June 27, 2016

Next Generation Security Teams Are Watching The Game Plays, Are You?

Categories: Blog, Integration Testing, From The Front Lines

In the National Football League (NFL), highly-skilled and highly-paid professional players spend a large portion of their time each week studying video recordings of previous game plays. Players are expected to study both at home and at the practice facility with guidance from coaches, breaking down plays -- running them forwards, backwards, and examining every detail in slow motion -- and critiquing the players' performance to prepare for the upcoming opposition. In addition, players spend hours studying their opposition's tactics and strategy to pivot and improve their own plan of action, all with the knowledge that their opponent is analyzing and preparing for them with equal intensity.

Every competitive sport involving an opponent does this to some degree, from chess to basketball.

Security should be no different. Next-generation security teams are continuously studying previous game plays. As defenders, our opponents are the outside attackers trying to break into our networks, or malicious insiders seeking to cause an intentional negative impact on the business. Studying and learning from our own previous compromises, and from compromises happening at other companies, will make us smarter defenders because we actually understand the attacker's tactics, techniques and procedures (TTPs).

The TTPs of some of the most noteworthy attack groups have been thoroughly documented in blogs, reports, and intelligence feeds. Next-generation security programs and defensive strategies are being built based on what we have learned about the opposition's TTPs. Most public headlines focus on the fact that attackers were able to get into a company's network, rather than what the attackers did once they got inside. To me, that's the most important part. Anyone is able to get in. Instead, the key question is: what did those attackers do while they were inside another company's network, and how can you detect and respond to that particular type of attacker if they are able to get inside your own network in the future? Most of those details are understandably kept private. That is why it is critical you learn from your own compromises -- to study your own game film -- as well as build trust circles to gain access to information from other companies, in an effort to learn from others similarly situated to your own company, even if not in your own industry.

On a related note, one of my favorite talks this year was given by a person who I think is very influential in the security space. John Lambert from Microsoft presented on "Changing the Physics of Defenders" at Kaspersky's Security Analyst Summit, where he talked about how modern defenders have the mentality of "assume breach" and share information and learn about adversaries with trusted peers so that they can increase attacker requirements.

If you want to build a next-generation security team, you need to start watching the game plays. Discuss incidents in detail, including those that occur internally as well as within your trusted partners’ networks. Learn from those incidents and strive to continuously improve your on-field performance. We all fail. The important part is that we “fail forward” and learn from those failures.

Automated security orchestration with continuous testing infuses institutional learning into your everyday security practices, ensuring complete up-to-date readiness against an ever-changing threatscape.
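As an added illustration, not part of the original post and not AttackIQ's own code, here is one way to turn "studying the game film" into a repeatable test: each lesson from a past incident becomes a detection check, and the checks are run continuously against event data so the team can see which lessons still produce a detection and which have silently stopped firing. The event shapes, process names, allow-lists and incident labels are all constructed for the example.

```python
"""Turn incident lessons into detection regression tests.

Each TTPCheck encodes one behaviour observed in a past compromise (ours or a
trusted peer's) as a predicate over normalised endpoint events.  Running the
checks continuously against fresh event data shows which lessons still
produce a detection and which have stopped firing (a coverage gap).
All event shapes, process names and incident labels below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]


@dataclass(frozen=True)
class TTPCheck:
    ttp_id: str                    # team-local label (assumed naming scheme)
    description: str
    detect: Callable[[Event], bool]
    lesson: str                    # the "game film" this check came from


def office_spawns_shell(ev: Event) -> bool:
    """Office application directly launching a command interpreter."""
    return (ev.get("type") == "process"
            and ev.get("parent", "").lower() in {"winword.exe", "excel.exe", "outlook.exe"}
            and ev.get("image", "").lower() in {"cmd.exe", "powershell.exe", "wscript.exe"})


def unexpected_lsass_access(ev: Event) -> bool:
    """A process outside the expected allow-list opening a handle to lsass.exe."""
    expected = {"csrss.exe", "wininit.exe", "msmpeng.exe"}   # constructed allow-list
    return (ev.get("type") == "process_access"
            and ev.get("target", "").lower() == "lsass.exe"
            and ev.get("source", "").lower() not in expected)


def service_installed_over_network(ev: Event) -> bool:
    """Service installation by an account that authenticated over the network."""
    return ev.get("type") == "service_install" and ev.get("logon_type") == "3"


PLAYBOOK: List[TTPCheck] = [
    TTPCheck("office-child-shell", "Office app spawning a shell",
             office_spawns_shell, "constructed incident A: phishing attachment"),
    TTPCheck("lsass-access", "Unexpected handle to lsass.exe",
             unexpected_lsass_access, "constructed incident B: credential theft"),
    TTPCheck("remote-service-install", "Service created via network logon",
             service_installed_over_network, "constructed peer report C: lateral movement"),
]

# Constructed sample events; in practice these come from the endpoint or SIEM feed.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"id": "e2", "type": "process", "parent": "explorer.exe", "image": "powershell.exe"},
    {"id": "e3", "type": "process_access", "source": "MsMpEng.exe", "target": "lsass.exe"},
    {"id": "e4", "type": "process_access", "source": "rundll32.exe", "target": "lsass.exe"},
    {"id": "e5", "type": "service_install", "logon_type": "2"},
]


def run_detection_tests(playbook: List[TTPCheck], events: List[Event]) -> Dict[str, List[str]]:
    """Map each ttp_id to the ids of the events that triggered its check."""
    hits: Dict[str, List[str]] = {c.ttp_id: [] for c in playbook}
    for ev in events:
        for check in playbook:
            if check.detect(ev):
                hits[check.ttp_id].append(ev["id"])
    return hits


def coverage_gaps(hits: Dict[str, List[str]]) -> List[str]:
    """Checks that fired on nothing: the behaviour was absent or detection regressed."""
    return sorted(ttp for ttp, ids in hits.items() if not ids)


if __name__ == "__main__":
    results = run_detection_tests(PLAYBOOK, SAMPLE_EVENTS)
    for check in PLAYBOOK:
        ids = results[check.ttp_id]
        status = "FIRED on " + ", ".join(ids) if ids else "NO HITS"
        print(f"{check.ttp_id:24} {status:28} ({check.lesson})")
    print("coverage gaps:", coverage_gaps(results))
```

The interesting output is the "NO HITS" line for the remote-service check. On its own that result is ambiguous: either the behaviour never happened, or the telemetry or the rule has quietly broken. Continuous testing resolves the ambiguity by exercising each check on a schedule in a controlled environment, so a gap in the report means a real detection regression rather than a quiet day.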

Click here to learn how AttackIQ FireDrill is redefining the face of security to keep you one step ahead.

About the Author

Stephan is the Co-Founder and CTO of AttackIQ. He is a 20-year veteran of information security, serving clients ranging from startups to multinational corporations as a pentester, security and risk consultant, solutions architect and head of research and development. He has presented at numerous conferences including RSA, Black Hat, ToorCon, BSides, CanSecWest, REcon, AusCERT, SecTor, SOURCE and PacSec.