With the cybersecurity threat landscape evolving at an ever-increasing rate, security teams have little time to rest. Protective measures must be constantly reviewed and augmented and any incidents that occur met with a rapid response.
This comes at a time when industry research[1] shows cyberattacks have been increasing at a rate of 27% annually. In 2021, it is estimated that the cost of cybercrime globally reached $US 6 trillion[2].
Many security teams are also finding that taking a reactive approach is no longer sufficient. Instead of bunkering down and waiting for an attack to occur, more proactive approaches are required.
Proactive IT security
A proactive IT security strategy needs to comprise a range of elements. It must have strict preventative measures that reduce the overall attack surface while also having tight controls over which applications can run and when.
It should also have robust proactive detection and response capabilities for incidents that are caused by cybercriminals who actually manage to get past existing control measures.
Where in-house capacity is limited, consideration should also be given to harnessing the capabilities of an external security specialist that is capable of undertaking managed threat hunting services. This will increase the likelihood that any attackers who have breached the network can be quickly discovered and neutralised.
Preventing living-off-the-land attacks
The selected security partner should be able to discover attackers who are using so-called living-off-the-land (LotL) and malware-less techniques in their attempts to get around existing security controls.
LotL attacks occur when an attacker makes use of what is already on a target organisation’s devices and servers and doesn’t need to download or install any malware. This makes such attacks particularly difficult to spot.
Types of LotL attacks that have been observed include double-use of tools such as PowerShell and threats that run only in memory. There are also attacks that take place in non-executable files, such as Office documents, or within macros.
Avoiding these attacks requires security teams to undertake a range of steps. These include limiting the use of scripting languages as much as possible, and undertaking detailed, constant monitoring for unusual behaviour on the network.
The role of the SOC
To achieve this level of protection, the external IT security partner that is selected should be able to offer the resources of a full off-site Security Operations Centre (SOC). The SOC can filter through the large volumes of alerts that occur everyday and identify those that require closer inspection.
In this way, security teams can respond to LotL and other types of attacks before the cybercriminal is able to inflict damage or steal data. Freed from the task of trawling through huge numbers of alerts, they can instead focus their time and attention where it will have the most impact.
A well-engineered external SOC becomes a valuable extension of an organisation’s internal IT resources. It can ensure the organisation is prepared for an attack at all times and assist in running an incident response program when one occurs.
A SOC can also ensure there is unified visibility and coordination between all the security tools that are in place across an organisation. It can enrich context information about incidents and allow teams to identify exactly what has taken place much more quickly.
It should also be able to accelerate endpoint investigation, mitigation, and response activities. This will further support the internal IT security team which may already be working at full capacity.
With the evolution of the IT threat landscape showing no sign of slowing, taking advantage of the capabilities of an external SOC makes sense. It can significantly increase the capabilities of an internal security team without the need for large investments in equipment or staff.
[1] The Identity Theft Resource Center: https://www.idtheftcenter.org
[2] CSIS: https://www.csis.org/analysis/economic-impact-cybercrime
