IT leadership and security folk alike struggle with accurately quantifying and acting on the IT risk to their organizations. A poll by the FAIR Institute, an organization dedicated to improving risk measurement, found that risk practices in IT security are “immature.”1 The F5 and Ponemon report, The Evolving Role of CISOs and their Importance to the Business, includes an example of this. Respondents were asked to rank the “top threats to their security ecosystem” and the results were:
- Advanced persistent threats (APTs)
- Distributed denial-of-service (DDoS)
- Data exfiltration and insecure applications (including SQL injection)—tied for third place
- Credential takeover
The number one threat (ranked 8.8 out of 10) was advanced persistent threats, followed by DDoS attacks (ranked 8.3 out of 10). Yet, let’s compare these reported top risks with reality. A simple perusal of today’s headlines shows that most breaches come from unpatched vulnerabilities in web applications and successful phishing campaigns. F5 Labs’ own research, Lessons Learned from a Decade of Data Breaches, uncovered that:
- Applications were the initial targets in 53% of breaches
- Identities were the initial targets in 33% of breaches
Our research also found that breaches that initially targeted a web application resulted in 47% of the total breach costs, but they only represented 22% of the total breached records. These attacks against applications and identities are the most impactful for an organization, yet they were ranked third- and fourth-level threats in the CISO survey.
So, where are the APTs in this? Paul Graham once remarked, “Specialists can tell you what to worry about. True experts can tell you what not to worry about.”2 As a security specialist, I’m telling you not to worry about APTs until the more likely and impactful risks are solved first. Perhaps APTs are behind some of these large breaches, but the attack techniques they’re using aren’t very advanced or persistent. Phishing and unpatched application vulnerabilities are known, manageable risks, but they have to be prioritized and worked on.
Unfortunately, some security leaders react to the headline “threat of the day” or build defenses based on auditor compliance findings. Not only is such a reactive security strategy (if it can even be called a strategy) a waste of resources, but it can miss the large, looming threats that cause serious problems.
So, how does a CISO build a master plan tied to the concrete risks of their organization? First, let’s be clear on our terminology: risk is made up of two primary variables: the likelihood of something bad happening and the size of the impact if that something bad occurs. Both factors are important. Something that’s likely to happen, such as a website suffering an hour-long DDoS attack, may be a low risk if the impact is minor, because it’s a brochure website and can be offline for a few hours. The same goes for something highly impactful, like an APT attack, if it has a low probability of occurrence because your organization is a medium-sized online merchant not worth an APT’s efforts. The risks you should focus on first with your large security projects are the ones that are both “high impact” and “likely to happen.”
When measuring these two factors of risk, look at the nature of the threat for clues. What are the attackers after (to help determine effects and impacts), and what are the threat’s capabilities (to determine the likelihood of it breaching your controls)? In general, there are two major categories of adversarial threats: the opportunistic attackers looking for quick wins, and the targeted attackers, also known as APTs, who have singled you out for trouble. The most common are the opportunistic attackers, who flood the Internet with malware, scans, and phishing emails. This is the base level that you need to defend against before moving on to the rarer, targeted attackers. As we already pointed out, the defenses you need to build should focus on the attackers’ most likely initial vectors of compromise: applications and identities. The impact of those attacks can be determined by reviewing your assets and looking for the impacts that can truly hurt your organization.
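To make the likelihood-times-impact reasoning above concrete, here is a small added example (not from the original article or from F5 Labs) that scores the four survey threats for a hypothetical medium-sized online merchant. Likelihood is expressed as an expected number of events per year and impact as an expected loss per event, so their product is an expected annual loss; every figure in the table, the threshold values, and the `Threat`, `rank_by_risk`, `focus_first` and `survey_vs_risk` names are constructed assumptions for illustration, not measured data.

```python
"""Added example, not part of the original article: ranking threats by the two
risk variables it names, likelihood and impact, for a hypothetical medium-sized
online merchant. All numbers below are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    events_per_year: float   # likelihood, as an expected annual frequency (assumed)
    loss_per_event: float    # impact, as expected loss in dollars per event (assumed)
    survey_rank: int         # where the CISO survey placed it (1 = top threat)

    @property
    def expected_annual_loss(self) -> float:
        # Risk as the product of the two variables: how often x how much.
        return self.events_per_year * self.loss_per_event


# Constructed estimates for the hypothetical merchant: a brochure site that can
# tolerate downtime, a storefront that cannot tolerate a data breach, and staff
# who receive phishing like everyone else. None of these are real measurements.
THREATS = [
    Threat("Advanced persistent threat", 0.02, 5_000_000, 1),
    Threat("DDoS on brochure site", 12.0, 2_000, 2),
    Threat("Unpatched web app vulnerability", 0.5, 1_500_000, 3),
    Threat("Phishing / credential takeover", 2.0, 300_000, 4),
]


def rank_by_risk(threats):
    """Order threats by expected annual loss, highest first."""
    return sorted(threats, key=lambda t: t.expected_annual_loss, reverse=True)


def focus_first(threats, min_events_per_year, min_loss_per_event):
    """Threats that are both likely AND high-impact: the article's 'fund these
    first' quadrant. Thresholds are the organization's own risk appetite."""
    return [
        t for t in threats
        if t.events_per_year >= min_events_per_year
        and t.loss_per_event >= min_loss_per_event
    ]


def survey_vs_risk(threats):
    """Pair each threat's survey rank with its rank by expected annual loss,
    so the gap between perceived and computed risk is visible."""
    ranked = rank_by_risk(threats)
    return {t.name: (t.survey_rank, position + 1) for position, t in enumerate(ranked)}


if __name__ == "__main__":
    for t in rank_by_risk(THREATS):
        print(f"{t.name:32} ${t.expected_annual_loss:>12,.0f}/yr  "
              f"(survey rank {t.survey_rank})")
    print("Focus first:", [t.name for t in focus_first(THREATS, 0.5, 250_000)])
```

Under these assumed figures the order inverts: the unpatched web application and phishing come out on top, the APT drops to third because it is rare, and the DDoS drops to last because the brochure site going offline costs little. The two-threshold `focus_first` filter matters as much as the ranking; a rare catastrophe and a constant nuisance can carry similar expected losses, but only a threat that is both likely and damaging belongs in the first tranche of large projects.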
The next step in a risk-based approach is to go beyond basic attack prevention and consider what happens when a threat has caught you off guard and breached your defenses. This is called Assume Breach3 and it’s a safe bet to plan for it. This requires having controls and defenses for detecting and containing breaches and attacks in progress. Again, we can tie this back to major risks. We know that identities are a primary target, so an assume breach control regarding this would be to segregate duties and use least privilege in assigning rights. How bad would things get if a system administrator has their account stolen? Limit their access to the minimum necessary for their job function and monitor the heck out of their activity. We also know applications are commonly targeted, so if attackers go in, what could they get? Identify your important data and encrypt it, both in transit and in storage.
Finally, you need to make sure you’ve looked at the right risks and that your leadership understands what you’re doing and why. This means communicating laterally (to the other business units) as well as upstream (to executives). Because of the nature of technology, business, and attacker techniques, risks shift over time. It’s important to monitor things to make sure your defenses remain relevant to the risks at hand. This is where ongoing threat intelligence can help fill in those blanks and keep you up to date.