
Relationships in the Cyber Era
The advanced persistent threat (APT) era is here. Attacks are becoming more common and the damage they cause is increasing in severity. As CISOs, we must prepare for the APT era. We must commit to changing our attitude rather than simply adopting more advanced technological tools.
Current awareness efforts are not sufficient for this era. In this article I will share my experience in improving the ability to contain an APT from a tactical strategic relationship (TSR) perspective.
Lateral movement has become an art form for attackers. They work from a disciplined playbook, and every action is carefully calculated to stay under the radar. Obfuscation tooling and the prompt deletion of the traces of each operation make the activity very difficult for security systems to detect.
One of the goals of lateral movement is to gain control of privileged accounts, but attackers are human and sometimes make mistakes. A random, irregular action can raise a general (but, on its own, insufficient) suspicion that links an observed anomaly to a hostile cyberattack.
Unfortunately, the awareness plans currently applied by an enterprise with a global presence and thousands of employees are ineffective in the event of such an attack. Professional, ongoing relationships with strategic partners inside and outside your organization should be created in order to link abnormal activity to an APT attack and contain the cyber event quickly.
Despite my extensive experience, I am not a great relationship expert and will probably still be learning for the rest of my life. But I do know that there are a number of basic elements in any relationship that are mandatory for success.
Choosing a Partner
I give first priority to choosing the partner to build a relationship with. Time is precious; we cannot build many relationships, and certainly not in an enterprise that has tens of thousands of employees, hundreds of departments, and sites in numerous places around the globe.
We need to carefully select the relationships we want. I would choose them based on their criticality to the organization and their proximity to the areas we know are most vulnerable to attack. Sometimes these partners sit outside the organization.
Major consideration, for example, goes to the vendors we will need to drop into the battle zone. Incident response (IR) teams and threat hunting teams rely on these deep, professional relationships; without them, they suffer a long ramp-up period during which they are ineffective.
Investment
When we want a relationship to succeed, we must invest in it. If we decide to invest, we will of course need the appropriate resources. First, open a dialogue with the department's management. Make an effort to understand their business and build relationships with key employees.
Participate in and create joint meetings to ensure a continuous, mutual understanding of the common goal: protecting the organization. Stress the importance of paying attention to things that seem unusual. Become an advisor who helps them reduce the number of false positives they report, so that what does reach you is worth investigating. And keep at it. Without regular cultivation, assume that even a strong, well-built relationship will fail to identify and contain an APT event.
Routine
Routine is the enemy of every relationship. Falling into a routine creates a kind of numbness that breeds apathy and poor preparedness. To counter this, keep relationships fresh. Cyberattacks are reported almost every day and are a source of genuine interest to people.
We as CISOs can educate employees and give them the tools to avoid falling victim to a cyberattack at home or in the office. Schedule "Lunch and Learn" sessions. Invite your vendors to present. These activities create mutual added value and help you reach your ultimate goal: maintaining a workplace that provides security for the organization, its employees, and their families.
An APT attack produces very few indications that you are under attack. When you do discover it, you need to react fast and smart. By maintaining a tactical strategic relationship with key players, you can alert and mobilize them quickly.
And when you drop a professional IR vendor into the battle zone, they become effective in a shorter period of time. The end result is containment, and it is attributable to the TSRs you have built and maintained.
Today, more than ever, the CISO's role is complex; we are required to build an organization that is resilient and recovers quickly in the event of a cyberattack. A cyberattack's impact is significant in terms of both money and time. If we look around, we will see that organizations today lose tens of millions of dollars and more to these events.
Recovery times are prolonged, which drives costs up further. Sustained investment in tactical strategic relationships with specific IT and business teams and with vendors will therefore help us act faster and contain the damage from these next-generation attacks.
Frequently Asked Questions
What is Cybersecurity Risk Management?
Cybersecurity Risk Management is a strategic approach used by organizations to identify, assess, and prioritize potential threats to their digital assets, such as hardware, systems, customer data, and intellectual property. It involves conducting a risk assessment to identify the most significant threats and creating a plan to address them, which may include preventive measures such as firewalls and antivirus software. The process also requires regular monitoring and updating to account for new threats and organizational changes. The ultimate goal of Cybersecurity Risk Management is to safeguard the organization's information assets, reputation, and legal standing, making it a crucial component of any organization's overall risk management strategy.
What are the key components of a Cybersecurity Risk Management program?
The key components of a Cybersecurity Risk Management program are risk identification, risk assessment, risk mitigation, and continuous monitoring. It also involves developing a cybersecurity policy, implementing security controls, and conducting regular audits and reviews.
How can organizations mitigate cybersecurity risks?
Organizations can mitigate cybersecurity risks through several strategies. These include implementing strong access control measures such as robust passwords and multi-factor authentication, regularly updating and patching systems to fix known vulnerabilities, and training employees to recognize potential threats. Security software, such as antivirus and anti-malware programs, can help detect and remove threats, while regular, tested data backups can limit the damage from data breaches or ransomware attacks. An incident response plan can minimize damage during a cybersecurity incident, and regular risk assessments can identify and address potential vulnerabilities. Lastly, compliance with industry standards and regulations, such as the Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) standards, can further help organizations mitigate cybersecurity risks.
What is the role of a risk assessment?
A risk assessment is a crucial part of Cybersecurity Risk Management. It involves identifying potential threats and vulnerabilities, assessing the potential impact and likelihood of each risk, and prioritizing them based on their severity. This helps in developing effective strategies to mitigate these risks.
Why is continuous monitoring important?
Continuous monitoring is a vital component of Cybersecurity Risk Management, providing ongoing observation and analysis of system components to detect security anomalies. This enables prompt threat detection and response, helping to prevent or minimize damage. It also supports compliance with cybersecurity standards and regulations, allowing organizations to quickly address any areas of non-compliance. By tracking system behaviour, continuous monitoring aids in identifying potential vulnerabilities, while the data gathered informs decisions about resource allocation, risk management strategies, and security controls.