Proactive Cybersecurity Solutions to Combat TTPs

Written by Titania | October 16, 2024

Recent research from Omdia has highlighted a significant trend among cybersecurity decision-makers to move towards proactive security measures. 47% of respondents said one of their top three objectives for the next twelve months is to reduce the opportunity for threats through proactive security. So it’s clear that this is a key investment area for many organisations. 

A key element of proactive security solutions is identifying where the threats are targeting and bolstering defensive efforts there. Without understanding one’s attack surface, it’s impossible to know where to start with a pre-emptive approach to exposure management.

Knowing what specific attack methods are prevalent in a particular industry or environment allows cyber defenses to be focused on the areas of the network most likely to be targeted. Taking this proactive approach allows network owners to prioritize threats specific to their organization and provides a strategy that allows for more efficient and effective security measures.

But how does this work in practice? Taking one common tactic used by adversaries as an example shows how a proactive approach can safeguard networks.

Common Tactics, Techniques, and Procedures (TTPs) for ransomware attacks - Valid Accounts

A recent Talos report on prominent ransomware groups has shed light on common TTPs used by these adversaries. One of the most prevalent methods of network access identified is the Valid Accounts TTP. This involves adversaries obtaining and then abusing the credentials of existing accounts for initial access, and then expanding their foothold throughout the network.

Analysis from CISA further supports the significance of the Valid Accounts TTP as a method of attack. In their Risk and Vulnerability Assessments - Fiscal Year 2023 report, CISA states that threat actors use various attack paths. But their analysis revealed that Valid Accounts (T1078) was the most common successful attack technique, responsible for 41% of successful attempts.

Being vulnerable to the Valid Accounts TTP can have severe consequences for an organization. Once attackers have gained initial access, using stolen or compromised credentials, they can maintain long-term access, escalate privileges, and evade defenses. This allows them to move laterally across the network, steal sensitive data, and cause significant operational disruptions, including potential ransomware attacks. Such breaches can go unnoticed for extended periods before leading to substantial financial losses and damage to the organization’s reputation.

Taking a proactive approach to cybersecurity with Nipper Enterprise

Identifying where your network is vulnerable to TTPs – such as Valid Accounts – is a crucial step in a proactive security approach. By understanding and addressing these weaknesses, organizations can better protect their networks from potential threats.

Having a list of all the CVEs that your network is vulnerable to in risk-prioritized order, such as in a security audit report from Nipper, can show you on a device-by-device basis where you need to start remediation work. But if you want to take the proactive approach – this is where Nipper Enterprise comes in.

Enriched data from a Nipper Enterprise software vulnerability assessment, imported into a SIEM, can be mapped to the MITRE ATT&CK framework, giving an analysis of which of those CVEs are actually known exploited vulnerabilities (KEVs). From this, organizations can see which devices are vulnerable to the most critical KEVs, and focus on these for remediation efforts, as this might only be a subset of the devices on a network.

Understanding Exposure

But taking this one step further by mapping the KEVs onto ATT&CK allows an organization to see which known exploited vulnerabilities on their network leave them exposed to a specific TTP, and the exact vulnerabilities that need to be remediated to shut down that exposure.

This proactive approach means that efforts can be focused on where they will make the most difference. For example, with Valid Accounts being a prevalent method of attack, being able to see exactly which devices have vulnerabilities that are known to expose the network to that TTP allows targeted remediation work to shut down exposure to that technique.

Organizations can use this approach to identify which devices on their network possess known exploited vulnerabilities and are susceptible to the TTPs employed by real-world threat actors targeting their industry that leverage these KEVs. This capability enables organizations to prioritize and focus on remediating the most critical issues across their network.
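The enrichment pipeline described above (device CVE findings, filtered to KEVs, mapped onto ATT&CK techniques, then queried for one TTP) as an added illustration; this is not Nipper Enterprise code or a Titania mapping. The CVE identifiers, the KEV set and the CVE-to-technique mapping are all constructed placeholders, standing in for the real CISA KEV catalogue and ATT&CK mappings a SIEM would import.

```python
# Constructed sample data. CVE-0000-* identifiers are placeholders, not real CVEs.
# DEVICE_FINDINGS: what a per-device audit report lists as present vulnerabilities.
DEVICE_FINDINGS = {
    "core-router-01": ["CVE-0000-1001", "CVE-0000-1002"],
    "edge-fw-02": ["CVE-0000-1003"],
    "dist-switch-03": ["CVE-0000-1002", "CVE-0000-1004"],
    "vpn-gw-04": ["CVE-0000-1001", "CVE-0000-1003", "CVE-0000-1005"],
}
# Stand-in for the known exploited vulnerabilities catalogue (constructed).
KEV_CATALOGUE = {"CVE-0000-1001", "CVE-0000-1003", "CVE-0000-1005"}
# Stand-in for a CVE -> ATT&CK technique mapping (constructed). T1078 is Valid Accounts.
CVE_TO_TECHNIQUES = {
    "CVE-0000-1001": {"T1078"},
    "CVE-0000-1002": {"T1078"},  # maps to T1078 but is not a KEV, so it is deprioritised
    "CVE-0000-1003": {"T1190"},
    "CVE-0000-1004": set(),      # no known technique mapping
    "CVE-0000-1005": {"T1078"},
}


def kev_findings(findings, kev):
    """Step 1: keep only the findings that are known exploited vulnerabilities."""
    return {dev: [c for c in cves if c in kev] for dev, cves in findings.items()}


def exposure_by_technique(findings, kev, mapping):
    """Step 2: map each device's KEVs onto ATT&CK techniques.

    Returns {technique: {device: [cves]}} so a defender can ask
    'which devices expose us to this TTP, and which CVEs must be fixed?'.
    Devices whose only matching CVEs are not KEVs drop out, which is why the
    exposed set is usually a subset of the devices with findings."""
    result = {}
    for dev, cves in kev_findings(findings, kev).items():
        for cve in cves:
            for tech in mapping.get(cve, ()):
                result.setdefault(tech, {}).setdefault(dev, []).append(cve)
    return result


def remediation_plan(findings, kev, mapping, technique):
    """Step 3: devices to remediate to shut down exposure to one TTP,
    ordered by the number of exposing KEVs (most first, then by name)."""
    exposed = exposure_by_technique(findings, kev, mapping).get(technique, {})
    return sorted(exposed.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for dev, cves in remediation_plan(DEVICE_FINDINGS, KEV_CATALOGUE, CVE_TO_TECHNIQUES, "T1078"):
        print(f"{dev}: remediate {', '.join(cves)}")
```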

The emphasis on proactive security is more critical than ever. By investing in proactive solutions that allow them to focus on specific threats and understand which TTPs are being used, organizations can take meaningful steps to safeguard their networks and reduce the opportunity for cyber threats.

To see for yourself how Nipper Enterprise can give near real-time visibility of exposure to APTs’ specific TTPs as a result of network misconfigurations and software vulnerabilities, request a demo or POV.