This blog walks cybersecurity professionals through the logical steps to create a practical and actionable cybersecurity strategy.
“Forewarned, forearmed; to be prepared is half the victory.” – Miguel de Cervantes
As you work to develop a cybersecurity strategy and to improve your organization’s capabilities, always be sure to look down the road to what threats you can expect to experience in the near- and long-term.
When determining the threats your organization is likely to face, look both at the broad picture and at what you can expect from threat actors targeting your particular industry or geography.
Analyzing adversary Tactics, Techniques, and Procedures (TTPs) is a key part of that research: TTPs describe how attackers actually operate, which is exactly what you need when evaluating (or re-evaluating) your cybersecurity architecture, operations and, ultimately, your cybersecurity strategy.
Regardless of whether you’re in the public sector or private sector, whether you are in health, retail, banking or located in the U.S. or France or Japan (or multiple locations), you need to remember one cardinal rule about threats:
It may sometimes be about nation states, but it’s certainly always going to be about the money.
It is very rare – outside of direct military conflicts – that cyber attacks are carried out for purely malicious reasons. With few exceptions (e.g., a nation state looking to disrupt a rival state’s critical infrastructure), the vast bulk of threats boil down to e-crime and making money. Even nation states are looking to “profit” from their attacks in one way or another (e.g., espionage, upsetting the operation of government, stealing IP to use for their own industries).
You’ll remember when I posted Step 1 (Who Are You?), I asserted it was critical to understand your organization and what distinguishes it from others – where it derives its value. That is fundamental to accurately identifying which projected threats and threat trends you need to be aware of, both globally and specific to you. Which threats would have the biggest impact on your organization, in terms of value lost? Which threats would cause you to lose the most value fastest? When researching projected threat trends, always keep in mind what your organization values most and which assets it must protect above all others. This will help you focus on and prioritize those threats that can directly impact your most highly valued assets.
Bad actors have shifted much of their effort in recent years from malware-based attacks to harvesting user credentials, typically through phishing, and then simply logging in with them. This includes targeted attacks on the C-Suite. Anticipating this trend has allowed numerous organizations to devise strategies around more robust Identity and Access Management and enhanced protection of privileged credentials (executive, administrative and service accounts, for example).
Industry- and Region-Specific Threats
A great deal of available research provides insights into threats that target specific industries and regions, in addition to those that are global and indiscriminate. For example, industries such as mining, manufacturing and utilities will be very concerned about preparing for threats to their Operational Technology (OT) infrastructure, as much as or more than their Information Technology (IT) infrastructure, and would accordingly direct focus there. In addition to industry, it is important to be aware of any threats that are specific to the region or country in which you’re located.
Many industries have a dedicated Information Sharing and Analysis Center (ISAC) for cybersecurity awareness and coordination to ensure that members of that industry are informed of and preparing for threats that are of particular importance. Please refer to the Industry-Specific Sources Section below for some examples.
Verizon regularly publishes its Data Breach Investigations Report (DBIR) and provides insights into the degree to which regions around the world have been attacked as well as the nature and motives/objective(s) of these attacks. This report also calls out attack patterns by industry to provide an outline of the degree to which various industries were attacked and the nature of those attacks. This is one example. Please refer to the Suggested Resources section below for more ideas for research sources.
In addition to independent reports, most governments provide services and threat reports to aid and support efforts by local organizations to strengthen and protect their information ecosystems. This is a valuable resource to leverage when conducting threat and threat trend research. Please refer to the National Sources Section below for some examples.
The Cybersecurity and Infrastructure Security Agency (CISA) is operated by the U.S. federal government with the goal of strengthening the information ecosystems of all U.S.-based organizations, regardless of sector or industry. Canada has a similar agency: the Canadian Centre for Cyber Security. Be sure to check out the guidance provided by your own national government’s agency (or agencies).
When considering current and projected threats and threat trends, never lose sight of those threats or risks that can emanate from within the organization. Whether accidental or intentional, insider threats and trends must be included in your research. One prominent example is the rise in overall employee stress levels during the COVID pandemic. The impact of potential job loss, health concerns, working remotely, and social isolation caused a massive increase in anxiety. This resulted in potentially drastic changes in employee behavior and necessitated planning to address the risks involved.
Suggested Resources
There are many places to go to research current and projected threats and threat trends. If you’re looking for some ideas, here are a few places I would recommend. Some general sources are outlined first; several of them also include recommendations for remediation of the threats and threat trends they describe. Be aware that you will be asked to register for most of these.
- Microsoft Digital Defense Report (MDDR): Microsoft Digital Defense Report and Security Intelligence Reports
- Crowdstrike Global Threat Report: 2022 Global Threat Report (crowdstrike.com)
- Verizon Data Breach Investigation Report (DBIR): 2021 Data Breach Investigations Report | Verizon
- FireEye Threat Intelligence Reports: Cyber Threat Intelligence Reports | FireEye
- Mandiant Threat Intelligence Directly From the Front Lines: Threat Intelligence Platform | Threat Intelligence Tools | Mandiant
- IBM Security X-Force Threat Intelligence Index: IBM Security X-Force Threat Intelligence Index | IBM
- Gartner Top Security and Risk Trends for 2022: Gartner Top Security and Risk Trends for 2022
- McKinsey Cybersecurity trends: Looking over the horizon: Cybersecurity trends: Looking over the horizon | McKinsey
- SANS NewsBites: https://www.sans.org/newsletters/newsbites/
- Splunk Top 50 Security Threats: Top 50 Security Threats | Splunk
- MITRE ATT&CK: MITRE ATT&CK®
- MITRE D3FEND (currently in early beta): Resources | MITRE D3FEND™
- McAfee Labs Threat Report: McAfee Labs Threats Reports – Threat Research | McAfee
- Perch MSP Threat Report: 2021 MSP Cyber Threat Report | ConnectWise
- Digital Attack Map (Top Daily DDoS Attacks Worldwide): https://www.digitalattackmap.com/
Many of the above sources also provide more targeted data about industries and global regions as well.
Industry-Specific Sources
Some samples of industry-specific sources for researching current and projected threats and threat trends are:
- Financial Services Information Sharing and Analysis Center (FS-ISAC): Financial Services Information Sharing and Analysis Center (fsisac.com)
  - FS-ISAC Annual Global Intelligence Report: Navigating Cyber 2022 (fsisac.com)
- Health Information Sharing and Analysis Center (H-ISAC): Health Information Sharing and Analysis Center | H-ISAC
  - National Critical Infrastructure Resilience (Part of H-ISAC): National Critical Infrastructure Resilience – Health Information Sharing and Analysis Center | H-ISAC
National Sources
Some examples of national government sources for researching current and projected threats and threat trends are:
- U.S. Cybersecurity and Infrastructure Security Agency (CISA): Homepage | CISA
  - Alerts: Alerts | CISA
- Canadian Centre for Cyber Security: Canadian Centre for Cyber Security
  - Reports and Assessments: Reports and assessments – Canadian Centre for Cyber Security
- Australian Cyber Security Centre (ACSC): https://www.cyber.gov.au/acsc/view-all-content
- United Kingdom National Cyber Security Centre (NCSC): National Cyber Security Centre – NCSC.GOV.UK
  - Advice and Guidance: https://www.ncsc.gov.uk/section/advice-guidance/all-topics
Putting It All Together
Once you have compiled and reviewed the findings from your research (i.e., from global, regional and industry-oriented sources), you will see recurring themes throughout the material. These common threads will show you which threats and threat trends are the most likely and the most impactful to anticipate. When you couple this with an understanding of which assets are of most value to the organization (as discussed at the top), you will be able to prioritize those threats and account for them in your strategic planning.
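To make the “recurring themes” step concrete, here is an added example (my own illustration, not code from the original post or from any of the sources listed above). It tallies how many distinct sources mention each MITRE ATT&CK technique, then weights each technique by the value of the assets it puts at risk, so a threat that is mentioned everywhere but only touches low-value assets does not automatically outrank one mentioned less often that threatens your crown jewels. The report excerpts, the technique-to-asset mapping and the asset values are all constructed assumptions standing in for real reports and your own Step 1 valuation.

```python
"""Rank threat themes across several reports, weighted by asset value.

Added example for this post. The report excerpts, the technique-to-asset
mapping and the asset values below are constructed assumptions; swap in your
own report notes and your own asset valuation from Step 1.
"""
import re
from collections import Counter

# ATT&CK enterprise technique IDs look like T1566 or, for sub-techniques, T1078.004.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed excerpts standing in for findings pulled from several sources.
REPORTS = {
    "global_vendor_report": "Phishing (T1566) remains the top initial access vector; "
                            "stolen credentials (T1078) were used in most breaches.",
    "industry_isac_bulletin": "Members report T1566 phishing and T1078.004 cloud account "
                              "abuse followed by ransomware (T1486).",
    "national_csirt_alert": "Exploitation of public-facing apps (T1190) and brute force "
                            "(T1110) against exposed remote services (T1133).",
    "regional_report": "Credential theft T1078 and ransomware T1486 dominate; T1566 noted.",
}

# ASSUMPTION: which of the organisation's assets each technique most directly threatens.
TECHNIQUE_ASSETS = {
    "T1566": ["user_credentials"],
    "T1078": ["user_credentials", "privileged_accounts"],
    "T1486": ["production_systems", "customer_data"],
    "T1190": ["production_systems"],
    "T1110": ["user_credentials"],
    "T1133": ["privileged_accounts", "production_systems"],
}

# ASSUMPTION: relative value of each asset (the output of "Step 1: Who Are You?"), 1..10.
ASSET_VALUE = {
    "customer_data": 10,
    "privileged_accounts": 9,
    "production_systems": 8,
    "user_credentials": 6,
}


def extract_techniques(text):
    """Return the distinct parent technique IDs mentioned in one report.

    Sub-technique mentions (T1078.004) are rolled up to the parent (T1078) so
    that they count toward the same theme.
    """
    return {match.split(".")[0] for match in TECHNIQUE_RE.findall(text)}


def source_counts(reports):
    """Count how many distinct sources mention each technique: the recurring themes."""
    counts = Counter()
    for text in reports.values():
        counts.update(extract_techniques(text))  # a set, so one vote per source
    return counts


def impact_score(technique):
    """Value of the most valuable asset the technique threatens; 0 if unmapped."""
    assets = TECHNIQUE_ASSETS.get(technique, [])
    return max((ASSET_VALUE.get(asset, 0) for asset in assets), default=0)


def prioritize(reports, min_sources=2):
    """Rank techniques by (number of sources) x (asset impact).

    Returns (technique, sources, impact, score, recurring) tuples, highest score
    first. Techniques below min_sources are kept but flagged as not recurring,
    because a rapidly rising threat may appear in only one source so far.
    """
    ranked = []
    for technique, sources in source_counts(reports).items():
        impact = impact_score(technique)
        ranked.append((technique, sources, impact, sources * impact, sources >= min_sources))
    ranked.sort(key=lambda row: (-row[3], row[0]))
    return ranked


if __name__ == "__main__":
    for technique, sources, impact, score, recurring in prioritize(REPORTS):
        flag = "recurring" if recurring else "watch"
        print(f"{technique}: sources={sources} impact={impact} score={score} [{flag}]")
```

On the constructed data, T1566 (phishing) and T1078 (valid accounts) each appear in three of the four sources, but the value weighting puts T1078 first and lifts T1486 (ransomware, two sources) above T1566 because of the assets it threatens. The single-source techniques stay in the output flagged as “watch” rather than being discarded.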
One final note: It is critical to remember that the identification of threat trends should also cover current and rapidly rising threats. While it is vital to keep an eye to the future, never forget bad actors are looking to leverage every crisis for their gain. And they are usually able to do so in depressingly rapid fashion. Always be aware of new developments and how they can affect your organization. Needless to say, this will require you to pivot and adapt your cybersecurity strategy as well.
The onset of the COVID pandemic was rapid and unexpected, catching organizations around the world completely off-guard. The associated rise of remote work across the globe as a result of the quarantines presented the drastic threat trend of workers being compromised from their own home networks and allowing bad actors to subsequently gain access to corporate resources. While the crisis did not allow much time for organizations to anticipate and prepare for this situation, many enterprises were able to quickly assess the risk and deploy solutions to further secure their remote employees’ access to corporate resources (e.g., Zero Trust, MFA, Patch Management, Secured VPN, DDoS Protection, etc.). Even now, two years later, this threat trend is not going to go away any time soon.
Thank you for your time. Be sure to stay tuned for the next posting in this series: Cybersecurity Strategy Step Four – What’s in It for Me? (Determining your Organization’s Priorities, Business Value Drivers and Principles).
Special thanks to Wesley Kuzma, Justin Yost and Jörg Finkeisen for their contributions to this blog post.