Iron Rain: Cybersecurity Is an Ever-Changing Battlefield


The ever-changing battlefield. Just like in combat operations, cyber operations change on a second-to-second basis. To effectively combat an insurgency, one must move to an intelligence-driven operations center. Internal and external threat intel become crucially important to combating attackers.

Understand Your Variables

Leaders need to understand the ever-shifting landscape of their environment. In a tactical sense, this can be best facilitated in an automated fashion by collecting and using the proper telemetry and intelligence.

Strategic understanding of your environment will be key to driving a winning strategy. You will need to understand at least the following (to list a few):

- How much time does your staff have? What was the delta in dwell time for the last adversary?
- What is your security budget?
- What tools do you have? Are they integrated?
- What is the culture of your organization?
- How are they attacking you, and to what aim?

The war for our systems is upon us. It’s time we adopt new ways of thinking about the problem. We need to think less like law enforcement and soldiers and more like an insurgent.

Counterinsurgency in cyberspace manifests shared risk. We must clandestinely observe the adversary and suppress their activity as we force them to become resource constrained.

According to Carbon Black’s Quarterly Incident Response Threat Report (QIRTR), counterinsurgency is playing out in a number of ways:

Nearly half (46%) of incident response professionals say they’ve experienced instances of counter incident response, another concerning sign that attackers have become increasingly sophisticated and are initiating longer-term campaigns — as well as a clear signal that incident response must get stealthier.

Nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organization. They’re getting in, moving around and seeking more targets as they go. Of note, 100% of respondents say they’ve seen PowerShell used for attempted lateral movement.

A growing number of hackers won’t stop at a single network — they’re after your clients’ partner and customer infrastructure as well. A full 36% of our respondents say they see attacks where the victim was primarily used for island hopping.

Intrusion suppression is a viable architectural model whose core tenet lies in whether you can detect, deceive, divert, contain, and hunt an adversary, unbeknownst to the adversary. We must dig at the roots of the insurgency’s footprint on our networks. Begin the hunt.

“Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent’s fate.” – Sun Tzu

The commercial cyber equivalent of that would be: identities, data, systems, applications and communications. Is my list of identities accurate? How do I ensure no unauthorized identities have been added or privileges escalated? For example: is the list of data updated manually or automatically, and how do I know a change has been made?
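One way to answer the identity question above is to diff two inventory snapshots and flag any addition, removal or privilege change that has no approved change record behind it. This is an added example, not Carbon Black’s code; the snapshot format, privilege tiers, sample identities and the approved-change set are constructed assumptions.

```python
"""Identity-inventory drift check: which identities were added or removed and
whose privileges changed between two snapshots, and which of those changes
lack an approved change record.  Added example, not Carbon Black code; the
snapshot format, privilege tiers and sample identities are assumptions."""
from typing import Dict, List, Set, Tuple

# Assumed privilege tiers, least to most privileged.
PRIV_RANK = {"user": 0, "helpdesk": 1, "admin": 2, "domain_admin": 3}

# Constructed sample snapshots: identity -> privilege tier.
BASELINE = {"alice": "user", "bob": "helpdesk", "svc_backup": "admin", "carol": "user"}
CURRENT = {"alice": "user", "bob": "domain_admin", "svc_backup": "admin", "mallory": "admin"}
# Identities whose change is covered by an approved change-management ticket (constructed).
APPROVED = {"carol"}  # carol's removal was an approved offboarding

def rank(tier: str) -> int:
    """Map a tier to its rank; an unknown tier is itself a finding, so fail loudly."""
    if tier not in PRIV_RANK:
        raise ValueError(f"unknown privilege tier: {tier!r}")
    return PRIV_RANK[tier]

def diff_identities(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return added/removed identities and privilege changes, in a stable order."""
    findings: Dict[str, List[str]] = {"added": [], "removed": [], "escalated": [], "reduced": []}
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before is None:
            findings["added"].append(f"{name} ({after})")
        elif after is None:
            findings["removed"].append(f"{name} ({before})")
        elif rank(after) > rank(before):
            findings["escalated"].append(f"{name} {before}->{after}")
        elif rank(after) < rank(before):
            findings["reduced"].append(f"{name} {before}->{after}")
    return findings

def unapproved(findings: Dict[str, List[str]], approved: Set[str]) -> List[Tuple[str, str]]:
    """Changes with no approved ticket: the ones a hunt team should look at first."""
    out: List[Tuple[str, str]] = []
    for category in ("added", "removed", "escalated", "reduced"):
        for entry in findings[category]:
            if entry.split()[0] not in approved:  # entry starts with the identity name
                out.append((category, entry))
    return out

if __name__ == "__main__":
    for category, entry in unapproved(diff_identities(BASELINE, CURRENT), APPROVED):
        print(f"UNAPPROVED {category}: {entry}")
```

Run against the constructed snapshots, the check reports mallory’s unexplained admin account and bob’s jump to domain_admin, while carol’s approved removal is silent.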

As you begin to shift your operations, the following are important to focus on:

- Realistic Threat Profile
- Current Control Framework
- Understanding Business Strategy
- Understanding the people and their normal
- External and Internal Intelligence Sources
- Change Management
- Fail Fast
- Intel should be available at the lowest level
- Automate, Automate, Automate
- Endpoint Telemetry
- Network Sources

For too long, we have relied on Lockheed Martin’s Kill Chain to understand and predict attacker behavior. This framework does not account for the psychology of the adversary, nor does it truly dig into the tactical phenomena associated with the phases of attack. We would suggest embracing a new, predictive model, one which takes into account the intent and cognition of a cyber criminal – a framework that studies the threat behaviors (a.k.a. the modus operandi) of elite hacker crews and allows you, as the defender, to anticipate and suppress the contemporary phases of a cyberattack.


Interested in learning more about how you can put incident response best practices into use? At Cb Connect 2018 you’ll have the opportunity to connect with other like-minded security users and build your resume while you become Carbon Black Certified. Becoming Carbon Black Certified for Cb Defense, Cb Protection and/or Cb Response gives you the opportunity to: earn continuing professional education (CPE) credits through (ISC)2, strengthen your knowledge of the product, and continue to develop your skills in information. Learn more here.

The post Iron Rain: Cybersecurity Is an Ever-Changing Battlefield appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.
