Why Cyber Defenders Should Embrace a Hacker Mindset
Published 04/10/2024
Originally published by Pentera.
Written by Nelson Santos.
Today’s security leaders must manage a constantly evolving attack surface and a dynamic threat environment driven by interconnected devices, cloud services, IoT technologies, and hybrid work. Adversaries keep introducing new attack techniques, and not every company has an internal Red Team or the resources to stay on top of the latest threats. On top of that, today’s attackers are indiscriminate, and every business, big or small, needs to be prepared. It is no longer enough for security teams to detect and respond; we must also predict and prevent.
To handle today’s security environment, defenders need to be agile and innovative. In short, we need to start thinking like a hacker.
Taking the mindset of an opportunistic threat actor allows you to not only gain a better understanding of potentially exploitable pathways, but also to more effectively prioritize your remediation efforts. It also helps you move past potentially harmful biases, such as the misconception that your organization is not interesting or big enough to be targeted.
Let’s explore these concepts in a bit more depth.
The Hacker Mindset vs. Traditional Defenses
Thinking like a hacker helps you gain a better understanding of potentially exploitable pathways.
Many organizations take a conventional approach to vulnerability management, documenting their assets and identifying associated vulnerabilities, often on a rigid schedule. One of the problems with this strategy is that it compels defenders to think in lists, while hackers think in graphs (as Microsoft’s John Lambert put it, as long as that is true, attackers win). Malicious actors start by identifying their target, and all they need is a single pathway to the crown jewels. Defenders should therefore be asking themselves: What assets connect to and trust other assets? Which are externally facing? Could a hacker establish a foothold in a non-critical system and use it to reach another, more important one? These are the questions that identify real risk, and a finding that looks minor on a severity-sorted list can be the first hop on the shortest such path.
Thinking like a hacker helps you more effectively prioritize remediation activities.
Deciding which issues require immediate action and which can wait is a complicated balancing act. Few companies have unlimited resources to address their entire attack surface at once – but hackers are looking for the easiest way in with the biggest reward. Knowing how to decide which remediation activities can eliminate a potential pathway to your crown jewels can give you a clear advantage over malicious actors.
Thinking like a hacker helps you more critically evaluate existing biases.
Smaller organizations tend to assume, incorrectly, that they are not an attractive target for an opportunistic hacker. Reality shows otherwise. Verizon’s 2023 Data Breach Investigations Report identified 699 security incidents and 381 confirmed data disclosures among small businesses (those with fewer than 1,000 employees), but only 496 incidents and 227 confirmed disclosures among large businesses (those with more than 1,000 employees). Automated phishing attacks are indiscriminate, and ransomware attacks can still be highly lucrative against smaller organizations. Thinking like a hacker makes it evident that any organization is a viable target.
How to Think Like a Hacker
How can security professionals successfully implement this mindset shift? In a recent Pentera webinar, Erik Nost, Principal Analyst at Forrester, and Nelson Santos, Pentera Security Expert, outlined four essential steps.
1. Understand Attackers’ Tactics
Adopting a hacker’s mindset helps security leaders anticipate potential breach points and build their defense. This starts with a realistic understanding of the techniques malicious actors use to get from A to Z.
An example: today’s attackers automate as much as possible so they can work through the massive number of systems on modern networks. This means that defenders must prepare for brute-force attacks, loaders, keyloggers, exploit kits, and other rapidly deployable tooling, and must assume that any exposed system will be tried, not only the obviously valuable ones.
Security teams must also evaluate their responses to these techniques in real-world scenarios. Testing in a lab environment is a good start, but confidence only comes from evaluating the production systems an attacker would actually hit, under controls that keep the test safe: an agreed scope, exploits that are non-destructive by design, and a rollback plan. Similarly, simulations are informative, but teams must go a step further and see how their defenses stand up to penetration tests and robust emulated attacks.
2. Reveal Complete Attack Paths, Step by Step
No vulnerability exists in isolation. Hackers almost always combine multiple vulnerabilities to form a complete attack path. As a result, security leaders must be able to visualize the “big picture” and test their entire environment. By identifying the critical paths attackers could take from reconnaissance through exploitation and impact, defenders can prioritize and remediate effectively.
3. Prioritize Remediation Based on Impact
Hackers typically look for the path of least resistance. Prioritize, then, by how easy a path is to traverse and how much damage it leads to: address the exploitable paths with the most impact first, then work through less likely scenarios as resources allow.
Leaders should also consider the potential business impact of the vulnerabilities they need to remediate. For example, a single network misconfiguration or a single user with excessive permissions can lead to many possible attack paths. Prioritizing high-value assets and critical security gaps helps you avoid the trap of spreading your resources too thin across your entire attack surface.
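As an added example (not code from the article or from Pentera), here is the graph view of steps 2 and 3 in Python: a constructed set of assets and trust relationships, an enumeration of every path from an externally facing asset to a crown jewel, and a ranking of single remediations by how many of those paths each one cuts. The asset names, edges, entry points and crown jewel are assumptions chosen for illustration; a real graph would be built from inventory, identity and network data.

```python
"""Attack-path analysis over a small asset/trust graph.

Added example, not Pentera's code. Assets, trust edges, entry points and
the crown jewel below are constructed for illustration; a real graph is
built from inventory, identity and network data.
"""
from collections import deque

# Constructed sample. A directed edge A -> B means "an attacker who controls
# A can reach B" via network access, a shared credential, an AD permission, etc.
EDGES = {
    "web-frontend": {"app-server", "jump-host"},
    "vpn-gateway": {"jump-host", "file-share"},
    "printer-mgmt": {"file-share"},          # the 'non-critical' asset
    "app-server": {"db-server"},
    "jump-host": {"domain-controller"},
    "file-share": {"backup-server"},
    "backup-server": {"domain-controller"},
    "domain-controller": {"db-server"},
    "db-server": set(),
}
EXTERNAL = ["web-frontend", "vpn-gateway", "printer-mgmt"]  # internet-facing
CROWN_JEWEL = "db-server"


def simple_paths(edges, start, goal, limit=50):
    """Breadth-first enumeration of simple paths start -> goal (bounded)."""
    paths, queue = [], deque([[start]])
    while queue and len(paths) < limit:
        path = queue.popleft()
        node = path[-1]
        if node == goal:
            paths.append(path)
            continue
        for nxt in sorted(edges.get(node, ())):
            if nxt not in path:            # simple paths only, no cycles
                queue.append(path + [nxt])
    return paths


def attack_paths(edges=EDGES, entries=EXTERNAL, target=CROWN_JEWEL):
    """Every path from an externally facing asset to the crown jewel."""
    return [p for e in entries for p in simple_paths(edges, e, target)]


def without_edge(edges, src, dst):
    """The graph after one remediation: severing the trust edge src -> dst."""
    return {k: (v - {dst} if k == src else set(v)) for k, v in edges.items()}


def rank_remediations(edges=EDGES, entries=EXTERNAL, target=CROWN_JEWEL):
    """Score each single edge by how many attack paths removing it eliminates.

    Highest-leverage fix first. This is the graph answer to 'which remediation
    removes a pathway to the crown jewels', as opposed to working down a flat
    list of findings sorted by severity.
    """
    baseline = len(attack_paths(edges, entries, target))
    scores = []
    for src, dsts in edges.items():
        for dst in dsts:
            left = len(attack_paths(without_edge(edges, src, dst), entries, target))
            scores.append((baseline - left, f"{src} -> {dst}"))
    return sorted(scores, reverse=True)


if __name__ == "__main__":
    for p in attack_paths():
        print(" -> ".join(p))
    print("\nremediations by paths cut:")
    for cut, edge in rank_remediations():
        print(f"{cut:2d}  {edge}")
```

Two things the list view would not show: the printer management host, which nobody would patch first on severity alone, is the start of a full path to the database, and a single edge (the domain controller’s access to the database) sits on four of the five paths, so fixing that one trust relationship does more than any number of patches on the entry points.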
4. Validate the Effectiveness of Your Security Investments
Testing the real-world efficacy of security products and procedures is critical. For instance – is your EDR properly detecting suspicious activity? Is the SIEM sending alerts as expected? How fast does your SOC respond? And most importantly, how effectively do all of the tools in your security stack interact together? These tests are essential as you measure your efforts.
Traditional attack simulation tools can test known scenarios and check your existing defenses against known threats. But what about testing against what you don’t know? Using the adversarial perspective lets you test beyond a predefined library of scenarios, which can reveal hidden misconfigurations, shadow IT, or incorrect assumptions about how controls are working. These unknown security gaps are the hardest for defenders to spot and are therefore actively sought out by attackers.
Validation test findings need to go all the way up to the CEO and the board in a way that conveys the business impact. Reporting a percentage of vulnerabilities patched (or other similar vanity metrics) does not truly convey the effectiveness of your security program. Instead, communicate the impact of your efforts in terms that reflect what an attacker could actually do: how many validated paths to critical assets were closed, which emulated attack steps went undetected, and how long detection and response took.
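As an added example (not code from the article, the webinar or Pentera), here is the kind of scoring a validation run should produce for step 4: the emulated attack’s executed steps are correlated with the alerts the SIEM raised for the same technique on the same host within a time window, and the output is detection coverage, what was missed, and time-to-alert, the figures worth reporting upward instead of a percentage patched. The executed steps, alert lines, hostnames and the 15-minute window are constructed for the example.

```python
"""Score a control-validation run: did the stack see what we did, and how fast?

Added example, not code from the article, the webinar or Pentera. The
executed steps and alert log are constructed; in practice the steps come
from the emulation tool's run log and the alerts from the SIEM or EDR API.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed: what the emulated attack actually did (ATT&CK technique IDs).
EXECUTED = [
    {"step": "brute-force VPN",  "technique": "T1110", "host": "vpn-gateway",       "at": "2024-04-10T09:00:00"},
    {"step": "LSASS dump",       "technique": "T1003", "host": "jump-host",         "at": "2024-04-10T09:12:00"},
    {"step": "SMB lateral move", "technique": "T1021", "host": "file-share",        "at": "2024-04-10T09:20:00"},
    {"step": "DCSync",           "technique": "T1003", "host": "domain-controller", "at": "2024-04-10T09:35:00"},
]

# Constructed: what the SIEM raised in the same window. Note the unrelated
# alert and the absence of anything for the SMB step.
ALERTS = [
    {"rule": "Multiple VPN auth failures", "technique": "T1110", "host": "vpn-gateway",       "at": "2024-04-10T09:03:30"},
    {"rule": "LSASS memory access",        "technique": "T1003", "host": "jump-host",         "at": "2024-04-10T09:12:45"},
    {"rule": "Scheduled backup job",       "technique": None,    "host": "backup-server",     "at": "2024-04-10T09:25:00"},
    {"rule": "DCSync from non-DC",         "technique": "T1003", "host": "domain-controller", "at": "2024-04-10T09:36:10"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def match_alerts(executed=EXECUTED, alerts=ALERTS, window=timedelta(minutes=15)):
    """Pair each executed step with the first alert for the same technique on
    the same host raised within `window` after the step. Matching on host as
    well as technique keeps the two T1003 steps from claiming each other's
    alert. Returns [(step name, seconds to alert or None), ...]."""
    results = []
    for step in executed:
        start = _ts(step["at"])
        hits = [
            _ts(a["at"]) - start
            for a in alerts
            if a["technique"] == step["technique"]
            and a["host"] == step["host"]
            and timedelta(0) <= _ts(a["at"]) - start <= window
        ]
        results.append((step["step"], min(hits).total_seconds() if hits else None))
    return results


def score(results):
    """Turn the pairing into the numbers worth reporting upward."""
    detected = [(name, secs) for name, secs in results if secs is not None]
    missed = [name for name, secs in results if secs is None]
    return {
        "coverage": len(detected) / len(results),
        "missed": missed,
        "median_seconds_to_alert": median(s for _, s in detected) if detected else None,
        "slowest": max(detected, key=lambda d: d[1]) if detected else None,
    }


if __name__ == "__main__":
    r = score(match_alerts())
    print(f"detected {r['coverage']:.0%} of executed steps; "
          f"median time to alert {r['median_seconds_to_alert']:.0f}s")
    print("undetected:", ", ".join(r["missed"]) or "none")
```

On the constructed data the stack detects three of four steps, misses the SMB lateral movement entirely, and takes three and a half minutes to alert on the VPN brute force; those three facts say more to a board than a patch percentage, and the undetected step is the first thing to fix before the next run.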