In the second quarter of the 21st century we all find ourselves relentlessly facing cyber risks and an ever-changing threat landscape. With that said, while the Threat Actor (TA) tirelessly endeavours to be novel and innovative, little surprises us in the day-to-day business of cyber security. Indeed, we at Goaco take a leaf out of the “Big Book of Bomb Disposal Wisdom” and borrow a pithy idiom often spoken by old[1] bomb disposal experts, which tells us to stay “Left of Boom”. The phrase alludes to the timeline of an explosion, or in our world a cyber incident: everything to the left of the boom is preparation, everything to the right is clean-up. What it teaches us is that it is better to expect an incident and prepare for it than to find ourselves picking up the broken pieces of a business after something goes “boom”.
But how do we stay “Left of boom”?
Managing the Risks. Back to basics: Risk is the product of Likelihood and Impact[2]. We at Goaco don’t lose sight of this fundamental when continuously managing both our own risks and our Clients’ project and operational risks. To provide clarity, consistency and compatibility with our Clients, we adopt the widely recognised guidance[3] from NIST (the US National Institute of Standards and Technology).
We start from the fundamentals of risk assessment in NIST SP 800-30[4] and of managing risk at the organisation, mission and system levels in NIST SP 800-39[5], and work through to the Risk Management Framework (RMF) in NIST SP 800-37[6], which lets us manage risk within a compliance-based environment (such as UK Government and Defence). Granted, at times we must adapt to local standards, such as the MOD’s JSP 892 [Risk Management]. However, we always begin from an understanding of the principles and adopt industry standards, so that we reduce the need to re-engineer our approach when dealing with other Clients or third parties.
Managing the Threats. Some more basics: Threat is the product of Capability and Intent[7]. If threats go unidentified or are wrongly assessed, then the measures put in place to prevent a risk being realised are likely to be little more than a digital Maginot Line: a “well-worn metaphoric shorthand for any defensive measure firmly believed to provide excellent protection, but that is in fact quite useless. Actually, worse than useless – because building a Maginot Line creates the complacency of a false sense of security”[8].
Presume Compromised. How do we avoid such complacency? One approach is to prioritise the detection of breaches and to respond appropriately, on the assumption that bad things are already happening (the “assume breach” mindset). This is where Threat Intelligence (TI) plays its part: effectively and efficiently detecting suspicious behaviour within an environment is of paramount importance.
The good news is that the strategies, techniques and tools of intelligence analysis have been widely adopted outside the defence and intelligence communities. By combining intelligence findings, such as Open-Source Intelligence (OSINT), with what our own sensors see, we can detect and rapidly respond (for example by containment) to suspicious events ‘within the wire’ and stop the TA from achieving their ‘actions on objectives’. Thankfully, the availability of OSINT as well as commercial TI is better now than it has ever been[9]. Collaboration in this area makes us strong, and sharing TI is good for all of us. Indeed, our friends at the UK NCSC can help here with their “Early Warning” service[10].
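As an added illustration of what “detecting within the wire” with TI looks like in practice (example code written for this page, not Goaco’s own tooling), the block below matches a small indicator feed against log lines and turns hits into containment actions. Every indicator, host name, log line and playbook mapping is constructed and hypothetical; the addresses come from the RFC 5737 documentation ranges and the domains from the reserved .example TLD. Two points a practitioner will want are built in: low-confidence indicators and internal addresses that leak into a feed are dropped before matching (otherwise they fire on ordinary in-house traffic), and a domain indicator matches its subdomains but a bare TLD never matches anything.

```python
"""Added example (not Goaco's code): match a constructed TI feed against
constructed log lines and turn hits into containment actions. All values
are hypothetical (RFC 5737 addresses, .example domains, made-up hash)."""
from dataclasses import dataclass
import hashlib
import ipaddress

SAMPLE_HASH = hashlib.sha256(b"constructed dropper sample").hexdigest()

# Constructed indicator feed, shaped like a minimal OSINT/commercial TI export.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90, "stage": "c2"},
    {"type": "domain", "value": "update-cdn.example", "confidence": 75, "stage": "delivery"},
    {"type": "sha256", "value": SAMPLE_HASH, "confidence": 95, "stage": "installation"},
    # Two entries a real feed can contain and that must NOT fire:
    {"type": "ipv4", "value": "10.0.0.5", "confidence": 60, "stage": "c2"},        # internal address
    {"type": "domain", "value": "example.org", "confidence": 20, "stage": "delivery"},  # low confidence
]

# Constructed key=value log lines, as a proxy/DNS/EDR pipeline might normalise them.
LOG_LINES = [
    "ts=2024-06-01T10:00:01Z host=ws-017 src=10.0.5.23 dst=203.0.113.45 dport=443",
    "ts=2024-06-01T10:00:04Z host=ws-017 query=cdn.update-cdn.example qtype=A",
    "ts=2024-06-01T10:00:09Z host=ws-042 src=10.0.5.61 dst=198.51.100.7 dport=443",
    "ts=2024-06-01T10:00:11Z host=ws-042 src=10.0.5.61 dst=10.0.0.5 dport=445",
    f"ts=2024-06-01T10:00:12Z host=ws-017 file_sha256={SAMPLE_HASH} path=C:\\Temp\\svc.exe",
    "ts=2024-06-01T10:00:15Z host=ws-099 query=www.example.org qtype=A",
]

MIN_CONFIDENCE = 50
# Put your own internal ranges here; RFC 1918 plus loopback is a starting point.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Hypothetical playbook: containment action per kill-chain stage.
ACTIONS = {"delivery": "block domain at resolver and proxy",
           "installation": "quarantine file and isolate host",
           "c2": "isolate host and block destination at egress"}
STAGE_ORDER = ["delivery", "installation", "c2"]


@dataclass(frozen=True)
class Alert:
    host: str
    indicator: str
    stage: str
    action: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def load_indicators(feed, min_confidence=MIN_CONFIDENCE):
    """Build lookup sets, dropping low-confidence entries and internal IPs."""
    ips, domains, hashes = set(), set(), set()
    for ioc in feed:
        if ioc["confidence"] < min_confidence:
            continue
        value = ioc["value"].lower().rstrip(".")
        if ioc["type"] == "ipv4" and not is_internal(value):
            ips.add(value)
        elif ioc["type"] == "domain":
            domains.add(value)
        elif ioc["type"] == "sha256":
            hashes.add(value)
    stage_of = {ioc["value"].lower().rstrip("."): ioc["stage"] for ioc in feed}
    return ips, domains, hashes, stage_of


def domain_hit(name: str, domains: set):
    """Match a queried name and its parent domains (cdn.bad.example hits
    bad.example) but never a bare TLD, which would match everything."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def parse_line(line: str) -> dict:
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def match_logs(lines, feed):
    ips, domains, hashes, stage_of = load_indicators(feed)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        hit = None
        if ev.get("dst") in ips:
            hit = ev["dst"]
        elif "query" in ev:
            hit = domain_hit(ev["query"], domains)
        elif ev.get("file_sha256", "").lower() in hashes:
            hit = ev["file_sha256"].lower()
        if hit:
            stage = stage_of[hit]
            alerts.append(Alert(ev["host"], hit, stage, ACTIONS[stage]))
    return alerts


def prioritise(alerts):
    """Rank hosts by the furthest kill-chain stage seen, so a host already
    talking to C2 is contained before one that merely resolved a delivery domain."""
    furthest = {}
    for a in alerts:
        if a.host not in furthest or STAGE_ORDER.index(a.stage) > STAGE_ORDER.index(furthest[a.host]):
            furthest[a.host] = a.stage
    return sorted(furthest.items(), key=lambda kv: STAGE_ORDER.index(kv[1]), reverse=True)


if __name__ == "__main__":
    found = match_logs(LOG_LINES, IOC_FEED)
    for alert in found:
        print(f"{alert.host}: {alert.stage} via {alert.indicator} -> {alert.action}")
    print("containment order:", prioritise(found))
```

Run as written, only ws-017 alerts, and it alerts three times (delivery, installation and C2), so it is contained first; the internal 10.0.0.5 indicator and the 20%-confidence example.org entry are discarded on load and produce nothing. The stage-based ranking is the “left of boom” point in code: the earlier in the chain you catch the TA, the cheaper the response.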
Controls & Countermeasures. Threat and risk assessments are all well and good, but it can still be daunting to work out how to control risks and emerging threats. Once again standards are here to help, including ISO/IEC 27002[11] [Information Security Controls] and the (somewhat voluminous) NIST SP 800-53[12]. We at Goaco appreciate that the catalogue of controls in NIST SP 800-53 (almost 500 pages!) can be intimidating and at times overly exhaustive for some organisations. Those of us who are not part of central government, defence or law enforcement could instead start from the tailored low, moderate and high baselines in NIST SP 800-53B[13]. But here at Goaco we go a step further by recommending the 18 CIS Critical Security Controls[14] (the successor to the SANS/CIS Top 20). Not only do these controls offer a pragmatic, prioritised approach, but they are also well cross-mapped, by the good folks at CIS, onto other recognised standards, including ISO 27001, the UK NCSC’s Cyber Assessment Framework (CAF) and the NIST Cyber Security Framework (CSF)[15].
So what? Simply put, Goaco is here to help – we suffer this level of detail so that you don’t have to. Be it calling upon Goaco for help and advice in achieving Cyber Essentials Plus[16], upping your game by considering the benefits beyond that certification in terms of other frameworks such as the CIS Community Defence Model[17] (well worth considering), or requiring experienced support in achieving ISO 27001 certification, Goaco is here to help.
- Just one thing? If you are only beginning to look at managing your security posture, then start with the NCSC’s Cyber Essentials[16]:
- Going further? Our colleagues at the NCSC have helped greatly by publishing guidance on risk management. It is well worth a look and is a fine primer for further reading:
- Exercise in a Box? Do take a look at the NCSC’s Exercise in a Box. We at Goaco love creating, running and participating in cyber tabletop exercises as an aid to learning, understanding and practising how best to respond to cyber incidents:
- Still curious? The good folks at CIS produced an exceptionally useful and informative paper on pragmatically prioritising cyber security controls [TL;DR? – at least read page 29]:
Sources:
[1] A related saying goes along the lines of: “Old ‘bomb doctors’ only become old because they are good at their job.”
[2] ProtectUK, Risk Management Guidance – Stage 2: Risk Assessment; https://www.protectuk.police.uk/stage-2-risk-assessment
[3] NIST Special Publications (SP 800 series); https://csrc.nist.gov/publications/sp800
[4] NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments; https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
[5] NIST SP 800-39, Managing Information Security Risk; https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
[6] NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations; https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
[7] UK Government Security, Secure by Design – Sourcing a threat assessment; https://www.security.gov.uk/policy-and-guidance/secure-by-design/activities/sourcing-a-threat-assessment/
[8] Digital Network Resilience: Surprising Lessons from the Maginot Line; https://www.jstor.org/stable/10.2307/26267383
[9] Awesome Threat Intelligence (curated list of TI sources and tools); https://github.com/hslatman/awesome-threat-intelligence
[10] NCSC Active Cyber Defence – Early Warning; https://www.ncsc.gov.uk/section/active-cyber-defence/early-warning
[11] ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection – Information security controls; https://www.iso.org/standard/75652.html
[12] NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations; https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
[13] NIST SP 800-53B, Control Baselines for Information Systems and Organizations; https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53B.pdf
[14] The 18 CIS Critical Security Controls; https://www.cisecurity.org/controls/cis-controls-list
[15] NIST Cybersecurity Framework; https://www.nist.gov/cyberframework
[16] NCSC Cyber Essentials; https://www.ncsc.gov.uk/cyberessentials/overview
[17] CIS Community Defense Model 2.0; https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0