No matter the use case on which your organization is focused for security, you’ll likely waste time and funds—making sub-par decisions—if your analysis does not start with a firm understanding of your unique threat landscape. Use cases such as phishing protection, vulnerability management, alert prioritization, and threat hunting can all help you make necessary decisions about allocation of resources, but only when they are considered in the correct context.
There is a tendency for business leaders is to jump right into the universal view of threats. This is made up of a massive volume of threat intelligence sources that are generally focused on threats that may or may not be specifically applicable to their organizations at the same level of risk as the authors designate. The major issue with that approach is that they almost immediately face a big data problem due to the overwhelming amount of data from the many available sources of information, including:
Frameworks like MITRE ATT&CK
All of these provide leaders with data to incorporate into their analyses to keep up with emerging threat information and trends.
Focusing instead on the junction between this overall threat universe and your organization’s own infrastructure will allow you to arrive at a reduced, comprehensible threat landscape, that is directly applicable to your organization—the landscape that should truly drive your decision making.
Taking a look at risk-based vulnerability management because of its ubiquitous applicability for all organizations’ security focused teams, the number of new Common Vulnerabilities and Exposures (CVEs) brought to light every year has grown steadily since 2017. In 2022, it reached a record high at 25,227. This was a 25% increase over the number reported the previous year, and is too large a pool of vulnerability data to plug straight into your threat analysis.
Designing a defense is much simpler across a more narrow threat landscape.
Let’s determine which vulnerabilities you should really focus on. First, we need to establish context by looking at the internal information provided by your infrastructure and other assets. You can create a list of your assets and use that as your reference throughout the rest of the process. Second, filter out the vulnerabilities that are not being actively exploited (at this point in time, as this analysis needs to take place regularly), also filtering out those not applicable to your industry.
Additional filtering is possible according to your organization’s risk tolerance—the threshold of risk that your organization is willing to simply accept rather than addressing it through mitigation, transference, or avoidance. Setting appropriate context creates a threat landscape with much smaller “acreage,” so to speak, and helps you identify the top types of adversaries that are the greatest threats. Designing a defense is much simpler across a more narrow threat landscape.
Focusing on your particular threat landscape, and the associated—and smaller—population of adversaries, helps you more fully define their tactics, techniques, and procedures (TTPs). That, in turn, allows you to identify which vulnerabilities in your environment those attackers have been known to exploit. By focusing on a smaller population of vulnerabilities and threat actors, you can then focus on particular indicators of compromise in threat hunting and the particular defenses in which your organization should invest. You’ll be able to proactively patch vulnerabilities that are the highest priorities. If and when you do identify evidence of exploitation of vulnerabilities in your environment you can then also map to the MITRE ATT&CK framework and use it as a guide to determine the courses of action that will be best to take.
This whole process is made much simpler when you bring in the expertise of virtual Chief Information Security Officers (CISOs) such as those your organization can hire from Webcheck Security. Contact us today to schedule a discussion of your business needs related to security and how we can help you most efficiently address them.