How to achieve actionable cyber threat intelligence
With the dramatic rise of ransomware, nation state-sponsored threats and new zero-day vulnerabilities, cybersecurity teams are under siege. The European Union Agency for Cybersecurity (ENISA) recently published its 2022 Cybersecurity Threat Landscape which claimed that 10 terabytes of data are stolen monthly in ransomware attacks, says Bernard Montel, EMEA technical director and cybersecurity strategist, Tenable.
And it’s not just an organisation’s own infrastructure that poses a risk. The World Economic Forum (WEF) recently called out supply chain attacks as more visible in number and impact. This includes high-profile incidents, such as the SolarWinds attack, that WEF claimed had impacted thousands of companies and government agencies worldwide.
When a threat actor evaluates a company’s attack surface, they’re probing for the right combination of vulnerabilities, misconfigurations and identity privileges that will give them the greatest level of access the fastest.
Understanding all of the conditions that matter in today’s complex and dynamic environments helps the organisation understand the full breadth and depth of its exposures, allowing security teams to take the actions needed to reduce them through remediation and incident response workflows.
But how can they do that?
A new dawn for cybersecurity
When we think of traditional network security, the goal has always been to fortify the perimeter to prevent threats outside of the network from getting in. However, the way we work today means this approach is no longer feasible. The perimeter is pervious, the devices we use are evolving and organisations are adopting hybrid infrastructure combined of on-prem and cloud. Underpinning all of this is connectivity.
Against this evolution, the security industry as a whole has remained focused on creating point solutions tailored to address very specific aspects of cybersecurity: vulnerability management, web application security, cloud security, identity security, and so on. The average large organisation uses more than 130 cybersecurity point solutions, each with its own analytics and reporting, and some of them focus only on controls and detection rather than prevention. This can lead to duplicated effort and unintended gaps in security programmes. Security practitioners are unable to see the full scope of their cyber risk, and have no clear path forward to tangibly reduce risk or succinctly communicate their organisation’s security posture. This leaves the organisation exposed, and threat actors can and do take advantage.
Securing the modern attack surface requires a new approach. One that provides an understanding of all the conditions that matter in today’s complex and dynamic environments.
With exposure management, security teams can go beyond siloed approaches and reclaim the narrative from the reactive, headline-grabbing breaches and attacks. It brings together data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies, including identity solutions (e.g., Active Directory), cloud configurations and deployments, and web applications, to help organisations understand the full breadth and depth of their exposures. Alongside this holistic visibility is context: who is using the system, what they have access to, how it is configured, and so on.
Exposure management gives an organisation a complete picture of their environment and its weaknesses, helping to map the attack paths that exist across their attack surface and detailing the blast radius should a breach happen. This provides actionable intelligence that security teams can use to take the actions needed to reduce them through remediation or incident response workflows. This ensures attack paths are closed off preventing compromise, malware infiltration, and/or exfiltration of data.
As bad as each other
Putting this together, let’s see exposure management in action.
An organisation has two laptops that both carry a particularly bad vulnerability, for example Log4Shell (CVE-2021-44228), which affects Apache’s Log4j library. It would be reasonable to assume that both instances of the vulnerability are as bad as each other. But is that really true? Let’s look at the exposure evidence:
- Laptop A is used by the company’s Salesforce admin, who is not using multi-factor authentication (MFA).
- Laptop B is used by reception to check IDs, has access to nothing else, and both Wi-Fi and Bluetooth have been disabled.
With this added context we can determine that the threat from laptop A is far greater than laptop B in reception. This context allows security to prioritise laptop A.
When communicating this risk to the business, security can either talk about Log4Shell and the risk it poses, or that Laptop A has access to the company’s customer and prospect database with a vulnerability that threat actors are known to target.
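To make the laptop A versus laptop B comparison concrete, here is an added example (not code from the article or from Tenable) that scores the same CVE on two assets using their identity, data and network context, and produces the business-language rationale the article recommends. The asset fields, the weights and laptop B’s MFA status are constructed, illustrative assumptions, not a published scoring standard.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    owner_role: str
    cve: str
    cvss: float                   # base severity of the finding (0-10)
    mfa_enabled: bool             # does the owner's identity enforce MFA?
    data_access: tuple[str, ...]  # sensitive data sets reachable from this asset
    network_isolated: bool        # Wi-Fi/Bluetooth off, no onward attack path


def exposure_score(asset: Asset) -> float:
    """Combine vulnerability severity with asset and identity context.
    Weights are illustrative assumptions chosen for this example."""
    score = asset.cvss / 10.0
    if not asset.mfa_enabled:          # identity context widens the blast radius
        score *= 1.5
    score *= 1.0 + 0.5 * len(asset.data_access)  # each reachable data set adds impact
    if asset.network_isolated:         # isolated device offers little lateral reach
        score *= 0.25
    return round(score, 2)


def explain(asset: Asset) -> str:
    """Rationale phrased for the business rather than in CVE terms."""
    parts = [f"{asset.name} ({asset.owner_role}) is affected by {asset.cve}"]
    if asset.data_access:
        parts.append("has access to " + ", ".join(asset.data_access))
    if not asset.mfa_enabled:
        parts.append("owner identity is not protected by MFA")
    if asset.network_isolated:
        parts.append("device is network-isolated, limiting onward attack paths")
    return "; ".join(parts)


def prioritise(assets: list[Asset]) -> list[tuple[str, float]]:
    """Rank assets by contextual exposure, highest first."""
    scored = [(a.name, exposure_score(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample context mirroring the two laptops in the article.
LAPTOP_A = Asset("Laptop A", "Salesforce admin", "CVE-2021-44228", 10.0,
                 False, ("customer and prospect database",), False)
LAPTOP_B = Asset("Laptop B", "reception", "CVE-2021-44228", 10.0,
                 True, (), True)

if __name__ == "__main__":
    for name, score in prioritise([LAPTOP_B, LAPTOP_A]):
        print(f"{name}: {score}")
    print(explain(LAPTOP_A))
```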
Communicating risk
Context-driven risk analytics enable security teams to anticipate and remediate threats long before they become problems. However, communicating these risks to the rest of the business, in language everyone understands, is key to securing senior management buy-in and support from the rest of the workforce.
Talking about the number of CVEs impacting servers, or the risk posed by SQL injection to a web server, is meaningless to the majority of people within the business. But when that is translated into the language the business uses, the risk is instantly comprehensible.
Understanding the impact of cyber incidents requires business and security leaders to work in conjunction with each other. Security needs to understand the larger mission of the organisation and safeguard the tools and assets that enable staff to complete business-critical activity, while also ensuring important data is safeguarded. Examining cyber risk by departmental or operational unit allows collaboration among different constituencies, which saves time, improves investment decisions, supports insurability and drives improvement over time, all while tangibly reducing risk to the organisation.
This unified view of cyber risk, with clear KRIs and KPIs, allows executives to measure progress over time and make benchmarked comparisons against industry peers and within the organisation. This allows the business to answer the core question: “How secure are we?”
Preventing cyber attacks requires full visibility into all assets and exposures, extensive context into potential security threats, and clear metrics to objectively measure cyber risk. Modern, proactive cybersecurity requires the ability to: continuously assess the attack surface; understand the interconnectedness of users, assets and systems; and take steps to address vulnerabilities, fix misconfigurations and harden user identities and access privileges long before they’re on the radar of an attacker.
Organisations that can anticipate cyber attacks and communicate those risks for decision support will be the ones best positioned to defend against emerging threats. Everyone else is blindly hoping they’ll be okay.
The author is Bernard Montel, EMEA technical director and cybersecurity strategist, Tenable.
About the author
With over 20 years in the security industry, Bernard Montel is technical director at Tenable. His expertise includes cryptography, Identity & Access Management, and SOC domains. Bernard has published numerous articles and is regularly invited to speak about cybersecurity providing insight into current cybersecurity threats, cyber risk management, and cyber exposure.
Before joining Tenable, Bernard held the position of EMEA Field CTO for RSA, where he played a leading role within its Threat Detection & Response department. He has significant experience advising both large and medium size organizations on cybersecurity best practices.
Bernard holds a Master of Science in Network and Security and a Master 2 degree in Artificial Intelligence.