Mandiant recently published the latest edition of The Defender’s Advantage Cyber Snapshot report. This recurring report aims to arm cybersecurity teams with practical insights from Mandiant’s frontline experience responding to breaches worldwide. The goal is to help defenders maintain their advantage against constantly evolving threats.
This new report provides guidance across five key topics organizations are focusing on: moving beyond traditional passwords to more secure authentication methods, navigating the cyber insurance process, detecting attacks by understanding adversary techniques, testing defenses proactively, planning effective incident response, and implementing new security guidelines for critical infrastructure.
By sharing challenges and recommendations learned from real-world attacks, the report enables security leaders to make more informed decisions. Organizations can leverage The Defender’s Advantage findings to continuously strengthen cyber defenses. The report is one way Mandiant supports the broader security community with knowledge and intelligence to stay ahead of emerging threats.
Here are the key highlights from The Defender’s Advantage Cyber Snapshot report:
Move beyond passwords to stronger passwordless authentication using biometrics, tokens, and certificates.
Involve legal and risk teams when applying for cyber insurance. Review for exclusions or limits.
Understand attacker techniques to better detect intrusions between IT and operations networks.
Proactively test defenses with simulations of real attacks like red teaming and penetration testing.
Tailor incident response plans for industrial control systems. Practice with third parties that access them.
Adopt new security guidelines like NIST and CISA Critical Infrastructure Performance Goals. Map to your environment.
Share frontline insights on challenges to help cyber defenders maintain their advantage against threats.
The report highlights that many organizations still rely solely on passwords for authentication, which leaves them vulnerable to stolen credentials. It advises adopting stronger “passwordless” options like biometrics, security keys, and logins tied to devices instead of passwords alone. This is more secure because it uses factors connected to a user’s physical identity or possessions.
Companies should first build off existing multi-factor authentication methods before going fully passwordless. This involves integrating passwordless technologies like FIDO2 and WebAuthn into single sign-on solutions. With proper planning for rollout and recovery, passwordless authentication significantly reduces the risk of phishing, password theft, and account takeovers.
As cyber attacks have increased, insurance coverage has become essential to offset costs. But the report cautions that policies can be complex with exclusions or sub-limits that impact coverage. It recommends involving legal counsel and risk management early when applying for cyber insurance.
Carefully review specimen policies for exclusions related to ransomware payments, legal costs, or long-term recovery expenses. Also, research incident response providers to ensure they will be covered if a breach occurs. Treat insurance providers as partners in risk management by implementing controls like multi-factor authentication, which can positively impact premiums.
The report stresses that understanding how adversaries break in is crucial for detecting them early. Security teams should become deeply familiar with the tactics, techniques, and procedures (TTPs) used in targeted attacks, then leverage that knowledge to hunt for those TTPs between IT and operations systems, where threat activity is high but the impact is lower.
With supply chain attacks especially, suspicious events often get detected later since malicious code is trusted initially. But analyzing attacker behaviors can uncover the initial compromise point and scope the breach. Defenders should trust trained analyst intuition during complex investigations, empowering them to find adversary activity.
Rather than relying just on audits and point-in-time assessments, organizations need to regularly test defenses against realistic attack simulations. The report recommends leveraging red team exercises, purple teaming, and penetration testing to validate controls proactively. Testing also prepares security teams to effectively respond when real attacks occur.
For critical infrastructure, safely testing OT systems without operational impact requires expertise. Combining network and component testing with simulation and emulation verifies defenses at each layer while avoiding downtime. Testing reveals complex issues before attackers exploit them and builds responder readiness.
When responding to breaches in operations networks, the report warns that taking typical IT actions like stopping processes or removing systems can severely impact uptime and safety. Detailed planning and practice are needed to avoid this.
It advises building specific incident response plans for industrial control systems and the unique tools they rely on. Organizations must rehearse responses with third parties that remotely access or manage OT networks and vendor systems. Understanding attackers’ goals allows informed decisions on containment that balance business risk.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently issued Cross-Sector Cybersecurity Performance Goals to provide a baseline for reducing risk across critical infrastructure sectors. The report says organizations should adopt these guidelines as a starting point but engage experts to map goals to their specific environment.
Sharing frontline insights and challenges helps cyber defenders maintain their advantage against emerging attack trends. But organizations must leverage guidance like the CISA goals and industry best practices to continually evolve security programs.
Here are a few key takeaways from the Defender’s Advantage Cyber Snapshot report:
Organizations should move beyond traditional passwords and multi-factor authentication (MFA) towards stronger authentication methods like passwordless authentication. This involves leveraging mechanisms like biometrics, tokens, and certificates that don’t rely on passwords.
When applying for cyber insurance, work closely with legal counsel and risk management to carefully review policies. Look for exclusions or sub-limits that may impact coverage. Treat insurance providers as partners in overall risk management.
Understand relevant cyber threats, especially tactics, techniques, and procedures (TTPs), to better detect attacks. Focus threat hunting on IT/OT intersections where attacker presence is high but the consequence is not yet critical.
Rigorously test security controls with red teaming, purple teaming, and penetration testing. Validate controls proactively before an incident happens.
Tailor incident response plans for OT environments. Practice response and involve third parties that manage vendor systems. Tools and procedures differ from typical IT responses.
The CISA Cross-Sector Cybersecurity Performance Goals (CPGs) provide a baseline of practices that can help reduce risk. Organizations should view CPGs as a starting point and engage experts to map goals to their unique environment.
In summary, the report provides practical guidance across key cybersecurity topics to help organizations improve their security posture and readiness against threats. Sharing frontline insights is crucial for defenders to maintain their advantage against attackers.
We hope this post helps you understand what is in Mandiant’s Defender’s Advantage Cyber Snapshot Report, Issue 3. Thanks for reading this post.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.