With EoY and the new year upon us, most of us are doing our customary close-out/planning activities in both our personal and professional lives. For us in infosec, 2020 will surely be another doozie of a year, with breaches, data disclosures, tighter regulations, and plenty of shiny objects to keep us distracted.
There are so many predictions, celebrity threats, and ransomware fiascos that we often forget that there are some key fundamentals that will help drive significant maturity in your infosec programs. From knowing what you have, who may want it, and how they could get it, to what you’re doing to prevent, detect, and respond to threats and breaches, these 10 IDR resolutions for 2020 are sure to keep you busy:
1. Know what you have that is of value to attackers and where you keep it
Most breach incidents are financially motivated, so knowing what you have that attackers covet is the first step in determining where you need to invest in defenses. Do you have PII? PHI? Designs for the next big widget? Email addresses? Email addresses AND names? Passwords? Each of these pieces of data carries value in the black market.
To complicate things, some of these pieces of data are governed by regulations and laws. And, as if that weren’t enough, some data is governed by unwritten social contracts where your user base might abandon your brand because you shared usage information with third parties.
You cannot adequately build a security program if you don’t know what that security program is intended to protect, and at what level.
In 2020, we should resolve to know exactly what we’re protecting and the impact of losing it, then ensure all employees are trained on proper data-handling procedures.
2. Adopt the MITRE ATT&CK framework to guide your IDR investment strategy
The MITRE ATT&CK framework gives technologists and business leaders a language to discuss threats and incidents aligned to business impacts. It can help you justify and prioritize investments in the IDR program, as well as show ROI in impact reduction.
Almost every popular best practice or framework out there will help mature your IDR program, if implemented properly. However, they can be broad in their recommendations and don’t always offer a priority with which to implement the given advice.
With the MITRE ATT&CK framework, you can look at real attacker tactics and techniques, decide whether you are likely to be targeted based on the data you have, its value, and its location, then invest in technology, people, and processes. Further, as you build your programs around the MITRE ATT&CK framework, you can report on classification for threats and security incidents to justify prioritized investments in other areas.
In 2020, we should use a framework that allows us to invest and report on the ROI of our IDR program initiatives that disrupt real-world attacks.
3. Know and communicate your attack surface
With your first two resolutions this year, you’ve gained an understanding of what you have that attackers want and aligned your investment and reporting strategies to a framework that allows you to prioritize the prevention, detection, and response to real threats that impact you. Now, it’s time to gain an understanding of how the attackers are going to come at you.
There are 11 techniques listed under the “Initial Access” tactic of the MITRE ATT&CK framework, with hundreds of tools and procedures that could be effective against your protection. Will an attacker exploit a vulnerability on a server? Will an employee fall victim to a spear phishing attachment? Will a vendor become compromised and allow the attacker to inherit the trust you’ve given the vendor? Knowing how an attacker could come at you gives you another data point to prioritize investments in the security program.
In 2020, we should resolve to fully evaluate the attack surface and communicate the findings to business executives.
4. Rehearse regularly
Sports teams that practice the hardest often win the championships, and warriors that train the hardest often win the battle. We know that regular rehearsal of events significantly increases the effectiveness with which people can execute during the real thing. It is no different for all of the disciplines in IDR.
Many organizations perform annual tabletop exercises, and that is a great start. However, organizations also need to invest in red/blue team rehearsals to give the defenders some practice. Invest in testing data recovery and system restoration. Invest in testing the switchover to any hot sites. Invest in testing response to a breach in a cloud provider. The more diverse and cross-team the scenarios, the better. You also get the added benefit of improved work culture—rehearsals are way more fun than the day to day.
In 2020, we should resolve to perform four different rehearsals that exercise different parts of the response and recovery processes.
5. Make security a business problem
We know, this is easier said than done. However, the first four resolutions really do go a long way toward success in this area. Let’s play it out:
- Would your executives/board invest in “encrypting data at rest” (as suggested by a regulation) or “protecting our members’ Social Security numbers in the member database accessed by all employees?” (as you now know because you know what you have and where you keep it.)
