Protect Your Organisation - Know Your Enemy

Digitalisation has been a buzzword for a while, and many organisations have made significant progress towards digitalising the majority of their data and processes. Unfortunately, those digital assets are attractive to cyber criminals, too: they present a considerable cyber risk across a large attack surface. 

With the expansion of the Internet of Things, endpoints are becoming more distributed and diverse, prompting warnings that tomorrow’s attacks might include targets which were previously believed to be secure such as insulin pumps, pacemakers or connected cars. It’s no longer a matter of ‘if’ an attack takes place but ‘when’. Given the frequency, extended attack surface, and the severity of attacks, understanding where potential attacks might come from and how they could affect your organisation is more critical than ever.

Not only are cyber attacks happening at an accelerated pace, they are also becoming increasingly difficult to recover from and carry greater ramifications. The ransomware threat is now endemic, and the rise of crypto currencies has provided the means for cyber criminals to carry out anonymous, risk-free attacks. We’re beginning to witness the dawning of a new age. One where organisations are taking an ‘assume breach’ position and developing solid response and recovery capabilities with incident response, crisis management, and disaster recovery plans alongside their traditional cyber security programmes. 

Although critical, protection technologies are no longer enough. Being able to identify, protect, detect, as well as respond to and recover from threats is imperative: those capabilities form the basis of a comprehensive cyber resilience strategy. Cyber resilience, however, is also about reducing risk – knowing which cyber security events would have the greatest impact on your organisation and prioritising your defence measures accordingly. To improve overall protection, organisations need to know their ‘enemy’, ‘battlefield’, and ‘themselves’. 

Know Your Adversaries

More than just having a degree of familiarity, knowing your enemy is the most difficult aspect. You need a good understanding of the threat actors that are taking an interest in your organisation, and why they see you as a viable target. Gaining this level of knowledge requires answers to: what are their motivation and objectives, what are the tactics, techniques, and procedures (TTPs) used, how are they applicable to your environment, where would the attack most likely take place, and how could it compromise your business, your supply chain, or your customers?

There are several open-source resources available that provide insights into how threat actors operate. The MITRE ATT&CK database provides a library of known adversary tactics and techniques, and provides information on cyber criminals’ behaviour, reflecting the various phases of an attack lifecycle and the platforms they are known to target. The ThaiCERT also provides a useful encyclopaedia of threat actors. For the most up-to-date insights, security vendors monitor cyber criminals and publish their findings. For example, Datto’s Threat Management Cyber Forum provides threat profiles, signatures, and information on threats targeting the MSP community and their SMB customers. 

Know Your Battleground

To fully appreciate your exploitable surface, you need insight into the likelihood of being attacked via a particular attack vector. Organisations first need to evaluate which of their assets have the highest probability of being attacked. Second, they need to determine how valuable these assets are to the company or their customers. 

Being cyber attack ready requires a comprehensive cyber resilience strategy that consists of five components: identify, protect, detect, respond, and recover. Cyber resilience also encompasses reducing risk. Risk is a function of likelihood and adverse impact. For instance, an event that is likely to happen but has minor consequences, presents less overall risk than an event that is deemed unlikely, but would cause significant damage. Knowing which cyber security events would have the greatest impact and prioritising defence measures accordingly is essential to a risk-based approach. 

Know How To protect Yourself

Once you know which cyber criminals are lurking and their preferred battleground, you’re able to simulate their methods to determine where your greatest risks reside and what is needed to mitigate potential risk. By reverse engineering a cyber criminal’s past breaches, you can confidently prioritise and implement the most effective security controls against threat actor specific tactics and techniques. To test your configurations, there are several open-source free tools that emulate specific adversaries, such as Caldera (which leverages the ATT&CK model) or Red Canary’s Atomic Red Team.

Adversary emulation is different from pen testing and red teaming in that it uses a scenario to test a specific adversary’s TTPs. The goal is to determine whether the tactics can be either prevented or detected in your environment. Additionally, it’s important to examine technology, processes, and people to fully understand how your defences work in unison. This process needs to be repeated until you’re confident that you will prevail against this adversary.

Large organisations and MSPs should conduct adversary emulation on a quarterly basis, SMEs at least once a year or whenever there is a major new threat, and for enterprises, a threat-informed defence programme is an ongoing effort. Additionally, at a minimum, all organisations should follow the CIS Critical Security Controls – spending ample time on Implementation Group 1 (IG1).

While the processes may seem overwhelming, improving overall security is imperative and needs to be given the highest priority.

Ryan Weeks is CISO at Datto

You Might Also Read: 

Penetration Testing & Ethical Hackers:

 

 

« CYRIN Enters A Strategic Alliance With Cyber Ireland
Lithuania & Poland Issue Cyber Attack Warnings »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ON-DEMAND WEBINAR: How to build and implement an effective endpoint detection and response strategy

ON-DEMAND WEBINAR: How to build and implement an effective endpoint detection and response strategy

Discover how you can implement endpoint detection and response (EDR) tools into your security strategy.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Centre for International Governance Innovation (CIGI)

Centre for International Governance Innovation (CIGI)

CIGI research areas include Conflict Management & Security which encompass cyber security and cyber warfare.

NLnet Labs

NLnet Labs

NLnet Labs is a not-for-profit foundation with a long heritage in research and development, Internet architecture and governance, as well as security in the area of DNS and inter-domain routing.

Kymatio

Kymatio

Kymatio are pioneers in Artificial Intelligence applied to adaptive staff strengthening, cultural change and predictive internal risk analysis.

GV

GV

GV provides venture capital funding to bold new companies in the fields of life science, healthcare, artificial intelligence, robotics, transportation, cyber security and agriculture.

Symantec Ventures

Symantec Ventures

Symantec Ventures is an active, strategic partner at key stages of a startup’s growth. We are dedicated to helping visionary entrepreneurs protect the Cloud Generation.

Seavus Accelerator

Seavus Accelerator

Seavus Accelerator's goal is to create an enabling and stimulating environment for start-ups growth and provide continuous high quality acceleration and investment support.

Crypsis

Crypsis

Crypsis was built based on a shared vision of creating a more secure digital world by providing the highest quality incident response, risk management, and digital forensic services.

ProcessUnity

ProcessUnity

ProcessUnity is a leading provider of Third-Party Risk Management software, helping companies remediate risks posed by third-party service providers.

Crypto International

Crypto International

Crypto International offers comprehensive services for the operation of our customers’ IT and communication infrastructure, with a focus on cybersecurity and encryption solutions.

Pentesec

Pentesec

Pentesec is a security specialist offering professional services, managed security services and expertise within an extensive range of security technologies.

Vantea SMART

Vantea SMART

Vantea SMART have decades of experience in cybersecurity resulting in an approach of proactive prevention - Security by Design and by Default.

Paradyn

Paradyn

Paradyn-managed security services can provide a holistic view of your business environment, no matter how simple or complex it is.

DatChat

DatChat

DatChat Inc. is a blockchain, cybersecurity, and social media company that focuses on protecting privacy on our devices and also protecting our information after we have shared it with others.

Cyber Security Services

Cyber Security Services

Cyber Security Services is a cyber security consulting firm and security operations center (SOC).

BIRD Cyber

BIRD Cyber

BIRD Cyber is a program to promote collaboration on cybersecurity and emerging technologies aimed at enhancing the cyber resilience of critical infrastructure.

Interactive

Interactive

Interactive are a leading Australian IT service provider with services in Cloud, Cyber Security, Data Centres, Business Continuity, Hardware Maintenance, Digital Workplace, and Networks.