Mandiant recently published the latest edition of The Defender’s Advantage Cyber Snapshot report. This recurring report aims to arm cybersecurity teams with practical insights from Mandiant’s frontline experience responding to breaches worldwide. The goal is to help defenders maintain their advantage against constantly evolving threats.
This new report provides guidance across five key topics organizations are focusing on: moving beyond traditional passwords to more secure authentication methods, navigating the cyber insurance process, detecting attacks by understanding adversary techniques, testing defenses proactively, planning effective incident response, and implementing new security guidelines for critical infrastructure.
By sharing challenges and recommendations learned from real-world attacks, the report enables security leaders to make more informed decisions. Organizations can leverage The Defender’s Advantage findings to continuously strengthen cyber defenses. The report is one way Mandiant supports the broader security community with knowledge and intelligence to stay ahead of emerging threats.
Here are the key highlights from The Defender’s Advantage Cyber Snapshot report:
- Move beyond passwords to stronger passwordless authentication using biometrics, tokens, and certificates.
- Involve legal and risk teams when applying for cyber insurance. Review for exclusions or limits.
- Understand attacker techniques to better detect intrusions between IT and operations networks.
- Proactively test defenses with simulations of real attacks like red teaming and penetration testing.
- Tailor incident response plans for industrial control systems. Practice with third parties that access them.
- Adopt new security guidelines like NIST and CISA Critical Infrastructure Performance Goals. Map to your environment.
- Share frontline insights on challenges to help cyber defenders maintain their advantage against threats.
Summary of Mandiant’s The Defender’s Advantage Cyber Snapshot Report - Issue 3
Moving Beyond Passwords for Better Authentication
The report highlights that many organizations still rely solely on passwords for authentication, which leaves them vulnerable to stolen credentials. It advises adopting stronger “passwordless” options like biometrics, security keys, and logins tied to devices instead of passwords alone. This is more secure because it uses factors connected to a user’s physical identity or possessions.
Companies should first build off existing multi-factor authentication methods before going fully passwordless. This involves integrating passwordless technologies like FIDO2 and WebAuthn into single sign-on solutions. With proper planning for rollout and recovery, passwordless authentication significantly reduces the risk of phishing, password theft, and account takeovers.
Navigating the Cyber Insurance Process
As cyber attacks have increased, insurance coverage has become essential to offset costs. But the report cautions that policies can be complex with exclusions or sub-limits that impact coverage. It recommends involving legal counsel and risk management early when applying for cyber insurance.
Carefully review specimen policies for exclusions related to ransomware payments, legal costs or long-term recovery expenses. Also, research incident response providers to ensure they will be covered if a breach occurs. Treat insurance providers as partners in risk management by implementing controls like multi-factor authentication which can positively impact premiums.
Detecting Attacks by Understanding Threat Techniques
The report stresses that understanding how adversaries break in is crucial for detecting them early. Security teams should become deeply familiar with the tactics, techniques, and procedures (TTPs) used in targeted attacks, then use that knowledge to hunt for those TTPs between IT and operations systems, where threat activity is high but the impact is lower.
With supply chain attacks especially, suspicious events often get detected later since malicious code is trusted initially. But analyzing attacker behaviors can uncover the initial compromise point and scope the breach. Defenders should trust trained analyst intuition during complex investigations, empowering them to find adversary activity.
Testing Security Controls Against Real-World Attacks
Rather than relying just on audits and point-in-time assessments, organizations need to regularly test defenses against realistic attack simulations. The report recommends leveraging red team exercises, purple teaming, and penetration testing to validate controls proactively. Testing also prepares security teams to effectively respond when real attacks occur.
For critical infrastructure, safely testing OT systems without operational impact requires expertise. Combining network and component testing with simulation and emulation verifies defenses at each layer while avoiding downtime. Testing reveals complex issues before attackers exploit them and builds responder readiness.
Tailoring Incident Response for Industrial Control Systems
When responding to breaches in operations networks, the report warns that taking typical IT actions like stopping processes or removing systems can severely impact uptime and safety. Detailed planning and practice are needed to avoid this.
It advises building specific incident response plans for industrial control systems and the unique tools they rely on. Organizations must rehearse responses with third parties that remotely access or manage OT networks and vendor systems. Understanding attackers’ goals allows informed decisions on containment that balance business risk.
Implementing New Security Guidelines for Critical Infrastructure
The US Cybersecurity and Infrastructure Security Agency (CISA) recently issued Cross-Sector Cybersecurity Performance Goals to provide a baseline for reducing risk across critical infrastructure sectors. The report says organizations should adopt these guidelines as a starting point but engage experts to map goals to their specific environment.
Sharing frontline insights and challenges helps cyber defenders maintain their advantage against emerging attack trends. But organizations must leverage guidance like the CISA goals and industry best practices to continually evolve security programs.
Key Takeaways From the Report
Here are a few key takeaways from the Defender’s Advantage Cyber Snapshot report:
- Organizations should move beyond traditional passwords and multi-factor authentication (MFA) towards stronger authentication methods like passwordless authentication. This involves leveraging mechanisms like biometrics, tokens, and certificates that don’t rely on passwords.
- When applying for cyber insurance, work closely with legal counsel and risk management to carefully review policies. Look for exclusions or sub-limits that may impact coverage. Treat insurance providers as partners in overall risk management.
- Understand relevant cyber threats, especially tactics, techniques, and procedures (TTPs), to better detect attacks. Focus threat hunting on IT/OT intersections where attacker presence is high but the consequence is not yet critical.
- Rigorously test security controls with red teaming, purple teaming, and penetration testing. Validate controls proactively before an incident happens.
- Tailor incident response plans for OT environments. Practice response and involve third parties that manage vendor systems. Tools and procedures differ from typical IT responses.
- The CISA Cross-Sector Cybersecurity Performance Goals (CPGs) provide a baseline of practices that can help reduce risk. Organizations should view CPGs as a starting point and engage experts to map goals to their unique environment.