
Monday, 14 Sep , 2015

Back To The Cyber Risk Future – Responding to new threats and vulnerabilities


The cyber headline says 'JUMP', do you say 'How high?' Here we suggest turning red-teaming on its head to raise awareness of the defence status quo and build confidence in the response to new nasties.

Something is wrong if you are hearing “JUMP!” then saying “HOW HIGH?!” in response to CVEs, SIEM/DLP alerts, threat intelligence reports and excited ‘cyber’ headlines.
The ability to quickly and realistically respond to new vulnerabilities, threats, or exploits is totally dependent on expertise, experience and data available to those responding…or a pimped up, quantum enabled DeLorean.
The path of least resistance is to act immediately, but in incident response and intel assessment that is frequently far from the right thing to do. The answer in two words…flux capacitor…no, sorry…risk assessment.

The Holey Threat & Vulnerability Picture

We still have no standard benchmarks for threat severity, and CVSS scores for vulnerabilities are typically 2 dimensional (here’s Ben Rothke on getting value out of CVSS scoring). Even with 2 dimensions, how many apply a “That’s about right” yardstick when writing up reports?
What you are frequently missing:

  • The local vulnerability picture – The number and location of bits of kit, software and processes that may have the newly reported holes (or other characteristics that make them a target for threats).
  • How that maps to key assets – Tracking up, down and sideways from vulnerabilities to valuable data stores and network elements that underpin critical operations.
  • Potential impact – IF those assets get hit, what is the potential impact of compromise?
  • Exploit ease and likelihood – The means and motive story for current threat actors as relevant to your business. Are exploits in the wild? Are they doable by script kiddies vs cyber spies? Do the groups who can have a go, have a motive to have a go at you?
  • Compensatory controls – How all existing layered defences work to detect, slow and/or stop likely exploits.
  • Cost of mitigation – Not just the man hours, but the potential downtime. Plus temporary or more permanent limitation on BAU activity caused by banging in that fix.
  • The 3rd party story – Getting the same view for suppliers, partners, or just websites frequented.

I explored the problem with that partial picture in more detail in this article: Dynamic Cyber Threat Intelligence – Pretty but potentially pointless and here’s Bryan Simon (President & CEO of XPloit) on taking data at face value: The Truth About DLP & SIEM: It’s A Process Not A Product
But why worry about the knowledge gaps? It rather depends on whether you want to mature security. To quote Jason Clark in his article for CSO Online, “Decoding Threat Intelligence”:

“Answering these types of questions moves your business along a security journey that begins in the hell of ad hoc approaches and ends at the nirvana of a business-aligned security program” 

An Overwhelming Task

Overwhelmed yet? Your security team probably are too. Leading us straight back around to that urge to fix and be damned. Is that really so bad? Not if you have a bottomless budget and the whole business dances to security’s tune.
If you live in the real world and a fix might take down or limit use of key systems and data stores…not such a happy picture. You’ll need a meaty justification to get past road blocks and without the bulleted bits above you’ll struggle to articulate it. Cue delays or poorly informed (often completely informal) risk acceptance. Something often only robustly questioned when something risk accepted gets implicated in a later incident.
So what can you do? Who has all the kit, contracted services, bodies and local risk insights to quickly put all that together? The sales pitch to acquire what you need can also be scuppered by the same lack of data – a chicken and painful egg situation, much like time paradox pitfalls in the 3rd instalment of the movie.
This is usually the part where you get a pitch for a new GRC tool, threat intelligence consultancy service or a.n.other niche fix. Instead a very people centred suggestion to tackle some of the above pain:

Back To The Cyber Risk Future

Starting with Marty holding a picture of Doc Brown’s gravestone and working backwards, a.k.a. reverse red teaming, a.k.a. turning the usual incident response exercise on its head:

Start at an imagined point. One where you already know the impact and which threats exploited which vulnerabilities. Pretend it’s a given that those holes definitely allowed a chosen catastrophe. Just pick highish profile scares. Don’t (at this stage) even think about threat actors, tech details, or the potential kill chain. Instead focus on impact related pain:

  • Data getting wiped, exposed or nicked vs something critical going down
  • That painful customer, partner and/or regulator notification process for IP, personal data and payment card data
  • The internal and media noise
  • The immediate market and partner reaction
  • The longer term hit on customers, partners, sales, reputation, strategic aspirations and CXO job security.

Then put the vulnerabilities and threats back on the table and explain how they do (or don’t) lead to the nightmare you’ve described.
Someone will likely pipe up to say vulnerability A and threat B are really unlikely to result in the described impact. Going on to explain that control X, Y or Z would spot, curtail and/or stop the exploit. Maybe adding it’s much more likely Fred from X company plugged something in he shouldn’t, Jane in HR set a horribly weak password she reused on a recently compromised dating site, or Pete clicked on a link in a suspect mail.
You spend enough time doing this kind of panic dampening when the latest breach hits the news, so why not turn it into proactive, positive effort?
All the value in doing this comes from bringing key business players along for the ride. The exercise quickly and necessarily jumps outside a pure tech focus. Engage with the folk you will talk to if it hits the fan. Tell them how a range of recently reported vulnerabilities and logoed exploits work and show them why they would (or would not) result in feared catastrophic impact for you…step, by step.
In other words: Prove or disprove your cybersecurity risk hypotheses before you’re forced to.
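The bulleted “what you are frequently missing” list and the impact-first exercise above both boil down to the same question: given a feared impact, does this vulnerability plus this threat actually reach a key asset once existing controls are counted? The model below is an added illustration (not the author’s, and not a real scoring standard); the inventory, control effectiveness figures and CVE placeholder are all constructed, and the weightings are assumptions to be replaced with your own.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: int   # 1 (nice to have) .. 5 (underpins critical operations / key data store)
    components: set    # kit or software present on the asset
    controls: dict     # compensatory control -> assumed fraction of exploit attempts it stops (0..1)

@dataclass
class Hypothesis:
    vuln: str          # identifier of the newly reported hole (placeholder below)
    affected: set      # components that carry the hole
    exploit_public: bool   # exploits in the wild?
    skill_needed: int      # 1 = script kiddie .. 5 = well-resourced spies
    actor_motive: int      # 1..5, motive of the groups who can have a go, for your business
    mitigation_cost: int   # 1..5, man hours plus downtime and BAU limitation
    feared_impact: str     # the catastrophe the exercise starts from

def likelihood(h: Hypothesis, asset: Asset) -> float:
    """Means-and-motive likelihood, reduced by each layered control (assumed independent)."""
    base = (6 - h.skill_needed) / 5 * h.actor_motive / 5
    if h.exploit_public:
        base = min(1.0, base * 1.5)          # working exploit lowers the bar further
    for effectiveness in asset.controls.values():
        base *= 1 - effectiveness            # each layer takes its cut of the residual
    return base

def assess(h: Hypothesis, inventory: list) -> list:
    """Rank only the assets that actually carry the hole: (name, likelihood, score)."""
    rows = [(a.name, round(likelihood(h, a), 3), round(likelihood(h, a) * a.criticality, 2))
            for a in inventory if a.components & h.affected]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def decision(rows: list, h: Hypothesis) -> str:
    """Turn the top residual score into the first step, with cost of the fix on the table."""
    top = rows[0][2] if rows else 0.0
    if top >= 2.0:
        return "fix now"
    if top >= 0.5:
        return "schedule fix" if h.mitigation_cost <= 3 else "fix needs business sign-off; controls carry the risk meanwhile"
    return "risk accepted; record the rationale and the control it leans on"

# Constructed sample inventory and scare; the crown jewels sit behind two layers, the brochure site behind none.
INVENTORY = [
    Asset("payments-db", 5, {"openssl"}, {"waf": 0.5, "network-segmentation": 0.6}),
    Asset("marketing-site", 2, {"openssl", "wordpress"}, {}),
    Asset("hr-laptops", 3, {"office-suite"}, {"edr": 0.7}),
]
SCARE = Hypothesis("CVE-PLACEHOLDER", {"openssl"}, True, 2, 4, 4, "card data exposed, notification to regulator")
```

Run `assess(SCARE, INVENTORY)` and the headline-grabbing hole ranks the low-value site first, while the payment store’s residual score is held down by the controls someone in the room would have pointed at; `decision(...)` then gives the measured first step rather than “fix me now”.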

Potential Outcomes:

Every turn of that handle builds everyone’s security awareness, risk knowledge and ability to moderate reactions when new nasties land. The intelligence gathered (if you diligently record it) is invaluable.
It can reinforce justified confidence in current controls, existing intel and security function expertise. By the same token, it will flag related gaps and for once dependencies and limitations have context…the guys who call the shots see the impact of missing information and lack of means to gather it.
Bonus benefit? The security team gain a better, more holistic view of what concerns their many and varied stakeholders, business-wide incident related pain and how ‘scary’ threats and vulnerabilities stack up against the grand scheme of business risks and priorities.
If you twin that kind of experience with a view of effort and disruption caused by knee-jerk fixes and persistently accepted risks, it can dramatically improve future conversations and relationships.
So while threat intelligence remains a bit of an oxymoron and vulnerability ratings are very variable, getting to the bottom of what’s doable with current tools and intel isn’t a bad idea.
And next time a logo-worthy threat or vulnerability hits the news…something that screams “URGENT – FIX ME – NOW!”?…
…less FUD and blamestorming, better informed first steps, measured concern and appropriate urgency. All tempered by new found confidence that the security team is doing their best with the tools available.
