In a recent EM360 podcast episode, Michael Quattrochi, Senior Vice President of Defensive Security here at CyberMaxx, spoke on the “Offense Fuels Defense” approach when monitoring cyber risks. Here are some of the key insights gathered that can improve your posture, reduce the damage of an attack, and minimize business downtime caused by an incident.
Offense Fuels Defense
A unique approach adopted by CyberMaxx, the “Offense Fuels Defense” concept, is thinking like an adversary so you can defend like a guardian. Rather than waiting for a successful attack to incubate before adjusting security controls, you take insights from digital forensic investigations (DFIs), pen tests, and red team operations to improve defensive solutions like MDR proactively.
By thinking like an adversary, you remain vigilant against current and emerging cyber threats, which helps enhance defensive security strategies. Cyber risk is all over the place. However, you can mitigate risk by understanding adversaries’ common tactics that exploit the most common vulnerabilities. For example, while investigating business email compromise (BEC) incidents, the CyberMaxx team noticed an interesting pattern.
“We take out insights gained from our offensive and DFI work and use them to directly improve our [CyberMaxx] defensive services.”
— Michael Quattrochi, Senior Vice President of Defensive Security at CyberMaxx
Nearly every time a threat actor gained access to a mailbox, they would create a new inbox folder with a short, easily overlooked name and set mailbox rules that diverted messages into it, so the mailbox owner never saw the mail the adversary was reading. This pattern prompted the defensive security teams to implement detections that logged, tracked, and notified users of new folders and email forwarding rules, stopping a BEC in its tracks.
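The detection described above, as an added example that is not CyberMaxx code and was not part of the podcast: it scans mailbox audit records for inbox rules that forward, redirect, or hide mail, and raises the severity when the target folder has a short or punctuation-only name. The records are constructed for illustration; their shape (Operation, UserId, Parameters as Name/Value pairs) is an assumption loosely modelled on Exchange Online audit-log exports, while the rule parameter names (MoveToFolder, ForwardTo, MarkAsRead, ForwardingSmtpAddress, and so on) are the real cmdlet parameters.

```python
import re

# Constructed sample audit records (not real tenant data). The field layout
# is an assumption; adapt the loader to your actual audit-log export.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "MoveToFolder", "Value": "alice@example.com:\\Inbox\\."},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Sync"},
                    {"Name": "ForwardTo", "Value": "archive@external-example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "carol@example.com:\\Inbox\\Newsletters"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "dave@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.backup@external-example.net"}]},
    {"Operation": "Set-Mailbox", "UserId": "erin@example.com",
     "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]},
]

# Real inbox-rule parameters that send mail elsewhere or keep it out of sight.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"MoveToFolder", "DeleteMessage", "MarkAsRead"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Real Set-Mailbox parameters that enable mailbox-level forwarding.
MAILBOX_FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward"}

# Heuristic (an assumption): a folder name of one or two characters, or made
# only of punctuation/whitespace, is chosen to escape the owner's notice.
LOW_VISIBILITY = re.compile(r"^(?:[\W_]*|.{1,2})$")


def is_low_visibility_folder(folder_path: str) -> bool:
    """Return True when the last path component is a short or symbol-only name."""
    name = folder_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return LOW_VISIBILITY.match(name) is not None


def _params(record: dict) -> dict:
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def analyze(records) -> list:
    """Return one finding per record that forwards, redirects or hides mail."""
    findings = []
    for rec in records:
        op, user, params = rec.get("Operation"), rec.get("UserId"), _params(rec)
        if op in RULE_OPERATIONS:
            exfil = sorted(EXFIL_PARAMS & params.keys())
            hide = sorted(HIDE_PARAMS & params.keys())
            if not (exfil or hide):
                continue
            target = params.get("MoveToFolder", "")
            hidden = bool(target) and is_low_visibility_folder(target)
            reasons = []
            if exfil:
                reasons.append("sends mail out via " + ",".join(exfil))
            if hide:
                reasons.append("hides mail via " + ",".join(hide))
            if hidden:
                reasons.append(f"target folder {target!r} has a low-visibility name")
            findings.append({"user": user, "operation": op, "rule": params.get("Name"),
                             "severity": "high" if (exfil or hidden) else "medium",
                             "reason": "; ".join(reasons)})
        elif op == "Set-Mailbox" and (MAILBOX_FORWARD_PARAMS & params.keys()):
            findings.append({"user": user, "operation": op, "rule": None,
                             "severity": "high",
                             "reason": "mailbox-level forwarding changed"})
    return findings


FINDINGS = analyze(SAMPLE_RECORDS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"[{f['severity']:6}] {f['user']}: {f['operation']} {f['rule'] or ''} -> {f['reason']}")
```

Run against the constructed records, the script flags the "." folder rule, the external ForwardTo rule and the mailbox-level forwarding change as high, and the Newsletters rule as medium for an analyst to triage; in production the same logic would consume a live audit feed and raise an alert rather than print.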
Manual vs. Automated Detection
There’s always the question of how much detection should be done manually compared to automatically. While automated detection is always an ideal course to help scale a security operations center (SOC) and improve defensive security, some manual work is inevitable.
For example, before you can track an adversarial behavior within your network automatically, you must manually identify the pattern and write the detection for it. You can deploy automated detection mechanisms only once you have mapped the behavior and logged the behavioral data into your security tools by hand.
“The manual work is a lot of creating the detections. When you find a behavior that you see repeated over and over again by adversaries, you try to take that behavior and figure out a way to automatically detect it over and over again. That’s where a lot of the manual work comes in.”
— Michael Quattrochi, Senior Vice President of Defensive Security at CyberMaxx
Staying Ahead of Adversaries
The challenge in proactive cybersecurity, particularly for detection, is that threat actors constantly evolve their tactics. So, just when you think you’ve figured out the next attack vector and strategy, a new one emerges — making most common security tools insufficient.
For example, attackers often get copies of commercial antivirus products to research detections and find ways around them. That’s where proprietary detection solutions, such as the ones provided by CyberMaxx, play a huge role. Threat actors can’t simply download the malware and detection library somewhere online because they’re privately distributed.
“The nice part is our detections are not out in a commercial product. So it’s hard for an adversary to see what we have to figure out a way around it. That’s how it’s different from commercial [antivirus] tools…There’s no way they can download a detection library and work around it.”
— Michael Quattrochi, Senior Vice President of Defensive Security at CyberMaxx
Proactive Research for Early Detection
As mentioned, in-depth research is the foundation of “Offense Fuels Defense” and risk monitoring. CyberMaxx dedicates an entire team to monitoring, analyzing, and reporting on threat activity occurring inside and outside client environments.
The insights gathered help identify threat trends to better predict where and how the next cyber attack will deploy. By gaining intelligence early on, security teams can fine-tune their controls and detection mechanisms before an attack — strengthening defenses and mitigating vulnerabilities to keep businesses safe.
“We have a whole team of researchers. They analyze across our client environments for what we are seeing and if there are any commonalities. We take this information, and we generate reports that are given to our clients and also taken back to our defensive team, who then uses it to tune our defenses to tune our detections and to help our clients tune their security controls to protect against what’s most prevalent.”
— Michael Quattrochi, Senior Vice President of Defensive Security at CyberMaxx
Ransomware Threat Landscape
When discussing cybersecurity detection, you can’t have a legitimate conversation without covering the devastating effects of ransomware. As part of robust research initiatives, CyberMaxx recently published a ransomware research report that had some key findings:
- Ransomware attacks are up 26% over Q1 in 2023
- Nearly a quarter of all attacks are facilitated by the Lockbit group
- Unpatched vulnerable devices are the most common exploitation
During the podcast, Michael Quattrochi predicted that ransomware attack numbers will likely grow once the Q3 data is in. The impact is driven not by lone individuals but by organized groups, such as Lockbit, AlphV, 8Base, and others, which will continue to gain prominence.
In terms of delivery tactics, exploiting unpatched system vulnerabilities is the main culprit, especially vulnerabilities that have been publicly known for some time. Companies may know about them but do nothing to mitigate the risk, leaving themselves open to attack.
“Ransomware is still a thing, still growing and locked. It’s still the major players getting in it. It’s opportunistic. Exploiting existing vulnerabilities that have been out there and just haven’t been mitigated or patched, and they find them and take advantage of them.”
— Michael Quattrochi, Senior Vice President of Defensive Security at CyberMaxx
Key Takeaways
If there’s anything to take away from the podcast, offensive insights are the only way to combat an evolving attack landscape. Leveraging DFI, red teaming, and pen-testing information puts you in the adversary’s shoes to predict what they might do next. Additionally, working with a cybersecurity partner who combines manual and automated controls with proprietary detection solutions is essential to continuously stay ahead of emerging threats.
CyberMaxx is THE full-service security provider that can help you navigate the volatile security landscape. Leveraging its DFI and offensive insights to fuel its defensive MDR security services, CyberMaxx stands out in a crowded marketplace with its “act like an adversary, defend like a guardian” approach.
Leverage Offense to Strengthen Defense with CyberMaxx
Robust monitoring is essential to spotting threats before they incubate into a full incident that impacts your business. You can stay ahead of the adversaries by leveraging automated MDR solutions and an “Offense Fuels Defense” mentality.
Want to learn more? Check out our CyberMaxx resource page for more news and insights on all things cybersecurity.
Also, be sure to schedule a meeting to learn more about our holistic approach to cybersecurity and how we can enhance your program.