By Dan Williams
The journey to better cybersecurity begins with understanding what exactly it is that your organization has to fear most and what is perceived as the weakest link in the chain.
In a previous article that discussed the three types of assessments of an organization’s security posture, Red Team Engagements stood out as the most representative of real-world threat simulation. The ability to provide compelling evidence of security gaps in the people, processes, and technologies that support business logic can be the catalyst for appropriately addressing cybersecurity concerns.
Blindly following “best practices,” and laboring under the detrimental assumption that simply meeting regulatory compliance is enough, leaves high-value assets exposed to more threats than executive leadership may like to think. Keeping a tight grasp on the company purse may be beneficial when introducing efficiencies to business processes, but cybersecurity risk is not a liability that small budgets serve well.
Neither spending the company budget on the latest cybersecurity silver bullet nor letting the accumulated holes slowly sink the ship is much of a choice.
Companies Can Cultivate Core Tenets of Red Team Engagements in-House
Fortunately, the core tenets of Red Team Engagements can be cultivated in-house to bolster the efforts of IT personnel to realign priorities. This creates an opportunity to cut spending on irrelevant security controls at a time when budgetary constraints are leaving the door open for threat actors.
Users: Every Organization’s Favorite Scapegoat
The human element is an important part of executive leadership’s need to understand the impact of a successful security breach. Why exactly? Annual or semi-annual security awareness training is expected to assuage stakeholders’ concerns: it assures them that corporate personnel have been properly trained to identify, and react accordingly to, a threat agent’s attempts at circumventing the organization’s expensive security controls.
A threat agent taking the path of least resistance does not always mount an elaborate technical attack that mirrors a Hollywood blockbuster. Straightforward tactics that often pay off big include low-tech attacks that gain access through phishing emails, or no-tech attacks such as in-person or telephone social engineering.
Relying on the User Domain as a Front-Line of Defense Has One Fundamental Flaw
Placing the responsibility on users is an unsatisfactory, passive means that organizations may rely on when contending with a seemingly overwhelming, evolving threat. The paradox of relying on the user domain as an improvised front-line of defense has one fundamental flaw: Users must interact with networked information systems to do their jobs.
Sending Employees Back to Work
Leadership arguing that a limited budget does not provide for better security controls is the expected reaction to any suggestion that non-technical personnel not be deputized as first responders for cyber incidents so they can do the job they were hired to do.
This does not mean employees shouldn’t be vigilant about threats to an organization’s infrastructure; that is still a crucial requirement. Rather, greater accountability on the part of IT personnel should be seen as a strategic repositioning of key assets to do what they do best, not what we wish they could do.
Two rules in cybersecurity recognize the need to focus more attention on monitoring and event management, regardless of who let the bogeyman in:
- Rule 1: Systems fail. Period.
- Rule 2: There is nothing you can do about Rule 1.
Testing monitoring effectiveness through Red Team Engagements is not limited to measuring how finely tuned and accurate our intrusion detection system rules are, or whether every asset is accounted for in our alerts.
We are testing the reactions and the timing of the entire organization. This gives executive leadership a much more accurate metric of survivability following a security breach. Stretching an already tight budget to purchase an infrastructure-wide security information and event management (SIEM) tool may be well beyond the means of many organizations.
Threat modeling provides an effective means of breaking known or suspected threats down into their basic elements to determine the conditions necessary for an attack to succeed, as well as the applicable Indicators of Compromise (IoCs). Becoming familiar with adversary tactics, techniques, and procedures (TTPs) and their corresponding IoCs allows teams to prioritize the threats they suspect have compromised, or could compromise, their networks.
Threat modeling also gives security teams the evidence they need to carry the burden of proof when justifying budgetary requests or a strategic reprioritization of countermeasures.
Resources for Developing an Effective Threat Modeling Program
Knowing where to begin the threat modeling process can seem bewildering at first. Once an organization’s assets have been inventoried and an accurate topological map of its networks has been produced, the organization will need to engage in scenario development to determine the probable methods by which threat actors would gain initial access to those networks.
A cost-effective, game-like means of conducting Red Team Engagements “on paper” is the tabletop exercise. Frameworks founded upon curated knowledge of known TTPs, such as the MITRE ATT&CK framework, provide examples of successful, observed adversarial techniques to build those scenarios around.
Teams can leverage the intelligence in the ATT&CK framework to conduct their tabletop exercises and fill their cybersecurity playbook. By mapping each scenario to ATT&CK tactics and techniques, an organization can aggregate its scenarios into an attack library. Such a library acts as a living, historical record that identifies inherent weaknesses in the organization’s infrastructure, whether guarded by human or machine, and which of those weaknesses appear in the most scenarios.
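The following is an added example, not code from the article or from MITRE, of what a minimal attack library looks like once scenarios are mapped to ATT&CK. Each tabletop scenario is stored as an ordered chain of ATT&CK technique IDs (the conditions an adversary must satisfy in sequence) together with the observable that would reveal each step, and a coverage map records which techniques the organization can already detect. The library then ranks the detection gaps by how many scenarios depend on them and how early in the chain they occur, which is the prioritization argument the text describes. The technique IDs are real ATT&CK identifiers; the scenarios, indicators, and coverage map are constructed sample data for illustration only.

```python
"""Minimal attack library for tabletop threat modeling (constructed example).

Scenario chains and the coverage map below are sample data, not a real
organization's findings. Technique IDs are MITRE ATT&CK identifiers.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    technique: str   # ATT&CK technique ID, e.g. "T1566.001"
    tactic: str      # ATT&CK tactic the step serves
    indicator: str   # what a defender could observe at this step (IoC)


@dataclass
class Scenario:
    name: str
    steps: List[Step]  # ordered: the adversary must succeed at each in turn


# Constructed scenarios, following the phishing-first paths the article describes.
LIBRARY: List[Scenario] = [
    Scenario("Phish to ransomware", [
        Step("T1566.001", "initial-access", "inbound mail with macro-enabled attachment"),
        Step("T1204.002", "execution", "Office process spawning a child process"),
        Step("T1059.001", "execution", "PowerShell launched with an encoded command line"),
        Step("T1003.001", "credential-access", "non-system process opening a handle to lsass.exe"),
        Step("T1021.001", "lateral-movement", "RDP logons (type 10) originating from a workstation"),
        Step("T1486", "impact", "mass file renames with a new extension"),
    ]),
    Scenario("Phish to data theft", [
        Step("T1566.002", "initial-access", "inbound mail linking to a credential-harvesting page"),
        Step("T1078", "initial-access", "VPN logon from a new geography with harvested credentials"),
        Step("T1021.001", "lateral-movement", "RDP logons (type 10) originating from a workstation"),
        Step("T1041", "exfiltration", "large outbound transfer over an existing C2 channel"),
    ]),
    Scenario("Help-desk pretext", [
        Step("T1078", "initial-access", "password reset followed by logon from an unfamiliar device"),
        Step("T1059.001", "execution", "PowerShell launched with an encoded command line"),
        Step("T1053.005", "persistence", "scheduled task created by a non-admin account"),
    ]),
]

# Constructed coverage map: technique ID -> the detection the organization has today.
# Any technique absent from this map is a gap.
COVERAGE: Dict[str, str] = {
    "T1566.001": "mail gateway flags macro-enabled attachments",
    "T1059.001": "PowerShell script block logging with a SIEM rule",
    "T1486": "EDR ransomware behaviour rule",
}


def gaps(library: List[Scenario], coverage: Dict[str, str]) -> Counter:
    """Count, per uncovered technique, how many scenarios require it."""
    counts: Counter = Counter()
    for scenario in library:
        for technique in {s.technique for s in scenario.steps}:
            if technique not in coverage:
                counts[technique] += 1
    return counts


def first_uncovered_step(scenario: Scenario, coverage: Dict[str, str]) -> Optional[Tuple[int, Step]]:
    """Earliest point in the chain where the adversary goes unseen, or None if fully covered."""
    for position, step in enumerate(scenario.steps):
        if step.technique not in coverage:
            return position, step
    return None


def prioritize(library: List[Scenario], coverage: Dict[str, str]) -> List[str]:
    """Rank gaps: techniques shared by the most scenarios first, then the ones
    that occur earliest in any chain (closing them stops the attack sooner)."""
    counts = gaps(library, coverage)
    earliest: Dict[str, int] = {}
    for scenario in library:
        for position, step in enumerate(scenario.steps):
            if step.technique in counts:
                earliest[step.technique] = min(earliest.get(step.technique, position), position)
    return sorted(counts, key=lambda t: (-counts[t], earliest[t], t))


def report(library: List[Scenario], coverage: Dict[str, str]) -> List[str]:
    """Human-readable summary suitable for the tabletop debrief."""
    lines = []
    for scenario in library:
        hit = first_uncovered_step(scenario, coverage)
        if hit is None:
            lines.append(f"{scenario.name}: every step is detectable")
        else:
            position, step = hit
            lines.append(f"{scenario.name}: first blind spot at step {position + 1} "
                         f"({step.technique}, {step.tactic}); watch for: {step.indicator}")
    counts = gaps(library, coverage)
    for technique in prioritize(library, coverage):
        lines.append(f"gap {technique}: needed by {counts[technique]} scenario(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LIBRARY, COVERAGE)))
```

Running the block prints the first blind spot in each scenario and the ranked gap list; with the sample data, T1078 (Valid Accounts) and T1021.001 (Remote Desktop Protocol) rise to the top because two of the three scenarios pass through them, which is the kind of evidence a team can put in front of leadership when asking for a specific control instead of a silver bullet.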
Translating risk into defined security requirements is a necessary measure of due care that does not need to be an impossible or even expensive task.
This refers back to the influence that threat modeling can have on executive leadership’s perspective of imminent threats to the business and the IT infrastructure that supports it. Placing adequate trust in your organization’s IT professionals’ capacity to learn should not feel like a haphazard leap of faith; it should be a natural decision.
Professional Red Team Engagements are conducted by highly skilled, experienced cybersecurity operators, but by empowering the human capital already on the payroll, an organization can germinate at least a rudimentary threat modeling program of its own. That gives its people an opportunity to grow professionally and add value to the organization.
Threat modeling and Red Team Engagements are not meant to embarrass or demoralize an organization’s executive leadership; they are merely an effective means of answering the question “how could we do this better?” before their organization ends up as another statistic of failure.
About the Author
Dan Williams is an Information Security consultant, a five-year veteran of the U.S. Marine Corps, and has over 15 years of experience in IT Operations. Dan’s career has spanned various specializations including systems analysis, network monitoring and defense, software development, and cloud engineering solutions, all with a central theme of security administration and strategic cyber intelligence.
He has a bachelor’s degree in Information Systems Security, a master’s degree in Cybersecurity Studies, and is a Systems Security Certified Practitioner through (ISC)². More recently, Dan’s focus as a consultant has been on researching DevOps security practices and conducting cloud infrastructure penetration tests and vulnerability assessments, to keep pace with threats to rapidly advancing and quickly adopted technologies. On a volunteer basis, Dan mentors future and junior cybersecurity personnel in both academic and workplace settings, offering guidance to the next generation of Information Security professionals.