Taking the Assume Breach approach

In a world where people need to collaborate and communicate, and users work with various business systems, it’s outright impossible to reach 100% protection against all existing and future attacks. No defence is perfect, ever. Against current and future cyber threats, it is important to have an ‘Assume Breach’ mindset. This means that, sooner or later, a cyber incident will inevitably happen. Whether the attack is a smaller or bigger incident, it’s crucial that you have prepared yourself for such a situation.

Article by Mika Rintamäki

The traditional approach has been for companies to focus mainly on preventive controls. Here, efforts are focused on for example network security, firewalls and anti-virus solutions, which seek to prevent the attacker from breaking into your systems. Today, preventative security controls are not enough.

By taking the ‘Assume Breach’ approach, companies will have both the technical capabilities and softer process capabilities in place. On the technical side, we refer to Detect and Response security capabilities. In these cases, the objective should be to detect a cyber-attack on the company environment as quickly as possible.

During an attack, time is of the essence. Through early detection, companies can better mitigate the impacts of an incident. Having a playbook ready, or as ready as possible, will help your company survive an attack. In the playbook, you should have clear procedures on what actions need to be taken, how these will be completed, and by whom. The focus should be on restricting or isolating the damage as early as possible.

Assume Breach is for those who look at cyber security holistically and are preparing for all cyber risk scenarios

You have been breached

To succeed you need to have very good visibility on the endpoint level as well as on network level. This helps security teams successfully manage:

  • network traffic (e.g. traffic logs, NetFlow, full packet captures)
  • endpoint usage statistics, such as process trees network traffic, memory contents etc.

Automation and predefined rules can help you detect indicators of compromise, also more modern artificial intelligence or machine learning solutions can be used to detect behaviour-based alerts. This is especially needed when the attacker is not directly utilising previously known methods. In fact, skilled attackers are able to carefully cover their tracks, and do not need to apply much brute force. This helps them avoid detection, for example by increased traffic volumes.

Use a structured approach to perform what is commonly known as ‘Red Team’ testing. Essentially, working with a trusted partner, preferably a skilled and trusted security company, to attempt to break into your environment. This will help you test your security controls and uncover any issues or shortcomings in your protection systems.

Risk management perspective

From a risk management perspective, cyber risk scenarios need to be included in both Disaster Recovery planning as well as in other company crisis exercises. Once you have completed a major cyber incident crisis exercise, you are better prepared for such an attack if it were to occur in reality.

It is worth noting that larger cyber incidents often happen by surprise and are executed in a way that you were not expecting. The truth is that you cannot train for every possible scenario, however a good practice is to prepare for various situations, practicing how to handle these, and testing for attacks regularly. This will increase confidence in your system for when an actual cyber incident happens.

“Prevent Breach” mindset

In closing, it is important to note that the “Prevent Breach” mindset remains vital, as this is most definitely still needed. Companies must have good preventive security controls in place, e.g. security patching, malware protection and firewalling. These are fundamental requirements that have not gone away, they are still mandatory.

By applying both of these approaches, companies can increase their preparedness for a cyber attack and capabilities to reduce the impacts of an incident when it occurs.

Note that it is an essential and valuable practice to regularly test and verify that your existing prevention systems are in working order. This will help to evaluate how detection and response is working in practice, if you were attacked today.