Four Steps Organizations Can Take to Begin Managing Their Digital Risk
The emergence of Cyber Threat Intelligence (CTI) has given organizations valuable insight into a myriad of attacker behaviors. Armed with CTI, companies can focus on their adversaries’ tactics and techniques, and use this information to inform their defense strategy and reduce digital risk. But for these strategies to be truly effective they must include an approach to both estimating and effectively managing organizational risk: the assets that need to be protected, the weaknesses present in internet-facing systems, and the opportunities threat actors may exploit.
By monitoring for exposure and assessing the threat, organizations can develop a better idea of what to protect. Here are four steps organizations can take to begin managing their digital risk.
Step 1: Identify Key Assets to Protect
This first step is taking stock of the critical assets you wish to protect and how this data could appeal to adversaries. Start with people (e.g. customers, employees, partners, service providers); organizations (e.g. service departments, common infrastructure), and the systems and critical applications that support them (e.g. websites, portals, databases, payment processing systems, Enterprise Resource Planning (ERP) applications).
Consider how these assets relate to the organization’s vital business and economic functions, those that may generate profit, provide competitive advantage, or on which intangible properties such as trust, reputation and goodwill rely. The exposure of intellectual property – product designs, proprietary code, and patent information – often impacts competitive advantage. Exposed customer data may result in violations of compliance and privacy regulations. Employee credentials, private RSA keys, or exposed security assessments could fall into threat actors’ hands, enabling reconnaissance efforts.
Once these most important pieces are identified, organizations can begin to understand which actors are most likely to target this data.
Step 2: Understand the Threat
Understanding the threat is a key part of calculating risk. CTI, when done effectively, can provide practical insight into these threats. A recent shift towards a strategic focus on attacker behavior provides a common language for aligning defenses with real-world vulnerabilities. However, behaviors are just one part of understanding threats. Organizations must also understand the circumstances threat actors most often exploit, and reduce those opportunities.
Frameworks such as MITRE ATT&CK provide a way to describe attacker behavior through observed tactics, techniques, and procedures (TTPs). By combining this behavioral information with threat modeling, organizations can then consider why a particular type of threat actor would target the organization, what they would hope to gain, and what their goals would be. By understanding the range of threat actor TTPs, and protecting against the exposure of data that could enable them, organizations can decisively reduce their risk profile.
Step 3: Monitor for Exposure
Detecting exposed assets across the open, deep, and dark web can be a daunting task. The typical exposure of a mid-sized organization served by Digital Shadows includes 290 spoofed domains or social media accounts, 180 certificate issues, 84 exploitable vulnerabilities, 360 open ports and 100 exposed business documents. There are plenty of tools to help. DNS Twist gives organizations a view into phishing sites using permutations of a company’s domain; Have I Been Pwned provides insight into exposed credentials; and the Google Hacking Database provides ways to detect exposed sensitive documents. Consider also making use of the social media monitoring services used by marketing and brand management teams; these can provide useful insight into what is being discussed about an organization online.
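To make the domain-permutation idea behind DNS Twist concrete, here is an added example of a minimal lookalike-domain generator for a brand's own domain. This is illustrative code written for this page, not DNS Twist's code, and the brand domain `example.com`, the homoglyph table and the alternate TLD list are all constructed assumptions. The output is the candidate list a brand-protection team would feed into DNS resolution or certificate-transparency monitoring to spot registrations that spoof their domain.

```python
"""Generate lookalike-domain candidates for a brand domain (added example).

Inspired by the permutation approach DNS Twist uses; not DNS Twist's code.
The brand domain, homoglyph table and TLD list below are constructed for
illustration only.
"""
import socket

# Constructed table of characters commonly confused or mistyped for each other.
HOMOGLYPHS = {
    "o": ["0"],
    "l": ["1", "i"],
    "i": ["l", "1"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
    "m": ["rn"],
}

# Constructed list of alternate top-level domains to check alongside the real one.
ALT_TLDS = ["net", "org", "co", "io"]


def split_domain(domain):
    """Split 'example.com' into ('example', 'com'). Assumes a two-label domain."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def omission(label):
    """Drop one character: 'exmple'."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetition(label):
    """Double one character: 'exaample'."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def transposition(label):
    """Swap two adjacent characters: 'exmaple'."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def homoglyph(label):
    """Replace one character with a lookalike from HOMOGLYPHS: 'exarnple'."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out


def hyphenation(label):
    """Insert a hyphen between two characters: 'exam-ple'."""
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def generate_candidates(domain):
    """Return the sorted list of distinct lookalike domains for `domain`,
    excluding the domain itself."""
    label, tld = split_domain(domain)
    labels = set()
    for permute in (omission, repetition, transposition, homoglyph, hyphenation):
        labels |= permute(label)
    candidates = {f"{lab}.{tld}" for lab in labels if lab}
    candidates |= {f"{label}.{alt}" for alt in ALT_TLDS if alt != tld}
    candidates.discard(domain.lower())
    return sorted(candidates)


def registered(candidates):
    """Return the subset of candidates that currently resolve in DNS.
    Needs network access; a resolving lookalike is worth investigating."""
    live = []
    for name in candidates:
        try:
            socket.getaddrinfo(name, None)
            live.append(name)
        except socket.gaierror:
            pass
    return live


if __name__ == "__main__":
    brand = "example.com"  # constructed brand domain
    for candidate in generate_candidates(brand):
        print(candidate)
```

Running the script prints every permutation offline; calling `registered()` on the result performs the DNS lookups and is the step that turns a candidate list into a monitoring signal. In practice this list would be regenerated on a schedule and diffed against the previous run so that newly registered lookalikes surface as alerts.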
Step 4: Mitigation Strategies
Detecting exposure and understanding threats are important, but taking action to resolve and mitigate risks is critical. Mitigation strategies include immediate, tactical responses; operational responses that can be carried out on an ongoing basis; and strategic responses that may involve investment or directional influence. For example, an organization that has identified large numbers of exposed credentials may look at implementing Multi-Factor Authentication (MFA). Similarly, providing more effective storage solutions may be advisable if employees are backing up work on home computers.
While no single solution or approach can reduce digital risk, by understanding where assets are exposed, their value to attackers, and how attackers target this data, organizations can make better decisions about their defenses and improve them over time.