Something is wrong if you are hearing “JUMP!” then saying “HOW HIGH?!” in response to CVEs, SIEM/DLP alerts, threat intelligence reports and excited ‘cyber’ headlines.
The ability to quickly and realistically respond to new vulnerabilities, threats, or exploits is totally dependent on expertise, experience and data available to those responding…or a pimped up, quantum enabled DeLorean.
The path of least resistance is to act immediately, but in incident response and intel assessment that is frequently far from the right thing to do. The answer in two words…flux capacitor…no, sorry…risk assessment.
The Holey Threat & Vulnerability Picture
We still have no standard benchmarks for threat severity, and CVSS scores for vulnerabilities are typically two-dimensional (here’s Ben Rothke on getting value out of CVSS scoring). Even with two dimensions, how many apply a “That’s about right” yardstick when writing up reports?
What you are frequently missing:
- The local vulnerability picture – The number and location of bits of kit, software and processes that may have the newly reported holes (or other characteristics that make them a target for threats).
- How that maps to key assets – Tracking up, down and sideways from vulnerabilities to valuable data stores and network elements that underpin critical operations.
- Potential impact – IF those assets get hit, what is the potential impact of compromise?
- Exploit ease and likelihood – The means and motive story for current threat actors as relevant to your business. Are exploits in the wild? Are they doable by script kiddies vs cyber spies? Do the groups who can have a go, have a motive to have a go at you?
- Compensatory controls – How all existing layered defences work to detect, slow and/or stop likely exploits.
- Cost of mitigation – Not just the man hours, but the potential downtime. Plus temporary or more permanent limitation on BAU activity caused by banging in that fix.
- The 3rd party story – Getting the same view for suppliers, partners, or just websites frequented.
I explored the problem with that partial picture in more detail in this article: Dynamic Cyber Threat Intelligence – Pretty but potentially pointless. And here’s Bryan Simon (President & CEO of XPloit) on taking data at face value: The Truth About DLP & SIEM: It’s A Process Not A Product.
But why worry about the knowledge gaps? It rather depends on whether you want to mature security. To quote Jason Clark in his article for CSO Online, “Decoding Threat Intelligence”:
“Answering these types of questions moves your business along a security journey that begins in the hell of ad hoc approaches and ends at the nirvana of a business-aligned security program”
An Overwhelming Task
Overwhelmed yet? Your security team probably are too. Leading us straight back around to that urge to fix and be damned. Is that really so bad? Not if you have a bottomless budget and the whole business dances to security’s tune.
If you live in the real world and a fix might take down or limit use of key systems and data stores…not such a happy picture. You’ll need a meaty justification to get past roadblocks, and without the bulleted bits above you’ll struggle to articulate it. Cue delays or poorly informed (often completely informal) risk acceptance, something that is usually only robustly questioned when a risk-accepted item gets implicated in a later incident.
So what can you do? Who has all the kit, contracted services, bodies and local risk insights to quickly put all that together? The sales pitch to acquire what you need can also be scuppered by the same lack of data – a chicken and painful egg situation, much like time paradox pitfalls in the 3rd instalment of the movie.
This is usually the part where you get a pitch for a new GRC tool, threat intelligence consultancy service or a.n.other niche fix. Instead, here is a very people-centred suggestion to tackle some of the above pain:
Back To The Cyber Risk Future
Starting with Marty holding a picture of Doc Brown’s gravestone and working backwards, a.k.a. reverse red teaming, a.k.a. turning the usual incident response exercise on its head:
Start at an imagined point. One where you already know the impact and which threats exploited which vulnerabilities. Pretend it’s a given that those holes definitely allowed a chosen catastrophe. Just pick highish profile scares. Don’t (at this stage) even think about threat actors, tech details, or the potential kill chain. Instead focus on impact related pain:
- Data getting wiped, exposed or nicked vs something critical going down
- That painful customer, partner and/or regulator notification process for IP, personal data and payment card data
- The internal and media noise
- The immediate market and partner reaction
- The longer term hit on customers, partners, sales, reputation, strategic aspirations and CXO job security.
Then put the vulnerabilities and threats back on the table and explain how they do (or don’t) lead to the nightmare you’ve described.
Someone will likely pipe up to say vulnerability A and threat B are really unlikely to result in the described impact. Going on to explain that control X, Y or Z would spot, curtail and/or stop the exploit. Maybe adding it’s much more likely Fred from X company plugged something in he shouldn’t, Jane in HR set a horribly weak password she reused on a recently compromised dating site, or Pete clicked on a link in a suspect mail.
You spend enough time doing this kind of panic dampening when the latest breach hits the news, so why not turn it into proactive, positive effort?
All the value in doing this comes from bringing key business players along for the ride. The exercise quickly and necessarily jumps outside a pure tech focus. Engage with the folk you will talk to if it hits the fan. Tell them how a range of recently reported vulnerabilities and logoed exploits work and show them why they would (or would not) result in feared catastrophic impact for you…step, by step.
In other words: Prove or disprove your cybersecurity risk hypotheses before you’re forced to.
Every turn of that handle builds everyone’s security awareness, risk knowledge and ability to moderate reactions when new nasties land. The intelligence gathered (if you diligently record it) is invaluable.
It can reinforce justified confidence in current controls, existing intel and security function expertise. By the same token, it will flag related gaps and, for once, dependencies and limitations have context…the guys who call the shots see the impact of missing information and the lack of means to gather it.
Bonus benefit? The security team gain a better, more holistic view of what concerns their many and varied stakeholders, business-wide incident-related pain, and how ‘scary’ threats and vulnerabilities stack up against the grand scheme of business risks and priorities.
If you twin that kind of experience with a view of effort and disruption caused by knee-jerk fixes and persistently accepted risks, it can dramatically improve future conversations and relationships.
So while threat intelligence remains a bit of an oxymoron and vulnerability ratings are very variable, getting to the bottom of what’s doable with current tools and intel isn’t a bad idea.
And next time a logo-worthy threat or vulnerability hits the news…something that screams “URGENT – FIX ME – NOW!”?…
…less FUD and blamestorming, better informed first steps, measured concern and appropriate urgency. All tempered by new found confidence that the security team is doing their best with the tools available.