Determining the ROI of your security stack is often a challenge, so the justification may come down to staying one step ahead of your competition; minimizing the “blast radius” in the event of a breach, which ultimately reduces the financial impact to the organization; or simply providing enough layers of security that the threat actor moves on to another victim, preventing financial, reputational, and customer impact altogether.
Regardless of the motivation to invest in cybersecurity staff, or in the latest Data Security Posture Management (DSPM) solution for identifying, classifying, and segmenting your cloud data, reducing risk to an acceptable level should be a priority for the CISO.
Are We Going to be Targeted Today?
We’re all aware that it’s not a matter of if, but when. So much so that it has become cliché. We also can’t predict when we’re next on a threat actor’s target list, or next in line for the automated reconnaissance script running nonstop from a remote botnet, scanning for unpatched and zero-day vulnerabilities.
Routine Risk Reduction
As CISOs we may follow a routine of updating policies, reviewing new compliance mandates, planning tabletop exercises, or the annual penetration test. We may prepare for the next board meeting by reviewing overall vulnerability remediation efforts, incident response metrics, KPIs, and KRIs, all to demonstrate our risk reduction strategy, but are we monitoring threat actor activity daily?
Targeted Risk Reduction
There is an array of threat intelligence tools to choose from such as Recorded Future, ThreatConnect, Mandiant, and the new CrowdStrike Counter Adversary Operations (CAO). There are also free intelligence feeds like the Information Sharing and Analysis Center (ISAC), Cybersecurity & Infrastructure Security Agency (CISA), and FBI InfraGard, to name a few. The data is out there so we should use it to become more targeted in our efforts. Below are recommended approaches for taking advantage of threat feeds and using them to reduce risk where it counts most, exactly where the threat actor is going to attack YOU.
Intelligence Analysis Recommendations
- Know your organization – what industry and where are you exposed?
- Understand who the most likely attackers are – RansomHub, LockBit, Lazarus Group, Blue Delta, North Korea, Iran, Russia, and China.
- Understand the most likely methods of attack – Social Engineering, Ransomware, Zero-Day Exploits, Supply Chain Attack or Business Email Compromise.
- Prioritize vulnerability remediation – In this order: currently being exploited, exploit available, exploitable.
- Who is currently being targeted – Identify whether your industry is a current target.
- Are your competitors being targeted – Have your competitors suffered a breach in the past year or two?
- Tactics, Techniques, and Procedures (TTPs) – What methods are being used to attack your industry? Are they living off the land, using remote exploits, or phishing? And how: deepfakes, malicious Microsoft login screens, smishing for MFA codes after a credential theft, etc.
- Prioritize remediation and mitigation based on your threat intelligence findings.
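To make the prioritization steps above concrete, here is an added Python example (not from the original article) that ranks vulnerability findings from a threat feed in the article’s triage order, bumps findings tied to an actor reported against your industry, and drops anything for software you do not actually run. All CVE ids, products, and actor names are constructed placeholders.

```python
from dataclasses import dataclass

# Exploitation tiers in the article's triage order; tiers are spaced so that
# a lower tier can never outrank a higher one even with a maximal CVSS score.
STATUS_WEIGHT = {"exploited_in_the_wild": 60, "exploit_available": 40, "exploitable": 20}
INDUSTRY_ACTOR_BONUS = 5  # an actor known to target our industry is using it


@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder identifier, not a real advisory
    product: str      # product the feed says is affected
    status: str       # one of the STATUS_WEIGHT keys
    actors: tuple     # actors the feed associates with this vulnerability
    cvss: float       # used only to break ties within a tier


@dataclass(frozen=True)
class OrgContext:
    inventory: frozenset        # products the organization actually runs
    industry_actors: frozenset  # actors the feed reports targeting our industry


def priority_score(f: Finding, ctx: OrgContext) -> float:
    """Higher is more urgent; findings for software we do not run score 0."""
    if f.product not in ctx.inventory:
        return 0.0
    score = STATUS_WEIGHT.get(f.status, 0)
    if set(f.actors) & ctx.industry_actors:
        score += INDUSTRY_ACTOR_BONUS
    return score + f.cvss


def prioritize(findings, ctx: OrgContext) -> list:
    """Return CVE ids in remediation order, omitting findings that do not apply."""
    scored = [(priority_score(f, ctx), f.cve) for f in findings]
    return [cve for score, cve in sorted(scored, reverse=True) if score > 0]


# Constructed sample feed and organization context (placeholders, not real data).
SAMPLE_CONTEXT = OrgContext(inventory=frozenset({"vpn-gateway", "mail-server"}),
                            industry_actors=frozenset({"actor-x"}))
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", "vpn-gateway", "exploited_in_the_wild", ("actor-x",), 7.5),
    Finding("CVE-PLACEHOLDER-2", "mail-server", "exploit_available", (), 9.8),
    Finding("CVE-PLACEHOLDER-3", "crm-suite", "exploitable", ("actor-x",), 9.9),  # not in inventory
    Finding("CVE-PLACEHOLDER-4", "mail-server", "exploitable", ("actor-x",), 6.0),
]

if __name__ == "__main__":
    print(prioritize(SAMPLE_FINDINGS, SAMPLE_CONTEXT))
```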
Conclusion
Most CISOs are underwater when it comes to workload, so sometimes it comes down to simply taking action to reduce the blast radius of an attack and minimize the impact to the organization. While you work through your tactical and long-term strategies, it’s worth taking time each day to review threat intelligence feeds and act on the findings that may impact your industry or your organization itself.
By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA