By: Matt Choi
May 27, 2021
Fighting Fire: How MITRE Helps Cybersecurity Teams Stay Cool Under Pressure
Pressure is ramping up for cybersecurity teams. As noted by Forbes, attack volumes increased by 435% in 2020 alone, ransomware cost companies more than $11.5 billion, and at least 125 distinct malware families have now been detected worldwide.
The result? It is not a matter of if your business will come under fire. Instead, it is a series of stressful questions: When, how long, and to what extent will systems and networks be targeted?
For infosec professionals, this creates a functional flashpoint: to handle current attack vectors and manage emerging threats alike, fighting fire with fire is fundamental. But with malicious actors constantly on the move, how do teams stay cool under pressure?
The Heat Is On
Three conditions have conspired to turn up the heat on cybersecurity teams.
First is the rapid adoption of cloud computing frameworks to store, move and manage information at scale. With data volumes and sources quickly ramping up — and intelligent analysis critical for competitive success — this shift towards the cloud is critical. However, it also puts increasing strain on security teams, who must manage and monitor these assets at scale.
Next is the cybersecurity skills gap. Recent estimates, noted by Infosecurity Magazine, put the shortfall at more than three million security professionals, a slight decline in the gap from last year. Fortunately, demand has increased as companies grapple with the realities of remote work, meaning that trained and certified staff are more sought-after than ever.
Evolving attack vector varieties are also fanning the flames. From the ongoing success of ransomware tools and DDoS attacks, to the increasing use of fileless malware capable of evading traditional defenses, to the more recent uptick in pandemic-themed targeted phishing attacks, there is no single, overriding source of security concern. Instead, firms face the certain knowledge that certainty is an illusion: attacks could come from anywhere, at any time.
The last thing cybersecurity teams should be doing when sparks fly is searching for fire extinguishers. When attacks occur, the ideal outcome is a controlled burn: find the source of the fire, snuff it out as quickly as possible and then remediate any damage caused.
But this is easier said than done.
Here is why: skill mastery is critical to staying cool under pressure. As noted in the 2015 research paper "Development of teaching expertise viewed through the Dreyfus model of skill acquisition," this mastery has two key components: skill acquisition and deliberate practice.
What does this mean for cybersecurity teams? While knowledge of common threat vectors and the in-situ experience of responding to these threats are beneficial, they offer the biggest benefit in tandem.
Consider an IT professional tasked with securing corporate network services who lacks any formal skills training. While repeated exposure to malware threats will eventually improve their practical response, the time required to reach mastery could put critical infrastructure at risk in the meantime.
Now imagine an infosec expert with a host of relevant certifications but no real-world experience, and put them in the situation described above. There is a steep learning curve to applying that training effectively, especially when alerts are firing, data is at risk and critical systems are starting to fail.
By pairing these two approaches — providing staff with both the tools and the training they need to address immediate attacks and defend against evolving threats — companies can kick-start skills mastery and help teams stay cool under pressure.
Moving Toward Mastery with MITRE
Recent survey data found that 80% of security professionals felt inadequately prepared to defend their organization, and 68% believed this was in part because their company did not provide the right training to help reduce total risk.
The result? Cybersecurity teams recognize the disconnect between current skills and critical knowledge and are looking for a way to bridge the gap. The MITRE ATT&CK matrix offers a way to jumpstart mastery with globally accessible knowledge of adversary tactics and techniques based on real-world observations.
Areas of mastery include:
- Reconnaissance: Staff gain knowledge of common attacker reconnaissance techniques, including active scanning and data gathering across network, host and organization sources, open websites and technical databases.
- Initial Access: Initial access training covers drive-by compromise, exploitation of public-facing applications, hardware additions and supply chain compromise.
- Execution: From command and scripting interpreters to native API abuse and Windows Management Instrumentation, execution training prepares teams for common attacker techniques.
- Persistence: Attackers are not just concerned with gaining access — they also look for ways to maintain a presence over time. Understanding boot scripts, implanted container images and hijacked execution flow helps teams stay ahead of cybercriminals.
- Credential Access: Armed with valid credentials, malicious actors can evade common security tools and gain unfettered access. Knowledge of common techniques such as brute force, forged web credentials, network sniffing and session cookie theft lets teams stay one step ahead.
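As an added illustration (not code from the article or from MITRE), the script below shows how ATT&CK tactic and technique labels attach to a simple detection: it scans constructed SSH authentication log lines for the brute-force pattern listed under Credential Access above, and flags a later successful login from the same source as use of valid credentials. The log lines, the failure threshold and the function names are assumptions; the technique IDs T1110 (Brute Force) and T1078 (Valid Accounts) are the public ATT&CK identifiers.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the article or any real system).
SAMPLE_LOG = """\
Jan 10 08:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 4010 ssh2
Jan 10 08:00:02 host sshd[102]: Failed password for admin from 203.0.113.7 port 4011 ssh2
Jan 10 08:00:03 host sshd[103]: Failed password for root from 203.0.113.7 port 4012 ssh2
Jan 10 08:00:04 host sshd[104]: Failed password for oracle from 203.0.113.7 port 4013 ssh2
Jan 10 08:00:05 host sshd[105]: Failed password for root from 203.0.113.7 port 4014 ssh2
Jan 10 08:00:06 host sshd[106]: Accepted password for root from 203.0.113.7 port 4015 ssh2
Jan 10 08:01:00 host sshd[107]: Failed password for alice from 198.51.100.9 port 5000 ssh2
Jan 10 08:01:10 host sshd[108]: Accepted password for alice from 198.51.100.9 port 5001 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")

# ATT&CK labels attached to each finding: (tactic, technique ID and name).
BRUTE_FORCE = ("Credential Access", "T1110 Brute Force")
VALID_ACCOUNTS = ("Initial Access", "T1078 Valid Accounts")


def analyze(log_text, threshold=5):
    """Return (source_ip, tactic, technique) findings for the given log text.

    A source is flagged for Brute Force once it reaches `threshold` failed
    logins; a subsequent successful login from a flagged source is flagged
    as Valid Accounts, the 'attacker now holds working credentials' case
    that a defender most needs to notice.
    """
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] == threshold:      # flag once, at the threshold
                findings.append((src, *BRUTE_FORCE))
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= threshold:
            findings.append((m.group(2), *VALID_ACCOUNTS))
    return findings


if __name__ == "__main__":
    for src, tactic, technique in analyze(SAMPLE_LOG):
        print(f"{src}: {tactic} / {technique}")
```

A single failed login from the second source stays below the threshold and is not reported, which is the distinction between a typo and a password-guessing campaign that the threshold is meant to capture.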
With the speed and sophistication of malicious attacks ramping up, even seemingly small digital fires can quickly burn out of control. Armed with the right combination of practical experience and in-depth skills training, however, teams can stay cool under pressure and reduce the risk of IT catastrophes.