Applying Context, Controlling Adversaries (TCDO Part 1)

The threat centric narrative in cybersecurity hasn’t worked. If you look at it pragmatically it was never going to work. Tradecraft is not rigid, it can and should evolve, so if you are focused on defending against all known tradecraft then you’ve just signed yourself up to play an infinite game of catch up. The consequence being that you’ll never feel confident about your security posture because it is under the control of the very adversaries you are defending yourself from.

As any red-teamer knows, there is always a way to achieve a goal, the only real parameter in any offensive operation is the amount of effort you need to expend in order to achieve your goal. If you’re dealing with an APT, then it is quite probable that their willingness to expend effort exceeds your ability to invest in cyber.

As cybersecurity advances the tradecraft that is required to overcome defences must also advance, sometimes in new and novel ways. Multi Factor Authentication (MFA) is a good case in point here, there was historically very little need for phishing toolkits to circumvent MFA but now, with its much more widespread adoption, every current phishing toolkit or attack framework will handle MFA to some extent. The same is true of EDR; before that was widespread there was little need to evade it, now, with its widespread deployment, there is. It’s progress on both sides, but is it a net positive on either side? Or does it simply maintain the status quo? Defenders are better at defending; adversaries are better at attacking, it’s not a game that is solved by better understanding how our adversaries have operated. How adversaries operate is entirely within the control of those doing the defending. The attack paths within your environment dictate how an adversary must operate. So, by leveraging this defender's advantage and taking control of our attack paths we also take control of how adversaries must operate.

At Lab539 the model we use for building tailored cyber defences encompasses 3 different areas; general, threat informed and context centric:

Combine these three areas and it gives you the ability to hit that sweet spot in the middle (that yellow triangle), which informally we refer to as “the warm fuzzy feeling of security”. No one approach alone works, without the other two you can’t achieve that triangle. Each approach informs the other (e.g. a context centric approach blind to known TTPs will have gaps; if you’ve not covered off some cyber security basics you’ll struggle to manage your attack paths etc.).

Threat informed and general activities are vitally important but the challenge each of them have is that without a context centric approach guiding them they are somewhat infinite and will never be complete. Adversarial tradecraft will continue to evolve; even if you are keeping on top of how it is evolving you are still missing a very key parameter which is “how it is most likely to be applied given the goals of the adversary and the constraints which your environment place upon them?”. How an adversary achieves their goal in your environment will be different to how they achieve it in another environment, sometimes in significant ways, other times in much more subtle ways. What their goal is and what your organisation cares about may also be radically different too.

Tailored cyber defence is all about taking back control by dictating how an adversary must operate within your environment to achieve their goals, it turns the tables and puts the defenders in the driving seat. For too long adversaries have had the upper hand and defenders have been on the back foot. “More of the same but better” should not be the answer the cyber security industry throws at the problem.