In this industry perspective, Thomas Hofmann of Flashpoint says that sensational coverage of advanced persistent threat (APT) actors does little to help small and mid-sized firms defend their IT environments from more common threats like cyber criminals. The key to getting cyber defense right is understanding the risks to your firm and prioritizing investments to protect critical IT assets.
Advanced persistent threats (APTs) are widely viewed as the most sophisticated and feared type of cyber operator, with most carrying out espionage attacks, while some, such as Stuxnet and Shamoon, cause physical damage to machinery or hardware.
Understandably, many businesses invest abundant resources into fighting APTs. But is this approach blinding them to the less-sophisticated but more prevalent threats facing their networks? Although APTs pose a credible danger to their targets, they are also highly selective; most small- and medium-sized businesses are unlikely to ever become such a target. And naturally, the more resources a business exhausts on APTs, the fewer it has left for combating phishing, ransomware, and business email compromise, among many other more common threats. So is our focus on APTs blinding us to other, more common threats?
Looked at one way, just because a threat is rare doesn’t mean it should be ignored. At the same time, businesses can’t realistically worry about every threat. Prioritization is key, but identifying which threats are truly relevant to your business can be challenging.
Here are some suggestions on where to start prioritizing your own threat response:
Consider: what are my assets?
Every business has high-value assets that could be targeted by a malicious actor. Before you can determine which threats are relevant to your business, you need to identify and prioritize the assets that could make your business a target in the first place.
In other words, what does your business have that would be worth stealing? Adversaries typically consider critical assets to be of the highest value. These are assets on which a business relies. They can range from intellectual property to product road maps, to physical and technical infrastructure that provides operational continuity, to proprietary data and information.
It’s also crucial to remember that assets exist throughout the business, not just within security or IT functions. Identifying and prioritizing them effectively requires engaging with stakeholders across all departments and truly understanding the business and how it operates.
Who might be motivated to go after my assets?
After identifying your business’s critical assets, you should consider what types of adversaries might want to obtain them and why. If you’re aware of adversaries or groups that are known to target the kinds of assets your business has, start there.
Cybercriminals, for example, are usually financially motivated and known to seek personally identifiable information (PII), financial information, login credentials, and other types of generally common assets that they can then monetize within various schemes. Since most businesses possess such assets, they have some degree of appeal to cybercriminals.
Some businesses are targets for highly sophisticated APT actors, and it’s important to understand why. For businesses in the defense industrial base, it may be due to their work with the government. For those in the pharmaceutical and manufacturing industries, it may be due to their proprietary technology. And for financial services institutions, it may be due to their role in critical infrastructure. While the threat of APTs is real, the critical assets and businesses they target depend on the end goal of their operation.
How might adversaries try to obtain my assets?
Just because your business’s assets might appeal to an adversary doesn’t mean a compromise is inevitable. This is why it’s crucial to be familiar both with the tactics, techniques, and procedures (TTPs) an adversary might use to compromise your assets and the strengths and weaknesses of your security program.
For example, let’s say one of your business’s critical assets is customer PII, which is often desired by cybercriminals for its value on the black market. What tactics, techniques, and procedures might a cybercriminal use to access your business’s database of customer PII? Asking that question will lead you to focus on a smaller subset of TTPs such as phishing and social engineering attacks or insider threats while ruling out others. Generally speaking, conducting an intelligence operation is the most effective way to gain insight into emerging cybercriminal TTPs, especially those relevant to your business and assets.
Keep in mind that regardless of the asset, adversaries almost always seek the path of least resistance in order to access it. If your business’s assets are extremely well protected and your security controls difficult to penetrate, adversaries will look for alternate routes, such as malicious insiders or third-party vendors. It’s not always feasible to identify every TTP an adversary might use, but being as familiar as possible with relevant adversaries and TTPs can go a long way toward helping your business allocate security resources effectively.
Countless cyber threats exist, so you need to have a plan that defines your business’s threat environment and prioritizes the most dangerous and pertinent threats for you. After all, the extent to which a threat is sensationalized says little about how relevant it is to your business. Businesses that exhaust their resources defending themselves from the adversaries they fear rather than those they are most likely to face often end up as the victims of security blind spots.
So don’t be blinded by the bright lights shining on APTs. Look first to your assets to determine which types of threats can feasibly impact them, why and how. Then prepare for the adversaries you’re the most likely to face rather than those you fear the most.