Advances in artificial intelligence and new ways of thinking about cybersecurity are leading to new approaches that will better protect organizations from costly attacks and more effectively manage risk. To help IT professionals gain understanding of these coming changes, here is a list of terms that are relevant to how cybersecurity will be managed in 2023 and beyond.
Artificial Intelligence (AI) Reasoning Engine
Artificial intelligence (AI) is an umbrella term encompassing different computer-based technologies that replicate human problem solving or decision making. Within the cybersecurity world, machine learning is the most widely used AI based approach. Machine learning is based on the statistical identification of hidden patterns within a large amount of data, and so it is applied to anomaly detection, log analysis and behavioral based attack detection.
Machine reasoning is a well-developed AI technology that many of us use in our daily lives (think of personal assistants like Siri and Alexa) but this branch of AI has not found widespread application to cybersecurity, but this is changing. Machine reasoning systems represent data by semantic knowledge graphs that allow the machine to understand the meaning of the data through the semantics encoded in the graph, and to draw conclusions about that data by analyzing the graph of concepts and projecting them onto the new data. The reasoning engine applies knowledge of attack techniques to a representation of an IT environment to simulate what attack techniques can be successfully used to steal, damage or destroy assets.
Orchestra Group has developed an AI reasoning engine based on the MITRE ATT&CK framework. This engine is used to run millions of attack path simulations (APS) against the Digital Cyber Twin of the real network. The result is an accurate identification analysis of cyber exposures, risks, and how to efficiently mitigate the most significant exposures. These three key components – the reasoning engine, attack path simulation and the Digital Cyber Twin provide a breakthrough approach for enterprises seeking efficiently manage and reduce risk.
Attack Path Scenario
An Attack Path Scenario (APS) is the set of steps a cyber attacker can follow to gain unauthorized access to an asset. An APS begins with the initial breach of a system which is then leveraged to access other systems, eventually arriving at the target asset. The initial breach may occur due to an improperly secured host exposed to the internet, by an end user opening a malware infected email attachment, or via prior compromised 3rd party software being used in the IT infrastructure. The ability to effectively simulate Attack Path Scenarios provides the foundation for:
- Measuring and understanding the cyber risks and exposures facing an organization.
- Identifying the highest priority and most impactful protective measures needed to reduce risk.
- Maintaining a posture of cyber resilience.
To learn more about how Orchestra Group uses Attack Path Scenarios to identify cyber risk and exposure, read the article from our CTO, Jacob Ukelson in Pipeline Magazine:
The attack surface is best defined as every possible point where an adversary can gain entry into your network or system. As evidenced by the diverse list of attack vectors, the attack surface is not limited to the network perimeter. Attackers have many means of accessing internal systems without needing to first breach a perimeter, internet facing device.
An attack vector is a method that cyber-attackers use to compromise a system. Attack vectors take many forms, but the most common attack vectors are:
- Vulnerability Exploit
- Compromised Credentials
- Supply Chain Vendors
Attacker’s Eye View
The attacker’s eye view is a cybersecurity approach that attempts to understand exactly how an attacker could successfully carry out an attack. The value of an attacker’s eye view is this: By identifying how attackers could breach a network, security personnel gain the information they need to take remedial action before attackers exploit the identified exposures. This is the philosophy behind penetration testing and breach and attack simulation – that one cannot be sure of the effectiveness of defenses without subjecting those defenses to realistic attacks. However, effectively taking an attacker’s eye view across an entire IT infrastructure is highly complex. The combination of hosts, assets, s connectivity, attack methods, vulnerabilities and so on make it impossible to holistically achieve an attacker’s eye view without applying AI driven attack simulations across the entire infrastructure. Running comprehensive breach and attack simulations against a live network is not a practical approach due to the likely impact on operations. Thus a Digital Cyber Twin of the actual network is a key element of successfully implementing an attacker’s eye view.
Attack techniques are the methods attackers apply to breach IT systems. Techniques are different from attack vectors. An attack vector is specific to how a system can be compromised. Attack techniques do not necessarily involve compromising a system. For example, reconnaissance is one attack technique described by the Mitre Organization – it is a precurser to finding attack vectors. Mitre has identified 193 techniques and 401 sub-techniques used to target enterprise networks:
Mitre is a non-profit organization dedicated to making the world a safer place. It is a leader in furthering advances in cybersecurity.
“MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.” https://attack.mitre.org/
Cyber exposure refers to the vulnerabilities and risks associated with an organization’s enterprise network, systems, and data. A comprehensive measure of cyber exposure provides an organization with better understanding of its security posture relative to cybercrime, data breaches, and other threats.
Organizations are increasingly adopting an approach to cybersecurity based on the assumption that breaches cannot be completely prevented. Therefore, cybersecurity needs to focus not just on preventing breaches but also on minimizing the impact of breaches. Reducing impacts can take several forms, such as reducing mean time to recovery. As further evidence of the growing emphasis on resilience, the 2023 -2025 strategic plan issued by CISA (Cybersecurity and Infrastructure Security Agency) focuses on resilience as a primary goal for US Federal government agencies:
To learn more about cyber resilience read our blog: https://orchestragroup.com/blog/threat-susceptibility-achieving-cyber-resiliency-goals/
Digital Cyber Twin
The Digital Cyber Twin is an approach from Orchestra Group that uses advanced network discovery to build a virtual replica of an enterprise network. This Digital Cyber Twin includes the hosts (servers, end points, network gear), software versions and patch levels, configuration information and security controls. Orchestra uses the Digital Cyber Twin to conduct comprehensive, simulated attacks (Attack Path Scenarios) across the full (virtual) infrastructure. This provides a holistic view of the cybers exposures and risks, along with identifying the most efficient and cost-effective measures needed to mitigate the risks.
For more information, read our blog: https://orchestragroup.com/blog/the-digital-cyber-twin-the-difference-maker-in-knowing-your-cyber-exposure/
Risk is the product of Threat x Vulnerability x Consequences. Put another way, risk can be thought of as the likelihood (probability) of an event (e.g. a successful cyberattack) times the cost or financial loss that will result from the event. For more information about risk, read the blog from our chief scientist, Shawn Riley: