Multifactor Encryption is Cybersecurity’s Lucky Number 13
Incidents are unavoidable. Incidents are the new normal. Incidents suck. Security practitioners understand this. So they construct their security programs knowing that an incident is inevitable.
Reality check: according to Forrester, nearly sixty percent of security professionals with decision-making authority experienced a breach with data exfiltration in 2020.
Gone are the days of perfect no-incident security. No one, not on the business side or on the security side of the organization, can or should reasonably hold on to such expectations. Today’s security programs must be designed with the mindset of not when but how many incidents will be experienced.
Prevention is great. It’s a lofty aspiration that must form the foundation of any security program. However, while the security professional focuses on prevention, the adversary is simultaneously focused on his attack. Unlike the security professional, who strives to achieve the perfect defense, the attacker isn’t focused on achieving an impeccable offensive campaign. He is instead focused on his relentless pursuit of the weakest link in the cybersecurity chain, which, as we all know full well, happens to be the human element, but that’s a discussion we’ll save for another time.
Fact: perfect defense is impossible! What is possible is for the adversary – given enough time – to identify and exploit the flaws in the organization’s security. Flaws will eventually be discovered, no matter how buttoned up that security program may be. That too is a fact.
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. According to the ATT&CK Enterprise Matrix, there are 14 tactics and underlying techniques used by adversaries in connection with incidents that lead to breaches and, ultimately, exfiltration of sensitive data.
- Reconnaissance (10 techniques)
- Resource Development (7 techniques)
- Initial Access (9 techniques)
- Execution (12 techniques)
- Persistence (19 techniques)
- Privilege Escalation (13 techniques)
- Defense Evasion (40 techniques, yes 40)
- Credential Access (15 techniques)
- Discovery (29 techniques)
- Lateral Movement (9 techniques)
- Collection (17 techniques)
- Command and Control (16 techniques)
- Exfiltration (9 techniques)
- Impact (13 techniques)
The intrusion takes place at step 3, but it takes the adversary another 10 steps to get to and exfiltrate data. That’s a lot of effort for the attacker, but his reward, in the form of sensitive data with monetary value, is sweet. That’s why cybersecurity remains an unsolved problem and why adversaries remain unrelenting in their pursuits. It’s also why organizations go from 100% secure to 0% secure when the adversary is able to make it to step 13.
But it’s not all calamitous. There are ways to help yourself and to turn 13 into your lucky number. We’re all largely familiar with multifactor authentication (MFA), which we use as a security enhancement requiring two pieces of evidence – user credentials – when logging into an account. We all know the benefits of MFA and how MFA is used to mitigate the adversary’s ability to gain access to user accounts. We also know that MFA is convenient for the user. It’s not too much to ask the user to tap a button on a smartphone app given the added security benefits that come from that tap.
What you may not be familiar with is multifactor encryption (MFE). Similar to MFA, MFE requires the user to tap a button on a smartphone app. Unlike MFA, however, which grants the user wholesale access to everything to which that user has been permissioned, MFE is object level control. Tapping the MFE button unlocks one file only. Every other file, which is encrypted with its own unique encryption key, remains encrypted.
Within the context of MITRE ATT&CK, the adversary has exerted all that effort to get to the crown jewels, number 13. He’s close, he can taste the sweet reward, his eyes on the prize. But when he exfiltrates the data, it’s encrypted, each file with its own AES 256-bit encryption key. It becomes agonizing to the adversary. Because he’s overcome steps 1 through 12, he can see and access the files. But he still can’t decrypt them. What happened, he asks himself. He did everything right, took his time, remained clandestine, but to no end. His attack has been thwarted. Not by prevention at the perimeter, or by honeypots, or false accounts and credentials. No, he was thwarted by good old encryption that, instead of relying on user credentials to decrypt files, relies on MFE. Oh, lucky number 13.
When we designed Atakama, we knew we couldn’t build an encryption solution that failed for the same reasons most encryption solutions fail to prevent data exfiltration. Relying on user credentials to decrypt files does not work. Instead, Atakama relies on secondary devices belonging to those users who have access to the sensitive data. They tap their phones to decrypt files. The file is decrypted locally on the user’s machine, while remaining encrypted within the backend storage location, on-prem or in the cloud.
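A simplified model of the per-file keys and device tap described above, as an added example that is not Atakama's implementation or code from this page. The symmetric device key, the key-wrapping scheme and all function names are assumptions made for illustration, and the sample file is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Illustrative model (an assumption, not Atakama's design): AES-256-GCM, nonce prepended, file name as AAD.
func seal(key, pt []byte, name string) []byte {
	block, _ := aes.NewCipher(key) // keys passed to seal are always 32 bytes here
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, []byte(name))
}

func open(key, ct []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return nil, fmt.Errorf("bad key or ciphertext for %s", name)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:12], ct[12:], []byte(name))
}

// protect encrypts one file under its own fresh 256-bit key and wraps that key for the device.
func protect(deviceKey []byte, name string, pt []byte) (body, wrapped []byte) {
	fileKey := make([]byte, 32)
	rand.Read(fileKey)
	return seal(fileKey, pt, name), seal(deviceKey, fileKey, name)
}

// approve runs on the phone, the only holder of deviceKey: one tap releases one file's key.
func approve(deviceKey []byte, name string, wrapped []byte, tapped bool) ([]byte, error) {
	if !tapped {
		return nil, fmt.Errorf("request for %s denied on device", name)
	}
	return open(deviceKey, wrapped, name)
}

func main() {
	deviceKey := make([]byte, 32)
	rand.Read(deviceKey)
	body, wrapped := protect(deviceKey, "payroll.xlsx", []byte("constructed sample"))
	_, err := approve(deviceKey, "payroll.xlsx", wrapped, false)
	fmt.Println(len(body), "ciphertext bytes on the share;", err)
}
```

A copy of `body` and `wrapped` taken from the storage location is all an intruder gets in this model; a design that wraps file keys to a device-held private key would also keep the device key off the workstation at encryption time.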
Here's the reality: if you’re not using MFE for file encryption, you’re not protecting your sensitive data. Don't fool yourself. It’s a matter of time until your data gets exfiltrated. Don’t succumb to old superstitions. Number 13 can indeed be your lucky number, but you'll need MFE to get you there.