Which cyber actors are targeting you?

While there is quite the buzz around needing more cyber security in virtually every part of the business sector, one of the rarely asked questions is who, or what, that security is meant to keep out.

The easy, and unhelpful, answer is all unwanted actors. But different attackers have different motives, and stopping the damage each can cause requires different security.

EY's Managed SOC report includes the following infographic, which I'm going to break down slightly differently:

LOW: Lone, casual, opportunistic attackers, motivated by curiosity, mischief or malice, who perform website defacement or opportunistic hacking.

LOW-MEDIUM: Anonymous, ideological "hacktivism," aimed at disruption, humiliation or political goals, carried out through denial of service, social media intrusion and/or data breaches.

MEDIUM: Organized criminals seeking financial gain via online fraud and extortion, using mainstream malware, Trojans and ransomware.

MEDIUM-HIGH: Advanced persistent threats that steal intellectual property and/or pursue financial gain through corporate espionage, using targeted malware.

HIGH: Nation-state-sponsored cyber attacks aimed at large-scale intellectual property theft and/or critical infrastructure disruption, for the purposes of diplomatic espionage and/or cyber sabotage.

Referring back to a previous article I wrote on how much improvement an organization requires, I'm going to discuss what sort of defenses to bring to bear against each of these attackers.

For the low and low-medium threats, an organization needs a correspondingly basic or middling level of cyber security to be hardened enough to keep undesirables out. Opportunists can largely be kept out by running a penetration test and/or a continuous vulnerability scanner and patching known CVEs in the IT infrastructure, by maintaining a simple perimeter defense, and by aggregating logs with a limited set of rules built around common indicators of compromise.
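To make "log aggregation with limited rules built around common indicators of compromise" concrete, here is a small added example of what such a first-tier rule set looks like. This is illustrative code written for this article, not something from the EY report or from any SOC product; the three log formats (Apache combined, OpenSSH, and a hypothetical EDR file-write record), the sample log lines and the indicator lists are all constructed, using RFC 5737 documentation addresses and placeholder hashes rather than real indicators.

```python
"""Minimal IoC-driven rule matching over aggregated log lines (added example)."""
import re
from collections import Counter

# Constructed indicator lists. These are documentation addresses and placeholder
# values for the example, not real indicators of compromise.
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.7"}
SCANNER_USER_AGENTS = {"sqlmap", "nikto"}
KNOWN_BAD_MD5 = {"deadbeefdeadbeefdeadbeefdeadbeef"}
FAILED_LOGIN_THRESHOLD = 5  # alert when one source IP fails this many SSH logins

# Parsers for the three constructed log formats. Each yields a flat event dict
# so that one rule engine can work across sources.
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'
)
EDR_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=file_write path=(?P<path>\S+) '
    r'md5=(?P<md5>[0-9a-f]{32})$'
)
PARSERS = {"web": WEB_RE, "auth": AUTH_RE, "edr": EDR_RE}


def parse_line(source, line):
    """Normalise one raw line from a named source into an event dict, or None."""
    m = PARSERS[source].match(line)
    if not m:
        return None  # a real pipeline would count unparsed lines instead of dropping them
    event = m.groupdict()
    event["source"] = source
    return event


def aggregate(logs):
    """logs maps source name -> list of raw lines; returns the merged event list."""
    events = []
    for source, lines in logs.items():
        for line in lines:
            event = parse_line(source, line)
            if event:
                events.append(event)
    return events


def run_rules(events):
    """Apply a handful of IoC-driven rules and return a list of alert dicts."""
    alerts = []
    failed_logins_by_ip = Counter()
    for ev in events:
        ip = ev.get("ip")
        if ip in KNOWN_BAD_IPS:
            alerts.append({"rule": "known_bad_ip", "ip": ip, "source": ev["source"]})
        ua = ev.get("ua", "").lower()
        if any(tag in ua for tag in SCANNER_USER_AGENTS):
            alerts.append({"rule": "scanner_user_agent", "ip": ip, "ua": ev["ua"]})
        if ev.get("md5") in KNOWN_BAD_MD5:
            alerts.append({"rule": "known_bad_hash", "host": ev["host"], "path": ev["path"]})
        if ev["source"] == "auth":
            failed_logins_by_ip[ip] += 1
    # Threshold rule: repeated SSH failures from one address, regardless of IoC lists.
    for ip, count in failed_logins_by_ip.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"rule": "ssh_bruteforce", "ip": ip, "count": count})
    return alerts


# Constructed sample input: three web hits, six SSH failures, one EDR file write.
SAMPLE_LOGS = {
    "web": [
        '203.0.113.45 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /login?id=1%27 HTTP/1.1" 500 512 "-" "sqlmap/1.7"',
        '192.0.2.11 - - [10/Oct/2023:13:57:12 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    ],
    "auth": [
        f"Oct 10 14:0{i}:00 web01 sshd[1234]: Failed password for invalid user admin "
        f"from 192.0.2.99 port 5{i}000 ssh2"
        for i in range(6)
    ],
    "edr": [
        "2023-10-10T14:10:00Z host=ws-17 event=file_write path=C:\\Users\\Public\\update.exe "
        "md5=deadbeefdeadbeefdeadbeefdeadbeef",
    ],
}


if __name__ == "__main__":
    for alert in run_rules(aggregate(SAMPLE_LOGS)):
        print(alert)
```

Running it prints four alerts: one known-bad IP from the web log, one scanner user agent, one brute-force threshold hit from the SSH failures, and one known-bad hash from the EDR record. The point for this tier is that the rules are cheap, list-driven and easy to reason about; they catch opportunists reusing commodity tools, and they are exactly what a targeted adversary at the higher tiers will take care not to trip.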

To prevent intrusions by medium-risk threats, an organization needs a hardened SOC. Dedicated personnel and a thoroughly defended attack surface are required to have a fighting chance against organized criminal elements using tools available for purchase on the dark web.

To counteract medium-high and high threats, an organization is going to need a mature SOC. Nation-states such as Russia use psychological profiles when targeting individuals with social engineering. Combine that with malware designed specifically to exploit known weaknesses in a particular organization, plus a cache of zero-day exploits held by the FSB, and virtually no SOC is safe. Protecting 100% of the threat surface, 100% of the time, requires constant vigilance (24/7/365), threat hunting and regular penetration testing.

One question that needs to be asked is: how big a target is your organization? A small to medium-sized business isn't likely to face off against wizard-class hackers or nation-state actors. Conversely, best-of-breed organizations that are leaders in their field should consider themselves very appealing targets for organized criminals. Power grids and electronic voting machines should be considered prime real estate for nation-state actors, and there are whispers that the Equifax hack was performed by an as-yet unnamed nation-state. The vulnerability that led to the Equifax intrusion was targeted within 24 hours of the CVE's publication.
