What is the best way to address human-centric attacks on an organization’s information systems? How best to augment existing investments in cyber security and truly achieve success in protecting against data breaches and their costly consequences?
Virtually every organization, from the small and mid-sized business to the largest enterprise (as well as government agencies, NGOs and non-profits), already has some combination of software, automation, and services – in-house or outsourced – arrayed to achieve cyber security objectives. Whether it involves a state-of-the-art tech stack, a dedicated team of security experts (employees or managed services) or some combination of both, the statistics show these efforts are not enough to stem the tide of data breaches and other cyber-crimes.
As Privacy Bee for Business white papers consistently illustrate, the root cause behind the current epidemic of data breaches lies in the failure to protect an expansive and presently unguarded attack surface – the Social Engineering Attack Surface. [Read more on the Social Engineering Attack Surface in this PB white paper.]
Beyond the heavily fortified physical and digital attack surfaces traditionally focused on safeguarding internal data, the greatest risk presently lies with the human element, which is the part of the organization most vulnerable to social engineering and credential compromise. This conclusion is supported by the highly regarded Verizon 2024 DBIR (Data Breach Investigations Report).

Now in its seventeenth year, the DBIR is an invaluable document for CIOs, CISOs and other leaders charged with managing cyber security. Helping these leaders navigate the overwhelming and shifting landscape of cyber threats, Verizon’s DBIR analyzed a record number of real-world security incidents. 30,458 incidents were analyzed and of those 10,626 were confirmed data breaches. The analysis of this banner year for cyber-crime revealed a data point to which Privacy Bee for Business has long been drawing attention.
While InfoSec leaders have been focusing efforts on detection and response to cyber-attacks, most have yet to embrace the only effective preventative tactics, techniques and procedures for addressing the human element. Most do not recognize the fundamental importance of MITRE ATT&CK® technique T1592 which lies at the heart of external data privacy management and is the essential element in fielding the only proven-effective preventative cyber security practice.
This paper shares some of the latest thought leadership when it comes to mitigating the risk of breaches originating from human error. First, it examines the “as-is” state of contemporary cyber security practices. Then it enunciates innovative solutions and strategies for achieving reductions in human-centric attacks, defines MITRE ATT&CK technique T1592 and explains how the technique transforms cyber security from reactive to preventative. And lastly, the document will offer suggestions for ways external data privacy protections can be integrated with the most popular contemporary cybersecurity disciplines.
Contemporary Cybersecurity Methodologies
Like a game of cat and mouse or an arms race between competing superpowers, the battle for information security swings like a pendulum. Advantage constantly moves back and forth between the protectors – CIOs, CISOs and tech experts working on software and service strategies to keep systems secure – and threat actors. The threat actors – some privateers seeking financial gain and others, very well-funded government-backed adversaries of western powers – continuously seek weaknesses and vulnerabilities to exploit in cyber security. They consistently drive innovative methodologies and find surprisingly creative ways to achieve their criminal goals.
Typical of all things in the field of technology, the advancements and innovations move at a blistering pace. Security measures that prove effective when they’re launched are quickly defeated as criminal elements find novel ways to disable or circumvent them. Examination of a pair of the more recent methods adopted by InfoSec leaders does a great job of illustrating this dynamic.
SIEM and SOAR Without External Data Privacy Elements
Security Operations Centers (SOCs) have long been a feature of cyber security programs within large organizations. These teams of IT and security professionals are tasked with protecting their organizations by monitoring, detecting, analyzing and investigating cyber threats. The evolution of the SOC and the technologies developed to aid its efficacy provides a good example of the cat and mouse dynamic between protectors and threat actors.
2005 SIEM Strengthens Cyber Security Efforts
SIEM (security information and event management) is a branch of computer security that integrates security information management (SIM) and security event management (SEM) to facilitate real-time analysis of security alerts from applications and network hardware. SIEM practices and associated technologies originally arose circa 2005. It was Gartner that coined the term “SIEM” to describe this new and dynamic approach to network security, one that provided enhanced visibility into the overall operating environment.
SIEM played a crucial role in aiding SOCs that were struggling to identify, investigate, and address security incidents as network traffic grew and firewalls became less effective. The expanding and varying nature of thousands of new networks coming online in the early 2000s overwhelmed the existing intrusion detection systems and produced a flood of false positives that wasted SOC time and resources. SIEM technology enabled security teams to become more efficient and effective as they tackled ever-increasing volumes of traffic across complex IT infrastructure. At the same time, threat actors increased the volume and variety of attacks leveled against these systems, working tirelessly to find and exploit vulnerabilities in code, applications and elsewhere.
By 2015, SIEM had evolved to include Big Data analytics and other AI/Machine Learning mechanisms to improve the interpretation of live and historical data. Despite these advances, the volume of cyber crime and threat actor activity kept pace with the massive expansion and explosion of data and data systems. In particular, the rate of human-centric, social engineering cyberattacks began to mushroom. Struggling against this rising tide, cyber security professionals set out to find means for automating the repetitive tasks associated with managing SIEM in the SOC. Enter “SOAR”.
2017 SOAR Further Automates SOC Workflows
Gartner is again credited with coining the term SOAR (security orchestration, automation, and response) not long ago in 2017. The idea behind SOAR was to automate the functions of personnel working in the security operations centers (SOC) many large organizations maintain as part of their cybersecurity infrastructure. It’s worth noting here that at present, most SOCs do not adequately address external data privacy as a key driver of risk. Neither do the practices of SIEM or SOAR. More on this point a bit later.
One of the experts involved in producing and promoting SOAR as a strategy is Gorka Sadowski, who co-authored Gartner’s first research on the topic, “Innovation Insight for Security Orchestration, Automation and Response”, back in late 2017. The simple idea was that the repetitive security tasks being performed over and over by SOC personnel could benefit from being automated, freeing up these human resources for more strategic purposes (addressing external data privacy, for example) in pursuit of better security.
Sadowski says, “SOAR was born as a tool that could centralize security orchestration, automation and response for SOCs (security operations center). For good measure, we also specifically called out case and incident management, and operationalization of threat intelligence in support of the SOC’s mission — both of which do require automation, orchestration etc.” He noted that with enough time and effort, nearly all SOC activity could be automated.
The idea was sensational, and SOAR was widely adopted. By 2023 the security orchestration automation and response solutions market size reached $1.6 billion and was projected to exhibit CAGR growth of 15% to reach $5.7 billion by 2032 according to Global Market Insights’ Security Orchestration Automation and Response Market Report.

Yet, the rosy predictions were perhaps a bit premature. By 2024, articles began proliferating in tech media saying, “SOAR is dead”. Gartner’s Sadowski characterized the reports of SOAR’s demise as the proverbial “hangover after the party” in his insightful 2024 article in Medium magazine. And Gartner itself, in its 2024 Security Operations Hype Cycle report for IT service management, considered SOAR to be in the “trough of disillusionment” stage of the hype cycle. Worse, Gartner suggested SOAR would be obsolete before it reached the plateau of productivity.
[Note: for those unfamiliar, Gartner’s Hype Cycle is a well-regarded methodology for observing how a new technology evolves over time. Triggered by an acute technological need (in this case the need to protect secure systems against relentless attack, by automating SOC tasks) any new tech solution first enjoys a spike of interest/adoption/expectations before the technology runs into inevitable realities. That leads to the trough of disillusionment as flaws, vulnerabilities and weaknesses are revealed. Iterative improvement on the initial innovation drives the slope of enlightenment as novel technologies mature and improve. Finally reaching the plateau of productivity wherein a technology becomes standard and widely accepted.]

Without delving too deeply into why Gartner arrived at this conclusion regarding SOAR, it is enough to note that, like many other purportedly transformational technologies, SOAR was promoted by its vendors as the solution to all SOC issues, easy to deploy and run across entire organizations. Sadowski concluded that CISOs and CIOs ultimately came to terms with the fact that SOAR was not simply a tech solution. Rather, it was a people, process and technology play: one that provided some significant ROI through automation, but one that could not fully automate everything in the SOC. He concluded that most organizations could continue to leverage SOAR features in the tools they already have in their tech stack, most notably their SIEM and CloudSec tools.
As noted earlier, and as evidenced by the ongoing and unfettered growth of human-centric social engineering attacks, none of these strategies or tactics has been effective in protecting against record numbers of data breaches, including breaches affecting even the largest organizations with robust SIEM and SOAR serving their well-provisioned security operations centers.
Cybersecurity leader CrowdStrike, in its 2024 Global Threat Report, reveals a 75% increase in cloud intrusions and a 76% spike in data theft! Clearly, there is a missing element from contemporary cybersecurity practices. That element is external data privacy and the reconnaissance techniques necessary to proactively lower the risk of human-centric attacks. What follows is insight into how to plug this gap and transform existing cyber security practices from reactive to preventative.
The Critical and Overlooked Tactic for Infusing Cyber Security with EDP
It is hard to dispute today, that threat actors and hackers have the upper hand in the ongoing back and forth between security and criminality. However, Privacy Bee for Business has been proving the efficacy and virtual necessity of adopting a proactive, preventative posture when it comes to cybersecurity. Cybersecurity experts here have zeroed in on the fundamental factor propelling the success of threat actors using social engineering to circumvent powerful SIEM, SOAR and other tools widely in use in SOCs: external data privacy (EDP).
Cyber Defense magazine says, “While most companies invest heavily in cybersecurity, it’s not comprehensive for today’s ecosystem. The next step to stay ahead of threats is External Data Privacy (EDP). This allows an organization to audit and secure data that is already outside of the organization which could be used in a malicious way.”
Accomplishing this objective requires an increased focus on performing reconnaissance: that is, finding and eliminating (to the extent possible) the unsecured external data on the employees of an organization. This is the data that threat actors and hackers easily obtain and routinely use to craft the increasingly sophisticated and effective phishing and other social engineering schemes driving most breaches and ransomware infections today.
The tactic of reconnaissance is not necessarily new even though beyond the current client list of Privacy Bee for Business, few organizations are aware of the benefits. And fewer yet are doing anything to pursue the strategy. However, the practice of performing reconnaissance to prevent criminals from being able to find and use unsecured external data was first developed and published by MITRE ATT&CK in 2020.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK is open and available to any person or organization for use at no charge.
MITRE started ATT&CK in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. It was created out of a need to document adversary behaviors for use within a MITRE research project called FMX. The objective of FMX was to investigate use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks. ATT&CK was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.
ATT&CK catalogs the tactics, techniques and procedures proven to be effective in detection and analysis of threats. Within the ATT&CK framework:
Tactics represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.
Techniques represent “how” an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
Sub-techniques are a more specific description of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique.
Procedures are the specific implementation the adversary uses for techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are catalogued in ATT&CK as observed in-the-wild uses of techniques, listed in the “Procedure Examples” section of technique pages.
MITRE ATT&CK Technique T1592
ATT&CK T1592 did not directly call for the scan and removal process that characterizes Privacy Bee for Business and its proven-effective solution. However, it did correctly perceive that the gathering of victim host information was at the root of social engineering efficacy. T1592 falls under the ATT&CK heading of “Gather Victim Host Information” and is described by MITRE thusly [internal MITRE links left intact for extra context and pertinent definitions]:
Adversaries may gather information about the victim’s hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors. Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or External Remote Services).
The “gathering of victim host information” is what Privacy Bee for Business solutions are designed to interrupt. What MITRE refers to as victim host information is what Privacy Bee for Business calls “unsecured external data”. That is, highly contextual personally identifiable information (PII) available for sale from Data Brokers, People Search Sites, and on the dark web. It also includes enormous volumes of PII available for free by scraping social media sites, public records, corporate websites and numerous other publicly available sources.
The graphic below illustrates where reconnaissance falls, at the very inception point of deploying a successful cyberattack. It clearly shows how reconnaissance enables detailed planning that presages an intrusion attempt and likely data breach. Most importantly, it illustrates how contemporary cyber security – in the absence of EDP management – is at a distinct disadvantage.

Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
MITRE ATT&CK offers mitigation guidance for Technique T1592, noting that mitigation efforts must occur pre-compromise. This may seem elementary; however, most cyber security programs do not yet have any mechanisms in place to preemptively defeat the gathering of victim host information, a.k.a. unsecured external data. ATT&CK says, “This technique (T1592) cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.”
That last part of the passage is rendered untrue by the Privacy Bee for Business solution. Privacy Bee for Business has developed a uniquely effective methodology which can be easily and cost-effectively integrated with existing SIEM/SOAR programs or, in the case of SMBs which may not have these automations in place, into the people, processes and technologies at work in their SOCs. The Privacy Bee for Business solution is so effective, it could ostensibly help propel existing SOAR solutions upward from the Trough of Disillusionment toward the Plateau of Productivity.
For ALL contemporary cybersecurity services and technologies, the fundamental flaw is the ease with which hardened digital and physical attack surfaces are sidestepped by attacks on the unguarded social engineering surface. It is why, despite the great sums invested in state-of-the-art cyber security tools, data breaches and other cyber-crimes still occur untrammeled. How does Privacy Bee for Business deliver pre-compromise mitigation?
Tools for Preventative Action
Managing and protecting access to the PII of every single employee and those of all third-party affiliates (like vendors and other partners) may seem like an overwhelming challenge. Knowing there are 450+ People Search Sites and data brokers, dozens of social media platforms, powerful search engines and tons of publicly searchable data makes it an even more sobering prospect. Yet, to swing the pendulum back towards those working to protect cyber security, organizations mustn’t sit around waiting for defenses to fail. Here are some of the broad solution elements from Privacy Bee to help immediately begin diminishing the gathering of victim host information and shrinking the social engineering attack surface back to within acceptable tolerances.
Privacy Bee’s Employee Risk Management (ERM) solution is an easy but powerful way to get visibility into your External Data Privacy risk. After just a few minutes to load and configure information on all relevant employees (those with secure systems access) into the platform (usually via an exported .CSV from your HCM software), Privacy Bee automatically begins scanning thousands of external sources, searching for any exposed privacy risks on each employee. Any discovered exposures of unsecured PII are flagged and affect that employee’s aggregated Privacy Risk Score.
ERM helps quickly paint a full picture of an organization’s real-time cyber risk from external privacy exposures. This privacy intelligence platform is 100% free for all businesses, powered by Privacy Bee.
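The workflow just described (load the employee roster, collect exposure findings from external sources, flag each finding, and roll the findings up into a per-employee risk score) can be sketched in a few dozen lines. The Python below is an added example written for this page; it is not Privacy Bee’s code or scoring model, and the roster, the findings, the exposure categories, the weights and the privileged-access multiplier are all constructed assumptions. It also ties each finding back to the ATT&CK vocabulary from the T1592 discussion above, mapping host-related exposures to T1592’s sub-techniques (Hardware, Software, Firmware, Client Configurations) and, since ATT&CK files personal details about employees under T1589 “Gather Victim Identity Information”, mapping PII exposures there, so the output can be filed against the same technique IDs a SOC already uses for detection content.

```python
"""Illustrative external-exposure triage (added example, not Privacy Bee's code).

Joins an HCM-style employee CSV export to a list of exposure findings, maps each
finding to the ATT&CK reconnaissance technique it feeds, and produces a ranked,
per-employee aggregate risk score. All data and weights are constructed."""
import csv
import io
import re
from collections import defaultdict

# Syntax of an ATT&CK technique ID: T#### for a technique, T####.### for a sub-technique.
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# A small slice of the ATT&CK Reconnaissance tactic (TA0043): T1592 with its
# sub-techniques, plus T1589, which is where ATT&CK files employee personal details.
TECHNIQUES = {
    "T1592": "Gather Victim Host Information",
    "T1592.001": "Hardware",
    "T1592.002": "Software",
    "T1592.003": "Firmware",
    "T1592.004": "Client Configurations",
    "T1589": "Gather Victim Identity Information",
}

# Exposure kind -> (technique it feeds, base weight). Kinds and weights are assumptions.
FINDING_MAP = {
    "device_model": ("T1592.001", 2),
    "software_version": ("T1592.002", 3),
    "browser_config": ("T1592.004", 2),
    "personal_email": ("T1589", 3),
    "phone_number": ("T1589", 2),
    "home_address": ("T1589", 2),
}

# Source of the exposure -> multiplier (assumption: data already packaged for
# sale or traded criminally is cheaper for an attacker to use than one social post).
SOURCE_WEIGHT = {
    "people_search": 1.0,
    "data_broker": 1.0,
    "social_media": 0.5,
    "paste_site": 1.5,
    "dark_web": 2.0,
}

PRIVILEGED_MULTIPLIER = 1.5  # assumption: exposures on staff with secure-systems access count more


def technique_chain(tid):
    """Return [technique name, sub-technique name] for an ATT&CK ID (sub-technique optional)."""
    if not ATTACK_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid}")
    parent = tid.split(".")[0]
    names = [TECHNIQUES[parent]]
    if parent != tid:
        names.append(TECHNIQUES[tid])
    return names


def load_roster(csv_text):
    """Parse an HCM-style CSV export (constructed column names) into {employee_id: row}."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def assess(csv_text, findings):
    """Join findings to the roster; return (results ranked by score, unmatched employee IDs).

    Findings for IDs not on the roster are reported separately rather than
    silently dropped, since a stale roster is itself a visibility gap."""
    roster = load_roster(csv_text)
    base_score, techniques, counts = defaultdict(float), defaultdict(set), defaultdict(int)
    unmatched = []
    for f in findings:
        eid = f["employee_id"]
        if eid not in roster:
            unmatched.append(eid)
            continue
        tid, weight = FINDING_MAP[f["kind"]]
        base_score[eid] += weight * SOURCE_WEIGHT[f["source"]]
        techniques[eid].add(tid)
        counts[eid] += 1
    results = []
    for eid, base in base_score.items():
        privileged = roster[eid]["privileged_access"].strip().lower() == "yes"
        results.append({
            "employee_id": eid,
            "name": roster[eid]["name"],
            "privileged": privileged,
            "findings": counts[eid],
            "techniques": sorted(techniques[eid]),
            "score": round(base * (PRIVILEGED_MULTIPLIER if privileged else 1.0), 2),
        })
    results.sort(key=lambda r: r["score"], reverse=True)
    return results, unmatched


# Constructed sample roster (as an HCM export might look) and constructed findings.
ROSTER_CSV = """employee_id,name,department,privileged_access
E001,Alice Example,Engineering,yes
E002,Bob Example,Finance,no
E003,Carol Example,IT,yes
"""
FINDINGS = [
    {"employee_id": "E001", "kind": "personal_email", "source": "data_broker"},
    {"employee_id": "E001", "kind": "software_version", "source": "social_media"},
    {"employee_id": "E002", "kind": "phone_number", "source": "people_search"},
    {"employee_id": "E002", "kind": "home_address", "source": "people_search"},
    {"employee_id": "E003", "kind": "personal_email", "source": "dark_web"},
    {"employee_id": "E003", "kind": "device_model", "source": "social_media"},
    {"employee_id": "E003", "kind": "browser_config", "source": "paste_site"},
    {"employee_id": "E999", "kind": "phone_number", "source": "people_search"},  # not on roster
]

if __name__ == "__main__":
    ranked, missing = assess(ROSTER_CSV, FINDINGS)
    for r in ranked:
        chains = "; ".join(" > ".join(technique_chain(t)) for t in r["techniques"])
        print(f"{r['employee_id']} {r['name']:<14} score={r['score']:<6} {chains}")
    print("findings for IDs not on roster:", missing)
```

With the constructed data, the privileged IT employee whose personal email appears on the dark web ranks first, and the finding for the unknown ID E999 is surfaced rather than lost. The useful property for a SOC is the last column: each exposure is expressed as the ATT&CK technique it feeds, so the pre-compromise exposure list and the post-compromise detection rules share one vocabulary.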
Privacy Bee’s External Data Privacy Audit (EDPA) lets an organization build an extensive audit, identifying privacy exposures and vulnerabilities, then extrapolates potential financial impact across your company. It’s a critical view into risk assessment, operational inefficiencies, emerging cyber risk, and External Data Privacy management. This scan is also offered at no cost to organizations.
The EDPA provides unified employee audits, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (Data Brokers, People Search Sites, paste sites, and more), delivering a centralized view into public employee exposures and insight into the tangible financial impact they have within your organization.
Privacy Bee’s Vendor Risk Management (VRM) extends the privacy bubble to targets outside the organization who may nonetheless have a degree of access to its sensitive information systems. This solution evaluates all vendor/partner organizations for External Data Privacy (EDP) risks. It then reports simple Privacy Risk Scores on each company, highlighting each vendor’s risk at a glance. Analytics further break vendors down by department, risk tier, and more, with all thresholds fully customizable. While most vendor risk software stops at the report, Privacy Bee VRM keeps going, offering to work with all the organization’s 3rd party vendors 1-on-1 to decrease their vulnerabilities, effectively de-risking your company at no cost to you.
While all these (and other) audits and monitoring services are for use at no cost, removing employee PII from all unsafe locations on the net is what reduces the risk and the attack surface. While this is a function an organization could take on as an internal activity, most organizations prefer to outsource to Privacy Bee the removal service for their employees and vendors identified as at risk. Privacy Bee has teams of experts working 24x7x365 to scrub client employees’ PII from all unsafe corners of the internet.
Contact Privacy Bee for Business to learn more about this innovative solution and how it can be integrated with existing cybersecurity infrastructure like SIEM and SOAR to help give your SOC the upper hand.
