/*
Cyber Resilience – A Primer Part 2: Your IR Team Will Fail to Identify Threats and It’s Going to Be Your Fault

Cyber Resilience – A Primer Part 2: Your IR Team Will Fail to Identify Threats and It’s Going to Be Your Fault

Your Incident Monitoring team will fail to detect active threats to your business. Not because they are unskilled, lack specific tools, have limited visibility, or are resource constrained. They will fall short first because you failed to provide them with the focus they need to identify relevant cyber threats.

In my first post in this series, we talked about defining a mission statement with a set of business objectives to help focus your security team’s efforts. This post focuses on how to strengthen your team’s ability to identify the cyber-attacks against your business.

The task before all of us in the security field is growing in complexity with each passing year.

  • What are the business impacting events that could disrupt your company’s ability to execute its primary revenue sources?
  • Do you know what systems would be targeted by Threat Actors? Do you know what is the Threat Actors focus or “Actions on Objectives” will be?
  • Which Cyber Business Threats should your business focus on to enable your business to continue operations during a major security incident?
  • What Threat Actor methodology should your IR team focus on identifying within your environment?

Qualifier: If I asked you how good your threat detection capability was, the chances are you’d believe them to be better than average and would answer as such. Now, what if I were to ask you how confident you were in your team’s ability to detect a few specific threats: data exfiltration, sensitive data exposure, hacking attempts against your web applications, brute forcing of open ports, and use of compromise credentials on cloud services?

Still confident? You’re not alone. Kudelski Security’s IR team works with many clients who – at the beginning of an engagement – believe their detection coverage is significantly stronger than their actual capabilities. The confusion stems from a failure to understand the limitations of the technology stack, underutilized or unrealized technologies capabilities and “a lack of business defined threats that provide clear monitoring requirements against top business threats.”

Example: At a Fortune 500 company with around 10 billion in revenue (with a large security stack); the Security Lead confidently stated they had excellent detection capabilities and they regularly reported such to their stakeholders. After our review, we identified that they had less than 20 generic detection capabilities enabled through their SIEM, IDS and other detection capabilities. They lacked direction from their security leadership in identifying which cyber business threats were the most important, as well as the follow through to ensure that top threats were being monitored.

Evaluating the “Top Threats” to My Business?

Considering the impact each cyber-attack type can have on your business is a critical step to preventing, detecting and responding to cyber-attacks. Kudelski Security refers to these threats which are the opportunity for a Threat Actor to execute a Cyber Attack Campaign against any business. The Cyber Business Threats are grouped into categories based on attackers’ general sets of motives:

  • Cyber Espionage
  • Cyber Crime
  • Insider Threat
  • Denial of Service
  • Third Party Risk
  • Data loss and exposure
  • Business Process Manipulation
  • Corporate IT Resource Hijacking
  • Cyber Propaganda
  • Regulatory / Non-Compliance
  • Hardware / IoT Intrusion
  • Misconfiguration / Miscellaneous Error
  • Physical Theft

Selecting the top threats isn’t easy and takes a deep understanding of your business and the Cyber Threat Landscape. While going into the Threat Modeling process is outside the scope of this post, I recommend that you assume that two of the following listed will be within your Top 5 Cyber Business Threats list: Cyber Espionage, Insider Threat, Organized Cyber Crime and Third-Party Risk, four Cyber Business Threats prevalent within most organizations’ Top 5 lists.

Once you select your Top Threats to the Business, you can pass these along to your IR/Monitoring team. Little has been published in the security sector on the complex translation of these Top Threats into a comprehensive set of detection capabilities. To compound the problem of the lack of documentation, the security industry is still defining its terminology for referencing Cyber Threats, Threat Actors, Business Risks, Incident Impacts, and capabilities.

Example: A specific Threat Actor category is often referred to as “Insider” while the Threat faced by a business is referenced as “Insider Threat.”  How do we translate an “Insider Threat” into actionable requirements for the Incident Response Team? Consider that the Threat Actor “Insider” can be a Disgruntled Employee, Contractor or even a Trusted Third party. How do we accurately associate our existing detection capabilities with each threat type to ensure that we have adequate detection against these threats?

Kudelski Security recommends focusing on the following Threat Actors “Actions on Objectives” which can provide insight into their attack goals. To enable your IR/Monitoring team for success, consider the “Actions on Objectives” as part of the Threat Actors methodology. The Tactics, Techniques, and Procedures (‘TTPs’) used explicitly by Threat Actors to reach their goals should be the focal point around which threat detection and prevention is prioritized. Map out how each one can be executed against your critical assets and sensitive data stores; Financial Gain, Account Compromise, Business Disruption, Gain Industry Advantage, Damage Reputation, Obtain Indirect Access to Target, & Intelligence Gathering.

Now we will combine the Cyber Business Threats with the Action on Objectives to understand the specific risks to your business. This is not a one-time consideration that will outline all prevention and detection capabilities for all threats. The process of selecting your Top Cyber Business Threats and then viewing their specific Actions on Objectives will provide you with insight into how an attack could accomplish their objectives.  As your business changes, you will need to reevaluate how you are protecting the business.

