Protect Your Organisation - Know Your Enemy

Digitalisation has been a buzzword for a while, and many organisations have made significant progress towards digitalising the majority of their data and processes. Unfortunately, those digital assets are attractive to cyber criminals, too: they present a considerable cyber risk across a large attack surface. 

With the expansion of the Internet of Things, endpoints are becoming more distributed and diverse, prompting warnings that tomorrow’s attacks might include targets which were previously believed to be secure, such as insulin pumps, pacemakers or connected cars. It’s no longer a matter of ‘if’ an attack takes place but ‘when’. Given the frequency, extended attack surface, and severity of attacks, understanding where potential attacks might come from and how they could affect your organisation is more critical than ever.

Not only are cyber attacks happening at an accelerated pace, they are also becoming increasingly difficult to recover from and carry greater ramifications. The ransomware threat is now endemic, and the rise of cryptocurrencies has provided the means for cyber criminals to carry out anonymous, risk-free attacks. We’re beginning to witness the dawning of a new age, one where organisations are taking an ‘assume breach’ position and developing solid response and recovery capabilities with incident response, crisis management, and disaster recovery plans alongside their traditional cyber security programmes.

Although critical, protection technologies are no longer enough. Being able to identify, protect, detect, as well as respond to and recover from threats is imperative: those capabilities form the basis of a comprehensive cyber resilience strategy. Cyber resilience, however, is also about reducing risk – knowing which cyber security events would have the greatest impact on your organisation and prioritising your defence measures accordingly. To improve overall protection, organisations need to know their ‘enemy’, ‘battlefield’, and ‘themselves’. 

Know Your Adversaries

Knowing your enemy means more than having a degree of familiarity, and it is the most difficult aspect. You need a good understanding of the threat actors that are taking an interest in your organisation, and why they see you as a viable target. Gaining this level of knowledge requires answers to the following: what are their motivation and objectives, what are the tactics, techniques, and procedures (TTPs) they use, how are those applicable to your environment, where would the attack most likely take place, and how could it compromise your business, your supply chain, or your customers?

There are several open-source resources available that provide insights into how threat actors operate. The MITRE ATT&CK database is a library of known adversary tactics and techniques, documenting cyber criminals’ behaviour across the various phases of an attack lifecycle and the platforms they are known to target. The ThaiCERT also provides a useful encyclopaedia of threat actors. For the most up-to-date insights, security vendors monitor cyber criminals and publish their findings. For example, Datto’s Threat Management Cyber Forum provides threat profiles, signatures, and information on threats targeting the MSP community and their SMB customers.

Know Your Battleground

To fully appreciate your exploitable surface, you need insight into the likelihood of being attacked via a particular attack vector. Organisations first need to evaluate which of their assets have the highest probability of being attacked. Second, they need to determine how valuable these assets are to the company or their customers. 

Being cyber attack ready requires a comprehensive cyber resilience strategy that consists of five components: identify, protect, detect, respond, and recover. Cyber resilience also encompasses reducing risk. Risk is a function of likelihood and adverse impact. For instance, an event that is likely to happen but has minor consequences presents less overall risk than an event that is deemed unlikely but would cause significant damage. Knowing which cyber security events would have the greatest impact and prioritising defence measures accordingly is essential to a risk-based approach.

Know How To Protect Yourself

Once you know which cyber criminals are lurking and their preferred battleground, you’re able to simulate their methods to determine where your greatest risks reside and what is needed to mitigate them. By reverse engineering a cyber criminal’s past breaches, you can confidently prioritise and implement the most effective security controls against threat-actor-specific tactics and techniques. To test your configurations, there are several free, open-source tools that emulate specific adversaries, such as Caldera (which leverages the ATT&CK model) or Red Canary’s Atomic Red Team.

Adversary emulation is different from pen testing and red teaming in that it uses a scenario to test a specific adversary’s TTPs. The goal is to determine whether the tactics can be either prevented or detected in your environment. Additionally, it’s important to examine technology, processes, and people to fully understand how your defences work in unison. This process needs to be repeated until you’re confident that you will prevail against this adversary.
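The two ideas above, risk as likelihood times impact and checking each of an adversary's techniques for a prevent or detect outcome, fit together as a simple gap analysis. The following is an added illustration, not code from the article or from Datto; the adversary profile, its likelihood/impact ratings and the coverage map are constructed sample data (the technique ids are real ATT&CK ids, the ratings are made up).

```python
"""Threat-informed gap analysis (illustrative): given an adversary's known
techniques and the controls we actually have, which techniques are neither
prevented nor detected, and which of those gaps should be fixed first?"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str          # MITRE ATT&CK technique id
    name: str
    likelihood: int   # 1 (rare) .. 5 (near certain) that this actor uses it against us
    impact: int       # 1 (minor) .. 5 (severe) if it succeeds against our assets


# Constructed adversary profile for a ransomware-style actor. Ratings are sample values.
ADVERSARY = [
    Technique("T1566", "Phishing", 5, 3),
    Technique("T1059", "Command and Scripting Interpreter", 4, 3),
    Technique("T1078", "Valid Accounts", 3, 4),
    Technique("T1021", "Remote Services (lateral movement)", 3, 4),
    Technique("T1486", "Data Encrypted for Impact", 2, 5),
]

# Constructed coverage map: technique id -> outcomes our controls achieved during
# emulation ("prevent", "detect"). A technique absent from the map has no coverage.
COVERAGE = {
    "T1566": {"prevent"},   # e.g. mail filtering blocked the lure
    "T1059": {"detect"},    # e.g. script logging raised an alert
    "T1078": set(),         # nothing fired for valid-account abuse
    "T1021": {"detect"},
}


def risk_score(t: Technique) -> int:
    """Risk as a function of likelihood and adverse impact (here: the product)."""
    return t.likelihood * t.impact


def coverage_status(t: Technique, coverage: dict) -> str:
    outcomes = coverage.get(t.tid, set())
    if "prevent" in outcomes:
        return "prevented"
    if "detect" in outcomes:
        return "detected"
    return "gap"


def coverage_report(adversary, coverage) -> dict:
    """Map each technique id to its (status, risk score)."""
    return {t.tid: (coverage_status(t, coverage), risk_score(t)) for t in adversary}


def prioritised_gaps(adversary, coverage) -> list:
    """Techniques that are neither prevented nor detected, highest risk first."""
    gaps = [t for t in adversary if coverage_status(t, coverage) == "gap"]
    return sorted(gaps, key=risk_score, reverse=True)
```

With the sample data the two uncovered techniques are T1078 (risk 12) and T1486 (risk 10), so valid-account abuse is the first control to work on even though the encryption technique has the higher impact.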

Large organisations and MSPs should conduct adversary emulation on a quarterly basis, SMEs at least once a year or whenever there is a major new threat, and for enterprises, a threat-informed defence programme is an ongoing effort. Additionally, at a minimum, all organisations should follow the CIS Critical Security Controls – spending ample time on Implementation Group 1 (IG1).

While the processes may seem overwhelming, improving overall security is imperative and needs to be given the highest priority.

Ryan Weeks is CISO at Datto