- Would your executives/board invest in “a MITM web content filtering technology” or “technology that mitigates thousands of known attacks across 30% of tecniques and 45% of tactics used by attackers, several of which already cost us hundreds of man hours in the last quarter?”
- Would your executives/board invest in “a program that reduces the average time to patch a critical vulnerability” or “a program that reduces the probability of a business-impacting breach by 25% by disrupting 12 known attacker techniques?”
Executives are more likely to invest in programs that evoke strong feelings. For security, we rely on evoking strong negative or fearful feelings. Tabletop exercises that bring executives and board members together to rehearse how they would respond to a significant data breach are some of the most effective tools we have to get our executives to care.
In 2020, we should resolve to build our security programs around business outcomes so that we can better justify investment and reporting of ROI.
6. Use technology to automatically squash low-hanging fruit threats
Security technology gives you visibility and can perform actions on your behalf to prevent threats from becoming incidents. Technology will be hugely helpful in preventing known threats from causing a serious business impact and will allow your people to focus on identifying threats that technology cannot easily prevent. If you have aligned your IDR program investment strategy to the MITRE ATT&CK framework, you can use its specific techniques to select and evaluate the best technology solution for the threat you are building defenses against.
In 2020, we should resolve to add technology based on a demonstrated reduction in the attack surface.
7. Use people and technology to detect threats that cannot be prevented
People complement our technology investment strategy by making up for the times the technology fails or hasn’t been purchased. Until all workstations are protected with antivirus, for example, the IT staff will be busy cleaning up infected operating systems. Until a firewall is put in place, the IT staff will be resetting passwords for accounts locked by attackers brute forcing credentials. Until 2FA is put in place, IT staff will be resetting passwords for stolen credentials.
The more we invest in technology to solve problems that technology can solve, the more our people are challenged (and happy!) to solve more complex problems. The opposite is also true: Lack of investment in technology forces people to make up for it and creates unhappy and underskilled resources.
In 2020, we should resolve to replace repeatable human processes with technology and uplevel our humans with new knowledge.
8. Respond quickly and restore normal business operations
The goal of any security program must be to reduce the impact of cyber-threats and security breaches to the business. As such, we must do everything we can to reduce the impact, whether financial, reputational, liable, or operational. This includes our response processes, which should be aimed at restoring normal business processes as quickly as possible.
In 2020, we should resolve to focus part of our investments on response technology that moves to reduce the amount of time between threat detection and remediation. Security technologies such as Endpoint Detection and Response (EDR) and Security Orchestration, Automation, and Response (SOAR), IT technologies such as asset management, as well as processes such as system imaging and DevOps make sure it all works without a hitch.
9. Educate the user
Threats, attackers, and our world in IDR evokes confusion and fear in most of our users. The reality is that they’re already equipped to understand how to make the right decisions—they just need to gain confidence in their knowledge. As infosec teams, we owe it to our users to know when they need to engage us for help. We owe it to our users to understand how they want to use IT and how we can instrument the IT to be safe from unauthorized use.
In 2020, we should commit to reaching out to our users to understand how they’re using our IT and cloud-based assets, and educate them on the value of the data contained within and the impact of mishandling valuable data.
10. Share tactical threat intelligence
Consuming tactical threat intelligence community content is a key component of any strong IDR program. Sharing tactical threat intelligence to communities requires a certain degree of maturity of both technology and processes supported by knowledgeable people, which will help drive maturity in other aspects of your IDR programs. For example, in order to share tactical threat intelligence in certain communities, you must encapsulate the IoCs extracted from your detection and response activities within a definition language such as STIX, Yara, and OpenIOC, and store them in a threat intelligence platform.
In 2020, we should roadmap how to achieve tactical threat intelligence sharing from our own detection and response activities into a community.
If we remember to keep our focus on knowing how attackers might target us, focus our technology to prevent known threats from disrupting business operations, align our people with our technology to detect threats that cannot be prevented, and respond to breaches using processes aimed at restoring normal business operations, we can effectively reduce the impact of cyber-threats and breaches on our organizations.