Optiv's new Enemy Perspectives services offering is designed to help organizations understand the specific kinds of attacks likely to affect them, so that they can better prepare for those attacks and improve the speed and efficiency of their response to an incident.
Cybersecurity integrator Optiv Security has announced a new services suite, EnemyPerspectives@Optiv. It is designed to bring a fresh outlook to security by giving organizations a perspective on their defenses as seen by a potential threat actor, so they can better defend against specific types of attacks.
“Enemy Perspectives takes a different look at services like penetration testing,” said Jeff Wichman, managing security consultant at Optiv’s enterprise incident management practice. “Many organizations say that they don’t need pen testing, that they know where their vulnerabilities are. The problem is that attackers change operations on a somewhat consistent basis. Enemy Perspectives helps organizations get a sense of where the target is on your back. If you can find out what those are, it helps understand what real risk posture is. It’s about providing visibility for clients in terms of what attack group may be targeting them.”
The Enemy Perspectives service is not granular enough to predict in detail which specific groups might attack a client. On the other hand, it goes deep enough that it doesn’t just tell organizations the obvious.
“It’s very difficult to get down to a specific attacker, and this won’t identify whose fingers are touching the keyboard,” Wichman said. “Our map shows attack groups, and how they focus on specific industries. A lot of this is how they attack industry verticals, but there is some additional information that can be gleaned. If all you do is go into financial services and say ‘your risk is you have money,’ that doesn’t help them very much, although there would still be specific types of guidance coming from that. However, if you know the attackers, their attack patterns and how they operate, it narrows down what you have to look at and helps you respond.”
Wichman explained how this provides value in incident response.
“One of the biggest struggles we see in incident response is clients not knowing how to respond or at least pull someone in to get assistance,” he said. “Knowing attack patterns by industry – that attackers are likely, for example, to target their Active Directory or to make changes to the mail server – helps them understand critical patterns that they may overlook. You have to be prepared before the attack happens, and if you don’t have a plan, you have chaos.”
Wichman said that without this preparation, even highly skilled consultants are limited in the help they can provide once an incident has happened.
“In my practice, we see two different types of use cases,” he said. “One is clients who have a retainer with us. We understand their business and know they have at least a limited ability to respond to an incident. The other is a client who doesn’t have a retainer, or a brand new client. These tend to call us out of the blue when they have a problem. We have no clue about their environment that would help us move along faster. So the idea is to get clients thinking about their response efforts beforehand.”
The EnemyPerspectives@Optiv services fall into three categories.
Threat Actor Profiling combines tailored threat intelligence, Threat Emulation, and Breach Response War Games drills to help clients understand their adversaries, how they are likely to attack, and how best to respond when they do.
Optiv’s Orchestration and Automation and Managed Detection and Response services improve resiliency with programmatic penetration testing, application security, and cloud-centric services that improve an organization’s self-awareness and allow for faster detection, response, and recovery.
Incident Response services designed for a proactive defense include enterprise incident management, breach simulation and digital forensics.
“We have built a dedicated forensics lab in a private space designed to deal with the fact that incident response teams can lose evidence on encrypted HDs,” Wichman said. “It’s only a matter of time before a security firm will lose a hard drive where the password is easily crackable, and that hurts the client much more than the security firm. Client evidence belongs in a secure lab. This one has five levels of physical security you have to go through to get to the evidence. Even Optiv employees can’t get to the data unless they are authorized.”