Cybersecurity

Enhancing Cyber Capabilities Using a Threat-Driven Strategy

Ryan McCarthy
April 11, 2023
5 min read

Senior leaders focused on cybersecurity recognize there is considerable guidance, best practices, frameworks, regulations and varied opinions on how programs should design defensive capabilities. In addition, depending on the day, the various pressures in the organization’s macro-environment may be greater or lesser and invite different priorities for time, team and budget. Despite these various pressures and guidance, there tend to be two schools of thought on how to approach the strategic path for a cyber program: a risk management-based approach, and a threat-focused approach. Today we’ll explore both, when one may be more valuable than the other, and key principles for how to incorporate each of them into an overall program.

Risk vs. threat

Risk is a word that we use daily in the security industry, specifically as we speak to our stakeholders including clients, shareholders, boards of directors, risk partners and, in some cases, regulators. This is because risk is generally well understood by these stakeholders and can be expressed in terms of likelihood and impact, and in some cases translated into dollar amounts (see Cyber Risk Quantification). The risk management approach to cybersecurity strategy focuses on the macro view of broad, consistent risks to technology and data, where best practice frameworks and regulatory guidance can be used to limit long-term likelihood or impact to the business from a cyber-attack, and then invests in areas where the program is weak within those frameworks. This is where publications like NIST 800-53, and various ISO/CIS publications focus their control recommendations and many organizations spread those controls out like peanut butter across their environment to ensure broad protection.

Threats are also used often in our stakeholder conversations, though generally as a scare tactic of what could happen, rather than a deliberate discussion about an actor and their tactics and techniques that could be realized against the environment. Often, this is because the audience may not be as familiar with the specific threat actor groups, or the tactics, techniques and procedures (TTPs) those actors typically use within the MITRE ATT&CK framework. The threat-based approach takes a micro-view of the technology attack surface, the vulnerabilities across those assets, and how an attack could be conducted against those assets using frameworks like MITRE ATT&CK to evaluate where their controls are most critical and where gaps can be exploited. Advancements in threat intelligence feeds and tools have adapted MITRE ATT&CK as well, further enabling this approach.

Why is a threat-based approach valuable?

To state it bluntly, an attacker doesn’t care whether a company is compliant with the latest guidance on best practices or how it rates maturity against its favorite capability maturity model. They care that they can exploit a particular vulnerability using a specific series of TTPs to achieve an objective. By taking a threat-based approach to cybersecurity, and seeking to understand the attacker’s point of view, organizations can better anticipate their tactics and enhance defenses that specifically relate to those tactics. This allows the company to be very efficient with its resources as it invests heavily in controls that relate to threats, and less so in controls that simply align with best practices. This is not to say that best practices and control frameworks should be ignored or thrown out, rather they should absolutely be leveraged. However, companies shouldn’t limit efforts solely to meeting high-level control objectives or complying with the latest regulatory guidance which wasn’t designed specifically for the company.

When should a threat-based approach be used?

Most senior leaders looking to understand how they can most effectively move their team’s capabilities to the next level should start with an evaluation of their controls by leveraging one or more of the frameworks previously mentioned to ensure the most likely risks that all organizations face are covered. Without this coverage across the foundational security controls, moving to a threat-focused strategy is likely to waste resources that are desperately needed to close those gaps. The next step is equally critical, which is to ensure that the deployed controls have complete (or mostly complete) coverage across the environment. Too frequently, I see cyber leaders believe that their malware controls, or data leakage protections, or {insert cyber security capability here} are fully deployed across the environment, only to find out (hopefully not the hard way via an incident) that technology, business or other drivers prevented the implementation of the control for large areas of their network.

Once (near) complete coverage of foundational control capabilities is established, it’s a good idea to start incorporating a threat-based approach to determine where resources should best be deployed.

How to implement a threat-based approach

Convinced that the evolution to threat-based cyber security is the path to greatness? Here’s how to start the journey:

  1. Know which assets are most critical to protect – partner with business and technology partners to ensure that there is solid governance of asset inventory, and a clear understanding of the value of those assets. Layer in an analysis of how exposed certain assets are to threats, based on how the network is architected.
  2. Understand threats and prioritize them based on their impact on the assets. Are there specific threat actor groups being tracked that target this industry? Continuously monitor and assess these threats via intelligence gathering (and sharing) and use that intel to enable defensive teams.
  3. Replicate attacks frequently – leverage professional penetration testing services and red team methodologies to simulate threat actor TTPs and learn where the organization is exploitable.
  4. Incorporate threat modeling into application development and architecture boards. By understanding threats before technology is fully deployed, the business will save a significant amount of money in remediation work.

Cybersecurity is a fast-paced industry, with an ever-evolving threat environment. By incorporating a threat-based cyber strategy to understand an attacker’s perspective, organizations can be more effective and more efficient in deployment of defensive controls, keeping the company off the front page of tomorrow’s newspaper.

To learn more about our cybersecurity and third-party risk management solutions, contact us.

Ryan McCarthy

Senior Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
8 Apr

Join our experts on April 25 as they delve deep into the strategies and practices essential for safeguarding customer trust, ensuring a stellar user experience, and adhering to privacy and data security standards. Register today! https://ow.ly/fumH50R4fbw #DataPrivacy

Reply on Twitter 1777336025301254502 Retweet on Twitter 1777336025301254502 Like on Twitter 1777336025301254502 Twitter 1777336025301254502
protivititech Protiviti Technology @protivititech ·
5 Apr

Find out how businesses can use #AI technologies for real use cases in #Quantum sensing, simulations and migration to post-quantum cryptography during the latest podcast episode with guest @paul_kassebaum. https://ow.ly/Wy7u50R9t8M

Reply on Twitter 1776309432592330940 Retweet on Twitter 1776309432592330940 1 Like on Twitter 1776309432592330940 4 Twitter 1776309432592330940
protivititech Protiviti Technology @protivititech ·
5 Apr

Protiviti’s Kim Bozzella explains how technology and #Automation in the #Manufacturing industry has—and will continue to—improve productivity and quality enhancement. Read more from the Forbes Technology Council. https://ow.ly/nTPy50R7WYC

Reply on Twitter 1776249003769803111 Retweet on Twitter 1776249003769803111 Like on Twitter 1776249003769803111 Twitter 1776249003769803111
protivititech Protiviti Technology @protivititech ·
1 Apr

Organizations who are part of the Department of Defense supply chain must understand, identify and protect controlled unclassified information, often called #CUI in their environments. Here’s what you need to know: https://ow.ly/bjbW50R59Ke #ProtivitiTech

Reply on Twitter 1774769203540566390 Retweet on Twitter 1774769203540566390 Like on Twitter 1774769203540566390 Twitter 1774769203540566390
protivititech Protiviti Technology @protivititech ·
29 Mar

A global hospitality company is well positioned to leverage the latest AI technologies after hiring Protiviti to establish and implement a comprehensive AI governance standard. Read our latest client story: https://ow.ly/Ir7R50R4nrh #ProtivitiTech #ClientStory

Reply on Twitter 1773772540306919718 Retweet on Twitter 1773772540306919718 Like on Twitter 1773772540306919718 1 Twitter 1773772540306919718
Load More