In many situations associated with cyber security, in particular defending an organization, it is easy to get overwhelmed with not only the sheer number of issues but also the complexity of the interconnections between them. Technical issues are inextricably linked with social, cultural and political issues. Confronted with this sea of obstacles, it’s easy to succumb to security nihilism: “nothing is ever good enough”, “offense always wins” or “security is a losing battle”. As a defender, it is crushing to see how even an average Red Team can rip apart your defences, another successful engagement for Team Red as your passwords tumble helplessly out of the Domain Controller!
It’s a truism, if not a platitude, that “perfect is the enemy of good”, but I believe that this phrase takes on a new meaning in the world of cyber security. The answer to security nihilism is the art and science of prioritization. Since defenders cannot protect everything to an equal standard, trade-offs have to be made. Difficult decisions must be taken. But where to start? I would argue that the best place to start is with the reality of protecting your organization. By which I mean, a pragmatic focus on:
- The critical assets that your organization has
- The credible threats to those assets
Threat modelling exercises are useful heuristics for roughly figuring out the critical assets and the credible threats. An organization that handles payment card data will have a different set of assets and threats compared to another organization that handles sensitive government data to another organization that may regularly store Protected Health Information (PHI). An organization’s security posture should be appropriate for the types of threats that they realistically face.
In order for these threat modeling exercises, which are often table-top exercises, to have meaning, they must be grounded in reality. Not all threats that organizations face wield NSA-grade 0days. Not all organizations are routinely attacked by APT groups. But understanding how attackers you are facing actually operate is essential. As The Grugq is fond of saying, “increase attacker costs!”. As defenders, we need to understand what tasks are costly for attackers and how to make those tasks even more expensive.
Let’s see how standard TTPs (tactics, techniques, and procedures) used by a wide-variety of different threat actors can be made more expensive. We’ll start with a phishing campaign:
Outside in, network-based attacks are also widely-used:
Most organizations have key employees who are high-value targets for attackers and most organizations have externally facing systems, in particular Web applications. These assets are a good place to start. By understanding how attackers operate, we can establish some priorities about which actions as defenders we should take based upon the assets that we have and our knowledge of how attackers operate. As our capability matures, our assets can become more specific and nuanced and our understanding of attacker tradecraft similarly develops. Robust fundamentals, however, never go out of style!
To get the latest threat intelligence news and research, subscribe to our email list here.