
Building a threat informed defense: know your enemy, your battlefield and yourself


In the current cyber threat landscape, understanding where potential attacks might come from and how they could hit your organization is more critical than ever before.

Cybercrime on a global basis has grown to create an over one trillion dollar drag on the world economy – a figure larger than the GDP of Belgium.

With organizations having digitalized the vast majority of their data and processes, those digital assets now present a concentrated risk that has a bigger attack surface than ever before.

Productivity, convenience, and efficiency have been the drivers of the digital revolution, shaping a world in which we're all interconnected and the online blends seamlessly with the offline. The Colonial Pipeline ransomware attack earlier this year was a stark reminder of how a cyberattack can affect the physical world by taking out the fuel supply on the East Coast of the United States.

Security experts have already warned that hackers could target pacemakers, insulin pumps or connected cars. Endpoints are becoming ever more diverse and distributed. They are no longer just PCs and servers, but also phones, cameras, HVAC solutions, printers, watches, smart speakers and more. The ransomware threat is now endemic. And the rise of cryptocurrencies has provided the means for cybercriminals to carry out anonymous, risk-free transactions.

All of this taken together has created an environment of catastrophic risk potential. Cyber attacks are becoming increasingly difficult to recover from and have bigger repercussions. Organizations need to get smarter and act faster to proactively address the threats they are facing.

Investment in protection technologies is not enough. We have already seen an ‘assume breach’ awakening amongst organizations – a transformation towards ramping up response and recovery capabilities in addition to traditional cyber security programs. Knowing that an attack is not a matter of ‘if’, but ‘when’, businesses need solid incident response, crisis management, and disaster recovery plans.

Being able to identify, protect, detect as well as respond and recover from threats is imperative: those capabilities are the building blocks of a comprehensive cyber resilience strategy. But cyber resilience is also about reducing risk – knowing which cyber security events would have the biggest impact on your organization and prioritizing your defense measures accordingly. You need a good understanding of your would-be attackers and their methods to develop a threat-informed, risk-based security program.

Be cyber battlefield ready

Risk is a function of likelihood and adverse impact. An event that is very likely to happen, but has minor consequences, presents less risk overall than an event that is unlikely, but would cause major damage.

Therefore, businesses need to firstly evaluate which of their assets have the highest probability of being attacked and secondly, how valuable these assets are to them. You can only fully appreciate your exploitable surface if you understand the likelihood of being attacked via a particular attack vector. Studying your adversary and how they operate is therefore a key part of this risk-based approach.

You need to know your enemy, your battlefield and yourself. Organizations need to carefully examine their own inventory – data, systems and people; their battlefield – the network; as well as their potential attackers.

Knowing the enemy is the hardest part. Who are the threat actors taking an interest in your organization and why are they seeing you as an attractive target? What are their motivations and objectives? How do they work – what tactics, techniques and procedures (TTPs) do they use and how are these relevant to your own environment? Where would they most likely attack and how would they compromise your business or your customers?

Once an organization has gained this in-depth understanding, it can decide on risk-adjusted priorities for the right security controls and investments. Anticipating what the attacker might do will help identify gaps in your defenses and help decide where to ramp up protection. Conversely, it is impossible to build an efficient cyber resilience program if you don’t understand the methods that attackers are going to use against you.

Taking an offensive position starts with knowing your enemy

So how do you go about pinpointing and understanding your potential attacker? Threat intelligence tools often promise to provide the answers, but while they can play an important part in any security program, they are ultimately reactive solutions based on indicators of compromise. They tend to include too much unfiltered data, with threat indicators constantly changing. Studying an adversary’s TTPs, on the other hand, must be a proactive and targeted process. Fortunately, there are several open-source resources available to help organizations understand how threat actors operate.

The MITRE ATT&CK database is a good starting point, as a very accessible library of known adversary tactics and techniques. It includes information on cyber adversaries’ behavior, reflecting the various phases of an attack lifecycle and the platforms they are known to target, and provides a framework that is widely used by threat hunters, red teamers and defenders to classify and assess attacks.

The ThaiCERT provides another useful encyclopedia of threat actors. However, there is no single complete inventory of all attackers – and adversaries can often operate under different guises.

For some of the most up-to-date insights, security vendors monitor actors and publish this information. For example, threat profiles are available for free on Datto’s Threat Management Cyber Forum, where their threat management team shares threat profiles, signatures, and information on threats that target the MSP community and their SMB customers. Most recently added profiles include Russian state-sponsored hacker group APT29, also known as Cozy Bear and Dark Halo; the LockBit family of ransomware; and notorious cybercrime group Wizard Spider. 

Each profile contains an actor overview, their motives, TTPs, possible mitigations or defenses, detection opportunities and additional resources. The researchers have also mapped actors back to the MITRE ATT&CK framework and CIS Critical Security Safeguards to make the information easily actionable.

Put cyber adversaries in their place: understand, prioritize, protect, test

Once you have gained the necessary insights about which threat actors could be lurking, simulating their methods will help you figure out where you have the biggest risk exposure in your organization – and what you can do to mitigate this risk. By reverse-engineering their past breaches, you can confidently prioritize and implement the most effective security controls against specific actors.
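The risk scoring from "Be cyber battlefield ready" (likelihood times adverse impact) and the gap prioritization described above, combined in an added example that is not code from the article or from Datto: the actor names, their TTP lists, the impact weights and the coverage set are constructed sample data, while the technique IDs are real MITRE ATT&CK identifiers.

```python
# Added example: a small threat-informed gap analysis. Actor profiles, impact
# weights and the coverage map are CONSTRUCTED sample data; the actor names are
# hypothetical and do not describe any real group.
from collections import Counter

# Hypothetical actor profiles: the ATT&CK techniques each actor is assumed to use.
ACTOR_TTPS = {
    "ransomware-affiliate-A": {"T1566", "T1059", "T1078", "T1021", "T1486"},
    "state-actor-B":          {"T1566", "T1078", "T1021", "T1003"},
    "commodity-crimeware-C":  {"T1566", "T1059", "T1204"},
}

# Adverse impact (1-5) if each technique succeeds against the organization's
# key assets; constructed weights for the example.
IMPACT = {"T1566": 2, "T1059": 3, "T1078": 4, "T1021": 3,
          "T1486": 5, "T1003": 4, "T1204": 2}

# Techniques for which a prevention or detection control is already in place
# and has been validated (e.g. through adversary emulation); constructed.
COVERED = {"T1566", "T1204"}

def technique_risk(actor_ttps, impact):
    """Score each technique as likelihood x impact, where likelihood is the
    number of relevant actors known to use the technique."""
    likelihood = Counter(t for ttps in actor_ttps.values() for t in ttps)
    return {t: likelihood[t] * impact.get(t, 1) for t in likelihood}

def prioritized_gaps(actor_ttps, impact, covered):
    """Return uncovered techniques, highest risk first, together with the
    actors that would exercise each gap, so controls can be prioritized."""
    scores = technique_risk(actor_ttps, impact)
    gaps = []
    for tech, score in scores.items():
        if tech in covered:
            continue
        actors = sorted(a for a, ttps in actor_ttps.items() if tech in ttps)
        gaps.append((tech, score, actors))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))

if __name__ == "__main__":
    for tech, score, actors in prioritized_gaps(ACTOR_TTPS, IMPACT, COVERED):
        print(f"{tech}: risk={score:2d} actors={', '.join(actors)}")
```

Replacing the sample dictionaries with real actor profiles (for example the TTPs listed in a published threat profile) and the organization's validated control coverage turns this into a first-pass prioritization list.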

To help test your configurations, there are a number of open-source free tools that emulate specific adversaries, such as Caldera (which leverages the ATT&CK model) or Red Canary’s Atomic Red Team.

Adversary emulation is different from pen testing and red teaming in that it uses a scenario to test a specific adversary’s TTPs. Can those tactics be either prevented or detected in your environment? It is important to probe technology, processes as well as people to fully understand how your defenses all work together. Repeat this process until you are ready to win the battle against this adversary.

SMEs should do this at least once a year or whenever there is a major new threat; larger organizations and MSPs should do it quarterly; and for enterprises, a threat-informed defense program is an ongoing effort.

In addition, any organization should follow the CIS Critical Security Controls – as a minimum, spending enough time on Implementation Group 1 (IG1) controls for essential cyber hygiene.

The main thing is to simply get started. There is no need to feel overwhelmed by the task. Start with a step-by-step gap assessment against CIS IG1. Even investing an hour a week on a risk- and threat-based approach will help improve your overall security.

A good understanding of the bad actors in a business’s threat profile is essential to building an effective threat-informed security program that ensures cyber resilience. As businesses begin to think more like hackers, they will be able to make better risk-informed decisions and will be better equipped to protect themselves.

Ryan Weeks, CISO, Datto
