Detection, Assessment and Mitigation: A Trifecta Against Threats
A multitude of cybersecurity threats exist that attack information systems, business operations, and information privacy. Security practitioners must be diligent in utilizing the proper techniques and devices to protect data and infrastructure from being compromised and exploited by foreign and domestic cyber adversaries.
Knowledge is a powerful tool and is one of the most critical components for threat prevention. It is important to recognize that threats have the potential to cause significant damage to a computer system and severely hinder business operations. Remaining diligent and having best practice in mind is the key to protection and resilience.
Upon detecting a threat, an organization must consider two things: whether the attack is threatening, and if it is, what the threat is targeting. From there, threat isolation and mitigation are essential.
Once a threat is suspected, there are three general steps that must be taken:
- Identify the validity of the threat by detecting vulnerabilities and prioritizing them.
- Declare whether the type of threat is technical or physical.
- Determine the form of the threat, which can vary and include cybercrime, espionage, subversion, terrorism, and natural disaster.
Upon confirmation of a threat, an analyst must determine the purpose of the threat, the source of initiation, the origin, and the level of impact on the production environment. Useful tools that analysts employ include the MITRE ATT&CK framework, and vulnerability scoring metrics such as the Common Vulnerability Scoring System (CVSS).
CVSS, for example, is based on a number of factors such as vulnerability type, accessibility, and likelihood for success. CVSS scores provide a numerical (0-10) representation of the severity, with 10 indicating the most severe vulnerability. The ‘base metric’ gives an analyst insight into the level of exploitability and impact. This helps measure the attack vector based on the level of access required to maneuver the vulnerability, and the factors outside of the attacker’s control that are required to exploit the vulnerability.
Determining the ability of the attacker to work toward their end goal is based on the attack level surface. Deterrents are valuable in protection. Take for example, an attacker trying to crack a password. Because it takes several resources to break through passwords, the longer and more intricate they appear, the more likely the attacker is to move on to something else rather than invest the time and effort. A complicated password poses a barrier that likely saves a breach from happening.
Threat mitigation plays an imperative role in and is a subset to threat prevention. If there are proper security controls in place, mitigation will deter and even block threats from happening.
Defense in Depth is a concept related to lessening the attack surface in order to prevent threats. Methods of defense are embodied within the steps of the process. For instance, consider Defense in Depth to be designed like an onion. If an attacker slips through the firewall, the network IPS is right behind it. If the attacker continues to plow through, then a Host-based Intrusion prevention system will be the 3rd line of defense. So as the ‘onion’ continues to get peeled back, it will make it more difficult for an attacker to persist. It is hoped that the frustration incurred will stop the attacker from entering deeper into the network.
‘Zero Trust’ is another structure of defense. As its name suggests, this form of protection enlists extreme caution in trusting anything beyond its boundaries, and verifying what is allowed in. It confirms that continuous validation for security configuration and posture are being met before being granted or keeping access to applications and data. Zero Trust can come in the form of system hardening, risk management planning, and enforcing security policies through proper procedures.
Although information security has policies created to prevent logical threats, concerns about how physical threats can impact business operations and continuity are at the forefront of organizational defense.
Unintentional and Otherwise
Natural disasters are threats that occur inherently, such as tornados, hurricanes, typhoons, snow, hail, wildfires, and lightning blackouts. These environmental threats prevent systems from operating appropriately, thus hindering business continuity. Organizations must have systems integrated within the network to support redundancy and fail-over devices to prevent business operations from ceasing within the production network. For example, the use of a UPS (Uninterruptable Power Supply) will provide continuous power to critical operational systems and is a viable device for added support during a disaster.
There are unpredictable threats that stem from internal personnel. Such threats are often caused by a malicious insider or a disgruntled employee who left the company on negative terms. The disclosure of internal information is considered a threat to controlled yet unclassified information, or CUI. Such information doesn’t require a clearance to view or handle however is still proprietary to the business.
