NCSS 2023

25-27 APRIL 2023


National Cyber Security Show

16 Dec 2022

Compromised Mindset, Assume Breach. How to Reduce Risk with Proactive Defence

SenseOn Stand: 4/L21

Why Adopt a Compromised Mindset?

Most organisations are complex—and getting more so. Legacy systems co-exist with sprawling collections of cloud assets. Trends like M&As and remote working can open up massive holes in an organisation’s security posture overnight. 

Complexity is making the already hard job of reducing cyber risk and ensuring business continuity almost impossible.

In PwC’s latest 2022 Global Digital Trust Insights Survey, three-quarters of executives said that growing complexity within their businesses is leading to concerning cybersecurity risks.

The reason why: evolving attack surfaces present an opportunity for attackers. Cybercriminals love to go after assets which organisations have forgotten exist, failed to patch, or misconfigured.

As many as 70% of companies that fell victim to a cyber attack last year had a vulnerability in an asset they were unaware of. 

Threat actors are also getting better at evading the security controls designed to stop them. Although it might sound pessimistic, the truth is that determined and well-resourced attackers will almost always find a path to compromise.

This is especially true for adversaries seeking long-term access to an organisation’s digital estate. Traditionally this meant nation-state actors but increasingly also includes profit-motivated criminals. Researchers have observed several cybercriminal operations using Tor-based backdoors to gain ongoing access to compromised networks. 

Adopting a Compromised Mindset

Adopting a compromised mindset and assuming breach means starting with the point of view that your organisation has been compromised and then systematically proving or disproving this idea. 

Threat hunting and being proactive about your security is a way of verifying that your controls are effective and investments are worthwhile.

Here’s how to adopt a compromised mindset and assume breach. 

Start with understanding your adversary 

Know your enemy. 

Figure out what the most likely threats to your organisation are, and focus on putting in place controls that can both protect against them and detect them specifically. 

If you’re not sure where to start, look at your competitors and peers within your industry. 

Have they suffered any attacks lately, and if so, from whom? Although not all attacks are made public, a fraction of those that are get detailed write-ups. Take advantage of these write-ups to dig into the technical detail and see whether a tactic or technique that impacted your peer could also be used against you.

If an organisation in your industry has fallen victim to a cyberattack, it is prudent to assume you are a target for the same attacker: the same tooling, and often the same initial access method, is reused against similar organisations.

Write-ups are not your only resource, though. You can also use MITRE ATT&CK, a knowledge base that documents the tactics and techniques used by threat actors in the wild, to see who your adversaries might be.

For example, if a specific nation-state is a threat to your industry, ATT&CK can help you understand what groups may be linked to it and the types of tactics and techniques these groups are known to use. 

An easy way to bring together all the attack techniques that matter to your organisation is to use ATT&CK Navigator, a web-based tool that makes it easier to analyse threats and build heat maps. 

In the UK, companies can also join the Cyber Security Information Sharing Partnership, or CISP, a joint government and industry initiative that lets UK organisations share cyber threat intel in real-time. 

Then, look at your security controls 

Once you have a heat map of the tactics and techniques used by the threat groups that pose a risk to your organisation, overlay your own security controls on it to visualise your defensive coverage.

This shows, technique by technique, where your controls actually prevent or detect the specific threats you face, and where the gaps are. A control that prevents a technique but cannot detect it still leaves you blind if the prevention is bypassed, so it is worth scoring prevention and detection separately.
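The overlay described above, as an added worked example (this is not SenseOn code or an ATT&CK project tool). It takes a constructed threat profile (two hypothetical groups, GROUP-A and GROUP-B, with real ATT&CK technique IDs) and a constructed control inventory, scores each technique on whether it is prevented, detected, both or neither, lists the detection gaps hottest-first, and emits a layer file that ATT&CK Navigator can load as a heat map. The Navigator version strings in the layer are assumptions; set them to match the Navigator release you use.

```python
"""Overlay a control inventory on an adversary technique heat map and emit an
ATT&CK Navigator layer. Added example; not SenseOn code. The group names and
control inventory are constructed; the technique IDs are real ATT&CK IDs."""
import json
from collections import defaultdict

# Constructed threat profile: techniques used by two hypothetical groups that
# the earlier research (write-ups, ATT&CK group pages, CISP) put on our radar.
THREAT_PROFILE = {
    "GROUP-A": {
        "T1566": "initial-access",       # Phishing
        "T1059": "execution",            # Command and Scripting Interpreter
        "T1053": "persistence",          # Scheduled Task/Job
        "T1003": "credential-access",    # OS Credential Dumping
        "T1021": "lateral-movement",     # Remote Services
        "T1090": "command-and-control",  # Proxy (covers Tor-style multi-hop proxies)
    },
    "GROUP-B": {
        "T1078": "initial-access",       # Valid Accounts
        "T1110": "credential-access",    # Brute Force
        "T1059": "execution",
        "T1547": "persistence",          # Boot or Logon Autostart Execution
        "T1486": "impact",               # Data Encrypted for Impact
    },
}

# Constructed control inventory: the techniques each control prevents / detects.
CONTROLS = {
    "mail-gateway":      {"prevents": {"T1566"}, "detects": {"T1566"}},
    "mfa":               {"prevents": {"T1078", "T1110"}, "detects": set()},
    "edr":               {"prevents": {"T1003"}, "detects": {"T1059", "T1003", "T1053", "T1547"}},
    "egress-proxy-logs": {"prevents": set(), "detects": {"T1090"}},
}


def technique_heat(profile):
    """Heat = number of tracked groups using each technique, plus its tactic."""
    heat, tactic = defaultdict(int), {}
    for techniques in profile.values():
        for tid, tac in techniques.items():
            heat[tid] += 1
            tactic[tid] = tac
    return dict(heat), tactic


def coverage(profile, controls):
    """Per technique: heat, tactic, preventing/detecting controls and a score
    (0 = no control, 1 = prevent-only or detect-only, 2 = both)."""
    heat, tactic = technique_heat(profile)
    out = {}
    for tid in heat:
        prevent = sorted(c for c, m in controls.items() if tid in m["prevents"])
        detect = sorted(c for c, m in controls.items() if tid in m["detects"])
        out[tid] = {"heat": heat[tid], "tactic": tactic[tid], "prevent": prevent,
                    "detect": detect, "score": int(bool(prevent)) + int(bool(detect))}
    return out


def detection_gaps(cov):
    """Techniques no control detects, hottest first. A prevent-only control
    (e.g. MFA against T1110) still leaves you blind if it is bypassed."""
    return sorted((t for t, c in cov.items() if not c["detect"]),
                  key=lambda t: (-cov[t]["heat"], t))


def navigator_layer(cov, name="Control coverage vs threat profile"):
    """Build an ATT&CK Navigator layer (layer-format 4.x field names; the
    version strings are assumptions, adjust them to the Navigator you load into)."""
    return {
        "name": name,
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "score 0 = uncovered, 1 = prevent or detect only, 2 = both",
        "techniques": [
            {"techniqueID": tid, "tactic": c["tactic"], "score": c["score"],
             "comment": f"heat={c['heat']} prevent={c['prevent']} detect={c['detect']}"}
            for tid, c in sorted(cov.items())
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
    }


if __name__ == "__main__":
    cov = coverage(THREAT_PROFILE, CONTROLS)
    print("detection gaps (hottest first):", detection_gaps(cov))
    print(json.dumps(navigator_layer(cov), indent=2))
```

Save the printed JSON to a file and open it in Navigator via "Open Existing Layer" to get the heat map; the gap list is the part to take to the board, since it names the techniques your likely adversaries use that nothing in the estate would currently see.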

Review your data

You can break down the data you end up with from the above exercise into charts and graphs: observations per tactic, per month, alongside the hypotheses you set out to test.

Doing so will allow you and other interested parties (like the board) to see the kinds of hypotheses you’ve investigated and what cyber attack techniques you’ve detected in your environment over a period of time at a glance. 

Consistently observed tactics indicate a good hardening opportunity. 

You can also review this data over longer periods of time to see how the improvements you make to your preventative and detective controls start to impact what you see in the real world. 

For example, let’s say in August and September, you observe a significant volume of credential access and persistence tactics and techniques in your environment. However, the volume of these techniques decreases sharply in October. Instead, you notice an increase in execution techniques. 

This is consistent with your credential access and persistence controls working: intrusions are being caught at the execution stage, earlier in the attack lifecycle, before the attacker gets as far as harvesting credentials or establishing persistence. Treat it as a hypothesis to confirm rather than proof, though. A drop in observations of a tactic can equally mean your detection of that tactic has degraded (a log source went quiet, a rule was tuned out), so check that those detections still fire, for example with a controlled test, before crediting the improvement.
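The August-to-October review described above, as an added worked example (not SenseOn code). It runs over a constructed observation log (month, technique, tactic), computes the per-tactic change in monthly observation rate between two windows, quantifies "caught earlier" as a fall in the average attack-lifecycle stage at which activity is observed, and applies the caveat: any tactic whose observations dropped without its detections having been exercised in the later window is flagged as unverified. The lifecycle ordering follows the ATT&CK Enterprise matrix; the set of "validated" tactics is an assumed input from your own testing.

```python
"""Review observed ATT&CK tactics over time and quantify whether intrusions are
being caught earlier. Added example; not SenseOn code. The observation log and
the set of validated detections are constructed."""
from collections import Counter, defaultdict
from statistics import mean

# Tactics in ATT&CK Enterprise matrix (rough attack-lifecycle) order.
LIFECYCLE = ["reconnaissance", "resource-development", "initial-access", "execution",
             "persistence", "privilege-escalation", "defense-evasion", "credential-access",
             "discovery", "lateral-movement", "collection", "command-and-control",
             "exfiltration", "impact"]
STAGE = {t: i for i, t in enumerate(LIFECYCLE)}

# Constructed observation log: (month, technique, tactic). Not real telemetry.
OBSERVATIONS = (
    [("2022-08", "T1110", "credential-access")] * 3 + [("2022-08", "T1003", "credential-access")]
    + [("2022-08", "T1053", "persistence")] * 3 + [("2022-08", "T1059", "execution")]
    + [("2022-09", "T1110", "credential-access")] * 3 + [("2022-09", "T1547", "persistence")] * 3
    + [("2022-09", "T1059", "execution")]
    + [("2022-10", "T1059", "execution")] * 3 + [("2022-10", "T1204", "execution")] * 2
    + [("2022-10", "T1110", "credential-access")]
)


def tactic_counts(observations):
    """Per-month count of observations by tactic."""
    counts = defaultdict(Counter)
    for month, _technique, tactic in observations:
        counts[month][tactic] += 1
    return dict(counts)


def mean_stage(observations, months=None):
    """Average lifecycle stage index of observations in `months` (all if None).
    Lower means activity is being observed earlier in the attack lifecycle."""
    stages = [STAGE[t] for m, _, t in observations if months is None or m in months]
    return mean(stages) if stages else None


def monthly_rate(counts, months):
    """Average observations per month for each tactic across `months`."""
    total = Counter()
    for m in months:
        total.update(counts.get(m, {}))
    return {t: n / len(months) for t, n in total.items()}


def assess_shift(observations, before, after):
    """Compare two windows of months: per-tactic rate change and whether the
    average observed stage moved earlier in the lifecycle."""
    counts = tactic_counts(observations)
    rate_before, rate_after = monthly_rate(counts, before), monthly_rate(counts, after)
    delta = {t: round(rate_after.get(t, 0) - rate_before.get(t, 0), 2)
             for t in set(rate_before) | set(rate_after)}
    ms_before, ms_after = mean_stage(observations, before), mean_stage(observations, after)
    return {"before_mean_stage": ms_before, "after_mean_stage": ms_after,
            "caught_earlier": ms_after < ms_before, "tactic_delta_per_month": delta}


def unverified_drops(delta, validated_tactics):
    """Tactics whose observed rate fell without their detections having been
    exercised (e.g. a controlled test) in the later window. Only a drop with
    validated detection is evidence of better prevention; otherwise it may be
    a blind spot that opened up."""
    return sorted(t for t, d in delta.items() if d < 0 and t not in validated_tactics)


if __name__ == "__main__":
    result = assess_shift(OBSERVATIONS, ["2022-08", "2022-09"], ["2022-10"])
    print(result)
    # Assumed: only credential-access detections were test-fired in October.
    print("drops needing verification:", unverified_drops(result["tactic_delta_per_month"],
                                                            {"credential-access"}))
```

In the constructed data, execution rises by four observations a month while credential access and persistence fall, and the mean stage drops from roughly 5.3 to 3.7, so `caught_earlier` is true. Because only the credential access detections were validated, the persistence drop is reported as unverified: that is the item to test before presenting the chart as good news.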

Understand your limits

Cybersecurity is not a one-off assessment; the threat profile, your estate and your controls all keep changing.

For example, while ATT&CK enables organisations to follow a data-driven process to develop a compromised mindset, it’s critical to remember that threat actors can use new techniques that may not yet be documented. 

Each ATT&CK technique can also have multiple sub-techniques, which can be applied in different ways and in different parts of your estate. You might have effective security controls on your on-premises estate, but will you still be protected if the threat moves to the cloud?

It’s important to be wary of blindspots, whether that’s the cloud, legacy systems, or remote endpoints, and be able to correlate data. Often, an activity that looks benign in one part of the estate (like the endpoint) can indicate an intrusion when looked at with data from other parts of the estate (like the network or the cloud).  

A Compromised Mindset and SenseOn

Although you don’t need any specific tools to adopt a compromised mindset, having a tool stack that helps you take a proactive approach to security and test your hypotheses can be a massive boon. 

This is where SenseOn comes in. 

One of the first products to integrate the ATT&CK framework into its security platform, SenseOn:

  • Consolidates security tools. SenseOn’s “Universal Sensor” software gathers and correlates data from across an organisation’s devices, servers, databases, and cloud environments, eliminating blind spots and replacing the need for complex security stacks. 
  • Automates the investigative process. SenseOn looks for trigger events and maps them to hypotheses based on the ATT&CK knowledge base. SenseOn’s platform then takes action to confirm or deny these hypotheses to produce what we call “Observations,” which are analysed with data from other sources to verify their validity. Only genuine threats are flagged for human analyst attention. 