Organizations are under tremendous pressure to be agile and resilient. A key part of building a mature cybersecurity posture to enable the goals of the organization is conducting ongoing risk assessments and then implementing risk-prioritized measures.
Organizations contact us during this process to ask what emerging threats to guard against. Our answer always includes a list of the issues that have already emerged and that are still causing incidents. We call this “compromise threat intelligence” – identifying the causes behind actual incidents affecting organizations. Focusing on risks that are identified in a lab but are not being exploited “in the wild” may not be the best use of time and resources, especially if it distracts from efforts to combat the risks that are frequently exploited. No one is happy if you spend time guarding against fraud from deep fakes if an accounting employee is tricked by a spoofed email into wiring a large sum to a criminal.
So, effective use of compromise threat intelligence means identifying why known risks continue to be exploited, in addition to looking around the corner at what may be coming. You can then account for frequency, the order of magnitude of post-incident financial consequences, and the scenarios in which regulatory inquiries and litigation are more likely, to build an industry-specific hierarchy of risk. You can separate the risks into two categories – theft of data and business continuity. You may see threats, and the conditions that enable those threats to be exploited, present in both categories, which helps with prioritization. The threat groups that steal data, deploy ransomware, and then threaten to release the stolen data unless the ransom for the encryption key is paid are a good example of this.
This risk assessment and prioritization process helps identify the threats likely to be exploited and how they can be exploited. There are security solutions that address many different risks, but most organizations are not in a position to purchase them all, let alone properly implement, use, and maintain them. For example, if you are a business that accepts payment cards in person, an attack by one of the “FIN” groups that target payment card data is a primary theft-of-data risk. If a successful attack steals data from 50,000 cards, after providing notification to individuals and the payment card networks, there may not be any further developments. If the attack involves over 1 million cards, you may face assessments from card networks in the $4-$5 per card range, lawsuits by individuals and issuing banks, and regulatory scrutiny. Enabling EMV at the point-of-sale (POS) device does not prevent a FIN group from stealing payment card data, although it does affect what data is accessible. But having EMV does reduce chargeback liability from fraud and makes the business eligible for a safe harbor from assessments by the payment card networks. Using a properly implemented point-to-point encryption (P2PE) payment application prevents payment card data from being present on a POS device, so even if a threat actor breaks in, there is no payment card data available to be stolen. While P2PE may prevent theft of payment card data, if the threat actor that gets in deploys ransomware that encrypts data on the POS device, no card data is at risk – but the ability to continue to make sales is. So should that business enable EMV to avoid chargebacks and gain eligibility for the assessment safe harbor, implement a P2PE application to ensure there is no card data available to be stolen, deploy an advanced endpoint detection and response (EDR) tool to prevent theft of data and ransomware deployment, or outsource everything to a vendor?
Our 2020 BakerHostetler Data Security Incident Response Report contains data from 950 of the 1,000+ incidents we helped clients address in 2019. You can use the report to help build your hierarchy of risk and make risk-prioritized decisions on where to invest your organization’s limited time and resources. The report contains a “History of Problems” feature that lists the areas of risk that have remained constant and considerations about what threat actors may do next.