How to explain cyber threats to your CEO and others. Learn more about the potential for risk.
What is a cyber threat? To explain what a cyber threat is to your CEO, you have to remember what your CEO cares about most: shareholders, revenue and profit, brand equity, company data – and speak in analogies (every CEO I have met speaks in analogies). It is no accident that we speak of a “Cyber War”: when we face a cyber threat we are involved in a battle that shares many similarities with a war fought between armies. Throughout history battles have varied in scope and complexity, strategy and tactics, but common to all of them is an adversary leveraging infrastructure and capabilities to attack another party. The same holds true for cyber threats: a cyber threat is the capability of an adversary, leveraging infrastructure, to exploit a victim’s vulnerabilities. As with armies in battle, each adversary uses different tactics, techniques and procedures, and logistics, communication and knowledge of the battlefield become key.
You can’t describe a battle without citing the strategy and tactics of the adversaries, the weapons they use, the logistics used for supply, and the communication and control systems that provide knowledge of the battlefield. The same holds true for cyber threats. The only thing that makes them harder to understand is that their effects are often less obvious. However, their uses, intended effects and goals are mostly the same – power, control, exploitation, revenge, and financial gain. Cyber threats often have additional goals such as damaging the reputation of a company or a person, stealing product designs and patents, and influencing political and governmental outcomes and events. Cyber threats can be just as deceptive and toxic for civilians and the organizations they work for. They can cause just as much destruction to infrastructure and economies; they can take control of power grids and industrial control systems, payment systems, civilians’ private data and organizations’ intellectual property.
In most cases, multiple threats are used in conjunction within a specific campaign to exploit a company’s vulnerabilities and access its assets. As an example, malware can be used to steal credit card and personal data, and it can turn the servers it is installed on into participants in distributed denial-of-service (DDoS) attacks or into hosts for a phishing site. And just as one threat can open the door for another, the same cyber threat can be used in multiple campaigns, as in the domain spoofing of the World Anti-Doping Agency (WADA), the spearphishing emails that targeted the journalism site Bellingcat, and the breaches of the Democratic National Committee, to name a few.
Like attacks in battle, cyber threats move quickly, happen simultaneously and take many forms – malware, phishing, authentication attacks, application attacks, ransomware. Breaches occur not because a defensive solution is ineffective, but because adversaries find ways to penetrate networks between the very tools, processes, and teams put in place to keep them out. The Verizon DBIR points out, “Playing a part on the blue team in information security can, to a very small degree, be compared to the lot of a hapless soldier. The soldier is told to guard a certain hill and to keep it at all costs. However, he is not told who his enemy may be, what they look like, where they are coming from, or when (or how) they are likely to strike.”
The external threat landscape is diverse. There are 160 potential threat categories that organizations must deal with each day. As shown in the DBIR, they vary in scope, capability, tactic, technique, and procedure. According to the Department of Defense-derived Diamond Model for Intrusion Analysis, every threat consists of an adversary leveraging a capability and infrastructure to target a victim. By introducing categorization, classification, and taxonomies to the vast array of threats, you can map your assets to them, assess risk and vulnerability, and prioritize actions. A cybersecurity platform provides visibility across your high volume of security data, helps determine the relevance and reliability of that data, and establishes clear processes for detecting, triaging, and remediating what it reveals. With a threat management system of record, you can quickly, accurately, and measurably identify, prioritize, and respond to threats.
Over the last decade the detection deficit has continued to rise – meaning the gap is widening between the time it takes adversaries to compromise networks and the time it takes those organizations to discover the attack. The logical question your CEO will ask is, “Why are my current security tools not helping? And what actions can we take to minimize this gap?” As you can imagine, there is no single answer to that question. I would argue that fragmentation of information and resources plays a major role in widening the detection and decision gap. An army that lacks good battlefield intelligence and deploys its troops and weapons in a fragmented, uncoordinated way will struggle to succeed. A 2015 survey by Dark Reading and InformationWeek found that the biggest challenge faced by security teams was not preventing data breaches, but managing the complexity of security itself.
In battle, the best way to build a cohesive strategy is to identify and implement a process, choose the best intelligence sources, connect intelligence to vulnerabilities, controls and risk, organize that knowledge, improve its visibility and distribute it across systems. Just as armies strengthen the efficiency and skills of their troops with continual training and after-action reviews, successful organizations do the same from a cybersecurity perspective – whether by implementing and promoting best practices for employees or by sending cyber teams to professional development programs like those at the SANS Institute. When your CEO asks how to defend against cyber threats, your answer should be: with coordination and synergy, as in successful battles, across teams, the processes they follow, and the systems they use.