Understanding and Protecting Against Adversaries (Guest blog by Rebellion Defence)
Adversaries present our institutions with increasingly sophisticated, severe, and frequent threats. Here’s what we learned working in national security.
Adversaries are attacking institutions across the public and commercial sectors with increasing frequency, severity, and sophistication. They aim to degrade or deny our systems, or to steal our intellectual property and critical intelligence.
Our company, Rebellion Defence, experiences this alongside our customers on the front lines in the world of defence and national security. We build software to help government institutions protect themselves in order to gain an advantage over adversaries, including in the cyber domain.
In our work with these institutions, and during our experience as part of the NCSC accelerator programme, we observed that many of the most common defensive- and compliance-based cybersecurity tactics fall short of providing this protection. They do not accurately account for the aggression and sophistication of adversaries, nor do they contextualise the risk posed against specific, critical operations.
We’ve learned that the most effective way to enable institutional cybersecurity readiness against adversaries is to step into their shoes, and attack our systems as they would to find the most significant risks to missions. In order to do so, organisations — both public and commercial — need to approach the problem from a few perspectives.
See what they see
Institutional defenders must first accurately account for their entire attack surface, as seen through the eyes of an adversary. Yet many common, agent-based cybersecurity tools fail to provide this perspective. They miss nodes where no agent is installed — either because the node was overlooked or because an agent is not supported on that endpoint — and they miss nodes that have been newly added.
In the context of national security, this lack of oversight can be catastrophic, and the massive size and complexity of networks compound the risk. We’ve seen at first hand the importance of establishing rigorous attack surface management practices that address these potential blind spots.
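The blind spot described above (hosts with no agent, hosts the agent cannot run on, and hosts added since the last baseline) is found by reconciling the agent inventory against what is actually observed on the network. The following is an added example, not Rebellion Defence's code or any product's; the IP addresses, hostnames, platform hints and dates are constructed sample data, and the set of agent-unsupported platforms is an assumption chosen for illustration.

```python
"""Reconcile an agent-based endpoint inventory against network-observed hosts.

All data below is constructed for the example; none of it comes from a real network.
"""
import ipaddress
from dataclasses import dataclass

# Hosts that report in through the endpoint agent (constructed sample: ip -> hostname)
AGENT_INVENTORY = {
    "10.20.1.10": "ws-001",
    "10.20.1.11": "ws-002",
    "10.20.2.5": "srv-db-01",
    "10.20.9.9": "laptop-old",   # reports to the agent console but is no longer on the wire
}

# Hosts observed on the wire, e.g. from DHCP leases, switch MAC tables or passive DNS
# (constructed sample: ip -> observation record)
NETWORK_OBSERVED = {
    "10.20.1.10": {"first_seen": "2022-10-01", "platform": "windows"},
    "10.20.1.11": {"first_seen": "2022-10-01", "platform": "windows"},
    "10.20.1.12": {"first_seen": "2022-10-06", "platform": "windows"},    # agent never installed
    "10.20.2.5":  {"first_seen": "2022-09-15", "platform": "linux"},
    "10.20.3.7":  {"first_seen": "2022-10-07", "platform": "embedded"},   # agent cannot run here
}

# Addresses recorded at the previous attack-surface baseline (constructed sample)
PREVIOUS_BASELINE = {"10.20.1.10", "10.20.1.11", "10.20.1.12", "10.20.2.5"}

# Assumption for the example: platforms the endpoint agent has no build for
AGENT_UNSUPPORTED_PLATFORMS = {"embedded", "network-appliance", "printer"}


@dataclass(frozen=True)
class Finding:
    ip: str
    reason: str
    first_seen: str


def _by_address(ips):
    """Sort dotted-quad strings numerically rather than lexically."""
    return sorted(ips, key=ipaddress.ip_address)


def unmanaged_hosts(agent_inventory=AGENT_INVENTORY, network_observed=NETWORK_OBSERVED):
    """Hosts seen on the network that the agent-based tool knows nothing about.

    Each finding says whether the gap is a missed install or an unsupported platform,
    because the remediation differs (deploy the agent vs. cover the host another way).
    """
    findings = []
    for ip in _by_address(set(network_observed) - set(agent_inventory)):
        record = network_observed[ip]
        if record["platform"] in AGENT_UNSUPPORTED_PLATFORMS:
            reason = "agent unsupported on platform"
        else:
            reason = "agent missing"
        findings.append(Finding(ip=ip, reason=reason, first_seen=record["first_seen"]))
    return findings


def new_hosts_since(baseline=PREVIOUS_BASELINE, network_observed=NETWORK_OBSERVED):
    """Hosts that appeared on the wire after the last baseline was taken."""
    return _by_address(set(network_observed) - set(baseline))


def stale_agent_records(agent_inventory=AGENT_INVENTORY, network_observed=NETWORK_OBSERVED):
    """Agent records with no matching host on the wire: likely retired or moved assets."""
    return _by_address(set(agent_inventory) - set(network_observed))


if __name__ == "__main__":
    for f in unmanaged_hosts():
        print(f"UNMANAGED {f.ip:<12} {f.reason} (first seen {f.first_seen})")
    print("NEW SINCE BASELINE:", new_hosts_since())
    print("STALE AGENT RECORDS:", stale_agent_records())
```

The three views together are what an attack-surface baseline needs to answer: what is on the network that the agent console does not show, what has appeared since the last check, and which agent records no longer correspond to a live host.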
Attack as they attack
Armed with a dynamic understanding of their network, institutions must attack their own systems in a way that reflects true — not theoretical — emulation of adversarial tactics, techniques, and procedures (TTPs).
Certain offensive tactics, such as penetration testing, effectively identify vulnerabilities but do not represent a sophisticated adversarial attack. The goal of this type of testing is to identify and exploit found vulnerabilities within a predefined scope — for example, within applications but not infrastructure. This leaves out-of-scope weaknesses undiscovered and open to attack.
Offensive attacks from red teams more accurately emulate the comprehensive tactics of adversaries — from reconnaissance to compromise to escalation — and assess end-to-end institutional resilience against a specific adversary attack while eluding detection by defensive tools and teams. They are critical to effective security in both the public and commercial sectors.
Never sleep, never stop
However, institutions that rely on manual red teaming run into scale constraints that prevent accurate adversary emulation. These constraints must be addressed with urgency.
A single red team exercise can run for a month or longer, which means they are often only performed a few times a year. With countless adversaries around the world attacking with increasing frequency and significant resources at their disposal, we must act as if they never sleep. This demands approaches that offer both the thoroughness of red team exercises, and that reflect this relentless cadence.
Additionally, new adversarial TTPs emerge continually. At the typical cadence of manual red team testing, an institution should assume it will be exposed to unaddressed TTPs between exercises.
As is the case with many of the most pressing national security challenges of our time, these problems of scale are impossible to address through human intervention alone. In the US, some government institutions have responded to aggressive, state-sponsored cyber attacks by explicitly recommending the automation of testing to augment these efforts and address the scale challenges. The UK should do likewise.
By augmenting existing offensive and defensive efforts with on-demand automatic red teaming and adversarial emulation, organisations can continuously refine their defences at a scale commensurate with today’s threat landscape. These types of augmentation also make it possible to implement protections against emergent TTPs without the time and resources demanded of a manual red team.
Not all risk is created equal
Finally, given the breadth and varying severity of attacks, we’ve found that it is unlikely that an institution will be able to address and remediate all vulnerabilities at once. As a result, they must develop a more nuanced understanding of the impact of each vulnerability on actual operations.
Many of the common approaches to prioritise vulnerability severity (such as the Common Vulnerability Scoring System) fail to approach risk from an operational perspective. For example, using these methods, a vulnerability with a high CVSS score but with minimal actual impact on a unit’s mission may be considered higher risk than a vulnerability that is theoretically scored lower but has a catastrophic impact on mission operations. In another example, a series of low-risk vulnerabilities may be benign in isolation, but when chained together, create a pathway for an attacker to compromise mission operations.
In the context of defence, we ask ourselves, “What downstream systems or organisations are going to be impacted by this attack? What are the actual implications on our most important missions?” Vulnerabilities can then be properly prioritised. Translated to the commercial sector, one might ask “How would this exploit tangibly impact my business and employees?”
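Both failure modes described in the two paragraphs above can be made concrete: a high-CVSS finding on a low-value system ranking above a moderate finding on a mission-critical one, and a chain of individually low-scored findings that together reach a critical asset. The following is an added example, not Rebellion Defence's code or any product's scoring model; the asset names, mission weights, CVSS base scores, and "grants access to" relationships are constructed sample data, and the finding IDs are placeholders, not real CVE numbers.

```python
"""Mission-aware vulnerability prioritisation with attack-path chaining.

Constructed sample data throughout; the weighting formula is an illustrative choice
for this example, not an established standard.
"""
from collections import deque

# Assets and the mission-impact weight (0.0 - 1.0) a mission owner assigned to each
ASSETS = {
    "web-portal": 0.3,
    "dev-jumpbox": 0.2,
    "file-share": 0.4,
    "planning-db": 1.0,   # mission-critical system
}

# Findings: placeholder IDs, the asset they sit on, CVSS base score, and which other assets
# an attacker could reach if this one were exploited (all constructed for the example)
FINDINGS = [
    {"id": "F-1", "asset": "web-portal", "cvss": 9.8, "grants_access_to": []},
    {"id": "F-2", "asset": "dev-jumpbox", "cvss": 3.1, "grants_access_to": ["file-share"]},
    {"id": "F-3", "asset": "file-share", "cvss": 4.3, "grants_access_to": ["planning-db"]},
    {"id": "F-4", "asset": "planning-db", "cvss": 5.5, "grants_access_to": []},
]


def reachable_assets(asset, findings=FINDINGS):
    """Assets an attacker could pivot to from `asset` by following findings (BFS)."""
    seen, queue = set(), deque([asset])
    while queue:
        current = queue.popleft()
        for f in findings:
            if f["asset"] != current:
                continue
            for nxt in f["grants_access_to"]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen


def effective_score(finding, assets=ASSETS, findings=FINDINGS):
    """CVSS scaled by the worst mission impact exposed, directly or via a chain.

    A finding on a low-value host inherits the weight of the most critical asset it
    opens a path to, so a low CVSS score on a jump host is no longer 'low risk'.
    """
    exposure = {finding["asset"], *reachable_assets(finding["asset"], findings)}
    worst_impact = max(assets[a] for a in exposure)
    return round(finding["cvss"] / 10 * worst_impact, 3)


def prioritise(findings=FINDINGS, assets=ASSETS):
    """Finding IDs ordered by mission-weighted score, highest first."""
    ranked = sorted(findings, key=lambda f: effective_score(f, assets, findings), reverse=True)
    return [f["id"] for f in ranked]


def by_cvss_only(findings=FINDINGS):
    """The ordering a CVSS-only approach would produce, for comparison."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


def chains_to(target, findings=FINDINGS):
    """Every sequence of findings that ends by granting access to `target` (DFS).

    Each path is a list of finding IDs; cycles are avoided by not revisiting a finding.
    """
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f["asset"], []).append(f)
    paths = []

    def walk(f, path):
        path = path + [f["id"]]
        if target in f["grants_access_to"]:
            paths.append(path)
        for nxt_asset in f["grants_access_to"]:
            for g in by_asset.get(nxt_asset, []):
                if g["id"] not in path:
                    walk(g, path)

    for f in findings:
        walk(f, [])
    return paths


if __name__ == "__main__":
    print("CVSS-only order:      ", by_cvss_only())
    print("Mission-weighted order:", prioritise())
    for f in FINDINGS:
        print(f"{f['id']} cvss={f['cvss']} mission-weighted={effective_score(f)}")
    print("Chains reaching planning-db:", chains_to("planning-db"))
```

With these constructed inputs the CVSS-only ordering puts F-1 (9.8 on the web portal) first, while the mission-weighted ordering puts F-4 on the planning database first and lifts F-2 and F-3 above F-1 because, chained, they reach that same database. Translated to the commercial question in the text, `ASSETS` is where a business records what each system tangibly means to it.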
Having sat next to cybersecurity operators in high-stakes environments, we believe that these approaches are core to effective defence against — and subsequent deterrence of — adversarial threats across both the public and commercial sectors.
They’re not slowing. Neither can we.
Help to shape and govern the work of techUK’s Cyber Security Programme
Did you know that nominations are now open* for techUK’s Cyber Management Committee? We’re looking for senior representatives from cyber security companies across the UK to help lead the work of our Cyber Security Programme over the next two years. Find out more and how to nominate yourself or a colleague here.
*Deadline to submit nomination forms is 17:00 on Tuesday 18 October.
Cyber Innovation Den
On Thursday 3 November, techUK will host our fourth annual Cyber Innovation Den online. This year we’ll explore efforts being made to realise the ambition set out in the National Cyber Strategy, with speakers taking a look at the progress we’ve seen to date, including the foundation of the UK Cyber Security Council, the reinvigoration of the Cyber Growth Partnership and the continued growth in the value of the sector to the UK economy.
Cyber Security Dinner
In November techUK will host the first ever Cyber Security Dinner. The dinner will be a fantastic networking opportunity, bringing together senior stakeholders from across industry and government for informal discussions around some of the key cyber security issues for 2022 and beyond.