By Hugo Sanchez, Founder and CEO of rThreat
Just a few weeks ago, the FBI released a statement confirming that their server was hacked over the weekend, resulting in thousands of spam emails warning of a fake cyberattack that were sent to individuals and companies nationwide. In the statement released to address the incident, the bureau clarified that the attack did not compromise their system or allow an outsider to gain access to their data.
The mere fact that this attack was possible, however, highlights the glaring problem with our cyber defenses: they are not impenetrable, and the gaps are not proactively identified because they are not battle tested.
In a world where cyber criminals are getting smarter and our technology is becoming more advanced with every passing day, it is unthinkable that our approach to cyber defenses should remain unchanged. To combat the attacks of tomorrow and shore up our defenses to meet them, cybersecurity needs to pivot in favor of defending forward and using threat emulation – and not simulation – to determine any vulnerabilities.
The concept of modern penetration testing was dreamed up in the 1960s, and in 1967, more than 15,000 computer security experts, government and business analysts gathered together at the annual Joint Computer Conference to discuss concerns that computer communication lines could be penetrated. Early penetration testing was carried out primarily by the RAND corporation and the government, and most systems immediately failed the tests, confirming the validity of the concerns.
Today, penetration testing has evolved to enable ethical hackers to test a system’s vulnerabilities through simulated cyber attacks. A recent survey found that 70% of organizations perform penetration tests as a way to measure their security level and 69% do so to prevent breaches.
But these tests are flawed. Simulations using threat signatures are not enough to ensure defenses are adequate, and testing the capabilities of cyber protections in this way is akin to testing a bulletproof vest by firing blanks.
The biggest difference between attack simulation and attack emulation is that attack emulation showcases a threat actor’s strengths and weaknesses. In an attack simulation, it is possible to recreate the exploitation aspect, but if testers aren’t using the same tools and making the same mistakes that threat actors do, they will be unable to create defenses that detect those same mistakes.
Another problem is that current methods dictate the use of customized and refined attacks to test cyber defenses, when in reality, it’s essential to replicate exactly what the system will be responding to in a real-life scenario, utilizing the same tools and the same mistakes that threat actors use during security tests.
Those that rely on a machine learning or AI-based solution also have to contend with the possibility of causing the program to learn the wrong behavior during simulated attacks, because the attacks are not based on the latest threat intelligence or indicative of what threat actors are using. Additionally, because attack simulations are not real attacks, they run the risk of not being recognized by security controls as a threat, making it impossible to be sure the controls will work in a real-world scenario.
Experts who weighed in on the FBI breach pointed to the possibility that the lack of malicious email attachments was simply due to the hackers finding the vulnerability without a concrete plan to exploit it. But Austin Berglas, a former assistant special agent in charge of the FBI’s New York office cyber branch, summed up the problem quite succinctly: “It could have been a lot worse.”
Leaving our systems vulnerable to attack is unacceptable when there is a better way. Breach and attack emulation solutions are more dynamic in nature, can expose gaps in a company’s infrastructure, and can mimic the tactics of real-world threat actors, allowing organizations to prioritize the gaps that represent the greatest threat to their networks.
We have come a long way in our understanding of cyber threats and methods of detection, but our defenses remain lightyears behind. The government wouldn’t send soldiers into combat with faulty equipment, and it’s time we take that same tack with our cybersecurity. Battle testing our defenses is a necessary next step, and until we do, we are leaving ourselves open to the kind of threats that could bring our country to its knees.
About the Author
Hugo Sanchez is the founder and CEO of rThreat, a breach and attack emulation software that challenges cyber defenses using real-world and custom threats in a secure environment. Learn more about Hugo and his company at www.rthreat.net.