Your Incident Monitoring team will fail to detect active threats to your business. Not because they are unskilled, lack specific tools, have limited visibility, or are resource constrained. They will fall short first because you failed to provide them with the focus they need to identify relevant cyber threats.
In my first post in this series, we talked about defining a mission statement with a set of business objectives to help focus your security team’s efforts. This post focuses on how to strengthen your team’s ability to identify the cyber-attacks against your business.
The task before all of us in the security field is growing in complexity with each passing year.
- What are the business impacting events that could disrupt your company’s ability to execute its primary revenue sources?
- Do you know what systems would be targeted by Threat Actors? Do you know what is the Threat Actors focus or “Actions on Objectives” will be?
- Which Cyber Business Threats should your business focus on to enable your business to continue operations during a major security incident?
- What Threat Actor methodology should your IR team focus on identifying within your environment?
Qualifier: If I asked you how good your threat detection capability was, the chances are you’d believe them to be better than average and would answer as such. Now, what if I were to ask you how confident you were in your team’s ability to detect a few specific threats: data exfiltration, sensitive data exposure, hacking attempts against your web applications, brute forcing of open ports, and use of compromise credentials on cloud services?
Still confident? You’re not alone. Kudelski Security’s IR team works with many clients who – at the beginning of an engagement – believe their detection coverage is significantly stronger than their actual capabilities. The confusion stems from a failure to understand the limitations of the technology stack, underutilized or unrealized technologies capabilities and “a lack of business defined threats that provide clear monitoring requirements against top business threats.”
Example: At a Fortune 500 company with around 10 billion in revenue (with a large security stack); the Security Lead confidently stated they had excellent detection capabilities and they regularly reported such to their stakeholders. After our review, we identified that they had less than 20 generic detection capabilities enabled through their SIEM, IDS and other detection capabilities. They lacked direction from their security leadership in identifying which cyber business threats were the most important, as well as the follow through to ensure that top threats were being monitored.
Evaluating the “Top Threats” to My Business?
Considering the impact each cyber-attack type can have on your business is a critical step to preventing, detecting and responding to cyber-attacks. Kudelski Security refers to these threats which are the opportunity for a Threat Actor to execute a Cyber Attack Campaign against any business. The Cyber Business Threats are grouped into categories based on attackers’ general sets of motives:
- Cyber Espionage
- Cyber Crime
- Insider Threat
- Denial of Service
- Third Party Risk
- Data loss and exposure
- Business Process Manipulation
- Corporate IT Resource Hijacking
- Cyber Propaganda
- Regulatory / Non-Compliance
- Hardware / IoT Intrusion
- Misconfiguration / Miscellaneous Error
- Physical Theft
Selecting the top threats isn’t easy and takes a deep understanding of your business and the Cyber Threat Landscape. While going into the Threat Modeling process is outside the scope of this post, I recommend that you assume that two of the following listed will be within your Top 5 Cyber Business Threats list: Cyber Espionage, Insider Threat, Organized Cyber Crime and Third-Party Risk, four Cyber Business Threats prevalent within most organizations’ Top 5 lists.
Once you select your Top Threats to the Business, you can pass these along to your IR/Monitoring team. Little has been published in the security sector on the complex translation of these Top Threats into a comprehensive set of detection capabilities. To compound the problem of the lack of documentation, the security industry is still defining its terminology for referencing Cyber Threats, Threat Actors, Business Risks, Incident Impacts, and capabilities.
Example: A specific Threat Actor category is often referred to as “Insider” while the Threat faced by a business is referenced as “Insider Threat.” How do we translate an “Insider Threat” into actionable requirements for the Incident Response Team? Consider that the Threat Actor “Insider” can be a Disgruntled Employee, Contractor or even a Trusted Third party. How do we accurately associate our existing detection capabilities with each threat type to ensure that we have adequate detection against these threats?
Kudelski Security recommends focusing on the following Threat Actors “Actions on Objectives” which can provide insight into their attack goals. To enable your IR/Monitoring team for success, consider the “Actions on Objectives” as part of the Threat Actors methodology. The Tactics, Techniques, and Procedures (‘TTPs’) used explicitly by Threat Actors to reach their goals should be the focal point around which threat detection and prevention is prioritized. Map out how each one can be executed against your critical assets and sensitive data stores; Financial Gain, Account Compromise, Business Disruption, Gain Industry Advantage, Damage Reputation, Obtain Indirect Access to Target, & Intelligence Gathering.
Now we will combine the Cyber Business Threats with the Action on Objectives to understand the specific risks to your business. This is not a one-time consideration that will outline all prevention and detection capabilities for all threats. The process of selecting your Top Cyber Business Threats and then viewing their specific Actions on Objectives will provide you with insight into how an attack could accomplish their objectives. As your business changes, you will need to reevaluate how you are protecting the business.
I often like to compare this to both of us standing in a field with the countryside stretched out before us. I point to a spot in the distance and tell you, go there. If I place no limitations on the path you take, you are open to being as creative or straightforward as you want. In Cyber terms, attackers are continually discovering new paths never considered before which constantly keeps security several paces behind. The crucial part is to know what attackers are trying to accomplish within your organization and create the controls and detection capabilities to mitigate the risk.
Example: The Threat Actor category for Cyber Criminal and their Actions of Objectives for Financial Gain can have multiple paths to achieve their objectives. One consideration is that each of these examples has a different level of sophistication, as not all cybercriminals are created equal.
Here are a few examples:
1.) A spammed phishing campaign leads to ransomware on 10% of your computer systems which could leave your business at a standstill. Which controls are most effective in this scenario?
2.) An open port is a brute forced by the Threat Actor, and the credentials are used to collect data from internal file shares. Then the Threat Actor extorts you for financial gain or he will release all the data publicly. Can you detect outbound data exfiltration? Could data be exfiltrated through a cloud service?
3.) Finally, Malware is installed into your cloud environment that utilizes a cryptocurrency that spikes your CPU cycles costing your business for those cycles. Considering the total level of effort for containment and remediation needed to ensure a secure environment. Would segmentation have limited a Threat Actor’s capability to access the file shares?
The approach outlined in this article can assist you with laying the foundation of your Cyber Strategy. Understanding which type of Cyber Business Threats your business is susceptible to can provide scope and direction to your program. The challenge is to stay focused on current cyber trends and ensure that your cyber strategy aligns with Threat Actors methodology.
- 7 Red Flags to Look for in Your MSSP Relationship - February 8, 2021
- Through an Assessor’s Lens: Discovering the Value of a NIST CSF Assessment - September 22, 2020
- MSS is dead; Long live MSS! - February 26, 2018