Proactive</h2> <p>Cybersecurity is no longer just about preventing an attack; it’s about detecting an attack, mitigating damage, and responding quickly to reduce future threats. This approach requires organizations to change how they think about cybersecurity and adopt a proactive and resilient mindset.</p> <p>The traditional concept of cyber defense is based on a defensive model in which security teams are responsible for stopping attackers. 
Organizations today cannot afford such a static approach to defense, because there are too many ways for attackers to penetrate systems and cause harm.</p> <p>This shift to a proactive and resilient mindset separates a cyber-resilient organization from the rest. A resilient enterprise can detect, respond to, and recover from cyber-attacks within minutes rather than hours or days. In addition, a resilient enterprise proactively monitors its attack surface and network infrastructure, looking for suspicious behavior that could indicate an impending threat.</p> <h2>XDR Solutions Emerging</h2> <p>The Internet of Things, cloud computing, social media, and mobile devices are a few of the factors driving vast data growth. Many organizations struggle to make sense of all the data they collect. They lack the skills to analyze the information and find insights that could help them better understand the threats they face.</p> <p>Security teams face a significant challenge due to increasing network traffic volume and the rising complexity of modern threats. Traditional SIEMs struggle to cope with today’s massive volumes of log data and cannot provide timely analysis of events occurring across the entire enterprise.</p> <p>Extended detection and response (XDR) solutions have emerged to meet the need for a big data solution that helps organizations better detect and respond to threats. XDR solutions use data lakes to collect, store, and correlate telemetry from key XDR components and relevant data sources. This enables the collection and storage of vast amounts of information, including logs, system activity, network packets, and more, with analysis in seconds to minutes.</p> <p>Big data collection enables an effective XDR solution to draw conclusions across all telemetry instead of the siloed data that SIEMs collect. 
It also yields a more extensive curated library of threat data from multiple sources than a SIEM limited to collecting network logs can offer.</p> <p>XDR solutions use advanced machine learning and automation to help organizations focus on relevant threats and respond quickly, addressing the challenges SOC teams have with SIEM and SOAR platforms. An effective XDR solution uses out-of-the-box automation and machine learning to minimize false positives, surface relevant threats, and improve organizational efficiency.</p> <h2>Visualizing Attack Patterns</h2> <p>The biggest challenge facing most organizations is correlating historical information with a specific incident and determining whether the two are actually related. This is where big data analytics comes into play. By leveraging machine learning, organizations can detect attack patterns and use them to predict future events. For example, a predictive model could tell you that a specific type of malware is likely to hit your network within the next 24 hours, or that your organization is vulnerable to a targeted attack based on previous trends in similar situations.</p> <h2>Using MITRE ATT&CK to Better Understand Adversaries</h2> <p>The ATT&CK Framework is one of the most widely adopted frameworks for analyzing malicious behavior and helping security professionals understand how attackers operate.</p> <p>Blocking or identifying attacks based on their techniques is essential, but understanding what these techniques do and how they work is just as important. 
By doing this, we can identify potential weaknesses in our environments and improve them accordingly.</p> <p>Understanding why attackers behave the way they do helps you identify the risks associated with their actions and what mitigation measures are needed to reduce the likelihood of successful attacks.</p> <p>The ATT&CK Framework provides an extensive understanding of attacks and their methods to prioritize investigations and remediation activities.</p> <h2>Anomali and Big Data</h2> <p>Today’s threats evolve quickly, targeting specific vulnerabilities to exploit known weaknesses. Organizations must move from a reactive approach to a more proactive one. Data collection is just one aspect of the larger process. After collecting all the information, you need to develop a plan for analyzing and processing it.</p> <p>The Anomali Platform helps address the need for a big data solution. </p> <p>Anchored by big data management and refined by artificial intelligence, The Anomali Platform delivers unique proprietary capabilities that correlate the largest repository of global intelligence with telemetry from customer-deployed security solutions. This combination empowers security operations teams to detect threats with precision, optimize response, achieve resiliency and ultimately stop attackers and breaches.</p> <p><a href="https://www.anomali.com/resources/ebooks/soc-modernization-and-the-role-of-xdr">Download </a>the SOC Modernization and the Role of XDR ebook from ESG Research to learn more about what security teams are looking for.</p>
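<p>As an added example of the unified view this post describes, and not code from the page or from the Anomali Platform, the Python below parses three constructed telemetry feeds in their native formats (EDR JSON lines, a proxy access log, and a NetFlow-style CSV), normalizes them to one record shape, enriches each record against a small threat-intelligence indicator set, and clusters the results per host into a single incident timeline. The formats, hosts, and indicators are all constructed for the example; 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.</p>

```python
"""Unifying telemetry from several sources into one correlated view.

Added example; not code from the page or from Anomali. It parses three
constructed feeds in their native shapes (EDR JSON lines, a proxy access
log, a NetFlow-style CSV), normalises them to one record layout, enriches
each record against a small threat-intel indicator set, and groups the result
per host into an incident timeline. Formats and indicators are assumptions
made for the example.
"""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed indicator set, shaped like a threat-intel feed export.
IOCS = {
    "198.51.100.23": {"type": "ipv4", "label": "c2-server", "confidence": 85},
    "update-cdn.example.net": {"type": "domain", "label": "malware-download", "confidence": 70},
}

EDR_JSONL = """\
{"ts": "2023-11-01T09:12:03", "hostname": "wks-42", "event": "process_start", "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA"}
{"ts": "2023-11-01T09:12:09", "hostname": "wks-42", "event": "process_start", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"ts": "2023-11-01T09:30:00", "hostname": "wks-07", "event": "process_start", "image": "outlook.exe", "cmdline": "outlook.exe"}
"""

PROXY_LOG = """\
2023-11-01T09:12:05 wks-42 GET http://update-cdn.example.net/stage2.bin 200 51200
2023-11-01T09:31:10 wks-07 GET https://intranet.example.com/ 200 2048
"""

NETFLOW_CSV = """\
ts,src_host,dst_ip,dst_port,bytes
2023-11-01T09:12:40,wks-42,198.51.100.23,443,9120
2023-11-01T09:35:00,wks-07,192.0.2.10,443,410
"""


def _record(ts, host, source, summary, indicator=None):
    """Common shape every source is normalised to."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "source": source,
            "summary": summary, "indicator": indicator}


def parse_edr(text):
    for line in text.splitlines():
        d = json.loads(line)
        yield _record(d["ts"], d["hostname"], "edr", f'{d["event"]} {d["image"]}: {d["cmdline"]}')


def parse_proxy(text):
    for line in text.splitlines():
        ts, host, method, url, status, size = line.split()
        yield _record(ts, host, "proxy", f"{method} {url} {status}", urlparse(url).hostname)


def parse_netflow(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield _record(row["ts"], row["src_host"], "netflow",
                      f'flow to {row["dst_ip"]}:{row["dst_port"]} ({row["bytes"]} B)', row["dst_ip"])


def enrich(records, iocs=IOCS):
    """Attach indicator context where a record's indicator is on the feed."""
    for r in records:
        r["ioc"] = iocs.get(r["indicator"]) if r["indicator"] else None
    return records


def build_records():
    recs = list(parse_edr(EDR_JSONL)) + list(parse_proxy(PROXY_LOG)) + list(parse_netflow(NETFLOW_CSV))
    return enrich(sorted(recs, key=lambda r: r["ts"]))


def correlate(records, window=timedelta(minutes=10), min_sources=2):
    """One incident per host: anchored on the first indicator hit, it gathers
    everything that host did within +/- window across all sources, and only
    counts when at least min_sources independently corroborate the activity."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    incidents = []
    for host, recs in by_host.items():
        hits = [r for r in recs if r["ioc"]]
        if not hits:
            continue
        anchor = hits[0]["ts"]
        cluster = [r for r in recs if abs(r["ts"] - anchor) <= window]
        sources = sorted({r["source"] for r in cluster})
        if len(sources) < min_sources:
            continue
        incidents.append({
            "host": host,
            "sources": sources,
            "ioc_hits": [r["indicator"] for r in cluster if r["ioc"]],
            "max_confidence": max(r["ioc"]["confidence"] for r in cluster if r["ioc"]),
            "timeline": [(r["ts"].isoformat(), r["source"], r["summary"]) for r in cluster],
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(build_records()):
        print(inc["host"], inc["sources"], inc["ioc_hits"], inc["max_confidence"])
        for ts, src, summary in inc["timeline"]:
            print(" ", ts, src, summary)
```

<p>The point of the per-source parsers is that the correlation step never sees three formats, only one; adding a tenth source means one more parser, not a change to the analytics. Requiring two independent sources before an incident is raised is what keeps a single noisy indicator match from becoming an alert on its own.</p>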
<h4 class="mb-4" style="text-align: center;"><em>“Anomali delivers a breakthrough to the alphabet soup of SIEM, SOAR, Intelligence & XDR at a fraction of the cost”</em></h4> <h2>Doing Business Today</h2> <p>In good or tough macroeconomic environments, security efficacy should be delivered with efficiency and a positive impact on earnings per share.</p> <p>CIOs and CISOs tell us that their overarching deliverable is to amplify the visibility of their security controls and enrich that visibility with actioned context to stop adversaries and attackers. This is easier said than done, due to the scale and performance of the underlying technology and because the cost to deliver optimal visibility has simply been prohibitive.</p> <p>Security operations are growing more complex and need to be modernized while rationalizing cost.</p> <p>The Anomali Platform delivers breakthrough levels of security visibility use cases while lowering cost and then applying the best democratized actioned intelligence to stop the adversaries —with automation at the heart of everything that we do.</p> <p>Our breakthrough is your consolidation and optimization of the alphabet soup of SIEM, SOAR, Intelligence, XDR, and the next-generation versions of the same. Indebted to my partner and founder Hugh Njemanze (aka Silicon Valley’s father of SIEM and Visibility) for tirelessly evolving and optimizing our vision to help our customers and the broader community of peers and partners beat the bad guys.</p> <h2>Background</h2> <p>Security operations are challenged with talent scarcity and rising costs to deal with a changing threat landscape (including ransomware), a growing (often uncontrolled) attack surface, a higher volume and complexity of security alerts, growing adoption of public cloud services, and keeping up with their business challenges in a more digital world.</p> <p>CIOs and CISOs have appropriately invested in comprehensive security controls (Endpoint, Network, Cloud, Email, Identity, Patching, etc.) 
and yet lack orchestrated visibility across the stack with the necessary forensic lookback (up to seven years in some cases). Most security controls do not talk to each other, and together with growing cloud logs this results in enormous growth in telemetry volume.</p> <p>To date, the technology that attempts to solve the big data problem traverses the alphabet soup of SIEM, SOAR, Intelligence, XDR, and the next-generation versions of the same. The challenge continues to be scale, performance, and democratized actioned intelligence. And it is just too costly.</p> <p>Hugh Njemanze long ago declared: “Visibility is crucial to the digitized enterprise. Back in the day, we started ArcSight to help address that problem with telemetry. Years later, despite the advent of next-gen SIEMs, SOARs, and various claims to XDR, it is still not commercially feasible to attain full visibility. That is the first step required in security operations and it is simply inhibited by cost. At Anomali, we ingest all telemetries and with proprietary technology, we do it at an affordable cost. This is essential to empowering modern businesses to unlock their true potential and what I had in mind in building the first SIEM.”</p> <h2>Solution: Modernize and Scale at a Lower Cost</h2> <p>At Anomali, we help our customers modernize their security operations by building a scalable foundation to deliver better and more relevant visibility while orchestrating and automating the rest of the security tech stack. We also help our customers move from a reactive baseline to a more proactive delivery of security.</p> <p>Some of our long-time XDR customers are now using The Anomali Platform to drive broader business insights. 
It’s an infinite game, and we will continue building the latest innovations in cloud, AI and ML, big data, intelligence, and automation.</p> <p>Given the economic and geo-political challenges, we are working tirelessly with our customers to modernize their security operations with an emphasis on reducing their costs. We have been humbled by the accolades for offering, until the end of the year, our proprietary attack surface and premium digital risk protection solutions free of charge – all rooted in democratized actioned intelligence.</p> <p>Please reach out and let us know how we can help you.</p>
<h2>Creating a Successful Threat Intelligence Program</h2> <p>The foundation of any effective security program is cyber threat intelligence. Organizations that adopt threat intelligence as part of their overall cybersecurity strategy find themselves better prepared to respond to emerging threats and avoid costly mistakes.</p> <p>To effectively protect an organization and its sensitive information, you need to know what active threats and malicious entities your security teams may face. This means you must collect, analyze, and share threat intelligence to detect attacks and take action against them quickly. </p> <p>Your ability to effectively secure your network depends directly on the quality and timeliness of your threat intelligence. Intelligence analysts need curated, relevant threat data to protect their organizations’ most valuable resources from persistent threats.</p> <p>Cyber threats are relentless and constantly evolving. Cyber threat intelligence gives intelligence teams critical insight into advanced adversaries and the information needed to equip internal resources and security technologies to protect the organization from cyber-attacks. Staying ahead of external threats requires a holistic threat intelligence program that encompasses security operations, so you can understand adversary behaviors and gain a complete picture of the overarching risks.</p> <h2>Where to Begin</h2> <p><em>Set a Goal:</em></p> <p>Start with a goal that sets expectations around what you want to do with the collected cyber threat information to keep your organization safe. Make sure it’s attainable and actionable; otherwise, it might become noise.</p> <p><em>Outline Deliverables: </em></p> <p>Who within your organization will be consuming threat intel and reports? You’ll need to inform security analysts cross-functionally, the C-suite, and your board. 
But you must ensure the intelligence is timely, relevant, and actionable so that each audience can make informed decisions.</p> <p><em>Understand Your Threat Landscape:</em></p> <p>You need to understand your attack surface, your vulnerabilities, and the threats that could be targeting your security environment. You also need to review current security practices and what security tools and architecture you use to protect your most valuable assets against potential threats.</p> <p>Cyber threats are relentless and constantly evolving. Staying ahead requires advanced automation and a holistic <a href="https://www.anomali.com/resources/what-is-a-tip" target="_blank">threat intelligence program</a>, typically built on a threat intelligence platform (TIP), which together lead to a strategic advantage. There are three main pillars to help your organization advance up the maturity curve: people, process, and technology. </p> <p><strong>People:</strong> Identify stakeholders for reporting and feedback when mapping out a process that effectively channels intelligence.</p> <p><strong>Process:</strong> Processes that take <a href="https://www.anomali.com/resources/what-is-threat-intelligence" target="_blank">threat intelligence</a> to a more strategic level must be developed and agreed upon cross-functionally.</p> <p><strong>Technology:</strong> The technology used should deliver on the processes outlined to ensure it supports organizational goals. </p> <h2>Climbing the Threat Intel Maturity Curve</h2> <p>While every organization is at its own level of development in its threat intelligence program, there are general steps you can take to determine where you are now and what is needed to evolve your program.</p> <h4><strong>Threat Data Collection</strong></h4> <p>Raw data collection is the beginning of any intelligence-gathering process. The relevance of the data is critical; it comes from external and internal sources, including open-source and commercial threat intelligence feeds. External data may include reports on IoCs (e.g., from ISACs, the Dark Web, vendors, clients, etc.) 
relevant to organizational vulnerabilities. Internal data is just as necessary as it informs intelligence with business-specific threats. Even at the beginning stage of a program, feedback from internal teams that have experienced a security incident should inform threat intelligence feeds to ensure they are relevant to the business.</p> <h4><strong>Threat Data Processing</strong></h4> <p>The next stage of development is processing or curating the data of relevant threats based on the complete environment. Even when using only the most relevant sources for incoming data, the volume can be overwhelming, and automation is essential. Security tools can save analysts time by automatically weeding through the data for actionable information. Based on the organization’s threat experience, well-targeted criteria will optimize this curation, enabling the automation to filter out the noise and produce practical intelligence.</p> <h4><strong>Threat Intelligence Integration</strong></h4> <p>As threat intelligence is a shared resource essential to stakeholders in different business functions, integrating systems will enable more relevant reporting and a better flow of feedback to improve intelligence gathering. A solid configuration management database (CMDB) and vulnerability management program are fundamental to successfully integrating systems and processes. Forming a Digital Forensics Investigations team that runs intel feeds against the complete environment can add significantly to actionable cyber threat intelligence.</p> <p>Once the integration is complete and your organization operates based on the latest threat intelligence, threats can be identified and blocked quickly. In addition to a faster response, insights into the capabilities of threat actors can be gained to thwart attacks at an earlier stage and before they enter the network.</p> <p>Another advantage of comprehensive integration is the convergence of physical with logical security. 
A simple use case: someone badges into a facility and then connects to the virtual private network (VPN). The system could raise a flag, because an employee who is already inside the building should not need the VPN. The odd behavior could be due to a stolen badge or to a compromised account being used remotely. Either way, it would trigger an alert.</p> <h4><strong>Measuring Threat Intel Effectiveness</strong></h4> <p>Measuring effectiveness is a pillar of a mature threat intelligence program. The two main types of metrics are the organization’s security posture and the team’s efficacy in doing its job. The benefits of tracking these areas are better cybersecurity, greater resource productivity, justification of current and future threat intelligence investments, and feedback for continual improvement.</p> <p>The main focus for measuring effectiveness is to add value so your organization can take action, not simply to tally threats found. The tracking process matters less than what is being tracked. Set a baseline measurement to compare improvements against, and track only metrics your security team has direct control over. Specific measurements may include time from IOC receipt to response, the number of campaigns tracked, feed efficacy (how many of a feed’s indicators ever match your telemetry, and how many of those matches turn out to be false positives), etc.</p> <h4><strong>Strategic Use of Intelligence</strong></h4> <p>The ultimate test of a cyber threat intelligence maturity assessment is whether or not the program is being used strategically. On the cybersecurity front, this would include moving from just the 'what' of threat actors to the 'who and why,' seeing trends in the threat landscape, and weighing the opportunity costs of taking action. On a business level, threat intelligence maturity can lead to collaboration across functional teams, company-wide involvement in technology investment, better risk management, and strategic planning. 
An effective threat intelligence program can even become a competitive advantage, assuring customers of their data security and protecting a company from devastating breaches.</p> <h2>Threat Intelligence Management Solutions</h2> <p>Most security teams turn to threat intelligence solutions like Threat Intelligence Platforms (TIPs) or Threat Intelligence Management solutions to help. Solutions like Anomali ThreatStream automate the collection and processing of raw data to transform it into actionable threat intelligence so security teams can make faster decisions. ThreatStream builds relationships between the various pieces of data to minimize false positives, helping teams prioritize and respond to threats and increasing analyst productivity with real-time information, resulting in the following:</p> <ul> <li>Automated correlation of data with threat intel</li> <li>Contextual analysis</li> <li>Generated alerts</li> <li>Confidence scoring</li> </ul> <p>Hear more from industry expert Jimmie Owens, CISO and Vice President, Enterprise Security, at DXC Technology, as he shares his insights and journey in cyber threat intelligence through various industries and organization types in the webinar, Climbing the Threat Intelligence Maturity Curve.</p>
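<p>The badge-then-VPN use case described under Threat Intelligence Integration above, worked through as an added Python example (this is not code from the post or from Anomali). It parses constructed badge-reader and VPN logs, builds per-user presence intervals from badge-in/badge-out pairs, and raises an alert for any VPN connection made while that user is still inside the building. The log layout, field names, user names and the 12-hour maximum-stay assumption for users who never badge out are all assumptions made for this example.</p>

```python
"""Correlate badge-reader events with VPN logins (added example, constructed data).

Rule: a VPN connection from a user who is currently badged into the building is
anomalous. Either the badge was cloned/stolen, or the account is being used
remotely by someone else. Either way it deserves an alert.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample logs. The "ts source key=value ..." layout, the field
# names and the users are assumptions for this example, not a real product format.
BADGE_LOG = """\
2023-03-01T08:02:10Z badge user=alice site=HQ action=in
2023-03-01T08:05:41Z badge user=bob site=HQ action=in
2023-03-01T12:15:00Z badge user=bob site=HQ action=out
2023-03-01T09:00:00Z badge user=carol site=HQ action=in
"""

VPN_LOG = """\
2023-03-01T08:31:00Z vpn user=alice src=198.51.100.7 action=connect
2023-03-01T10:00:00Z vpn user=dave src=203.0.113.21 action=connect
2023-03-01T13:02:00Z vpn user=bob src=198.51.100.9 action=connect
2023-03-01T20:10:00Z vpn user=carol src=203.0.113.20 action=connect
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    fields: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse 'ts source k=v k=v' lines into Events, sorted by time (logs arrive out of order)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, source, *pairs = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append(Event(ts, source, fields))
    return sorted(events, key=lambda e: e.ts)


def badge_presence(badge_events: List[Event]) -> Dict[str, List[Tuple[datetime, Optional[datetime]]]]:
    """Build per-user presence intervals: (badge_in, badge_out or None if still inside)."""
    intervals: Dict[str, List[Tuple[datetime, Optional[datetime]]]] = {}
    inside: Dict[str, datetime] = {}
    for ev in badge_events:
        user, action = ev.fields["user"], ev.fields["action"]
        if action == "in":
            inside.setdefault(user, ev.ts)  # repeated 'in' keeps the earliest entry time
        elif action == "out" and user in inside:
            intervals.setdefault(user, []).append((inside.pop(user), ev.ts))
    for user, t_in in inside.items():  # never badged out: open interval
        intervals.setdefault(user, []).append((t_in, None))
    return intervals


def find_badged_in_vpn(badge_text: str, vpn_text: str, max_stay_hours: float = 12) -> List[dict]:
    """Return one alert per VPN connection made while the same user is physically inside.

    An open interval (no badge-out) is assumed to last at most max_stay_hours, so a
    forgotten badge-out does not generate alerts forever.
    """
    presence = badge_presence(parse_log(badge_text))
    max_stay = timedelta(hours=max_stay_hours)
    alerts = []
    for ev in parse_log(vpn_text):
        if ev.source != "vpn" or ev.fields.get("action") != "connect":
            continue
        user = ev.fields["user"]
        for t_in, t_out in presence.get(user, []):
            t_end = t_out if t_out is not None else t_in + max_stay
            if t_in <= ev.ts <= t_end:
                alerts.append({
                    "user": user,
                    "badge_in": t_in.isoformat(),
                    "vpn_connect": ev.ts.isoformat(),
                    "src": ev.fields.get("src", "?"),
                    "reason": "VPN connection while badged into the building",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_badged_in_vpn(BADGE_LOG, VPN_LOG):
        print(alert)
```

<p>On the constructed data this flags alice (badged in at 08:02, VPN at 08:31) and carol (badged in at 09:00, never badged out, VPN at 20:10), but not bob, who badged out before connecting, nor dave, who never badged in. The maximum-stay cutoff is the knob to tune: lower it and carol drops out, because an open badge interval is then treated as stale. In production the same join would run against the badge system and VPN concentrator logs in the SIEM, and the alert should carry both timestamps so an analyst can decide between a stolen badge and a compromised account.</p>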
<p style="text-align: center;"><strong>Anomali Earns Frost and Sullivan Market Leadership Award for Broadening their Command of the Threat Intelligence Management Market to Deliver Comprehensive Threat Detection and Response</strong></p> <blockquote class="blockquote"> <p>“Keeping up with market trends has certainly paid off for Anomali – the different information inputs have allowed it to make a key strategic move: expanding its TIP to encompass a broader Extended Detection and Response (XDR) focus. Anomali’s ThreatStream, a cloud-native SaaS offering, is the market-leading TIP/threat intelligence management solution.” - Clara Dello Russo, Research Analyst</p> </blockquote> <p>Anomali is proud and honored to earn Frost & Sullivan’s 2022 Global Market Leadership Award in the Threat Intelligence Platforms industry. Anomali was recognized for being at the forefront of innovation and growth, extending its market leadership in threat intelligence to meet the growing challenges of extended threat detection and response.</p> <p>The challenges within the Cyber Threat Intelligence (CTI) space continue to grow. And with that growth, there is an increased need for intelligence-driven solutions that can meet the demands of other parts of the cybersecurity market. We saw the evolution of the threat landscape as an opportunity for us to expand and take advantage of our strengths and the power of our platform.</p> <p>Seven years ago, we recognized that organizations needed a way to collect, aggregate, analyze and operationalize threat intelligence, which led to the development of Anomali ThreatStream, a leading enterprise threat intelligence platform (TIP). Shortly thereafter, we introduced Anomali Match, opening new opportunities for our customers to optimize intelligence by immediately matching internal threats against external threats.</p> <p>This resulted in The Anomali Platform, an integrated cloud native offering that collects and manages unlimited levels of threat data. 
The Anomali Platform enables investigations, empowers internal threat detection by matching intelligence against all telemetry, and ultimately helps to power faster response by operationalizing intelligence across security infrastructures.</p> <p>At its foundation, our approach aims to close the gap against adversaries by continuously correlating all telemetry with the largest repository of global intelligence to optimize security ecosystems. The Anomali Platform is a cloud-native solution focused on intelligence-driven threat detection and response, and it is unique in applying big data, machine learning, and AI to identify and intercept attackers in real time.</p> <p>The Anomali Platform consists of:</p> <ul> <li><strong>Anomali ThreatStream</strong>: Threat intelligence management that automates the collection and processing of raw data and transforms it into actionable threat intelligence for security teams.</li> <li><strong>Anomali Match:</strong> Fueled by big data, this threat detection engine helps organizations quickly identify threats in real time by automatically correlating all security telemetry against active threat intelligence to expose known and unknown threats.</li> <li><strong>Anomali Lens:</strong> This natural language processing engine, delivered as a browser extension, helps operationalize threat intelligence by automatically scanning web-based content to identify relevant threats and streamline the lifecycle of researching and reporting on them.</li> </ul> <p>With this single cloud-native platform approach, customers can leverage common platform capabilities through a single sign-on experience instead of combining multiple systems to manage in silos. 
Shared cloud capabilities include:</p> <ul> <li>High-performance indicator correlation at a rate of 190 trillion EPS.</li> <li>Appliance-based and cloud-to-cloud ingestion of any security control telemetry.</li> <li>Global intel management across open, commercial, and proprietary sources.</li> </ul> <p>And we continue to innovate with a focus on helping our customers move from reactive to proactive security. Our vision is to further empower business leaders to drive more effective and efficient security operations at scale, enabling them to maximize their return on security investments while accelerating their digital transformation needs.</p> <p>Working with our customers, we recently introduced solutions they need to defend against cyber attacks. This includes:</p> <ul> <li>For Cyber Fusion and SOC teams: A proprietary Attack Surface Assessment that will survey and report on an organization’s exposed attack surface in the current environment.</li> <li>For Intelligence teams: Premium Digital Risk Protection that delivers phishing detection, brand monitoring, fraud protection, rogue app identification, and leaked credentials monitoring.</li> <li>For security teams: Integrated automation that improves analysts’ efficiency, reducing 20% or more of full-time employee (FTE) tasks.</li> </ul> <p>We are proud that Frost and Sullivan has recognized Anomali’s world-class performance in threat intelligence and our mission of continuous innovation within the cyber security industry to effectively address new challenges.</p> <p><a href="https://wwwlegacy.anomali.com/files/white-papers/Anomali_Award_Write-Up.pdf">Click here to read the latest report from Frost and Sullivan.</a></p>
<p>One of the more significant headaches in cyber security is the overuse of buzzwords and acronyms and the overlapping mutations of what they mean. Cyber threat hunting has become one of those phrases, but it has gained clarity over the last few years as organizations strived to become more proactive.</p> <p>So what is threat hunting? Depending on who you ask, you may get somewhat different answers to the same question.</p> <p>Cyber threat hunting is a proactive approach to detecting suspicious activity from known or unknown, remediated or unaddressed cyber threats within an organization’s networks. It involves finding malware such as viruses, Trojans, adware, spyware, ransomware, worms, bots, and botnets.</p> <p>The goal is for security analysts to find these threats before they cause damage to systems and data. It is closer to a fire inspection than to firefighting: the inspector walks the building looking for hazards before anything ignites, rather than waiting for the alarm.</p> <p>There is a vast collection of tools, skill sets, approaches, and processes to help identify advanced threats that could happen within the network. What is an effective hunting process for one organization may be a waste of time for another, depending on each company’s understanding of what threats they might face. Man-hours spent hunting are typically most beneficial for large organizations targeted by the cybercriminal community regularly, but that’s not to say that regular hunts for small and medium-sized enterprises can’t benefit from and identify threats by doing the same.</p> <h2>Structured Threat Hunting</h2> <p>The structured hunt is based on indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). IOCs are atomic artifacts left by an adversary, such as IP addresses, domain names, file hashes, and registry keys. TTPs describe how attackers operate and what tools they use. 
Combining IOCs and TTPs makes it possible to build a picture of the adversary.</p> <p>This approach allows us to detect threats earlier and prevent attacks. In addition, we can identify the threat actors more quickly because each activity is described in detail.</p> <h2>Unstructured Threat Hunting</h2> <p>The concept of unstructured hunting is relatively new. It wasn’t until 2013 that we began seeing the emergence of unstructured hunters. Unstructured hunting is a method of finding malicious software (malware), such as viruses, Trojans, worms, etc., without knowing exactly what type of malware you are looking for. Instead, the hunter relies on behavioral analysis to find these threats.</p> <p>In short, unstructured hunting is investigative work where a cyber threat hunter observes behavior and looks for anomalies. For example, if a host on the network starts sending out spam emails, a system administrator might notice the unusual outbound mail volume and investigate further. If they find something suspicious, they could take action immediately or watch for a few days to see whether the same addresses start sending again.</p> <h2>Traditional Threat Hunting</h2> <p>Traditional threat hunting can be defined as a focused and intensive human, machine-assisted process aimed at identifying the possibility of something malicious happening within the network, or likely about to happen, based on abnormal network behavior, artifacts, or identification via active threat research. A good example of this would be:</p> <p>A large bank has team members whose job includes consuming threat reports related to activity targeting their vertical and other companies that match their enterprise profile. A new threat report is published by an intel provider describing a new variant of malware that has been catastrophic at similar organizations. 
This report would ideally contain information around the process tree, registry keys, etc., to help the cyber threat hunters not just hunt for the associated IOCs but dig deeper to identify patterns that match the behavior of the malware across the network, like abnormal PowerShell execution or account behavior, to look for potential threats and other malicious activity. Essentially, one could assume that if other similar banks have already seen this, “we” are either currently being affected or are about to be. Threat-hunting teams can go on the hunt to confirm or deny that hypothesis.</p> <p>But that’s just one basic example. The “possibly malicious” aspect mentioned above can come from various hunting methods, which can all be “correct” in their own right, depending on the hidden threats, skills, and tools specific to an enterprise. These methods can be driven by the following:</p> <ul> <li>Intelligence-led hunting (IOC, actor, TTP), as mentioned above</li> <li>Hunting for specific unpatched vulnerabilities and whether they have been exploited</li> <li>Hunting based on abnormal account activity</li> <li>Hunting based on abnormal machine behavior (i.e., deviations from the network baseline)</li> <li>Identifying imminent threats based on keyword monitoring of Deep Web and Dark Web forum activity</li> </ul> <p>One interesting thing about this topic is that when discussing it, you may hear something like, “Threat hunting is not detection/remediation, and detection/remediation is not threat hunting.” This is 100% accurate, but the two processes rub shoulders and complement each other to a certain degree. An example of this could be a high-priority detection of traffic from a known critical asset to a known APT IP (which could be provided by a third party, open source, etc.). Now, of course, this is a detection and not part of a threat hunt, but if that one asset is communicating with that IP, what else might that APT have been up to? 
This is where a hunter could pivot into an actor profile and gather all additional information about the actor’s behaviors and infrastructure, such as TTPs, IOCs, etc., to execute a retrospective search within their SIEM and endpoint tools to identify: a) what other machines might have exhibited these behaviors; b) what other machines have direct matches on the associated IOCs; c) what known critical assets were involved; and d) how long this activity has been occurring in the network.</p> <h2>SANS 2022 Threat Hunting Survey</h2> <p>According to the SANS 2022 Threat Hunting Survey, 51% of respondents consider their threat hunting still maturing.</p> <p>Although threat hunting is not a pure tooling game, selecting appropriate tools significantly affects the quality of threat hunting.</p> <p>Essential components of an effective threat-hunting program include:</p> <ul> <li>Qualified hunters</li> <li>Security solutions and tools to establish visibility</li> <li>Actionable threat intelligence</li> </ul> <p>The survey found that classical security tools like SIEMs and EDRs again led the list this year, with 83% of respondents using them for threat hunting.</p> <p>Hunters need visibility into security systems that cover as many endpoints as possible within an organization. That way, every covered endpoint acts as a sensor, limiting the space available for an attacker to move around freely. Once threat-hunting teams have near-complete visibility into an organization, they must be able to perform real-time analysis to identify advanced threats. That’s when threat intelligence comes into play.</p> <h2>Utilizing MITRE ATT&CK for Effective Threat Hunting</h2> <p>Organizations are increasingly adopting threat hunting as part of their overall information assurance strategy. This requires a shift from reactive responses to attacks to a proactive approach where organizations actively monitor their environments and respond to suspicious activity. 
To achieve this, organizations must adopt a risk-based approach to threat hunting and ensure that their threat-hunting activities focus on areas of concern rather than being limited to reacting to incidents.</p> <p>The MITRE ATT&CK framework gives hunters a shared catalog of adversary tactics and techniques drawn from observed intrusions. Mapping known threats to ATT&CK techniques lets an organization focus on the TTPs most relevant to it and prioritize hunt activities based on risk assessment.</p> <p>Regardless of your definition of threat hunting, an enterprise needs to have the right components in place for it to be possible.</p> <ol> <li><strong>Identify the right people with the proper knowledge.</strong> Hunting is a resource-intensive process. Larger organizations may have a dedicated hunt team. The team executing the hunt should have an intimate understanding of the network configuration, the endpoint/SIEM/XDR tool interfaces, the user access policy, and, perhaps more than anything, a deep knowledge of the prevailing operating systems in use. Most organizations do not have the resources for a dedicated hunt team, so your threat hunters will most likely be wearing multiple hats. Analysts who know the native processes installed on an organization’s “gold image” endpoint deployment are good places to start.</li> <li><strong>Dedicate time for the team to hunt.</strong> As mentioned before, this process is human-driven and will never get any results if there isn’t any time dedicated to it. Set aside daily or weekly hunt hours on your skilled hunters’ calendars.</li> <li><strong>Know your critical assets.</strong> Sometimes it’s surprising to hear that the security teams of large organizations don’t know where the “crown jewels” are located, but it’s not uncommon. 
If your team doesn’t have this mapped out, take the time to identify the MAC addresses, hostnames, etc., of the machines that hold the employee, customer, web application, and intellectual property data. This means threat hunters can easily key their hunts to those assets as part of their schedule.</li> <li><strong>Invest in the right tools</strong> - A metal detector only has a purpose on a beach that holds hidden treasure. Without proper implementation of SIEM, XDR, endpoint, and threat intelligence tooling, the hunt team is sweeping an empty room: the data that would reveal an intruder was never collected.</li> <li><strong>Invest in third-party intelligence</strong> – Know the threats specific to your vertical and your brand by investing in threat intel and threat intelligence management solutions to collect, curate, and integrate large datasets of threat intelligence, like Anomali ThreatStream.</li> <li><strong>Collect internal intelligence</strong> - Document all information and artifacts collected from successful hunts so that, once defensive measures are properly implemented, you don’t have to hunt the same thing twice, or at the very least it is a lot easier to identify and remediate the second time around.</li> <li><strong>Know your vulnerability landscape</strong> - Know what CVEs are currently unpatched in your network; know their associated severity level; understand what is actively being exploited by the actors that target you so that the hunt team has yet another logical launching point. 
The “knowing” part can come from manual analyst research or third-party solutions like vulnerability scanners and threat intel companies.</li> <li><strong>Have a clear plan before beginning.</strong> Don’t get caught up trying to block or quarantine, or to set up correlation on, each suspicious entity as you find it; develop a clear hypothesis of what could happen, and tailor your hunting activities to confirm or refute that hypothesis.</li> </ol> <p>Every organization must dedicate skills, tools, and time to the hunting process to become proactive and be considered an end-to-end security organization. While each organization’s approach may be slightly (or widely) different from others, that doesn’t mean it’s “wrong.”</p> <p>Adopt a process that works best for you to ensure a successful threat-hunting program.</p>
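<p>The retrospective pivot described under Traditional Threat Hunting (a detection on a known APT IP, expanded into the actor’s IOCs and TTPs and searched back through SIEM and endpoint data for points a through d) and the “know your critical assets” step above, worked through as one added Python example. This is not code from the post or from any Anomali product. The actor profile, the JSON-lines SIEM export, the host names and the critical-asset list are constructed for the example; the encoded-PowerShell check is a generic behavioral pattern, not a signature for any real actor.</p>

```python
"""Retrospective hunt from an actor profile (added example, constructed data).

Given the IOCs and a behavioural TTP attributed to an actor, sweep a SIEM export and
answer: which hosts show the behaviour, which hosts match an indicator directly,
which critical assets are involved, and how long the activity has been going on.
"""
import json
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed profile. The name, addresses, domain and hash are placeholders,
# not attributable to any real actor.
ACTOR_PROFILE = {
    "name": "HYPOTHETICAL-APT",
    "ips": {"203.0.113.50", "203.0.113.51"},
    "domains": {"update-check.example"},
    "hashes": {"0123456789abcdef0123456789abcdef"},
    # Behavioural TTP: PowerShell launched with an encoded command. PowerShell accepts
    # any unambiguous prefix of -EncodedCommand, so -e, -ec, -en and -enc all count.
    "cmdline_patterns": [re.compile(r"powershell(\.exe)?\b.*?\s-(e|ec|en|enc|encodedcommand)\b", re.I)],
    # An Office parent makes the PowerShell launch more suspicious (macro-style delivery).
    "parent_patterns": [re.compile(r"^(winword|excel|outlook)\.exe$", re.I)],
}

CRITICAL_ASSETS = {"fin-db-01", "hr-files-02"}  # the "crown jewels" list from the asset inventory

# Constructed SIEM export, one JSON object per line; field names are assumptions.
SIEM_EXPORT = """\
{"ts":"2023-02-03T14:05:00Z","host":"ws-2077","type":"process","parent":"OUTLOOK.EXE","cmdline":"PowerShell -NoP -NonI -W Hidden -EncodedCommand JABjAGwA"}
{"ts":"2023-02-10T09:12:00Z","host":"ws-1042","type":"netflow","dst_ip":"203.0.113.50","dst_port":443}
{"ts":"2023-02-10T09:13:30Z","host":"ws-1042","type":"process","parent":"WINWORD.EXE","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"ts":"2023-02-14T22:41:10Z","host":"fin-db-01","type":"dns","query":"update-check.example"}
{"ts":"2023-02-15T01:00:00Z","host":"hr-files-02","type":"process","parent":"svchost.exe","cmdline":"powershell.exe -ExecutionPolicy Bypass -File C:/scripts/backup.ps1"}
{"ts":"2023-02-20T11:00:00Z","host":"ws-3001","type":"file","hash":"0123456789abcdef0123456789abcdef","path":"C:/Users/Public/svc.exe"}
{"ts":"2023-02-21T08:00:00Z","host":"ws-1042","type":"netflow","dst_ip":"198.51.100.1","dst_port":443}
"""


def match_event(profile: dict, ev: dict) -> List[Tuple[str, str]]:
    """Return ('ioc', value) or ('ttp', description) pairs for every way ev matches the profile."""
    hits: List[Tuple[str, str]] = []
    for key in ("src_ip", "dst_ip"):
        if ev.get(key) in profile["ips"]:
            hits.append(("ioc", ev[key]))
    if ev.get("query") in profile["domains"]:
        hits.append(("ioc", ev["query"]))
    if ev.get("hash") in profile["hashes"]:
        hits.append(("ioc", ev["hash"]))
    cmdline = ev.get("cmdline", "")
    if any(p.search(cmdline) for p in profile["cmdline_patterns"]):
        parent = ev.get("parent", "")
        from_office = any(p.search(parent) for p in profile["parent_patterns"])
        hits.append(("ttp", "encoded PowerShell" + (" spawned by Office" if from_office else "")))
    return hits


def hunt(profile: dict, siem_jsonl: str, critical_assets: set) -> dict:
    """Sweep a JSON-lines SIEM export and summarise the actor's footprint."""
    direct: Dict[str, List[str]] = {}
    behaviour: Dict[str, List[str]] = {}
    times: List[datetime] = []
    for line in siem_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = match_event(profile, ev)
        if not hits:
            continue
        times.append(datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ"))
        for kind, detail in hits:
            bucket = direct if kind == "ioc" else behaviour
            if detail not in bucket.setdefault(ev["host"], []):
                bucket[ev["host"]].append(detail)
    hosts = set(direct) | set(behaviour)
    first, last = (min(times), max(times)) if times else (None, None)
    return {
        "actor": profile["name"],
        "hosts": sorted(hosts),                                   # everything the actor touched
        "direct_hits": direct,                                    # b) hosts with indicator matches
        "behavior_hits": behaviour,                               # a) hosts showing the TTP
        "critical_assets": sorted(hosts & set(critical_assets)),  # c) crown jewels involved
        "first_seen": first.isoformat() if first else None,       # d) how long it has been going on
        "last_seen": last.isoformat() if last else None,
        "dwell_days": (last - first).days if times else 0,
    }


if __name__ == "__main__":
    print(json.dumps(hunt(ACTOR_PROFILE, SIEM_EXPORT, CRITICAL_ASSETS), indent=2))
```

<p>On the constructed export the sweep finds four hosts: ws-1042 matches both the actor IP and the encoded-PowerShell behavior, ws-2077 shows the behavior alone (no indicator hit, which is exactly the host a pure IOC search would miss), fin-db-01 resolves the actor domain and is on the critical-asset list, and ws-3001 carries the known file hash. The benign scheduled PowerShell on hr-files-02 is ignored because it is not encoded. First-seen and last-seen span 16 days, which is the dwell-time figure the hunt hands to incident response. The same structure works against a real SIEM by replacing the string with a paged query result.</p>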
<p>Since 2004, the President of the United States has proclaimed October as Cybersecurity Awareness Month, helping individuals better understand cybersecurity threats and protect themselves from them. Every year, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) collaborate to increase cybersecurity awareness among private sector companies and consumers.</p> <h2>This Year’s Theme: “See Yourself in Cyber”</h2> <p>“This year’s campaign theme — “See Yourself in Cyber” — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people. This October will focus on the “people” part of cybersecurity, providing information and resources to help educate CISA partners and the public, and ensure all individuals and organizations make smart decisions whether on the job, at home or at school – now and in the future. We encourage each of you to engage in this year’s efforts by creating your own cyber awareness campaigns and sharing this messaging with your peers.”</p> <p>-Cybersecurity and Infrastructure Security Agency (CISA)</p> <h2>Cybersecurity is Complex</h2> <p>See Yourself in Cyber can be interpreted in multiple ways. To me, it’s speaking to those students unsure of what to major in, telling them to see themselves working in the industry. It’s reaching out to other departments within an organization to get them to understand how they impact security. And it’s highlighting how hard a security analyst’s job is.</p> <p>In a recent <a href="https://www.anomali.com/blog/security-operations-are-more-difficult-now-more-than-ever-buy-why">blog post</a>, I dove deeper into why security is more challenging than ever.</p> <p>And it all comes back to people. People are the heart of any security organization. 
Security tools are a requirement, but they don’t replace people.</p> <p>According to (ISC)²’s <a href="https://www.isc2.org/-/media/ISC2/Research/2021/ISC2-Cybersecurity-Workforce-Study-2021.ashx">2021 Cybersecurity Workforce Study</a>, there is still a cybersecurity workforce gap of more than 2.72 million, which for some organizations means they’re already behind before even starting.</p> <h2>Improving Your Security Posture</h2> <p>There are many ways an organization can improve its security posture.</p> <p>They can <a href="https://www.anomali.com/blog/the-need-for-savvy-sharing-of-threat-intelligence">share threat intelligence</a>. They can invest in <a href="https://www.anomali.com/resources/what-is-a-tip">threat intelligence platforms</a> or <a href="https://www.anomali.com/resources/what-is-extended-detection-and-response-xdr">XDR solutions</a> that improve their existing investments.</p> <p>For this blog, I’ve narrowed it down to five:</p> <h3>1) Understanding Your Relevant Threat Landscape</h3> <p>Understanding the attack surface is key to knowing what assets need protection and how best to protect them. Unfortunately, most organizations struggle because their attack surface keeps changing.</p> <p>Start with an attack surface assessment. Find out how an attacker sees you. Map your assets against their potential vulnerabilities and your readiness to prevent or respond to threats. 
This will help you understand how well current tools and investments protect critical assets and what additional measures need to be taken to improve protection.</p> <p>A comprehensive assessment should include the following:</p> <ul> <li>Visibility into all external-facing assets, to uncover exposed assets</li> <li>Identification and evaluation of the current security programs</li> <li>Evaluation of the effectiveness of information security policies, procedures, and processes</li> <li>Determination of the effect of cybersecurity incidents on KPIs, including availability, integrity, and privacy</li> <li>Assessment of the maturity level of current tools and investments</li> <li>Identification of areas where the current infrastructure could be improved</li> </ul> <p>Identifying and managing cyber risks begins with a thorough inventory of existing IT assets, but it is more than just attack surface management. Threat intelligence needs to be at the foundation of any security program.</p> <p>Organizations must understand their adversary to understand their threat landscape completely.</p> <p>Threat intelligence helps organizations answer:</p> <ul> <li>What are my adversaries’ strengths and weaknesses, and how might they attack me?</li> <li>What are the attack points that could compromise the safety of my business?</li> <li>What should my security team be watching out for?</li> <li>What steps can we take to minimize our company’s risk from a cyber attack?</li> </ul> <p>Understanding your relevant threat landscape will help your security team become more proactive and stay ahead of threats targeting you.</p> <h3>2) Continuously Monitoring for Threats</h3> <p>Many organizations rely on technology to conduct critical operations in today’s environment. These technologies range from mobile devices, cloud computing, web applications, and social media platforms to databases, networks, and physical assets. 
As a result, the risk of cyberattacks is growing rapidly, leading to increased exposure to potential threats.</p> <p>IT teams are under constant pressure to improve the performance of their networks while ensuring they remain secure. At the same time, security teams must deal with various threats, ranging from sophisticated malware to zero-day exploits and ransomware.</p> <p><strong>Monitoring Your Infrastructure</strong></p> <p>To address this, organizations must continuously monitor their IT infrastructure to identify vulnerabilities and maintain compliance with regulations. Continuous monitoring enables organizations to detect potential threats and vulnerabilities quickly and efficiently.</p> <p>Most security teams use several security management tools to help them manage their security infrastructure. Continuous monitoring can provide insights into how well your security controls work, what risks you face, and where you stand against your peers. This allows you to make better decisions about your security programs and take action to address issues.</p> <p><strong>Monitoring for Threats</strong></p> <p>It’s challenging to keep up with the ever-changing threat landscape. Most security teams use threat intelligence platforms or threat intelligence management solutions to help them identify threats. Solutions like Anomali ThreatStream automate the gathering and analysis of raw data to turn it into actionable threat intel for security analysts.</p> <p>The effectiveness of your security posture relates directly to the quality and timeliness of your threat intelligence. Analysts equipped with curated, relevant threat data can act quickly, securing the organization’s most valuable assets first and conducting efficient investigations afterward.</p> <p><strong>Detecting Threats</strong></p> <p>With increasingly sophisticated attacks, analysts need better visibility and insight into their networks to detect them sooner. 
They need a solution that intelligently combines all relevant security data to help detect advanced adversaries and sophisticated attacks in real time.</p> <p>Extended detection and response (XDR) solutions collect telemetry from security tools in real time to close security gaps and provide an integrated platform for effective threat detection. They offer increased visibility across multiple security solutions through one single interface.</p> <p>Anomali takes the data collection process further by integrating threat intelligence with our XDR solution. Data is normalized and enriched and then correlated with the world’s largest curated global intelligence repository.</p> <p>This enables organizations to understand what’s happening inside and outside their network, to watch for and detect advanced threats.</p> <p>Continuous monitoring of all parts of your security programs will help you understand your organization’s risk tolerance and manage risks consistently across the board.</p> <h3>3) Educating Your Employees</h3> <p>To some, security isn’t a tech problem - it’s a people problem. Even with the most advanced tools, uneducated staff can fall victim to some of the simplest and most common attacks. Stanford Research found that 88% of data breaches are caused by human error.</p> <p>The shift toward remote work created challenges for companies looking to protect employee information and applications. It forces IT departments to scramble to ensure that data security and compliance regulations are followed. At the same time, many employees are now using personal devices and apps to connect to corporate networks and email accounts, making it easier for attackers to gain access to sensitive files and data.</p> <p>In addition, some people might forget to log out of their personal accounts when they finish using them. 
As such, even if you’ve disabled sharing across devices, a user can easily end up logged into several accounts on one device, and a phishing attack against any one of them can reach the rest.</p> <p>Finally, employees must use a different password for every account and change a password as soon as it may have been exposed. Attackers take password databases leaked from one breach and try those passwords against other sites (credential stuffing), so a reused password is compromised everywhere at once. Forced periodic rotation does not stop this; NIST SP 800-63B advises against requiring it, and instead recommends screening new passwords against lists of known-breached values and adding multi-factor authentication.</p> <p>It’s challenging to educate employees on cybersecurity best practices. Many companies still rely heavily on traditional methods of communication, such as email, phone calls, and meetings, to inform their workforce about essential changes. This approach leaves employees feeling disconnected from their employer and increases the risk of employee theft or misuse of confidential information.</p> <p>Organizations should consider adopting alternative ways of communicating with their employees, such as live chat sessions, instant messaging, and social media. These options allow employees to feel more engaged and connected to their workplace while providing additional protection against cyber threats.</p> <p>Adopting a security-first culture and educating employees will pay dividends.</p> <h3>4) Planning for an Attack</h3> <p>Breaches are inevitable. An effective security strategy means planning for the worst possible outcome. Security teams must ensure they have the right people, processes, and technology to respond effectively to attacks.</p> <p>Whether it’s ransomware or phishing scams, many types of attacks can cause severe damage to both companies and employees. But what happens when a cyberattack does occur? What do you do about it? How do you prepare for such events?</p> <p>A Cybersecurity Incident Response Plan (CIRP) is a document that guides organizations about what steps to take during a cyberattack. 
NIST defines it as “a plan detailing actions to be taken in response to a cybersecurity incident.” This includes planning ahead with training, communication, and notification. </p> <p>An organization must develop a comprehensive plan that covers every aspect of managing a cybersecurity incident. The plan should include the following components:</p> <ul> <li><strong>Detection and Analysis</strong> - How do you detect the threat? What tools are used to monitor systems? What happens if something goes wrong? What is being done to prevent future attacks?</li> <li><strong>Containment</strong> - Is the attack contained within the network perimeter? If the attacker gains access to another computer outside the network, what does the plan say about that? What do you do if someone tries to hack into the network from outside? Do you notify law enforcement?</li> <li><strong>Eradication</strong> - Can the threat be removed from the network? Are there ways to prevent this from happening again? Does the plan detail how to recover from a failed attempt to erase the threat actor?</li> <li><strong>Recovery</strong> - After the incident is over, what do you do next? Will you rebuild the affected computer? Will you restore backups? What happens to the attacker?</li> </ul> <p>Without a comprehensive plan, you risk missing critical actions and exposing yourself to costly fines. Your organization could even face criminal charges. </p> <p>A well-written plan helps ensure that employees know how to react during an emergency and gives management a clear path forward following a breach.</p> <h3>5) Aligning Security with Business</h3> <p>Many organizations view security as a cost center rather than a strategic asset. 
Organizations are typically looking for quick wins without considering the long-term impact on the organization, often overlooking what that means from a security perspective.</p> <p>Today’s threat landscape demands a different approach to keep up with the changing world of cybersecurity.</p> <p>In today’s world, everyone needs a seat at the table to break down silos and ensure a strong security posture. The CEO and board of directors must understand what it takes to build a secure environment and how to manage risks associated with cybersecurity threats. Employees must understand how their actions impact security. The marketing team. Finance. Sales. Everyone needs to know how their actions affect the organization’s overall security.</p> <p>While business leaders might understand the risks facing their organizations, this might not boil down to a clear, consolidated approach across the organization. Most organizations struggle to align their cybersecurity programs and their organizations’ business strategies. This creates operational friction between a security team wanting to protect the business and business leaders wanting to expand revenue.</p> <p>Organizations must foster a collaborative environment to align business objectives with cyber risk to expand their markets, protect revenue streams, and secure the development and deployment of new products and services. Weighing the potential risk and consequences in a way that makes cents (intended) to the business will go a long way.</p> <p>As this year’s theme states, cybersecurity may seem like a complex subject, but ultimately, it’s all about people. The more people work together, the more they’ll be able to comprehend how their actions impact security. Maybe then they’ll “See Yourself in Cyber.”</p>
<p>In 2013, researchers at MITRE Corporation published the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. This framework describes how attackers operate within an organization and offers a common language for describing these attacks. The framework describes both adversaries’ behaviors and their attempts to compromise systems and provides a set of indicators for measuring the effectiveness of security measures.</p> <p>Recent <a href="https://www.anomali.com/resources/ebooks/soc-modernization-and-the-role-of-xdr">ESG Research</a> found that the MITRE ATT&CK framework has grown in popularity to the point that nearly nine in ten organizations use it today. As SOC managers look into the future, they see even greater MITRE utilization. 97% of security professionals believe that MITRE ATT&CK (and derivative projects) will be critically important to their organization’s security operations strategy.</p> <p>If you missed our recent <a href="https://www.anomali.com/resources/webcasts/mitre-engenuity-and-anomali-help-you-anticipate-an-adversarys-next-move">webinar</a>, here’s an excerpt on how to explain MITRE ATT&CK to executives: </p> <p>Or check out our <a href="https://www.anomali.com/resources/what-mitre-attck-is-and-how-it-is-useful">“What is the MITRE ATT&CK Framework” </a>resource for an in-depth overview.</p> <h2>Seeing the Big Picture with the MITRE ATT&CK Framework</h2> <p>Breaches are inevitable. Anyone who tells you otherwise probably has a bridge for sale as well.</p> <p>The reality is that breaches happen—and often multiple times. Our <a href="https://www.anomali.com/resources/whitepapers/anomali-cybersecurity-insights-report?utm_medium=document&utm_source=anomali&utm_campaign=harris-poll&utm_content=blog&cid=7014z000001Ivxt">Cybersecurity Insights</a> report showed that no industry is safe as even with increased investment, most businesses (87%) have fallen victim to successful cyberattacks in the past three years that resulted in damage, disruption, or a breach to their businesses.</p> <p>As an organization’s attack surface grows, it provides more opportunities and vulnerabilities for attackers to exploit. 
Adversaries continuously improve their stealth and TTPs to bypass existing security controls, a reality that is forcing organizations to change how they approach threat detection and response.</p> <p>MITRE ATT&CK helps organizations understand the bigger picture by shifting their focus away from just looking at IP addresses and domains to one that illuminates the threat within the context of an organization’s overall cybersecurity posture.</p> <p>With MITRE ATT&CK, organizations are creating more secure futures by detecting incoming attacks and identifying and mitigating them before they cause damage.</p> <p>The ATT&CK framework helps security professionals with their daily technical analyses, making them better at what they do. When used to its full potential, MITRE ATT&CK can help security executives gain better value from existing technologies, including threat intelligence platforms (TIPs), SIEMs, and other security analytics tools.</p> <h2>Using ATT&CK to Understand Gaps</h2> <p>ATT&CK helps organizations establish strategic visibility into gaps in controls, making it easier to prioritize security investments in people, processes, services, and solutions. </p> <p>By using the MITRE ATT&CK framework to apply contextualization to security postures and controls, organizations can quickly identify weaknesses within their security ecosystems. </p> <p>Security leaders should use the ATT&CK framework with threat intelligence to validate their security tools and programs and determine the most prevalent threats in their environment. By understanding where their most significant risks lie, organizations can prioritize their threat mitigation efforts, assess the effectiveness of their current cybersecurity measures, and identify opportunities for cost savings. 
This leads to greater efficiencies, increased productivity, and better defense capabilities.</p> <h2>Applying Cyber Threat Intelligence with MITRE ATT&CK</h2> <p>ATT&CK and threat intelligence can be a powerful combination, because together they allow adversarial behaviors to be described in a standard fashion. Actors can be tracked with associations to the techniques and tactics in ATT&CK that they have been known to utilize. This allows defenders to apply those insights to operational controls and see their strengths and weaknesses against specific threat actors.</p> <p>By using threat intel to enrich existing knowledge about threat actors, connecting their attacks, behavior, and tactics from specific campaigns, you’ll gain a richer understanding of attacker capabilities and intentions.</p> <p>The intelligence creation process can also benefit from using the common vocabulary of ATT&CK. As mentioned, this can apply to actors and groups and to observed behaviors as seen from the SOC or incident response activities. Malware can also be described in terms of behaviors via ATT&CK. Tools supporting ATT&CK can help make this process straightforward and consistent.</p> <p>Standardizing on ATT&CK references can dramatically improve efficiency and ensure shared understanding. This makes disseminating intelligence to operations or management much more manageable when all parties speak the same language around adversarial behaviors. </p> <h2>Using ATT&CK to Better Understand Adversaries</h2> <p>The ATT&CK framework is one of the most widely adopted frameworks for analyzing malicious behavior and helping security professionals understand how attackers operate.</p> <p>While blocking or detecting attacks based on the techniques used is essential, it is equally important to understand what the technique does and how it works. 
By doing this, you can identify potential weaknesses in your environment and take appropriate measures to strengthen them.</p> <p>It’s equally important to understand both the techniques themselves and how attackers use them. If an attacker has pivoted to another target using stolen credentials, you must figure out why they did so. Is it because they don’t have access to the necessary tools to exploit a web server application’s remote code execution vulnerability? Or do they prefer to leverage credentials over exploits because it gives them greater flexibility and stealth?</p> <p>Understanding why attackers behave the way they do helps you identify the risks associated with their actions and what mitigation measures need to be taken to reduce the likelihood of successful attacks.</p> <p>The ATT&CK framework provides an in-depth knowledge base of attack intelligence - making it more straightforward to apply that intelligence to investigations. Organizations can form conclusions based on verified data and structure to improve prioritization and remediation strategies based on observations from real-world activity.</p> <h2>Understanding Your Relevant Threat Landscape</h2> <p>In addition to providing a detailed view of attacker behavior, the ATT&CK framework helps organizations build a complete picture of their threat landscape by identifying the tactics, techniques, and procedures used by different threat actors and mapping out their relationships with each other.</p> <p>This enables organizations to correlate events from different data streams, including emails, social network posts, and even malware, to understand the threats they face and their potential impact.</p> <p>For example, an organization wants to know where a specific threat group is attacking its targets. You could use the ATT&CK framework to look up “targeting.” Once the tactics are identified, an analyst could drill down further to identify the specific techniques and procedures used under each tactic. 
In this case, the TTPs may include phishing emails, spearphishing emails, watering hole attacks, etc. After reviewing the specific tactics, techniques, and procedures (TTPs) used by the threat group, an analyst can decide if they fit the profile of the attack and take action against the threats posed by that group.</p> <p>By leveraging ATT&CK, organizations identify the specific threat groups targeting them. They can examine the TTPs those groups are known to use and focus their attention on those specific TTPs. This allows security teams to prioritize and plan remediation efforts based on observed attacks.</p> <h2>Anomali and MITRE</h2> <p>In 2021, Anomali joined MITRE Engenuity’s Center for Threat-Informed Defense to collaborate on the Attack Flow Project to better understand adversary behavior and improve defensive capabilities. This partnership culminated with the public release of the project in March 2022.</p> <p>The Attack Flow project will provide context around adversary behavior and help security teams expertly profile the adversary and visualize attack patterns. It will also enable them to better protect the organization against potential threats before an attack, detect it in real time, and respond post-attack.</p> <h2>Why Analysts Should Use Threat Frameworks</h2> <p><em>Understand Context:</em></p> <p>A framework helps an organization better identify the context of a cyber attack and determine whether they’re at risk. With the latest vulnerability or breach making its way around, risk management frameworks can help organizations assess their current level of exposure and quickly respond to the question everyone wants to ask: “Are we impacted?”</p> <p><em>Improve Efficiencies:</em></p> <p>A further reason for adopting a threat framework is to improve organizational efficiency by allowing all teams to benefit from successful projects immediately. 
Security teams are already stretched thin, making it difficult to defend against every threat. Frameworks are scalable for all organizations, from small security operations centers to large enterprises with dedicated threat-hunting teams, incident response teams, red teams, and blue teams.</p> <p><em>Visualize the Threat Landscape:</em></p> <p>Finally, by visualizing the threats in real time, analysts can map them to their footprints on the framework and narrow the scope of an investigation to only what is relevant to their organization’s security posture and vulnerability profile.</p> <h2>ESG Research Findings</h2> <p>ESG Research found that MITRE ATT&CK has become instrumental in various security operations processes to defend against advanced threats. Of those organizations embracing the MITRE ATT&CK framework, 35% use MITRE to better understand cyber adversaries’ tactics, techniques, and procedures.</p> <p>Using the ATT&CK framework, organizations can quickly identify weaknesses within their security ecosystems to increase defensive activities against potential attacks.</p> <p><a href="https://www.anomali.com/resources/ebooks/soc-modernization-and-the-role-of-xdr">Download the ESG research</a> to learn more.</p>
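<p>The control-gap analysis described under “Using ATT&CK to Understand Gaps” and the threat-group profiling described under “Understanding Your Relevant Threat Landscape”, as an added example that is not part of the original post or of any Anomali product: a small Python script that uses real ATT&CK technique and tactic IDs together with constructed group profiles (placeholder names GROUP-A/B/C, not real attribution) and a constructed detection-coverage inventory. It ranks the uncovered techniques across the groups of interest, lists the tactics in which the organization is blind, and scores how well techniques observed in an incident fit each group’s known profile.</p>

```python
"""Added example: ATT&CK-based gap analysis over constructed group profiles."""
from collections import Counter

# Real ATT&CK technique IDs mapped to (name, one tactic ID used here).
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "TA0001"),      # Initial Access
    "T1189": ("Drive-by Compromise", "TA0001"),               # watering hole
    "T1190": ("Exploit Public-Facing Application", "TA0001"),
    "T1078": ("Valid Accounts", "TA0001"),                    # stolen credentials
    "T1059.001": ("PowerShell", "TA0002"),                    # Execution
    "T1003": ("OS Credential Dumping", "TA0006"),             # Credential Access
    "T1021": ("Remote Services", "TA0008"),                   # Lateral Movement
    "T1486": ("Data Encrypted for Impact", "TA0040"),         # ransomware
}

# Constructed group profiles with placeholder names (not real attribution).
ACTORS = {
    "GROUP-A": {"T1566.001", "T1059.001", "T1003", "T1078", "T1021", "T1486"},
    "GROUP-B": {"T1190", "T1059.001", "T1021"},
    "GROUP-C": {"T1189", "T1078", "T1021"},
}

# Constructed control inventory: techniques the current tooling can detect.
COVERED = {"T1566.001", "T1190", "T1059.001", "T1486"}


def actor_gaps(actor):
    """Techniques the group is known to use that no current control detects."""
    return sorted(ACTORS[actor] - COVERED)


def prioritize(actors_of_interest):
    """Uncovered techniques ranked by how many relevant groups rely on them;
    ties are broken by technique ID so the output is deterministic."""
    counts = Counter()
    for actor in actors_of_interest:
        counts.update(actor_gaps(actor))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def blind_tactics(actors_of_interest):
    """Tactic IDs in which a relevant group has at least one uncovered technique."""
    return sorted({TECHNIQUES[t][1] for t, _ in prioritize(actors_of_interest)})


def match_observed(observed):
    """Score each group by overlap between its known TTPs and the techniques
    observed in an incident (overlap count and Jaccard index), best fit first."""
    observed = set(observed)
    scored = []
    for actor, ttps in ACTORS.items():
        overlap = len(ttps & observed)
        jaccard = overlap / len(ttps | observed)   # ttps is never empty
        scored.append((actor, overlap, round(jaccard, 2)))
    return sorted(scored, key=lambda s: (-s[1], -s[2], s[0]))


if __name__ == "__main__":
    relevant = ["GROUP-A", "GROUP-C"]  # groups CTI says target this sector
    print("uncovered techniques:", prioritize(relevant))
    print("blind tactics:", blind_tactics(relevant))
    print("best-fit groups:", match_observed({"T1078", "T1021", "T1003"}))
```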