US Cyber-Defense Agency Urges Companies to Automate Threat Testing


The US government’s cyber defense agency recommends for the first time that companies embrace automated continuous testing to protect against long-term online threats.

The guidelines, from a cluster of US and international agencies published Wednesday, urge companies to strengthen their defenses by continually validating their security program against known threat behavior, rather than taking a more piecemeal approach.

“The authors recommend that you continue to extensively test your security program,” reads a warning from the Cybersecurity and Infrastructure Security Agency and several other US and international agencies. The same warning said that malicious cyber actors allegedly affiliated with the Iranian government’s Islamic Revolutionary Guard Corps are exploiting known vulnerabilities for ransom operations.

An official at CISA told Bloomberg ahead of the announcement that emulating adversaries and testing defenses against them is key to defending against cyber-attacks.

Central to the effort is a freely available list of the most common cyber-attack tactics and procedures, first made public in 2015 by MITRE, a federally funded research and development center, and now regularly updated. While many organizations and their security contractors are already consulting that list, too few organizations verify that their systems can actually detect and overcome them, the CISA official said.

Automated threat testing is still not very widespread, according to the official, who added that organizations sometimes fail to follow through after deploying expensive tools on their network and instead just assume the tools are doing the job.


Automating security checks makes it easier to prevent attackers from relying on established tactics. The main threat actors are still going back and exploiting vulnerabilities that are 10 years old or older, the CISA official warned.

CISA is making the recommendation in partnership with the Center for Threat-Informed Defense, a 29-member nonprofit organization founded in 2019 and building on MITRE’s framework.

Iman Ghanizada, global head of autonomous security operations at Google Cloud, a research sponsor of the Center, said automated testing is important for creating continuous feedback loops that can steadily improve protection.

“Whether you’re a large company or a startup, you need visibility, analytics, response, and continuous feedback,” he said. It makes a big difference to test cybersecurity protection in the real world, rather than just in lab conditions, Ghanizada said.

A growing number of cybersecurity companies, including AttackIQ, Cymulate, Mandiant, Picus Security and SafeBreach, offer so-called breach and attack simulations and other security validation services. The CISA official said the agency is agnostic about which supplier companies are using.


Martin Petersen, chief information security officer at facilities management giant ISS A/S, said he persuaded his company to implement automated testing after a 2020 ransomware attack. The breach left hundreds of thousands of employees without access to email and other systems.

The company’s three-year contract with AttackIQ, a founding member of the Center for Threat-Informed Defense, costs $300,000 per year. ISS calculated the price was cheaper than deploying so-called penetration testers, which do similar work but less regularly and effectively, he said.

Petersen said that, as a result of continuous testing, the company had improved tamper protection around its 60,000 endpoints, making it more difficult to disable malware protection. It also fixed “funny” Windows configurations and local firewall settings that could have been vulnerabilities.

He added that the company had also “significantly increased” its cybersecurity budget, which it now puts at 7.5% of its information technology budget. He declined to say what the figure was before the attack, but said it would continue to rise next year.

JetBlue Airways Corp. also relies on AttackIQ, a California-based company founded in 2013. The airline turned to automated continuous testing, in part because a government threat warning is “usually quite slow and of little value by the time it gets to us,” said Tim Rohrbaugh, its chief information security officer since 2019.


Current protections often fall short, according to a new study from AttackIQ coming out Wednesday. Cloud-based customers’ overall cybersecurity controls — also known as endpoint detection and response systems, which aim to automatically detect and block compromises in real time — stopped what the company rated as the top seven attack techniques 39% of the time by 2021, it found. And, according to the report, none of the more than 100 cloud-based companies in the study prevented all seven of the “deadly” techniques.

Jonathan Reiber, AttackIQ’s vice president for cybersecurity strategy and policy and one of the authors of the report, said continuous automated testing can help identify changes in personnel and equipment that undermine cybersecurity protection. He likens the approach to actively searching for potential threats rather than collecting fingerprints in the aftermath of an incident – a retroactive approach known as the search for ‘indicators of compromise’.

“People just don’t have enough data,” he said. “Often the attacker is the only feedback mechanism people have.”

Copyright 2022 Bloomberg.
