Anything is hackable. It’s an understated rule in security for a reason: not every threat actor intends to breach your business. For example, treating each security alert like a bear attack flare instead of a visitor stepping off the path at Yellowstone diminishes the importance of urgent threats and inflates that of harmless ones.
Anticipating cyber criminal intent often catches details other approaches miss. If the visitor steps off the path for a closer look at the acid pools, park rangers should be nervous. Intent identifies why a threat actor hacks (and why not all visitors return from Yellowstone). If a business assumes every person entering and exiting a physical or web domain is a threat, smaller indicators are buried in favor of a resource-heavy approach.
Cyber technologists use many equations to quantify threat. The Department of Homeland Security’s is probably the most well-known: Intent x Capability = Threat. Most organized threat actor groups are capable of breaching any security platform, similar to a skilled pen tester. The real question surrounds whether a hacker or hacking group intends to breach an organization.
Quantify risk to your business
Analyzing threats is both an art and a science in cybersecurity. If the latest headlining hacking group doesn’t have observed intent to breach your organization, they likely won’t. Instead, assess threats by analyzing why and how someone could hack your organization. A large insurance company with top-down cybersecurity measures in place might draw fewer successful hackers. Even though the asset creates a strong incentive, the effort needed to breach strong boundaries acts as deterrence.
Start by detailing your organization’s security profile. Which hackers or threat actors consistently target your industry? What software or technology platforms do you use? How old is your software? How large is your company? Do you secure sensitive data through on-premises servers or cloud security?
Consider threat actor intent
Protecting valuables no one wants to steal wastes resources instead of conserving them. Don’t just identify assets. Instead, ask questions highlighting your business’s spot on the threat chain. Mid-sized manufacturing companies with legacy servers and outdated infrastructure typically draw hackers because the asset is high gain, and the outdated security makes a breach low risk.
What type of attacker would target your organization? Consider data behind recent industry attacks, especially of other organizations your size. Who instigated the attacks? What methods did the threat actors pursue? How did authorities resolve the incident?
Gathering external and internal data directly informs cybersecurity-related business decisions. Most upper-level IT and C-suite leaders reach the point of budget investment by trusting the analysis supporting a request. Weed through cyber news, reporting relevant concerns, not just hot-button ones, to your executives. For example, the Log4j vulnerability still affects companies across the world, but if your organization does not use Java and never has, that headline shouldn’t influence budget decisions or cyber strategy.
Motivation to breach
SIEM (Security Information and Event Management) software flags unwanted boundary testing before a hacker bypasses security measures. If your IT staff has the capability, create automation and data storage workflows so alert patterns are flagged and recorded. If you do not have the internal bandwidth, consider contracting outside help before investing in more security software. Asking for an outside expert opinion could save your organization time and money.
Use data gathered from your organization’s or a Managed Services Security Partner’s SOC (security operations center) to inform threat actor intent. A larger organization’s trends are harder to follow, but in the long term, a team of analysts will provide the intelligence analysis a software plug-in does not.
Business analysis + technology expertise
Analyzing the organization’s size and industry provides the context needed to quantify risk. Ascent’s MITRE ATT&CK MasterClass provides real-time threat analysis of your business and industry. Our experts suggest steps to improve your security posture. Without business analysis boundaries, IT spending can be a black hole. Instead of spending money and resources protecting the wrong asset, pause to consider threat intent. Reach out to MITRE@meetascent.com to learn more.