Attack Disruption: Reflections from Cyber Expo 2023
Elmore’s Rupert Hills and Charlie Sorby contributed to a round table at the recent International Cyber Expo. The topic was: ‘Traditional security operation centres (SOCs) are too passive to stop threat actors. Attack disruption is the new frontier of cyber defence’. Here are some of the observations from the discussion.
Security Operation Centres (SOCs) mainly focus on detecting and responding to security incidents, for which they use a variety of tools and techniques to identify suspicious activity. However, the traditional approach is now often deemed insufficient because threat actors are becoming more sophisticated and resourceful. As a result, attacks may go unnoticed until they cause damage.
As detection is the primary line of defence for SOCs, they must wait for an attack to happen before they can act. This is a passive approach, and by the time an attack is detected, it can be too late.
Traditional SOCs typically respond to individual incidents, which means they lack a complete view of the threat landscape. This makes it difficult to identify and disrupt attack patterns. Also, as they are often understaffed and overworked, SOCs struggle to keep up with the ever-evolving threat landscape.
Prevention through disruption
‘Attack disruption’ is a new cyber defence strategy that can help SOCs outwit threat actors. The aim is prevention rather than cure, using tools and techniques to disrupt the attack lifecycle. Attack disruption can be implemented at different stages of the lifecycle, known as the cyber kill chain, such as reconnaissance, weaponization, delivery, exploitation, installation, and command and control.
Attack disruption has several important advantages:
- It is more proactive than the traditional SOC approach. Attack disruption teams will constantly look for and disrupt attack activity, thwarting attacks before they cause damage.
- Attack disruption teams have a holistic view of the threat landscape, enabling them to identify and disrupt attack patterns that would be invisible to traditional SOCs.
- Attack disruption teams are typically more specialised than traditional SOC teams and have the skills and expertise to disrupt attacks at different stages of the attack lifecycle.
Examples of attack disruption techniques
- Threat intelligence can identify and track known threat actors and their tactics, techniques, and procedures (TTPs). The information can be used to disrupt attacks before they happen.
- Network traffic analysis identifies suspicious activity on networks. The information can be used to investigate and disrupt attacks.
- Endpoint detection and response (EDR) detects and responds to attacks on endpoints, isolates infected endpoints to prevent malware from spreading, and collects evidence of attacks.
- Deception can be used to mislead threat actors and disrupt their attacks, for example by creating fake honeypot servers to attract threat actors and collect intelligence on their TTPs.
The benefits of attack disruption
It’s clear that traditional SOCs are often too passive to stop threat actors and that attack disruption is a useful line of cyber defence in today’s ever-evolving threat landscape. There are three main benefits:
- Fewer security incidents because potential attacks are forestalled
- Cost savings because the damage from security breaches is avoided
- Stronger security posture to deter and thwart threat actors
The benefits of cyber insurance
Both SOCs and attack disruption are examples of cyber security solutions that can be implemented in networks. Cyber insurance provides a layer of defence and can provide benefits such as:
- Pre-incident support
- Cyber extortion negotiation and ransom costs
- Cyber business interruption
- Costs arising from cybercrime
- Costs arising from security and privacy breaches
- Post-incident support
To find out more about cyber insurance, please contact us now