Five Best Practices to Eliminate Imminent Threats

Apr 10, 2022

Cybersecurity requires an interdisciplinary focus that combines security skills with operational efficiency. With limited resources, security teams are tasked with identifying and, more importantly, prioritizing ever-changing risks. This means that security stacks must always be assessed in terms of imminent risks and of the adversary's potential impact on the organization's operational fitness. An organization typically deploys a list of tools to respond to adversaries as they surface. With this approach, SecOps teams are on the receiving end of a steady stream of alerts without an addressable security context. As a consequence, SecOps teams lose effective visibility, become less robust, and lose the capability to defend against adversaries.

Today's organizations are faced with increasingly sophisticated adversary actions. In particular, we have observed over the past year that unidentified damage occurs literally every minute that threat actors are able to breach systems and operate within your business assets. The ultimate goal remains to stop adversaries while they are still within the field of view of the security stack; detection and response tools have some strength against cyber threats, but most of them are tuned for general-purpose use and are not configured to handle multi-staged, sophisticated attacks.

This practice in the current security posture has led organizations in the wrong direction, investing in underutilized and complex solutions and ending up with mismatched structures and minimal progress. In this article, we define some best practices on how SecOps teams can gain insight into the actions within their existing processes, to identify and mitigate real imminent threats before they turn into breaches.

Defining Imminent Threats

Imminent threats are cyberattacks that have a high likelihood of occurring, that carry high risk, and that are urgent because they are either based on a short attack cycle (for example, ransomware) or because they are advancing toward completion of the kill chain. These types of threats move quickly and require an immediate response. Common threats may represent a risk but are not resident in your environment yet, so SecOps has time to mitigate them. It is crucial to be able to differentiate between common threats and imminent threats and to prioritize them differently.

While the threat landscape inevitably evolves, organizations must confidently be able to answer these three key questions to prioritize imminent risks:

  • Where is the business exposed?

  • Where should we prioritize based on the likelihood of exploitation?

  • What is the impact on the business if a vulnerability is exploited?

An increasing number of SecOps teams proactively hunt for adversaries, predefining imminent risks to develop hypotheses that model the behavior of threat actors within an infrastructure. Best practices such as threat-centric approaches help you cut through the immense volume of imminent risks, giving you the precise, attacker-like focus you need to prioritize imminent threats and act swiftly and effectively. Add the actionable intelligence that a threat-centric context delivers, and you can mitigate those risks. Threat-centric products support risk-based assessments to address imminent threats with actionable mitigation guidance.

Organizations are faced with subversive, dynamic, and aggressive challenges day in and day out. Threat-centric tools address this complexity by helping SecOps teams improve their security posture through quick identification of gaps and by providing quantifiable metrics related to high-profile imminent threats.

Understanding your risks is the key factor. But what is the best strategy and where do you go from there? Here are some key points:

How to Determine Imminent Threats

In April 2019, the new malicious kid on the block was Sodinokibi, also called REvil, a severe threat that hit many victims worldwide. Around this same time, the GandCrab team declared they would shut down their campaigns. Coincidence? No! They never stop…

As the Sodinokibi example shows, the ultimate goal remains to adapt and mitigate successfully against attacks. Before they are targeted, businesses must plan for the reality that these imminent risks will find their way into critical assets and fulfill their objectives.

Most security solutions have been built to help SecOps teams find threats and avoid risks. Most of them have been tuned for a single purpose, and none of them are particularly well-suited to handling full kill-chain analysis on their own.

By assessing these threats against your controls, you'll have the capability to confidently evaluate the effectiveness of your security posture. You'll also close exposure gaps with finesse by having the right context to mitigate true imminent risks. The following section outlines the top five suggestions:

1- Assess the likelihood that a specific threat will occur

  • Identify the adversarial TTPs posing the most considerable risk to the organization

  • Map the identified TTPs against a common framework, such as MITRE ATT&CK or the Cyber Kill Chain, to identify the attack phase and urgency

  • Simulate threats to determine the likelihood that they can occur

  • Provide security effectiveness metrics for particular threat types

2- Anticipate attacks before they happen

  • Identify which threats are likely to target your organization, industry, or region

  • Simulate current and imminent threats to determine exposure and technological risks

  • Prioritize mitigation and remediation actions based on the exposure and risk of the threats

3- Cyber resilience: Adaptive security infrastructure to neutralize the cyber threat

As business shifts and becomes increasingly connected, it is no longer possible for infrastructure to remain agnostic to ever-changing cyber threats. Therefore, we need:

  • A continuous process of assessment, threat analysis, and mitigation based on up-to-date data

  • A feedback loop that constantly enables fine-tuning and adjustment of security controls

  • Validated security controls to ensure resilience

4- Security programs should distinguish between imminent and common threats

  • Some threats are more urgent than others and gradual risk reduction is only possible with air cover

  • So we need to eliminate imminent threats first

5- Cybersecurity by prioritizing interconnected risks

  • Risks are cascading, and the threat landscape crafted by adversaries is expanding and becoming increasingly interconnected.

  • Emerging vulnerabilities are weaponized as attack vectors in many adversarial campaigns.

  • Strategic prioritization and smart mitigation can break the kill chain, even if we can’t remediate every issue.
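The definition in "Defining Imminent Threats" and practices 1, 2 and 4 above describe a triage decision: combine likelihood and business impact with urgency (a short attack cycle, or how far along the kill chain the activity already is) and handle imminent threats before common ones. The following Python is an added illustration of that decision, not code from Arcane or from any product; the thresholds, the scoring formula, the `Threat` fields and the sample threat records are constructed assumptions, and the tactic list used to measure kill-chain progress follows the MITRE ATT&CK Enterprise tactic order.

```python
"""Triage threats into "imminent" vs "common" and rank them for response.

Added illustration: thresholds, scoring and the sample records below are
constructed assumptions, not taken from any product or real dataset.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# MITRE ATT&CK Enterprise tactics in kill-chain order. The position of the
# furthest tactic observed is used as a proxy for kill-chain progress.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]

# Assumed thresholds; tune them to the organization's risk appetite.
LIKELIHOOD_HIGH = 0.5
IMPACT_HIGH = 0.5
PROGRESS_ADVANCED = 0.5   # fraction of the kill chain already completed


@dataclass
class Threat:
    name: str
    likelihood: float                      # 0..1, from simulation or intel
    impact: float                          # 0..1, business impact if it succeeds
    short_cycle: bool                      # e.g. ransomware: little time to react
    furthest_tactic: Optional[str] = None  # furthest tactic seen in our environment


def kill_chain_progress(t: Threat) -> float:
    """0.0 when nothing has been observed; approaches 1.0 as 'impact' nears."""
    if t.furthest_tactic is None:
        return 0.0
    return (TACTIC_ORDER.index(t.furthest_tactic) + 1) / len(TACTIC_ORDER)


def is_urgent(t: Threat) -> bool:
    """Urgent if the attack cycle is short or the chain is already well advanced."""
    return t.short_cycle or kill_chain_progress(t) >= PROGRESS_ADVANCED


def classify(t: Threat) -> str:
    """'imminent' = high likelihood AND high impact AND urgent; else 'common'."""
    if t.likelihood >= LIKELIHOOD_HIGH and t.impact >= IMPACT_HIGH and is_urgent(t):
        return "imminent"
    return "common"


def risk_score(t: Threat) -> float:
    """Likelihood x impact, scaled up by urgency so fast-moving items rank first."""
    urgency = 1.0 + kill_chain_progress(t) + (0.5 if t.short_cycle else 0.0)
    return round(t.likelihood * t.impact * urgency, 3)


def prioritize(threats: List[Threat]) -> List[Tuple[str, str, float]]:
    """Return (name, class, score) with imminent threats first, then by score."""
    ranked = sorted(threats, key=lambda t: (classify(t) != "imminent", -risk_score(t)))
    return [(t.name, classify(t), risk_score(t)) for t in ranked]


# Constructed sample records (not real observations).
SAMPLE_THREATS = [
    Threat("ransomware affiliate campaign", 0.7, 0.9, True, "initial-access"),
    Threat("credential-stuffing followed by lateral movement", 0.8, 0.6, False, "lateral-movement"),
    Threat("unpatched internal web application", 0.4, 0.7, False, None),
    Threat("phishing lure against a low-value mailbox", 0.6, 0.3, False, "execution"),
]

if __name__ == "__main__":
    for name, cls, score in prioritize(SAMPLE_THREATS):
        print(f"{cls:9s} {score:5.3f}  {name}")
```

With the sample records, the two imminent items (the short-cycle ransomware campaign and the intrusion that has already reached lateral movement) rank above the two common ones, even though the unpatched application has a higher impact value than the phishing lure; urgency, not impact alone, is what separates the classes.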

Summary

The fact remains that we see complex business and technological risks alongside a sophisticated cyber-threat landscape. All of this increases the difficulty of defensive operations and leads to poor security judgment by reducing visibility into the security posture. This article has argued that imminent threats must be identified and prioritized in order to control ever-changing risks.

Disclaimer

The information provided in the Arcane Security Advisory is provided "as is" without warranty of any kind. Arcane disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Arcane or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if Arcane or its suppliers have been advised of the possibility of such damages.

Tags: #risk #management #strategy
