A Safe IT Environment
How do I know I’m safe enough?
Anyone responsible for securing an IT environment will at some point ask: am I on the right track? Am I doing enough about information security? Is my most important information (the crown jewels) secure? What is good enough?
Implementing a security framework (for example the BIO, ISO 27001 or NEN 7510) combined with a risk assessment is the most commonly followed path. Implementing a framework does not by itself answer the questions above, but a structured approach does help. It can also be repeated when new threats emerge, to determine efficiently where additional measures are needed, so that you always know whether you are still safe enough.
Know your enemies
The old adage "know your enemies" is the basis for a secure IT environment. Getting to know your enemies is done in two phases. The first phase identifies which threats and which types of threat actor can harm the organization; the result is recorded in a threat profile.
It is important to include physical threats as well (for example, protesters entering a building) and to estimate the potential impact of each threat.
The second phase identifies the types of groups or actors that could realize those threats. This is done by looking along several axes at the goals of the attackers (actors): financial gain, corporate espionage, disrupting the organization, and so on. Types of actors include criminal organizations, nation-states or state-sponsored groups, and also your own personnel. The Cyber Security Assessment Netherlands (CSBN) from the NCSC, or a sector-specific threat assessment derived from it, is a useful starting point.
Who are the true enemies?
Knowing your enemies thus gives a picture of the threats you should defend against and of the types of actor that pose a potential threat.
But which groups are really interested in attacking the organization? There are tools that have already identified and described these groups. With that information you can determine which groups are potential attackers of your organization. One of the tools Highberg experts use for this is the MITRE ATT&CK framework, a curated knowledge base of adversary behavior. Its group entries record which sectors and regions each documented group has targeted and what it was after, so the actor types found in the previous step can be narrowed down to the specific groups that are likely to attack you.
How am I being attacked?
Once the actual actors are identified, we can look at how they attack an organization. Actor groups tend to reuse the same tradecraft, so how most of them operate is known: which techniques they use (think phishing or brute-force attacks) and how the attack then unfolds (for example, through data exfiltration or data encryption). The MITRE ATT&CK framework gives excellent insight here, with comprehensive and directly applicable descriptions per technique and per group. One caveat: ATT&CK records behavior that has been observed and reported, so the absence of a technique in a group's entry does not mean the group never uses it.
Defense Strategy
Once you know the strategies of the actor groups that can attack the organization, you can position your cyber defenses in strategic places. The goal is to block these actors effectively, so that they cannot enter via their preferred routes. Forcing an attacker onto a detour costs them more effort, and many actors will not bother because the expected return no longer justifies it. This lets you concentrate your security measures on the specific parts of your environment that matter most.
There are of course exceptions, especially in the case of espionage by state actors (they have more people, equipment and money at their disposal); for these you will have to secure the alternative routes as well.
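The prioritization described in the two sections above (actors, their ATT&CK techniques, then defending the routes most of them share while not forgetting the routes only a well-resourced actor takes) can be made concrete in a few lines. The following is an added example, not Highberg's tooling or anything from the original article. The actor-to-technique mapping and the list of implemented controls are constructed sample data; in practice the group-to-technique relationships come from the ATT&CK STIX bundle (https://github.com/mitre/cti) or from exporting an ATT&CK Navigator layer per selected group. The technique IDs are real ATT&CK enterprise techniques; the group names are placeholders, and the Navigator version strings are assumed to match a recent Navigator release.

```python
"""Threat-informed prioritization over ATT&CK technique IDs.

Added example, not the article's or Highberg's own code. The actor mapping
and the control list are constructed sample data.
"""
from collections import Counter
import json

# Constructed sample: each relevant actor group and the ATT&CK technique IDs
# it is known to use. Group names are placeholders, not ATT&CK group IDs.
ACTOR_TECHNIQUES = {
    "crime-group-1": {"T1566", "T1110", "T1078", "T1486", "T1041"},  # phishing, brute force, valid accounts, ransomware, exfil over C2
    "crime-group-2": {"T1566", "T1078", "T1059", "T1486"},           # phishing, valid accounts, scripting, ransomware
    "insider":       {"T1078", "T1567"},                             # valid accounts, exfil over web service
    "state-actor":   {"T1566", "T1195", "T1078", "T1041", "T1567"},  # adds supply chain compromise (T1195)
}

# Constructed sample: controls already in place, keyed by the technique they
# address. A technique counts as covered if at least one control lists it.
IMPLEMENTED_CONTROLS = {
    "T1566": ["mail sandbox", "phishing report button"],
    "T1110": ["account lockout", "MFA"],
    "T1078": ["MFA"],
}


def technique_pressure(actors):
    """Count how many of the relevant groups rely on each technique."""
    return Counter(t for techniques in actors.values() for t in techniques)


def prioritise(actors, controls, min_groups=2):
    """Uncovered techniques shared by at least min_groups groups, most shared first.

    These are the 'preferred routes': closing one of them raises the cost for
    several groups at once.
    """
    pressure = technique_pressure(actors)
    gaps = [(t, n) for t, n in pressure.items() if n >= min_groups and t not in controls]
    return sorted(gaps, key=lambda gap: (-gap[1], gap[0]))


def alternative_routes(actors, controls, well_resourced):
    """Uncovered techniques used only by the well-resourced groups (e.g. state actors).

    prioritise() ignores these because few groups share them, but a group that
    is willing to take the detour still needs them closed.
    """
    used_by_others = set().union(*(techs for g, techs in actors.items() if g not in well_resourced))
    used_by_target = set().union(*(actors[g] for g in well_resourced))
    return {t for t in used_by_target - used_by_others if t not in controls}


def navigator_layer(pressure, name="actor pressure"):
    """Build an ATT&CK Navigator layer (v4 JSON layer format) that scores each
    technique by the number of relevant groups using it. Version strings are
    an assumption matching a recent Navigator release."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Constructed example; score = number of relevant groups using the technique",
        "techniques": [{"techniqueID": t, "score": n} for t, n in sorted(pressure.items())],
    }


if __name__ == "__main__":
    pressure = technique_pressure(ACTOR_TECHNIQUES)
    print("Priority gaps (shared, uncovered):", prioritise(ACTOR_TECHNIQUES, IMPLEMENTED_CONTROLS))
    print("State-actor-only gaps:", alternative_routes(ACTOR_TECHNIQUES, IMPLEMENTED_CONTROLS, {"state-actor"}))
    print(json.dumps(navigator_layer(pressure), indent=2))
```

With the sample data, the shared uncovered routes are ransomware encryption (T1486) and the two exfiltration channels (T1041, T1567); phishing and brute force are already covered. Supply chain compromise (T1195) only shows up for the state actor, which is exactly the case the espionage caveat above warns about. Because the functions are pure, re-running the threat analysis later is a matter of updating the two dictionaries and calling them again; loading the layer into the ATT&CK Navigator colors the matrix by group pressure for discussion with management.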
How to stay safe?
The resources and systems you have deployed across the organization together form the complete security of your environment. For them to work optimally, the organization must set up monitoring that verifies the controls are actually functioning; a control that silently fails gives no protection. Only then is the security sustainably effective. Attack techniques and vulnerabilities are also highly dynamic and change constantly, so by periodically redoing the threat analysis, re-identifying the enemies and their strategies, you keep your defenses continuously current.
Conclusion
How do I know if I am secure enough?
This is the most important question. By applying the analysis method described here continuously, you can determine whether all risks from attackers are sufficiently covered.
Am I on the right track?
From the analysis you know who your attackers are and how they attack. You can then determine whether you have deployed sufficient systems and resources against them. If not, corrections or adjustments must be made.
Am I doing enough on information security?
What is good enough? The analysis method gives a clear answer to what security you need to deploy and where. Note that the world keeps changing, so periodically reviewing the threat assessment and the steps that follow from it remains essential.
Interested in how Highberg security experts can help you determine what your real threats are and whether you are secure enough? You are always welcome to contact us.