Companies manage risk. Whether the risk is financial, health and safety or reputational, the method is the same: identify events, evaluate impact and likelihood, plan risk reduction measures, assign responsibilities for follow-up, and prioritize. This process works and allows us to navigate uncertainty without paralysing our ability to operate and to try new things. Yet many companies do not manage cyber risk this way. Instead they often do nothing, or buy into the magic pill sales tactics of some security vendors.
What are your most valuable assets?
Before you can manage threats, you need to know what you want to protect. Your organization must have a mission, and some core business processes to make that mission attainable. Identify the most important inputs, processes and outputs for each process, and then use this to figure out what IT and organizational assets are required to make the core business processes work. One technique you can use to make this overview is SIPOC.
Who are the attackers?
You are attacked every day online by criminals who don’t care who their victims are. The motivation is money. Phishing, ransomware, credit card fraud are keywords. That type of cyber threat can be viewed as “internet noise”. Although it is not sophisticated it can still be devastating if you lose a lot of money.
The other category is that of the targeted attack. Here, a threat actor is actively trying to gain access to your assets, or stop you from delivering your services. Knowing why they attack, and how they are likely to do it, can help you spend your resources more wisely. As it can be hard to know in detail who these criminals are, it is sufficient for our purposes to use broad categories. Keeping track of threat actors and their methods, with focus on how they threaten your organization and value chain is known as strategic threat intelligence.
For risk assessments it is usually good enough to focus on broader categories. One such category is hacktivists; these are activists who use cyber attacks as part of their activism to force policy change or draw attention to a cause. The most well-known group of hacktivists is Anonymous. Typical attack patterns include denial of service, web page defacement, social media account takeover, and theft and leak of confidential data.
Another category is organized crime. These are criminals with more resources and skills, and they can pull off longer running campaigns. Spear-phishing, industrial espionage and extortion are tools of the trade for such groups. They can also offer their services to other criminals in underground markets.
Do you need to worry about nation states? That depends on your business; if you are involved in the defense value chain, critical infrastructure, the energy sector or advanced technology, you are a target for state-sponsored actors if not the states themselves. You probably should assume that you have been compromised, and design your risk mitigation around damage minimization.
An often overlooked category is the insider threat. They are difficult to defend against, because they do have legitimate access, and your organization won’t be a very nice place to work if everyone is treated as a threat. The motivation of an insider threat can be anger against the employer, it can be financial gain, or the employee may be subject to external pressure.
You don’t need details on all these categories to create a risk assessment for your business, but knowing what to expect in terms of motivation and methods is quite helpful. Cybehave can help create such an overview based on open source intelligence.
If you follow discussions in the information security community, there is a lot of talk about “thinking like the adversary”. This can be a good approach, but it is surprisingly difficult if you don’t have a lot of practice. Because of this, various methodologies have been developed to assist with risk assessments. They often focus on the vulnerability, because that is easier to tie directly to an asset. Our goal, however, is to define risks so that we can manage the ones that pose the biggest threat in terms of both impact and likelihood, and vulnerability alone does not tell us that. In many cases it is better to identify threats by focusing on motivation first, and only then discuss, from the adversary’s point of view, which vulnerabilities must be present and which attack vectors could be used to achieve that goal.
Suppose you are the CEO of a big tech company delivering software to law enforcement agencies. You can expect criminals to want to gain access to your communications. One such asset is your email account. The motivation could be to read your emails to learn who is buying your system and who your contacts are. How could an attacker achieve this?
- Getting access to the email account by stealing username and password and logging in using a web mail portal
- Install malware on the computer to gain remote access or exfiltrate emails
- Install malware on your smartphone to collect the data
- Bribe or pressure a system administrator to create a backdoor for the hacker or exfiltrate the data on the hacker’s behalf
- Steal the computer and read the data from the hard drive
Are these attack vectors “advanced”? Is it likely that organized crime groups could perform such actions and succeed with it? That would be very likely, as all of these are known methods used by skilled criminals. With this number of different attack vectors, combined with the potentially devastating consequences of such a breach, this event would be a high risk event – and one should spend some energy on reducing the risk.
We’ll get back to the protection afterwards, but first let us see how we could go about analysing the “email account” asset with respect to threats from organized crime. We have concluded that they are motivated to gain access to the email inbox of the CEO. In some cases this could be enough to start the discussion on how to protect that email inbox, by googling “how to secure email from hackers”. If we want to be slightly more systematic we can use guidewords to try and identify the likely attack vectors. First, we should think about how the user can access the email:
- Webmail from a browser
- Mail client on smartphone
- Mail client on computer
Then we can establish a common understanding of how the user achieves the goal of reading his or her own emails:
- User connects to the mail server and authenticates with credentials
- Authentication is performed and access granted
- Emails are made available
We can then use guidewords to come up with potential threats. These guidewords can be combinations of threats and vulnerabilities; their only purpose is to trigger the right ideas in a brainstorming session and to help with the “think like the adversary” part of the discussion.
- Social engineering
- Insider abusing legitimate access
- Value chain trust exploitation
- Network sniffing
- Network redirection or spoofing
- Denial of service
- Authentication bypass
- Authorization bypass / privilege escalation
- Information disclosure
- Command injection
- Unauthorized hardware
Based on these guidewords we would readily identify the threat vectors discussed above for the email account of the CEO. We would perhaps also find other vectors in that discussion, such as network based Monkey-in-the-Middle or the deployment of hardware keyloggers on the CEO’s docking station in the office.
Defending your turf
You know the threat landscape. Now, you need to act to reduce the risk. The most secure solution is not to do any business at all – there is a trade-off between security and usability, or productivity. There is also a trade-off between security and cost, and often between security and privacy. “Maximum security” is most often not the right answer to anything. If you make things too hard to use, people will get angry – which increases the insider threat potential and reduces productivity overall. Find the balance, at a risk level the organization can live with. Let’s return to the email case – how can we reduce risk here? From risk management standards we know the typical list of actions we can take:
- Avoid the risk
- Transfer the risk
- Reduce the risk
Avoiding the risk would mean not using email, which is probably not an option. Transferring the risk? The cost can be transferred, for example by buying insurance, but that probably won’t help with lost relationships and trust. Reducing the risk means reducing the likelihood of the adversary achieving his or her goal of gaining access to the CEO’s email, or reducing the impact if this should occur. Both are valid approaches, and they probably should be combined.
Let’s start with: “adversary steals credentials and logs in”. Credential theft is primarily done in one of the following 4 ways:
- Phishing with a link sending the victim to a fake web site asking them to log in with their username and password (by far the most common)
- Reusing passwords from known data breaches – e.g. by buying credentials on the dark web
- Using malware that can steal passwords when they are being typed or from computer memory. Such malware is often called a “banking trojan” because it is commonly used by criminals to steal login information for online banking applications.
- Brute-force attacks, where the attacker runs various automated “password guessing” attacks against the login forms exposed on the web.
We want to protect against these attacks. Here are some actions we could take:
- Educate users on phishing threats and how to detect phishing emails
- Buy email and endpoint protection from security vendors to try and stop people from visiting phishing links
- Turn on two-factor authentication for email so that a lost password will not give the hacker access
- Use threat intelligence solutions to monitor for credential leaks on the dark web and pastebins
- Rate-limit login attempts, add lockout after x failed attempts
- Deploy antivirus against malware threats
- Ensure computers and phones are always up to date to minimize risk of malware exploiting known vulnerabilities
- Log all login attempts and have analysts review logs frequently to detect attempts of attacks and unusual logins. If available turn on “behavior based” alerts for unusual login attempts.
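Three of the controls above (lockout after x failed attempts, monitoring for attack attempts, and “behavior based” alerts for unusual logins) can be implemented as log review logic. The following is an added example, not code from the original post or from Cybehave: the log format, the thresholds and the sample log lines are constructed for illustration, and the country code XX is a placeholder. It shows why a per-account lockout alone is not enough: password spraying spreads one or two guesses over many accounts, so it is caught per source IP instead.

```python
"""Review authentication logs for brute force, password spraying and unusual
logins, and apply a lockout policy.  Added example with a constructed log
format: "<timestamp> <user> <source ip> <country> <SUCCESS|FAIL>"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  198.51.100.7 hammers the CEO's account, 192.0.2.9
# tries one guess each against five accounts, and the CEO finally "succeeds"
# from a country never seen before (XX is a placeholder country code).
SAMPLE_LOG = """\
2024-03-01T08:01:10Z ceo 203.0.113.5 NO SUCCESS
2024-03-01T12:30:00Z ceo 203.0.113.5 NO SUCCESS
2024-03-01T22:10:01Z ceo 198.51.100.7 XX FAIL
2024-03-01T22:10:05Z ceo 198.51.100.7 XX FAIL
2024-03-01T22:10:09Z ceo 198.51.100.7 XX FAIL
2024-03-01T22:10:13Z ceo 198.51.100.7 XX FAIL
2024-03-01T22:10:17Z ceo 198.51.100.7 XX FAIL
2024-03-01T22:10:21Z ceo 198.51.100.7 XX FAIL
2024-03-01T22:15:00Z alice 192.0.2.9 XX FAIL
2024-03-01T22:15:03Z bob 192.0.2.9 XX FAIL
2024-03-01T22:15:06Z carol 192.0.2.9 XX FAIL
2024-03-01T22:15:09Z dave 192.0.2.9 XX FAIL
2024-03-01T22:15:12Z erin 192.0.2.9 XX FAIL
2024-03-02T03:40:00Z ceo 192.0.2.50 XX SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country,
                       "result": result})
    return events


def detect_account_lockouts(events, max_failures=5, window=timedelta(minutes=10)):
    """Return {user: time of lockout} for accounts that reach max_failures
    failed logins inside a sliding window ('lockout after x failed attempts').
    The threshold and window are assumed values."""
    recent = defaultdict(list)
    locked = {}
    for ev in events:
        if ev["result"] != "FAIL" or ev["user"] in locked:
            continue
        hits = recent[ev["user"]] + [ev["ts"]]
        recent[ev["user"]] = [t for t in hits if ev["ts"] - t <= window]
        if len(recent[ev["user"]]) >= max_failures:
            locked[ev["user"]] = ev["ts"]
    return locked


def detect_password_spraying(events, min_users=5, window=timedelta(minutes=30)):
    """Return {ip: set of users} for source IPs that fail against many distinct
    accounts within a window.  Each account sees too few failures to lock, so
    this has to be detected per source rather than per account."""
    failures_by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            failures_by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in failures_by_ip.items():
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts[ip] = users
                break
    return alerts


def detect_unusual_logins(events):
    """Flag successful logins from a country the user has never logged in from
    before: a minimal 'behavior based' baseline.  The first login for a user
    builds the baseline and is not flagged."""
    seen = defaultdict(set)
    unusual = []
    for ev in events:
        if ev["result"] != "SUCCESS":
            continue
        known = seen[ev["user"]]
        if known and ev["country"] not in known:
            unusual.append((ev["user"], ev["ip"], ev["country"], ev["ts"]))
        known.add(ev["country"])
    return unusual


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("lock:", detect_account_lockouts(events))
    print("spray:", detect_password_spraying(events))
    print("unusual:", detect_unusual_logins(events))
```

On the sample log this locks the CEO account at the fifth failure, raises one spraying alert for 192.0.2.9 covering five accounts, and flags the later success from the unknown country, which is the kind of event an analyst should review before assuming the lockout ended the attack.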
The list of mitigations could be much longer. The point is to introduce controls against the biggest threats without disrupting workflows more than necessary. As stated above – it is a trade-off.
When selecting countermeasures, evaluate the following to figure out whether each one is a good fit for the organization:
- Effectiveness in protecting against attacks
- Friction for the organization’s workflows
- Management overhead
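The scoring of the CEO email scenario earlier in the post (many attack vectors, high likelihood, devastating impact) and the selection criteria just listed (effectiveness, friction, management overhead) fit together in a small risk register. The following is an added example, not part of the original post and not a Cybehave method: the 1–5 likelihood and impact scales, the control effectiveness fractions and the greedy selection heuristic are all assumptions chosen for illustration. It ranks the attack vectors by likelihood × impact, then picks controls by risk reduction per unit of friction and overhead within a friction budget, and reports residual risk.

```python
"""Risk register for the 'CEO email account' asset: rank attack vectors by
likelihood x impact, pick controls by effectiveness per unit of friction and
overhead, and compute residual risk.  Added example; all figures are assumed."""
from dataclasses import dataclass


@dataclass
class Scenario:
    id: str
    name: str
    likelihood: int   # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) .. 5 (devastating)

    def score(self):
        return self.likelihood * self.impact


@dataclass
class Control:
    id: str
    name: str
    reduces: dict     # scenario id -> assumed fraction of likelihood removed
    friction: int     # assumed scale: 1 (none) .. 5 (users work around it)
    overhead: int     # assumed scale: 1 (set and forget) .. 5 (a team's job)


# The attack vectors from the post, with assumed ratings for organized crime.
SCENARIOS = [
    Scenario("phish", "Credential theft by phishing, login via webmail", 5, 5),
    Scenario("laptop-malware", "Malware on the computer exfiltrates mail", 4, 5),
    Scenario("phone-malware", "Malware on the smartphone collects mail", 3, 5),
    Scenario("insider-admin", "Bribed or pressured administrator", 2, 5),
    Scenario("stolen-laptop", "Stolen computer, disk read offline", 2, 4),
]

# Candidate controls from the post's mitigation list, with assumed figures.
CONTROLS = [
    Control("mfa", "Two-factor authentication on email", {"phish": 0.8}, 2, 1),
    Control("training", "Phishing awareness training", {"phish": 0.3}, 1, 2),
    Control("endpoint", "Endpoint protection and patching",
            {"laptop-malware": 0.5, "phone-malware": 0.3}, 1, 3),
    Control("fde", "Full-disk encryption on laptops", {"stolen-laptop": 0.9}, 1, 1),
    Control("admin-review", "Admin access logging with four-eyes review",
            {"insider-admin": 0.5}, 3, 4),
]


def rank(scenarios):
    """Scenarios ordered by inherent risk, highest first."""
    return sorted(scenarios, key=lambda s: s.score(), reverse=True)


def residual_scores(scenarios, controls):
    """Residual risk per scenario: each control multiplies the likelihood by
    (1 - reduction).  Only likelihood is modelled here; an impact-reducing
    control could be modelled the same way on the impact side."""
    out = {}
    for s in scenarios:
        likelihood = float(s.likelihood)
        for c in controls:
            likelihood *= 1.0 - c.reduces.get(s.id, 0.0)
        out[s.id] = likelihood * s.impact
    return out


def total_risk(scores):
    return sum(scores.values())


def select_controls(scenarios, controls, max_friction):
    """Greedy selection: repeatedly add the control with the best marginal
    risk reduction per unit of (friction + overhead) that still fits the
    friction budget.  Returns the chosen control ids in selection order."""
    chosen, remaining, friction_used = [], list(controls), 0
    while True:
        current = total_risk(residual_scores(scenarios, chosen))
        best, best_ratio = None, 0.0
        for c in remaining:
            if friction_used + c.friction > max_friction:
                continue
            reduction = current - total_risk(residual_scores(scenarios, chosen + [c]))
            ratio = reduction / (c.friction + c.overhead)
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        friction_used += best.friction
    return [c.id for c in chosen]


if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{s.score():>3}  {s.name}")
    picked = select_controls(SCENARIOS, CONTROLS, max_friction=5)
    chosen = [c for c in CONTROLS if c.id in picked]
    print("selected:", picked)
    print("inherent:", total_risk(residual_scores(SCENARIOS, [])),
          "residual:", round(total_risk(residual_scores(SCENARIOS, chosen)), 1))
```

With these assumed figures two-factor authentication is chosen first, because it removes most of the highest-ranked risk at low friction, while the admin review control is left out: its cost in friction and overhead is high relative to the risk it removes, which is the trade-off the post describes. Changing the scales or the budget changes the answer, which is the point: the register makes the reasoning explicit so it can be revisited when the threat picture changes.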
Making threat management part of corporate governance
We’ve discussed in this post how to approach risks from adversaries to digital assets. To make digital risk management effective over time, it has to be an integrated part of your governance system. To achieve this, agree on annual objectives for risk improvement, track risk exposure using a few but highly relevant metrics, and assign a budget for implementing mitigations that is tied to the overall strategy and risk appetite of the company.
Cybehave has deep expertise in management of adversarial threats to digital value chains, and can provide highly efficient threat intelligence based advisory and organizational awareness training – whether automated using our intelligence risk management software or in a traditional face-to-face advisory fashion. Contact us today if you want to learn more about how we can help.