Common security practices must be implemented to prevent compromising threats within an organization. Some of these include:
- Performing thorough employee background checks
- Separation of duties, which assures due diligence and lessens the threat of collusion
- M of N or Dual Control – Both methods embrace the idea that, although each employee must participate in solid security practices, the number of personnel having access to secure information is well-managed.
- M of N refers to a system where a certain number (N) of people or devices must take some action in order to complete a task. For example, in a "3 of 5" system, a varying mix of three of the five people or devices can take the necessary action to complete the task. This is used to enlist involvement of multiple people or devices in the process, increasing security and reducing the risk of unauthorized access.
- Dual control, also known as "two-man rule" or "two-person rule," is a security measure that requires two people to complete a task together. This is used to make sure that more than one person is involved in the process, increasing security, and reducing the risk of unauthorized access.
- Mandatory vacations help to reduce the risk of insider threats and collusion. Giving employees a break provides opportunity for detecting suspicious activity and helping to reduce accidents and incidents related to burnout and overworking.
- Allowing for less privilege overall, without feeling pressure that each employee needs to have access to each aspect.
- Rotating job roles is good for employees as well as for defining whether workers are following standard procedures or taking short cuts. Managers might assign personnel to different components of the job role so that the department isn’t solely dependent on one worker to get tasks accomplished. If that employee is out sick, operations will avoid halting, and will continue to proceed with other employees who are familiar with how to fulfill particular tasks. This can also help train future managers in becoming familiar with each individual’s role within their job position.
- Separation of duties – By dividing responsibilities among different people or groups of people, the risk of errors or fraud is reduced. The goal of separation of duties is that complete control over a process or system isn’t given to one person or group of people, thus making it difficult for a sole individual to take unauthorized actions. An example of this might involve a network operator who is in charge of closing unused ports on a switch. The employee isn’t allowed to initiate the function and manage the HAIPE (High Assurance Internet Protocol Encryption) device that is assigned by the security administrators. Or, simply put, an HR manager cannot directly manage payroll time and money. Half of that duty is the responsibility of the accounting department to separate the full scope of the task.
Preventative measures in security are taken to avert an attack or security breach from occurring in the first place. These measures are designed to make it more difficult for an attacker to gain access to a system or data. Examples of basic preventative measures include implementing strong passwords, installing firewalls, and using encryption.
Business cybersecurity initiatives require specialized tools and strategic readiness preparation planning both technically and operationally. Such resourcefulness helps to secure, preserve, protect, and remediate problematic issues of business assets as quickly and as seamlessly as possible. Some higher-level technical resources of security protection include:
- Intrusion Detection System (IDS)- enlists monitoring to continuously watch a system or network for patterns or rules that appear malicious. When suspicious activity is detected, the IDS will provide an alert. A challenge with this method of detection is its limitations in being able to only identify a potential threat and report it, rather than being able to stop or block it. An IDS sits behind the firewall.
- Intrusion Prevention System (IPS) – also enlists monitoring, however, has the capability to automatically take action to prevent the activity from occurring. The challenge with an IPS is that at times, they do generate false positives and false negatives. An IPS blocks traffic in-line with the firewall. Traffic mustn’t be accepted or rejected but rather vetted by the system administrator.
- Parameterization - Parameter tampering is a dangerous yet simple attack that targets the applications’ business logic. It then exploits the hidden or fixed field of the programmers’ code. Depending on what the attackers seek, they can divulge user information such as user names and passwords for the back-end database. By using parameters, a system or application can separate the input data from the rest of the code, which can make it more difficult for an attacker to inject malicious code.
There are many avenues within cybersecurity that business can take to remain diligent and enlisting the right tools will help to align a good offense with a solid defense.
The ability to be one step ahead of a cyberattack is a critical position to have. Tony Broughton, a Cayuse Cybersecurity Operations Lead Analyst explains “Business cybersecurity initiatives require specialized tools and strategic planning in readiness preparation to secure, preserve, protect, and remediate problematic issues of business assets that organizations continue to face, both technical and operational, as quickly and seamlessly as possible.”
Whether managed within your company or enlisted through the expertise of a partner provider, being proactive in the scope of threat detection, assessment, and mitigation is vital in protecting company data, resources, and personnel.