Adversarial evolution: How defenders must also evolve


To succeed against active adversaries, defenders must be equally active, continually adjusting their own tactics to counter how their attackers operate.

As we covered in How active adversaries adapt their attack techniques, active adversaries will use every tool and technique at their disposal to get into the targeted organization. Those trends emerged from an analysis of 232 cyberattack investigations conducted by Sophos's X-Ops Incident Response Team.

That study found that most breaches involve stolen access credentials or an exploitable software vulnerability, but those are not the only paths in. Sophos's analysis also found that, when pressed, active adversaries will write custom malware and hunt for zero-day vulnerabilities in the software the target runs.

These active adversaries will also target external remote services, impair security defenses and system recovery tools, and abuse legitimate system services to gain entry and persist.

Adaptable security posture

To effectively respond, organizations must have an adaptable security posture.

Steven Aiello, CISO at digital platform provider AHEAD, notes that adapting to changing attacker tactics requires building and maintaining an accurate environment baseline. "Baselines help identify when something deviates from the norm, which could indicate attack activity," says Aiello, adding that large organizations often run fewer baselines than they need to attain adequate security, including baselines of network traffic, normal system behavior, and the software installed in the organization.
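Aiello's point about baselines is easy to state and harder to operationalize. The following is an added example, not code from the article, AHEAD, or Sophos: it takes a baseline inventory of packages, listening ports, and running services per host, compares a fresh snapshot against it, and reports each deviation. The inventory layout (host name mapped to packages, ports, and services) and the sample data are constructed for illustration; in practice the snapshots would come from an EDR, CMDB, or configuration-management export.

```python
from dataclasses import dataclass


@dataclass
class HostState:
    """Snapshot of one host. Field layout is an assumption for this example."""
    packages: dict        # package name -> installed version
    listening_ports: set  # TCP/UDP ports with a listener
    services: set         # running service names


@dataclass
class Deviation:
    host: str
    kind: str    # e.g. new_package, version_change, new_port, stopped_service
    detail: str


def diff_host(host: str, baseline: HostState, current: HostState) -> list:
    """Compare one host's current state against its baseline."""
    out = []
    for name, ver in current.packages.items():
        if name not in baseline.packages:
            out.append(Deviation(host, "new_package", f"{name} {ver}"))
        elif baseline.packages[name] != ver:
            old = baseline.packages[name]
            out.append(Deviation(host, "version_change", f"{name} {old} -> {ver}"))
    for name in sorted(baseline.packages.keys() - current.packages.keys()):
        out.append(Deviation(host, "removed_package", name))
    for port in sorted(current.listening_ports - baseline.listening_ports):
        out.append(Deviation(host, "new_port", str(port)))
    for port in sorted(baseline.listening_ports - current.listening_ports):
        out.append(Deviation(host, "closed_port", str(port)))
    for svc in sorted(current.services - baseline.services):
        out.append(Deviation(host, "new_service", svc))
    for svc in sorted(baseline.services - current.services):
        # A security agent that stopped running is itself a signal
        # (defense impairment), not just missing telemetry.
        out.append(Deviation(host, "stopped_service", svc))
    return out


def diff_fleet(baseline: dict, current: dict) -> list:
    """Compare a whole fleet; hosts unknown to the baseline are flagged too."""
    out = []
    for host in sorted(current.keys() - baseline.keys()):
        out.append(Deviation(host, "unknown_host", "reporting now, absent from baseline"))
    for host in sorted(baseline.keys() - current.keys()):
        out.append(Deviation(host, "missing_host", "in baseline, not reporting"))
    for host in sorted(baseline.keys() & current.keys()):
        out.extend(diff_host(host, baseline[host], current[host]))
    return out


# Constructed sample data for the example (not real hosts).
BASELINE = {
    "web-01": HostState(
        packages={"nginx": "1.22.1", "openssh-server": "9.2p1"},
        listening_ports={22, 443},
        services={"nginx", "sshd", "auditd"},
    ),
    "db-01": HostState(
        packages={"postgresql-15": "15.4"},
        listening_ports={22, 5432},
        services={"postgres", "sshd", "auditd"},
    ),
}

CURRENT = {
    "web-01": HostState(
        packages={"nginx": "1.22.1", "openssh-server": "9.2p1", "socat": "1.7.4.4"},
        listening_ports={22, 443, 4444},
        services={"nginx", "sshd"},
    ),
    "jump-03": HostState(
        packages={"openssh-server": "9.2p1"},
        listening_ports={22},
        services={"sshd"},
    ),
}

if __name__ == "__main__":
    for d in diff_fleet(BASELINE, CURRENT):
        print(f"{d.host:8} {d.kind:16} {d.detail}")
```

Run against the constructed data, this reports an unknown host, a host that stopped reporting, a new package and listening port on the web server, and the audit daemon no longer running there. None of those is proof of compromise on its own, but each is exactly the kind of deviation a baseline exists to surface, and the stopped security service in particular deserves a look given how often active adversaries disable defenses early.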

Additionally, visibility into unpatched servers, misconfigured cloud storage, and outdated web apps, together with the processes to remediate them, is critical to reducing risk.

Dale Zabriskie, field CISO at data management and security company Cohesity, agrees. "True business resilience comes when an organization comprehends all of its assets, infrastructure, and data," says Zabriskie. That includes cloud infrastructure and on-premises systems, domains, IP addresses, and security certificates.

To keep attackers out, the security program must keep pace with active adversaries, with how their tactics change, and with the organization's own growing and shifting attack surface. As the attack surface changes, so do the ways attackers find their way in.

Minimize the attack surface

Experts advise CISOs to work to keep the organization's attack surface to a minimum.

That means finding software and system vulnerabilities and then patching or otherwise mitigating them. It also means minimizing the number of entry points into the organization and requiring multi-factor authentication on those that remain. "Attack surfaces are expanding at a rate we haven't seen before, driven by the increase of cloud solutions, SaaS applications, and shadow IT," says Nabil Hannan, field CISO at NetSPI.

Hannan says organizations should consider systems that automate attack surface management, so that security teams fully understand their assets and can better prioritize their risks. "To keep pace with the rate of change today, we must consider security continuity beyond isolated security evaluations, such as external penetration tests. Given that a penetration testing engagement typically lasts a few days to a couple of weeks, what measures are in place during the remaining 50 weeks of the year? Attack surface management addresses the visibility gaps between scheduled, deep dive security tests," says Hannan.

Experts also advise additional program elements to ensure the program adapts to changing threats. One is adaptive access control, which adjusts the level of access and trust granted to a user based on the context of the request, such as whether it comes from a risky network or an unexpected geographic location. Another is comprehensive logging and monitoring. That telemetry is essential: analyzed continuously, it lets the team respond quickly to new threats and spot changes in attacker behavior so the security program can be adjusted accordingly.
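To make the adaptive-access idea concrete, here is an added example (not code from the article or from any vendor quoted in it) of a small context-based policy: each request is scored on source network, country, device state, and resource sensitivity, then allowed, pushed to step-up authentication, or denied, and every decision is emitted as a JSON line so the access decisions themselves become part of the monitored telemetry. The trusted network ranges, expected countries, score weights, thresholds, and the sample requests are all assumptions for illustration.

```python
import ipaddress
import json
from dataclasses import dataclass, asdict

# Assumed policy inputs for the example; a real deployment would load these
# from the identity provider or a policy store.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # corporate LAN (assumed)
    ipaddress.ip_network("203.0.113.0/24"),    # office egress range (assumed)
]
EXPECTED_COUNTRIES = {"US", "DE"}
DENY_THRESHOLD = 6      # at or above this, deny even with MFA
STEP_UP_THRESHOLD = 2   # at or above this, require MFA


@dataclass
class AccessContext:
    user: str
    source_ip: str
    country: str
    device_managed: bool
    mfa_passed: bool
    resource_sensitivity: str   # "low" or "high"


def risk_score(ctx: AccessContext) -> int:
    """Additive risk score; weights are illustrative, not a standard."""
    score = 0
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        score += 2   # off the corporate network
    if ctx.country not in EXPECTED_COUNTRIES:
        score += 3   # unexpected geography for this organization
    if not ctx.device_managed:
        score += 2   # no endpoint control or attestation
    if ctx.resource_sensitivity == "high":
        score += 1   # the target raises the bar
    return score


def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'step_up' (MFA required) or 'deny'."""
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        # High enough risk that a correct MFA response is not trusted either;
        # this is the case for stolen credentials plus MFA fatigue.
        return "deny"
    if score >= STEP_UP_THRESHOLD and not ctx.mfa_passed:
        return "step_up"
    return "allow"


def decision_record(ctx: AccessContext) -> str:
    """One JSON line per decision, suitable for shipping to a SIEM."""
    record = asdict(ctx)
    record["risk_score"] = risk_score(ctx)
    record["decision"] = decide(ctx)
    return json.dumps(record, sort_keys=True)


# Constructed sample requests for the example.
OFFICE = AccessContext("alice", "10.20.30.40", "US", True, False, "low")
HOME = AccessContext("alice", "198.51.100.7", "US", True, False, "low")
HOME_WITH_MFA = AccessContext("alice", "198.51.100.7", "US", True, True, "low")
SUSPICIOUS = AccessContext("alice", "192.0.2.9", "XX", False, True, "high")

if __name__ == "__main__":
    for ctx in (OFFICE, HOME, HOME_WITH_MFA, SUSPICIOUS):
        print(decision_record(ctx))
```

The same user gets three different outcomes depending on context: allowed silently from the office, prompted for MFA from home, and denied outright when an unmanaged device in an unexpected country asks for a sensitive resource, even though MFA was completed. Because each decision is logged with its inputs and score, a rise in step-ups or denials for a population of users is itself a signal that attacker behavior has shifted and the weights may need tuning.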

Incident response matters

Finally, the incident response plan also has to evolve as the threat landscape changes. Few things are worse than reaching for the incident response plan during a crisis only to find it outdated or irrelevant. User security awareness training likewise needs to track changes in attacker tactics.

This advice is by no means exhaustive, but these are the vital areas to keep continuously up to date as active adversaries change their tactics and the organization's attack surface grows.

If organizations don't adapt to these changing tactics, they'll always only be best prepared for yesterday's battles.

George V. Hulme

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com. From
