By monitoring for exposure and assessing the threat, organizations can develop a better idea of what to protect. Here are four steps organizations can take to begin managing their digital risk.
Step 1: Identify Key Assets to Protect
This first step is taking stock of the critical assets you wish to protect and how this data could appeal to adversaries. Start with people (e.g. customers, employees, partners, service providers), organizations (e.g. service departments, common infrastructure), and the systems and critical applications that support them (e.g. websites, portals, databases, payment processing systems, Enterprise Resource Planning (ERP) applications).
Consider how these assets relate to the organization’s vital business and economic functions: those that may generate profit, provide competitive advantage, or underpin intangible properties such as trust, reputation and goodwill. The exposure of intellectual property (product designs, proprietary code, and patent information) often impacts competitive advantage. Exposed customer data may result in violations of compliance and privacy regulations. Employee credentials, private RSA keys, or exposed security assessments could fall into threat actors’ hands, enabling reconnaissance efforts.
Once these most important pieces are identified, organizations can begin to understand which actors are most likely to target this data.
Step 2: Understand the Threat
Understanding the threat is a key part of calculating risk. Cyber threat intelligence (CTI), when accomplished effectively, can provide practical insight into these threats. A recent shift towards a strategic focus on attacker behaviour provides a common language for how defences can be aligned to real-world vulnerabilities. However, behaviours are just one part of understanding threats. Organizations must also understand the circumstances threat actors most often exploit and reduce their opportunities.
Frameworks such as MITRE ATT&CK provide a way to describe attacker behaviour through observed tactics, techniques, and procedures (TTPs). By combining this behavioural information with threat modelling, organizations can then consider why a particular type of threat actor would target the organization, what they would hope to gain, and what their goals would be. By understanding the range of threat actor TTPs, and protecting against the exposure of data that could enable them, organizations can decisively reduce their risk profile.
Step 3: Monitor for Exposure
Detecting exposed assets across the open, deep, and dark web can be a daunting task. The typical exposure of a mid-sized organization served by Digital Shadows includes 290 spoofed domains or social media accounts, 180 certificate issues, 84 exploitable vulnerabilities, 360 open ports and 100 exposed business documents. There are plenty of tools to help. DNS Twist gives organizations a view into phishing sites using permutations of a company’s domain; Have I Been Pwned provides insight into exposed credentials; and the Google Hacking Database provides ways to detect exposed sensitive documents. Consider also making use of the services that marketing and brand management teams use to monitor social media, which can provide useful insight into what is being discussed about an organization online.
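As an added illustration of the spoofed-domain monitoring described in this step (not code from the article, Digital Shadows, or DNS Twist), the Python example below classifies domains seen in a feed by how they imitate a protected domain. The domain `examplebank.com`, the feed contents, and all function names are assumptions made for the example.

```python
# Added example; every domain below is constructed sample data. Assumption: the
# registered name is the label left of the TLD (no public-suffix handling).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def osa_distance(a, b):
    """Edit distance counting an adjacent transposition as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify(observed, protected):
    """Return why `observed` imitates `protected`, or None if it does not."""
    observed = observed.lower().rstrip(".")
    protected = protected.lower().rstrip(".")
    labels = observed.split(".")
    if len(labels) < 2 or observed == protected or observed.endswith("." + protected):
        return None  # not a domain, or the organization's own (sub)domain
    *subs, name, tld = labels
    p_name, p_tld = protected.split(".")[-2:]
    norm, p_norm = name.translate(LOOKALIKES), p_name.translate(LOOKALIKES)
    if name == p_name and tld != p_tld:
        return "tld-swap"
    if norm == p_norm:
        return "homoglyph"
    if osa_distance(norm, p_norm) == 1:
        return "typo"
    if p_norm in norm or p_name in subs:
        return "brand-embedded"
    return None

def monitor(protected, observed_domains):
    """Map each flagged domain to the reason it was flagged."""
    return {d: r for d in observed_domains if (r := classify(d, protected))}

SAMPLE_FEED = [  # constructed, standing in for a new-registration or CT log feed
    "portal.examplebank.com", "examp1ebank.com", "exmaplebank.com",
    "examplebank.net", "examplebank-login.com",
    "examplebank.com.secure-check.info", "weatherreport.org",
]

if __name__ == "__main__":
    for domain, reason in monitor("examplebank.com", SAMPLE_FEED).items():
        print(f"{reason:15} {domain}")
```

Flagged domains are candidates for triage rather than confirmed phishing sites; the reason label helps prioritise which ones to review first.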
Step 4: Mitigation Strategies
Detecting exposure and understanding threats is important, but taking action to resolve and mitigate risks is critical. Mitigation strategies include immediate, tactical responses; operational responses that can be done on an ongoing basis; and strategic responses that may involve investment or directional influence. For example, an organization that has identified large numbers of exposed credentials may look at implementing Multi-Factor Authentication (MFA). Similarly, providing more effective storage solutions may be advised if employees are backing up work on home computers.
While no single solution or approach can reduce digital risk, by understanding where assets are exposed, their value to attackers, and how attackers target this data, organizations can make better decisions about their defences and improve them over time.
Source: Security Week