Social media, mobile computing, cloud services and the Internet of Things (IoT) have changed the way we do business. Adversaries have changed too. They are no longer merely watching networks and endpoints to decide how to attack; they now have a great deal of information to work with, and they capitalise on the fact that every new technology we adopt leaves behind a digital footprint, an electronic trail of our activities.
Not all digital footprints are bad; a good online reputation is hugely positive. However, a subset of the digital footprint, referred to as the digital shadow, can reveal exposed personal, technical or organisational information that is often highly confidential, sensitive or proprietary. This is what adversaries look for. Many actively survey the digital shadows that organisations unknowingly cast and use what they find to spot weaknesses and launch attacks.
To truly understand which threat actors pose a viable threat to your assets and business operations, you, as a security professional, need a better understanding of your organisation's attack surface and its own unique set of threats. You need an attacker's eye view.
While organisations have relied on cyber threat intelligence (CTI) to gain a better understanding of threats and threat actors, we need to do more. Data feeds, vulnerability feeds, indicators of compromise (IOCs) and profiles of threats and research reports will continue to be pertinent. But what’s lacking is cyber situational awareness that provides a more holistic and specific view of threats and vulnerabilities relevant to your organisation. With this view, you can think like an attacker and more effectively address potential threats, instances of sensitive data loss or compromised brand integrity.
So how do you move your security practices in this direction? This three-stage approach can help, and at each stage you will see real benefits.
Stage 1: Perception – Building on the internal information and CTI feeds you already gather to understand threats, the focus of this first stage is to understand how you are perceived by hostile actors. By knowing where key information assets, employee credentials and sensitive documents are being exposed online, you can understand where the organisation is likely to be most vulnerable. Information is gathered by examining millions of social sites, cloud-based file-sharing sites and other points of compromise across a multilingual, global environment spanning the visible, deep and dark web. Cyber situational awareness also analyses and reports which malicious actors might be targeting an organisation or industry, why, and their methods of attack. The perception stage provides the basis for better cyber situational awareness and, in and of itself, yields significant new insights that you can act upon immediately to address exposures or behaviours that violate policy.
Stage 2: Comprehension – With data about yourself and your attackers, the next step is to apply context to understand what information is relevant and meaningful to your specific circumstances. You do this by ensuring that the intelligence directly references your organisation’s brands, assets, concerns and weaknesses, systems and defences (i.e., those things most relevant). Through this lens you can identify which threats pose the greatest risk and use this information to guide security investment decisions and strategies.
Stage 3: Projection – The highest level of cyber situational awareness involves making educated and informed assessments about what might be around the corner, to reduce uncertainty and determine what action to take to mitigate the threat. Techniques include analysis of past behaviour to predict future behaviour, identification of trends, geopolitical analysis and understanding the precursors of previous attacks.
In the short term, complete cyber situational awareness can prevent and mitigate harmful events. By gathering the facts about a breach, you can do damage control and close gaps, such as resetting exposed passwords and issuing takedown requests to social media and code-sharing sites. In the longer term it can be used to help prioritise threat-protection investments and policies. For example, an organisation that has been deferring an investment in data loss prevention (DLP) technology, now armed with an understanding of a specific data-leak problem, can re-prioritise.
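The perception and comprehension stages above are easier to reason about when reduced to a small, runnable model. The following is an added example written for this article, not code from the original page or from any vendor's product. It models Stage 1 as organisation-agnostic extraction of candidate exposures (credential pairs, cloud keys, addresses, hostnames, sensitivity markings) from public text, and Stage 2 as scoring each candidate by how directly it references the organisation, so that a leaked credential for someone else's domain is dropped while a cloud key sitting next to your internal hostname is promoted. The organisation profile, the source names and every document, address and credential in it are constructed for illustration; the only real value is AWS's published example access key ID, which is used precisely because it is not a live key.

```python
"""Toy model of cyber situational awareness stages 1 and 2 (added example).

Stage 1, perceive(): harvest every candidate exposure from a public document,
without regard to who it belongs to.
Stage 2, comprehend(): apply an organisation profile to keep only what is about us,
and rank it. All profile data and documents below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed profile for a hypothetical "Example Corp" (assumption, not real data).
ORG_PROFILE = {
    "domains": {"example.com", "corp.example.com"},
    "brands": {"example corp", "examplepay"},
    "internal_hosts": {"vpn.corp.example.com", "gitlab.corp.example.com"},
}

# Organisation-agnostic patterns used by Stage 1.
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
CRED_RE = re.compile(r"([\w.+-]+@(?:[\w-]+\.)+[a-z]{2,})\s*[:|]\s*(\S{6,})", re.I)
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A hostname that is not the domain part of an email address.
HOST_RE = re.compile(r"(?<![\w@.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w@.-])", re.I)
MARKER_RE = re.compile(r"\b(confidential|internal use only)\b", re.I)


@dataclass
class Finding:
    kind: str
    value: str
    source: str
    relevance: int = 0
    reasons: list = field(default_factory=list)


def perceive(source: str, text: str) -> list:
    """Stage 1: extract every candidate exposure; no organisation context yet."""
    found = []
    cred_emails = set()
    for m in CRED_RE.finditer(text):
        # Record the account, never the secret itself.
        cred_emails.add(m.group(1).lower())
        found.append(Finding("credential_pair", m.group(1).lower(), source))
    for m in AWS_KEY_RE.finditer(text):
        found.append(Finding("aws_access_key_id", m.group(0), source))
    for m in EMAIL_RE.finditer(text):
        if m.group(0).lower() not in cred_emails:
            found.append(Finding("email", m.group(0).lower(), source))
    for m in HOST_RE.finditer(text):
        found.append(Finding("hostname", m.group(0).lower(), source))
    for m in MARKER_RE.finditer(text):
        found.append(Finding("sensitivity_marker", m.group(1).lower(), source))
    return found


def _org_domain(name: str, profile: dict) -> bool:
    return any(name == d or name.endswith("." + d) for d in profile["domains"])


def comprehend(source: str, text: str, findings: list, profile: dict) -> list:
    """Stage 2: score findings by how directly they reference the organisation."""
    brand_hits = sorted(b for b in profile["brands"] if b in text.lower())
    # Pass 1: findings that are attributable to us on their own.
    for f in findings:
        domain = f.value.split("@")[-1]
        if f.kind == "credential_pair" and _org_domain(domain, profile):
            f.relevance, f.reasons = 10, ["employee credential pair exposed"]
        elif f.kind == "email" and _org_domain(domain, profile):
            f.relevance, f.reasons = 2, ["employee address listed"]
        elif f.kind == "hostname" and f.value in profile["internal_hosts"]:
            f.relevance, f.reasons = 6, ["internal hostname exposed"]
        elif f.kind == "hostname" and _org_domain(f.value, profile):
            f.relevance, f.reasons = 3, ["organisation domain referenced"]
    attributed = bool(brand_hits) or any(f.relevance for f in findings)
    # Pass 2: keys and markings only matter if the document is about us.
    for f in findings:
        if f.relevance or not attributed:
            continue
        if f.kind == "aws_access_key_id":
            f.relevance, f.reasons = 8, ["cloud key in a document that references us"]
        elif f.kind == "sensitivity_marker":
            f.relevance, f.reasons = 4, ["marked document that references us"]
    if brand_hits:
        findings.append(Finding("brand_mention", ", ".join(brand_hits), source, 1, ["brand named"]))
    return [f for f in findings if f.relevance > 0]


def triage(documents: dict, profile: dict) -> list:
    """Run both stages over a corpus and rank what is left, highest relevance first."""
    relevant = []
    for source, text in documents.items():
        relevant.extend(comprehend(source, text, perceive(source, text), profile))
    return sorted(relevant, key=lambda f: (-f.relevance, f.source, f.kind, f.value))


# Constructed public documents: source label -> text.
SAMPLE_DOCUMENTS = {
    "paste-site/7f3a": "dump from combo list\nalice.smith@example.com:Summer2023!\n"
                       "bob@othercompany.org:hunter22\n",
    "code-share/snippet-91": "# quick deploy script\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                             "git clone https://gitlab.corp.example.com/ops/deploy\n",
    "social/post-204": "First week at Example Corp done. Loving the team!",
    "file-share/q3-roadmap.pdf": "INTERNAL USE ONLY\nQ3 roadmap for ExamplePay. "
                                 "Questions to pm@example.com\n",
    "forum/thread-55": "Anyone else having trouble with mail.othercompany.org today?",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_DOCUMENTS, ORG_PROFILE):
        print(f"{f.relevance:>2}  {f.kind:<18} {f.value:<28} {f.source}  ({'; '.join(f.reasons)})")
```

Run as-is, the credential for alice.smith@example.com ranks first, the cloud key is kept only because it sits beside an internal hostname, and both othercompany.org items disappear: they are real exposures, just not yours, which is exactly the filtering the comprehension stage is meant to do before anyone spends time on takedowns or password resets.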
Cyber situational awareness doesn’t happen overnight, but with the right approach you can see what an attacker sees, think like an attacker thinks, and better protect against cyber-related incidents today and in the future.