Security Think Tank: Identify, assess and monitor to understand attack paths
This article was first published in Computer Weekly
Maintaining digital risk management in today’s connected world requires updating security processes and procedures to identify levels of risk that more traditional approaches miss. This means understanding your applications and the interconnections between technologies across your supply chain, alliances and partners. You also need to understand the data processes.
That means data flow mapping – “knowing” your data; “who” has got access to “what”; “how” do they access it and “how often”; and the physical locations that could be under different local regulation and legislation. This should be accompanied by work to build mature commercial obligations between you and your suppliers to achieve the levels of risk mitigation you require.
The source of threats and inherent risk can be identified through several means, including threat intelligence mapping of the organisation’s digital footprint or attack surface and the threat actors targeting your organisation or sector.
Threat hunting exercises should be carried out regularly, for example looking for subdomain takeover opportunities or attackers that are targeting organisations by purchasing typo-squatting domains.
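A defender-side check of the kind this hunting describes, added here as an example and not part of the original article: it flags CNAME records in a small sample zone whose target no longer resolves (the precondition for a subdomain takeover, so the record should be fixed or removed) and enumerates look-alike spellings of the organisation's own domain for registration monitoring. The zone, the targets and the offline resolver are constructed assumptions; in practice the resolver would wrap a real DNS lookup.

```python
# Added example: defender-side hunting checks for dangling CNAMEs and
# look-alike domains. The zone, targets and resolver below are constructed
# sample data, not from the article.

# Constructed sample zone: (subdomain, CNAME target).
SAMPLE_ZONE = [
    ("www.example.com", "example-prod.cloudfront.net"),
    ("blog.example.com", "old-blog.herokuapp.com"),
    ("shop.example.com", "shop-frontend.azurewebsites.net"),
]

# Constructed stand-in for DNS: the set of targets that still resolve.
# Replace offline_resolver with a function wrapping a real lookup in practice.
LIVE_TARGETS = {"example-prod.cloudfront.net", "shop-frontend.azurewebsites.net"}


def offline_resolver(name):
    """Return True if the name resolves in the constructed sample data."""
    return name in LIVE_TARGETS


def find_dangling_cnames(zone, resolver=offline_resolver):
    """Subdomains whose CNAME target no longer resolves. Fix or remove them:
    an unclaimed target is what makes a subdomain takeover possible."""
    return [sub for sub, target in zone if not resolver(target)]


def typosquat_variants(domain):
    """Common look-alike spellings of the organisation's own domain, for
    registration monitoring or pre-registration: single-character omissions,
    adjacent swaps, doubled letters and hyphen removal."""
    name, tld = domain.rsplit(".", 1)
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:] + "." + tld)        # omission
        variants.add(name[:i] + name[i] + name[i:] + "." + tld)  # doubled letter
        if i < len(name) - 1:                                    # adjacent swap
            swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
            variants.add(swapped + "." + tld)
    if "-" in name:
        variants.add(name.replace("-", "") + "." + tld)
    variants.discard(domain)  # swapping identical letters regenerates the original
    return sorted(variants)


if __name__ == "__main__":
    print("dangling CNAMEs:", find_dangling_cnames(SAMPLE_ZONE))
    print("names to monitor:", typosquat_variants("example.com"))
```

The variant list is the watch list to feed into registration monitoring; a newly registered entry is the signal worth investigating.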
Penetration testing can set out specific risks to systems, networks and applications, but remember that this is a snapshot at a specific point in time. These risks should be mapped to key regulations and good practice standards, including GDPR, the NCSC Cloud Security Principles, NIST and ISO 27001.
However, we should also consider what continuous proactive measures are available to reinforce this activity.
Advances in technology provide the opportunity to address risk across wide, complex IT ecosystems. Combining threat intelligence with attack surface protection measures allows organisations to discover and evaluate exposures and produce actionable intelligence. This tells them what they don’t know, rather than focusing on what they already know.
These platforms can provide scalable analytical frameworks that enable organisations to quickly and efficiently find unusual attributes across bulk unstructured data and across internal and exposed internet-facing infrastructure.
These new technologies provide the ability to quickly identify assets that require more security attention than others across the IT domain. This provides a way to prioritise threats that need to be addressed in the immediate, medium and long term, enabling a more efficient and effective use of pressed resources.
Advances in artificial intelligence (AI) are also helping to build in prediction and the ability to rationalise better and take appropriate action in response to risk. This technology is now available as a business-wide solution to monitor key systems and data to protect business operations, revenue, reputation and profits from cyber and digital risk 24/7.
Test cyber defence detection and response capability
It is also important to carry out cyber incident exercises to establish how resilient organisations are to cyber attacks and practise their response in a safe environment. Exercises also help to create a culture of learning within an organisation and provide an opportunity for relevant teams and individuals to maximise their effectiveness during an incident.
Creating bespoke exercises is a way to tailor them to reflect the organisation’s values, and the unique challenges, constraints and threats it faces.
One example of this is CBEST, which was developed by the Bank of England as an approach to operational resilience testing and compliance. It differs from other types of security testing because it is threat intelligence-based and is less constrained: it takes a holistic view of the entire organisation, rather than a narrowly focused penetration test of a specific system. It also focuses on the more sophisticated and persistent attacks against critical systems and essential services.
The inclusion of specific cyber threat intelligence ensures that the tests replicate, as closely as possible, the evolving threat landscape and therefore remain relevant and up to date. The feedback from the test then outlines actions that can be taken to improve defence capabilities and increase operational resilience.
This type of adversarial testing is generally referred to as Red Team testing, with the penetration test company simulating the attackers, who are then pitted against the organisation’s detect-and-respond capability – the Blue Team. A more collaborative approach between attackers and defenders is commonly referred to as a Purple Team exercise, which is generally carried out iteratively to provide continuous improvement of the detect-and-respond capability. Attacks – either real or simulated through testing – should be detected and an adequate and timely response set in motion.
Given the complexities and interconnection of modern business technology, it is critical that IT teams deploy the full range of defences to understand and monitor their vulnerabilities and put actions in place to minimise the risks they identify.