Recent research indicates that organizations with 10,000 or more employees typically maintain almost 100 security tools. And yet, well-established global companies continue to be victimized by cyber attacks. For example, payments processor NCR recently experienced a ransomware attack that caused downstream outages across numerous restaurant back-office and point-of-sale systems. With the prospect of a 2023 recession, reporting suggests that chief information security officers (CISOs) will increasingly see budgets constrained. So how can companies focus their limited cybersecurity investments on the controls that matter most?

The Elements of a Good Cybersecurity Program

Given that cyber risk operates within the context of a highly dynamic threat, business, and technology environment, it’s important to set some context for how we will measure cybersecurity performance. As Michael Chertoff recently noted, good cybersecurity programs operate with a high degree of transparency, accuracy, and precision. Transparency comes from using authoritative security frameworks from places like the U.S. National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO) that are repeatable and auditable. That said, these frameworks typically define practices at a high level of abstraction (“remote access is managed” … how?) and need to be married with a more detailed analysis of likely threat techniques to ensure that security defenses accurately map to those threats.

[Figure: Exploring the challenges and the solutions.]

Different defenses will apply depending on the type of attack surface: laptop operating systems, web servers, remote-user-assist technologies, cloud technologies, or user-productivity software like browsers and email, all of which can be compromised by bad actors to achieve initial access to your company’s systems. We also need to be precise about the attack surface we address with a particular control.

With this in mind, we can break cybersecurity investments into three categories: 1) controls that defend against threats in a particularly impactful way, 2) measures that validate that these controls are operating as intended, and 3) capabilities that automate the other two.

Controls That Defend Against Threats in Impactful Ways

Where should companies start? In the same way that doctors use patient profiles to prioritize preventive measures, and diagnostics and therapies to manage patient-specific risks, we can use business profiles to help us understand the spectrum of potential threats. As with Covid-19, ransomware is a risk that applies universally, but some organizations (e.g., technology providers) also need to be concerned that they could be targeted as stepping stones into customer environments, as in the recent widely-reported 3CX hack. With this in mind, we can focus on controls that defend against those threats. It’s easy for threat actors to change the signatures of an attack (things like malware code that antivirus systems can detect). It is much more difficult for attackers to change their underlying methodologies, known as tactics, techniques, and procedures (TTPs). The MITRE Corporation’s Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) framework is the most comprehensive, authoritative approach to cataloguing threat actors, their motivations and TTPs that is openly available today – and it’s free to use. Companies can use ATT&CK to familiarize themselves with the threat techniques they need to defend against based on their business profile. ATT&CK also maps each technique to a corresponding security countermeasure, helping to align investments with threats.
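One way to operationalise the technique-to-countermeasure mapping described above, as an added example that is not part of the original article: the ATT&CK excerpt below is hand-constructed from the public Enterprise matrix using real technique and mitigation IDs but abbreviated mitigation lists, and the attack-surface tags, the business profile and the control inventory are assumptions. It ranks mitigations by how many in-scope initial-access and impact techniques they address, lists those not yet implemented, and flags techniques with no implemented mitigation at all.

```python
"""Rank ATT&CK mitigations against an organisation's attack-surface profile.
Added example, not from the article: TECHNIQUES is a hand-constructed excerpt of
the public ATT&CK Enterprise matrix (real IDs, mitigation lists abbreviated); the
surface tags, profile and control inventory are assumptions."""
from collections import defaultdict

# technique id -> (name, attack surfaces it reaches, abbreviated ATT&CK mitigations)
TECHNIQUES = {
    "T1190": ("Exploit Public-Facing Application", {"web_server"}, {"M1051", "M1016", "M1030"}),
    "T1133": ("External Remote Services", {"remote_access"}, {"M1032", "M1030", "M1035"}),
    "T1078": ("Valid Accounts", {"cloud", "remote_access"}, {"M1027", "M1026"}),
    "T1566": ("Phishing", {"email"}, {"M1049", "M1017"}),
    "T1195": ("Supply Chain Compromise", {"software_supply_chain"}, {"M1051", "M1016"}),
    "T1486": ("Data Encrypted for Impact", {"laptop_os"}, {"M1053", "M1040"}),
}
MITIGATIONS = {
    "M1016": "Vulnerability Scanning", "M1017": "User Training",
    "M1026": "Privileged Account Management", "M1027": "Password Policies",
    "M1030": "Network Segmentation", "M1032": "Multi-factor Authentication",
    "M1035": "Limit Access to Resource Over Network",
    "M1040": "Behavior Prevention on Endpoint", "M1049": "Antivirus/Antimalware",
    "M1051": "Update Software", "M1053": "Data Backup",
}

def relevant_techniques(profile):
    """Techniques whose attack surface overlaps the organisation's profile."""
    return {tid: t for tid, t in TECHNIQUES.items() if t[1] & profile}

def prioritise_controls(profile, implemented):
    """Return (ranked, gaps, uncovered): mitigations ranked by how many in-scope
    techniques they address, those not yet implemented, and techniques with no
    implemented mitigation at all (candidates for validation work, category 2)."""
    coverage = defaultdict(list)
    in_scope = relevant_techniques(profile)
    for tid, (_, _, mits) in in_scope.items():
        for m in mits:
            coverage[m].append(tid)
    ranked = sorted(coverage.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    gaps = [(m, tids) for m, tids in ranked if m not in implemented]
    uncovered = [tid for tid, (_, _, mits) in in_scope.items() if not mits & implemented]
    return ranked, gaps, uncovered

if __name__ == "__main__":
    # Constructed profile: a SaaS provider with internet-facing web apps and remote staff.
    profile = {"web_server", "remote_access", "software_supply_chain"}
    implemented = {"M1051", "M1049"}  # constructed control inventory
    ranked, gaps, uncovered = prioritise_controls(profile, implemented)
    for m, tids in gaps:
        print(f"{m} {MITIGATIONS[m]:<40} covers {', '.join(tids)}")
    print("techniques with no implemented mitigation:", uncovered)
```

Swapping in the full technique-to-mitigation relationships from the ATT&CK STIX data, and tagging each technique with the attack surfaces that apply to your environment, turns this into a repeatable gap report rather than a one-off exercise.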