Every day, CISOs worldwide grapple with the twin challenges of fixing security issues and assuring their boards that the latest attack patterns are already covered by established controls. Doing so requires a multifaceted approach to identifying and addressing vulnerabilities within an organisation. This article by Recorded Future, an independent threat intelligence cloud platform, walks through a common but critical narrative: responding to an inquiry about the latest cyberthreat. It highlights the security team's responsibility to summarise the risk to the organisation and to map, monitor and mitigate the cyberthreats specific to it.
It’s a Friday afternoon. As the CISO for a large manufacturing company, you receive a message from a board member with the subject line: How are we affected by [insert the latest] cyber attack?
Despite end-of-the-week fatigue, you explain that the Cyberthreat Intelligence (CTI) team has already folded the attack patterns into existing controls. A member of the infrastructure team updated the email security platform to quarantine the malware-laden attachment. Credentials recently harvested by the RedLine Stealer infostealer have already been reset in your Identity and Access Management (IAM) platform.
Answering a question prompted by the latest cyber news headline is a common scenario, and the security team's job is to summarise the relevant risks efficiently. That summary rests on groundwork done well before the email arrives: mapping, monitoring and mitigating the cyberthreats pertinent to your organisation.
Map your company assets
Cybersecurity writing often uses the phrase 'defending your castle walls', but for this scenario picture a perimeter of strategically placed barbed wire fences instead. As a security team, you prioritise the broken sections rather than rebuilding the entire fence (wall) at once. A good place to start mending your fence is understanding what information about your company is freely available. Amateur open-source sleuths can now make connections that were once available only to those with specialised access; a crowdsourced example is the discovery of a disgraced Russian general's location from photo analysis of trees and a stone patio. Are there old domains still reachable that should have been decommissioned? Security teams can use discovery tools to enumerate subdomains, and in particular to find DNS records that still point at third-party services the company no longer uses, which are the classic candidates for subdomain takeover.
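The check described above, as an added example that is not Recorded Future's code or tooling: it takes a DNS export of (subdomain, CNAME target) pairs, flags targets that sit on takeover-prone hosting services and no longer resolve, and separates them from live records that merely deserve watching. The service patterns, the sample records, the hostnames and the `fake_lookup` resolver are all constructed for illustration; in a real run you would pass the default `socket.gethostbyname` (or a proper DNS client) as the lookup.

```python
import re
import socket
from typing import Callable

# Hosting targets that anyone can claim once the original tenant releases
# them. Constructed, illustrative subset; real tooling keeps a much longer,
# service-specific fingerprint list.
TAKEOVER_PRONE = {
    r"\.s3\.amazonaws\.com$": "AWS S3 bucket",
    r"\.github\.io$": "GitHub Pages",
    r"\.herokuapp\.com$": "Heroku app",
    r"\.azurewebsites\.net$": "Azure Web App",
}

Lookup = Callable[[str], str]  # hostname -> IP, raises OSError if unresolvable


def resolves(hostname: str, lookup: Lookup = socket.gethostbyname) -> bool:
    """True if the CNAME target still resolves; NXDOMAIN is the dangling signal."""
    try:
        lookup(hostname)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def classify(subdomain: str, cname: str, lookup: Lookup = socket.gethostbyname):
    """Return (verdict, service).
    'candidate' = points at a takeover-prone service whose name no longer resolves
    'monitor'   = same kind of service, but still live (watch for later release)
    'ignore'    = not a known third-party target"""
    for pattern, service in TAKEOVER_PRONE.items():
        if re.search(pattern, cname, re.IGNORECASE):
            if resolves(cname, lookup):
                return ("monitor", service)
            return ("candidate", service)
    return ("ignore", None)


def find_takeover_candidates(records, lookup: Lookup = socket.gethostbyname):
    """records: iterable of (subdomain, cname_target) pairs from your DNS export."""
    out = []
    for subdomain, cname in records:
        verdict, service = classify(subdomain, cname, lookup)
        if verdict == "candidate":
            out.append({"subdomain": subdomain, "cname": cname, "service": service})
    return out


# Constructed sample DNS export and resolver so the script runs offline.
SAMPLE_RECORDS = [
    ("shop-legacy.example.com", "old-shop-assets.s3.amazonaws.com"),
    ("docs.example.com", "example-docs.github.io"),
    ("www.example.com", "lb-1234.example-cdn.net"),
    ("app-beta.example.com", "example-beta.herokuapp.com"),
]
LIVE_TARGETS = {"example-docs.github.io", "lb-1234.example-cdn.net"}


def fake_lookup(hostname: str) -> str:
    """Stand-in for socket.gethostbyname: two targets are live, the rest NXDOMAIN."""
    if hostname in LIVE_TARGETS:
        return "203.0.113.10"
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for c in find_takeover_candidates(SAMPLE_RECORDS, lookup=fake_lookup):
        print(f"{c['subdomain']} -> {c['cname']} ({c['service']}): dangling, verify then decommission")
```

A non-resolving target is only the first signal. Some services keep the name resolving and instead return a "no such app" or "bucket not found" page, so a production scanner also fetches the target over HTTP and compares the body against per-service fingerprints, and every candidate is confirmed by hand before the record is removed or the service re-claimed by your own team.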
Also important is understanding which assets are critical to your business functions. If you work for an e-commerce company, any domains that handle payments should be prioritised, because any downtime translates directly into lost revenue. Executives, whether or not they have a social media presence, should be monitored for impersonation accounts that could post inflammatory comments and potentially move the stock price.
If you are locked out of your house, you do not immediately climb onto the roof to look for an open window. Instead, you (hopefully) try another ground-level entrance, or the key you hid under the ceramic gnome. Threat actors follow the same logic: the path of least resistance.
Monitor what you discovered
Based on your mapping exercise, your next task is to monitor the prioritised domains, the executives and the most exposed attack vectors.
Understanding your company's password policy provides helpful context, but more important is monitoring for stolen credentials that can actually log into company systems. Infostealer malware such as RedLine exfiltrates saved browser credentials in bulk, and the resulting 'stealer logs' are traded widely. Intelligence providers that collect from stealer logs and integrate with IAM platforms shorten the time between a credential being stolen and its password being reset, ideally before it is ever used. According to the 2023 Verizon Data Breach Investigations Report, more than three-quarters of breaches involved external actors, and nearly half of those external breaches involved stolen credentials.
Threat actors do not typically use stolen credentials immediately. Instead, Initial Access Brokers (IABs) package and sell them to other actors who plan to use them. Monitoring for direct references to your company, and for indirect ones (posts that imply your company is the target without naming it, such as a listing that describes a victim only by sector, revenue and country), gives you another opportunity to detect threat actor activity.
Using AI to generate a Threat Map
A Threat Map that analyses past attacks against your sector and maps them to your current vulnerabilities gives security teams a short-list of actors to prioritise for monitoring.
Thanks to Recorded Future AI, analysts no longer need to spend their time manually researching and assembling their own Threat Maps. Analysts can now understand a threat actor's 'why' for choosing to exploit a given vulnerability in a particular organisation, based on the actor's opportunity for success. For example, if your company is still running an unpatched MOVEit Transfer instance (the file transfer vulnerability exploited at scale in 2023, CVE-2023-34362), a threat actor will take advantage.
Threat actors have feelings too. When Spain's Prime Minister met with Ukraine's President, the pro-Russian hacktivist group NoName057(16) targeted Spanish government websites with DDoS attacks. Recognising when a current event may prompt even a low-sophistication attack lets you raise defences ahead of it.
Fix what is broken
Mitigation is where the 'action' takes place: which steps did the security team take to improve security controls? Detection rules, pattern-matching searches that run continuously against security logs, can quickly notify analysts of potential malicious activity. If a malware family is typically delivered as a ZIP attachment, a detection rule can alert when your logs show that delivery pattern, for instance a ZIP attachment followed shortly by a script interpreter launching from the extracted archive, rather than waiting for a file hash you may never have seen before. Your intelligence provider should supply the detection rules associated with the malware and threat actors most likely to affect your company, ideally derived from your unique Threat Map.
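The delivery-pattern rule described above, as an added example rather than a rule shipped by Recorded Future or any SIEM: a two-stage correlation over email-gateway and endpoint events for the same user (ZIP attachment delivered, then a Windows script interpreter started from a path inside the extracted archive within a 30-minute window). The log lines, field names, user names and the window length are all constructed for illustration; a production rule would be written in your SIEM's language (Sigma, KQL, SPL) with the same logic.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample events: an email gateway log and an endpoint process log,
# already normalised to JSON with a shared 'user' field. Deliberately out of
# time order to show that the engine sorts before correlating.
SAMPLE_LOGS = [
    '{"ts": "2024-03-01T09:00:00", "source": "email", "user": "alice", "attachment": "invoice_2024.zip"}',
    '{"ts": "2024-03-01T09:05:00", "source": "email", "user": "bob", "attachment": "report.pdf"}',
    '{"ts": "2024-03-01T09:04:00", "source": "endpoint", "user": "alice", "process": "wscript.exe",'
    ' "cmdline": "wscript.exe C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\Temp1_invoice_2024.zip\\\\invoice.js"}',
    '{"ts": "2024-03-01T09:30:00", "source": "email", "user": "carol", "attachment": "photos.zip"}',
    '{"ts": "2024-03-01T09:32:00", "source": "endpoint", "user": "carol", "process": "explorer.exe",'
    ' "cmdline": "explorer.exe C:\\\\Users\\\\carol\\\\Downloads\\\\photos.zip"}',
    '{"ts": "2024-03-01T15:00:00", "source": "endpoint", "user": "alice", "process": "wscript.exe",'
    ' "cmdline": "wscript.exe C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\Temp1_late.zip\\\\x.js"}',
]

# Rule: a ZIP attachment (trigger) followed, for the same user and within the
# window, by a script interpreter launched from inside a ZIP extracted under
# the user's Temp directory (follow_up). Field values are exact-match strings
# or compiled regexes.
RULE = {
    "name": "zip_attachment_then_script_from_archive",
    "trigger": {"source": "email", "attachment": re.compile(r"\.zip$", re.I)},
    "follow_up": {
        "source": "endpoint",
        "process": re.compile(r"^(wscript|cscript|powershell|mshta)\.exe$", re.I),
        "cmdline": re.compile(r"\\temp\\[^ ]*\.zip\\", re.I),
    },
    "window": timedelta(minutes=30),
}


def matches(stage: dict, event: dict) -> bool:
    """Every field in the stage must be present in the event and match."""
    for field, want in stage.items():
        value = event.get(field)
        if value is None:
            return False
        if isinstance(want, re.Pattern):
            if not want.search(value):
                return False
        elif value != want:
            return False
    return True


def evaluate(rule: dict, log_lines) -> list:
    """Run the two-stage rule over raw JSON log lines; return one alert per
    follow-up event that lands inside the window after a trigger for that user."""
    events = sorted((json.loads(line) for line in log_lines), key=lambda e: e["ts"])
    pending = {}  # user -> timestamp of that user's most recent trigger
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if matches(rule["trigger"], ev):
            pending[ev["user"]] = ts
            continue
        if matches(rule["follow_up"], ev):
            t0 = pending.get(ev["user"])
            if t0 is not None and ts - t0 <= rule["window"]:
                alerts.append({"rule": rule["name"], "user": ev["user"],
                               "ts": ev["ts"], "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in evaluate(RULE, SAMPLE_LOGS):
        print(f"ALERT {a['rule']} user={a['user']} at {a['ts']}: {a['cmdline']}")
```

Only alice fires: bob's attachment was a PDF, carol opened her archive in Explorer rather than running a script from it, and alice's second script launch at 15:00 is six hours after the last ZIP she received, outside the window. Keying the correlation on the user (or the host) is what keeps a fleet-wide rule from alerting on every unrelated ZIP and every unrelated `wscript.exe`.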
Some mitigation plans are driven by compliance audits or security guidelines such as NIST SP 800-63B, which requires that a proposed new password be checked against lists of known-compromised values. Companies therefore need not only to monitor for stolen passwords but also to prevent users from choosing new passwords that have previously leaked. Analysts should also monitor for fake login pages targeting the organisation and request takedowns. Takedowns are never an easy process; using a provider with a high success rate saves security teams going back and forth with domain registrars and hosting providers. (A trusted partner will also steer you away from a takedown request that is unlikely to succeed.)
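The compromised-password check that SP 800-63B calls for, as an added example that is not Recorded Future's code or any IAM vendor's implementation. It uses the k-anonymity range-query pattern popularised by Have I Been Pwned's Pwned Passwords service: the client hashes the candidate password with SHA-1 and sends only the first five hex characters, the server returns every suffix under that prefix, and the client compares locally, so the full hash never leaves the client. The breach corpus here is a constructed five-entry stand-in built at import time; a real deployment queries the HIBP range API or a local mirror of its hash list with exactly the same prefix/suffix exchange. The 8-character minimum and the context-specific-word check are also from SP 800-63B.

```python
import hashlib

# Constructed stand-in for a breach corpus (real deployments use the HIBP
# Pwned Passwords range API or a local copy of its SHA-1 list). Indexed by
# 5-hex-char prefix -> set of 35-hex-char suffixes, mirroring the API shape.
LEAKED_PASSWORDS = ["password", "Password123!", "Summer2023", "letmein", "qwerty"]
BREACH_INDEX: dict = {}
for _pw in LEAKED_PASSWORDS:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> set:
    """Server side of the k-anonymity range query: given a 5-character hash
    prefix, return every matching suffix. The server never learns which of
    those suffixes (if any) is the user's password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return BREACH_INDEX.get(prefix.upper(), set())


def is_compromised(password: str, lookup=range_lookup) -> bool:
    """Client side: hash locally, send only the prefix, compare the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in lookup(digest[:5])


def validate_new_password(password: str, username: str = "", service: str = "",
                          lookup=range_lookup) -> list:
    """Return the SP 800-63B objections to a proposed password; an empty list
    means the password may be accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    lowered = password.lower()
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            problems.append(f"contains context-specific word '{ctx}'")
    if is_compromised(password, lookup):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "alice-Summer2023", "correct-horse-battery-staple-8831"):
        verdict = validate_new_password(candidate, username="alice", service="example")
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

Two points worth carrying into a real deployment: the check belongs at every password-set path (self-service reset, helpdesk reset, provisioning), not only the change-password form, and the lookup should fail open with an audit log entry rather than block all password changes when the breach service is unreachable.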
Summing it up
Understanding a company’s most important assets is a critical stepping stone to prioritising what to monitor and mitigate.
We haven't forgotten about the fictitious CISO. If your team has properly mapped assets, put appropriate monitoring in place and enabled mitigating controls, that next Friday afternoon email should be easier to write. You may use generative AI to produce an outline of the attack patterns used and how your company could be affected, but don't forget to mention areas that need improvement; it is worth noting, for example, that the social engineering component of an attack is harder to counter with technical controls. You may not receive an on-the-spot promotion for your email summary, but your team's well-crafted response will prove the importance of having the data, platforms and people to answer the board's next security question.