Are Your Organization’s Critical Assets Five Steps or Fewer from A Cyber Attacker?

By Gus Evangelakos, Director Field Engineering, XM Cyber

Cybersecurity is an asymmetric battle — and one in which attackers hold an unfair advantage. Adversaries maintain the initiative and can attack from novel and unexpected angles, while defenders are forced into a reactive role.

The asymmetric nature of cybersecurity isn’t the sole reason data breaches continue to rise every year, of course. The popularity of cloud computing and constant expansion of the attack surface also present substantial ongoing challenges for today’s organizations.

This raises an interesting question: Just how quickly can critical assets be exfiltrated by cyber attackers? The 2020 Verizon Data Breach Investigations Report (DBIR) sheds some light on how attacks are unfolding — and why adversaries often need only a handful of steps to expose the most valuable “crown jewel” assets.

The Landscape Has Never Been More Favorable for Adversaries

Understanding just how vulnerable your systems are is key to assessing risk. This applies to the specifics of our security environments and the larger conditions that affect how and why breaches occur.

Misconfiguration errors — which remain at epidemic levels — are one reason why attack paths are often so short and direct. Cloud migration mandates, building remote workforce capabilities, managing access on the fly — all of the demands placed on IT professionals create conditions that are highly conducive to misconfigurations. If you look at the highest-profile data breaches of the last five years, misconfigurations pop up as the culprit again and again.

Launching successful attacks has also never been easier or more accessible, particularly for adversaries with low to moderate skill and limited resources.

  • Deloitte estimates a low-end cyber-attack costing just $34 a month could generate $25,000.
  • A phishing campaign for $30 a month can return $500 a month.
  • Keylogging can return $723 a month for as little as a $183 investment.
  • More sophisticated attacks costing a few thousand dollars could return as much as $1 million per month.

Yet whether you’re dealing with an amateur equipped with cheap darknet malware or a sophisticated Advanced Persistent Threat, one thing doesn’t change: Nobody wants to waste time on hard targets. The shortest path is always the most attractive.

Five Steps — Or Less — From Danger

Attackers have many paths they can choose to target specific assets. Defenders, meanwhile, must try to visualize and map all the variables related to those paths and manage any vulnerabilities — certainly no small task. Hardening the environment by reducing the number of obvious pathways is vitally important, as many attackers will simply move on to the next target when faced with a resilient security posture. Attackers are just as concerned about efficiency and ROI as any conventional business.

This means that organizations that can develop security robust enough to require a long procession of steps are best positioned to deter attacks. Verizon’s 2020 DBIR shows that the average breach requires fewer than five steps. Beyond 20 steps, attacks begin occurring with vastly less frequency. Interestingly, hacking and malware-based attacks tend to be highly overrepresented among attacks requiring more than 10 steps, while attacks based on errors, misuse or social paths are highly clustered within the fewer-than-five-steps category.

Adversaries prefer short paths and rarely attempt longer or more complex attacks — the numbers attest to this. This means that any action taken to increase the number of steps adversaries must take also reduces the odds of a successful breach.

What Organizations Can Learn From This

Deterring attackers often comes down to one thing: Being a harder target than the next guy. Adversaries will typically take the path of least resistance. In practical terms, this means focusing on a few key areas:

  • Creating a true security culture within your organization. It’s essential to create buy-in from the C suite on down. Every strategic decision should be viewed, in part, through the lens of cybersecurity.
  • Human error — the kind that can compromise critical assets in a few short steps — is inevitable. Raising awareness of best security practices through routine training will only do so much before returns begin diminishing. One way to manage this risk is to commit to a security posture focused on continuous improvement.
  • Automated penetration testing (using tools such as breach and attack simulation software) can help develop a harder and more resilient security environment. By continuously probing your own defenses for vulnerabilities, you can uncover gaps before they are exploited and wrest the initiative from attackers — making the battle of cybersecurity less asymmetrical.
  • Gaining insight into how attackers can move laterally to compromise your assets is a core challenge. Determine how many steps it would take and what remediation steps will close the attack path. Again, automated penetration testing tools that provide prioritized remediation recommendations can be helpful in this regard.
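
To make the step-counting idea concrete, here is an added example (not from the original article or from any vendor tool) that models an environment as a graph of hops, counts the steps from an entry point to a critical asset, and ranks single remediations by how much they lengthen or close the shortest path. The hosts and findings are constructed sample data.

```python
from collections import deque

# Constructed sample environment: each edge is (source, target, finding that
# makes the hop possible). All host names and findings are hypothetical.
EDGES = [
    ("internet", "web-server", "exposed admin panel"),
    ("web-server", "app-server", "shared service account"),
    ("app-server", "db-server", "stored DB credentials"),
    ("internet", "vpn-gateway", "phished user credential"),
    ("vpn-gateway", "workstation", "flat network segment"),
    ("workstation", "file-server", "over-permissive share"),
    ("file-server", "backup-server", "reused local admin password"),
    ("backup-server", "db-server", "backup agent trust"),
    ("web-server", "db-server", "misconfigured firewall rule"),
]

def shortest_path(edges, start, target):
    """Breadth-first search; returns the node list of a shortest path or None."""
    graph = {}
    for src, dst, _ in edges:
        graph.setdefault(src, []).append(dst)
    parents, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None

def steps(edges, start, target):
    """Number of hops on the shortest path, or None if the asset is unreachable."""
    path = shortest_path(edges, start, target)
    return None if path is None else len(path) - 1

def rank_remediations(edges, start, target):
    """For each finding, report the step count left after fixing only that one."""
    results = []
    for i, (_, _, finding) in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        results.append((finding, steps(remaining, start, target)))
    # Fully closed paths (None) first, then longest remaining path first.
    return sorted(results, key=lambda r: (r[1] is not None, -(r[1] or 0)))
```

In this sample the critical asset starts two steps from the internet; fixing the single finding at the top of the ranking pushes the shortest remaining path out to five steps.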

In Conclusion

Given that critical assets are often just a handful of steps from danger, it’s imperative to harden your security environments and work toward continuous improvement. For more information on this topic, I heartily recommend a recent webinar hosted by Security Scorecard that delves into these issues in greater detail.

About the Author

Gus Evangelakos is the Director of North American Field Engineering at XM Cyber. He has extensive experience in cybersecurity, having managed implementations and customer success for many major global brands such as Varonis, Bromium and Comodo. Gus has also spent a decade working on the client side, supporting IT infrastructure and cybersecurity projects. He has a strong background in micro virtualization, machine learning, deep learning (AI), sandboxing, containment, HIPS, AV, behavioral analysis, IOCs, and threat intelligence. Gus can be reached online via LinkedIn and at our company website.

March 19, 2021