I often like to compare this to both of us standing in a field with the countryside stretched out before us. I point to a spot in the distance and tell you, go there. If I place no limitations on the path you take, you are open to being as creative or straightforward as you want. In Cyber terms, attackers are continually discovering new paths never considered before which constantly keeps security several paces behind. The crucial part is to know what attackers are trying to accomplish within your organization and create the controls and detection capabilities to mitigate the risk.

Example: The Threat Actor category for Cyber Criminal and their Actions of Objectives for Financial Gain can have multiple paths to achieve their objectives. One consideration is that each of these examples has a different level of sophistication, as not all cybercriminals are created equal.

Here are a few examples:

1.) A spammed phishing campaign leads to ransomware on 10% of your computer systems which could leave your business at a standstill. Which controls are most effective in this scenario? 

2.) An open port is a brute forced by the Threat Actor, and the credentials are used to collect data from internal file shares. Then the Threat Actor extorts you for financial gain or he will release all the data publicly. Can you detect outbound data exfiltration? Could data be exfiltrated through a cloud service?

3.) Finally, Malware is installed into your cloud environment that utilizes a cryptocurrency that spikes your CPU cycles costing your business for those cycles. Considering the total level of effort for containment and remediation needed to ensure a secure environment. Would segmentation have limited a Threat Actor’s capability to access the file shares?

The approach outlined in this article can assist you with laying the foundation of your Cyber Strategy. Understanding which type of Cyber Business Threats your business is susceptible to can provide scope and direction to your program. The challenge is to stay focused on current cyber trends and ensure that your cyber strategy aligns with Threat Actors methodology.

 

Cyber Resilience – A Primer Part 1: Defining Your Security Program’s Mission Statement

Cyber Resilience – A Primer Part 1: Defining Your Security Program’s Mission Statement

What is the number one thing your security team can do for your organization? Take a minute. It’s hard to pick just one amidst the never-ending salvo of competing objectives that security teams are mandated to meet.

Day-to-day tasks, project management, ad-hoc assignments, side projects, departmental red tape, people who flat out ignore the security group – they all have the potential to derail the fundamental “raison d’être” of your security team.

Defining and communicating a mission statement for your cybersecurity program centers your team’s focus on what matters most to help prioritize competing objectives, manage stakeholder expectations, and, ultimately, better secure the enterprise.

Like an organizational mission statement, your cybersecurity mission statement should reflect the purpose of your team and what you’ve set out to achieve. In other words – why do you exist?

Don’t worry, this isn’t as existential as it sounds, and we’ve put together a straightforward set of guidelines to help you get there.

First, a good mission statement will contain the following components:

  • The team’s main function – what is it that your team does for the company?
  • Your primary customers – who is it that your team primarily serves?
  • Protecting the products and services that make up the revenue of your business
  • The geographic location in which you operate

The one thing your mission statement should not be: generic. Make it specific to your business and how your team fits within it. Otherwise, you risk developing a statement that is unused, stale, and ultimately ignored.

Reaching a business-specific statement requires alignment with overarching business objectives. Best case scenario: your executive team has clearly laid these out, making it easy (or easier) to build upon. Worst case scenario: your probing forces the issue to define these business objectives.

If the organization does not have their objectives set and well-communicated, each department is pulling in a different direction, chasing the next new thing rather than operating strategically. This lack of direction makes it difficult in tracking your teams progress towards any business relevant goals.

Here are few questions that can help you identify and align with business objectives:

  • What are the largest cyber threats to your business?
  • What does your company do that could be a target?
  • How does your business generate revenue?
  • What are the crown jewels of your business?
  • How big of a role does compliance play for your business?

For your team specifically, it’s important to ask:

  • How do you make security an enabler of business?
  • What is the culture you are trying to invoke within your team?
  • Who are the customers you are trying to protect? What of assets are you protecting?
  • What are the limitations and capabilities of your cybersecurity program? How is that reflected within your current team?

With a mission statement in place, you will be able to create a set of objectives that help you achieve your cybersecurity goals. For example, the mission statement “Protecting ABC Inc. and securing their assets from brand damaging cyber-attacks,” might have the following set of objectives:

  • Enable secure communications standards that protect our client’s interests.
  • Ensure an agile vulnerability mitigation process.
  • Hire and/or retain world-class resources to defend and respond to cyber threats.
  • Identify and respond with swift clarity to immediate threats to the business.
  • Be innovate in protecting and enabling our core business.

Each of these objectives provides clear direction for your security team – a north star to guide you when competing priorities, pressure from other groups in the organization, or the next “new thing” threatens to sidetrack you from success.

When evaluating Companies overall Incident Response maturity, a common theme has emerged.  Those who adopt a weak Mission Statement, often have similarly under developed cyber capabilities.  While I’m not stating a direct correlation, I have observed that this lack of specific focus translates to a company’s ability to response to Cyber Incident.

If you currently have a generic cyber security mission statement; we encourage you to develop a more meaningful and directionally engaging mission statement to drive your security program forward. If not, and you’d like guidance in moving forward, please do not hesitate to reach out to us at request@kudelskisecurity.com

Coming up next in the Cyber Resilience Primer series: defining what constitutes a security incident and the related risks they impose.