Organizations need to be able to predict cyberattacks

I’m often asked what new threats we can expect to see in 2021. The good news is the threats themselves (e.g. ransomware, phishing, etc.) are not changing much. The bad news is threat actors are taking their strategy and the technology they’re leveraging to implement their attacks to another level. They’re becoming more innovative and sophisticated by the day, and many organizations are struggling to keep up.

Out with the old

Cybersecurity efforts continue to be largely reactive – security teams detect intrusions after the fact, when cybercriminals have already breached the company’s network and stolen data or inserted malware that will do further damage later.

Organizations are often reactive because they lack visibility into threats: they still rely heavily on tools like security information and event management (SIEM) for advanced monitoring, yet SIEM tools can only detect about 1 percent of advanced attacks. The traditional prevention approach is therefore only part of a holistic security strategy.

With threat actors leveraging automation and machine learning to scale their initiatives and outsmart incident response teams, it’s time for organizations to rethink their cybersecurity strategy and move to a more proactive and predictive approach. How can they achieve this? By gaining insight and intelligence into the full threat surface and monitoring cybercriminal activity to detect threat patterns. Embracing this approach will enable an organization to react more quickly to breaches and perhaps even prevent them, or at least minimize the damage to the network.

Seeing the bad guys coming

Moving from the current reactive model to a more predictive one, however, isn’t about adding another weapon or two to your technology arsenal. It doesn’t just mean employing the latest in AI or deploying more tools like encryption, multi-factor authentication, and vulnerability scanning. Companies need to look for threats.

By conducting regular security assessments, initiating penetration testing, and reviewing software code, the security team can identify and resolve issues before they escalate to the critical incident level.

The change to a more predictive model involves a major shift in the way organizations think about cybersecurity. This is a challenging undertaking and will require, in many cases, a major overhaul in terms of the way the security team thinks about and executes on security strategy, and there needs to be buy-in across the organization, including at the executive level.

The good news is that forward-looking leadership at many companies is beginning to recognize the need for a new cybersecurity model. Many executives are finally seeing that a more predictive model can provide a solid return on investment, with the cost of making a change far less than the cost of a major breach.

Your threat intelligence toolkit

Another bit of good news is that there are some good predictive tools already on the market; the industry is maturing.

Predictive analytics can look at the threat landscape and warn companies about the places where cybercriminals are most likely to attack next. In many cases, a predictive analytics tool can handle huge volumes of data from inside and outside the organization and model cyberthreat trends.

Cyberattack simulation tools are a related set of technologies. These tools allow companies to simulate attacks against their networks and data centers, then improve defenses after reviewing the results. In some cases, these tools take automated actions to shore up defenses.

Companies and their cybersecurity service providers can set up honeypots and other deception technology systems that are designed to be attacked, so that incident response teams can study criminals’ latest techniques as they are used; this, again, can help predict and prevent new attacks.

Another way for companies to become more predictive is to join their industry’s information sharing and analysis center (ISAC), an organization that collects, analyzes and disseminates actionable threat information to its members.

Don’t forget your incident response plan

You’ve now successfully revised your security strategy from a reactive one to a holistic security operations model that includes not only a SIEM, but also ongoing monitoring, threat intelligence, incident analysis and managed support. Now, you can relax, right? Not quite.

Companies should still have an incident response plan in place. This is a key part of your holistic cybersecurity strategy and can make the difference between a breach with minimal damage and a catastrophic one. A few recommended strategies include:

Mapping the tactics, techniques and procedures (TTPs) used by ransomware groups helps to understand their strategy, the time it takes them to deploy the ransomware, and how much time an incident response team has to discover, escalate and remediate. Ryuk, for example, deploys within hours of infection, whilst Nefilim takes weeks.

Focusing on threat intelligence, so incident response teams can act as hunters and detect threats early on and even predict threats by analyzing patterns and offender profiling. Early detection and prediction are crucial, as these days response teams have minutes or less to respond to an attack.

A reliable offline backup solution is important for a successful recovery. Incident response teams are usually notified after an attack has happened, so at this stage prevention isn’t entirely possible. However, ransomware does not encrypt all files at once, so organizations should disconnect large file storage and systems while the response team identifies the specific malware and blocks it using EDR tools. This is the identify, prevent, and recover approach.

The bottom line is, there are tools and support available. The first step is to recognize the need to shift your cybersecurity operations model to a more proactive and predictive one and then begin to take the steps to get there.

Ron Newman, SVP, NTT Ltd