Advanced threat actors have orchestrated attacks on some of the top government agencies and companies. So dangerous are these groups that national cybersecurity agencies across the globe regularly issue warnings that specifically describe these groups' campaigns.

What separates an 'advanced threat actor' from an ordinary cybercriminal group may come as a surprise. It is not always the group's technology: these groups routinely use standard tools and administration utilities such as PowerShell to establish and expand their presence, and they lean heavily on social engineering attacks such as phishing to gain initial access. Fundamentally, what makes an 'advanced threat actor' dangerous has more to do with their flexible use of many modes of operating and many tools than with any single element or method of attack. These groups are often very resourceful and nimble, and they work hard to compromise and maintain long-term access to the organisations they target, even if their tools and techniques are not themselves advanced or sophisticated. Their resourcefulness, flexibility, precision and patience in carrying out operations are what make them hard to detect, and, once an organisation is compromised, often even harder to eradicate.

Understanding these groups' modus operandi, that is, their tactics, techniques and procedures (TTPs), is necessary but not sufficient to prevent attacks. Organisations must also place that information in the context of their own environment(s), including their network, data, users, devices and, increasingly, their supply chain. Understanding how a threat actor behaves and the organisation's exposure to that threat lets us get ahead of dangers instead of reacting to them.

The Whole-of-Ecosystem Approach

Most organisations rely on traditional forms of threat defence, such as firewalls and email gateways, intrusion detection and prevention systems, data leak prevention and endpoint security tools, which are not sufficient in themselves to counter more resourceful attackers. Taken separately, these traditional tools are powerful and effective; but for organisations that hope to withstand a more sophisticated threat group like APT10, an IT-centric 'detect and block' approach is often inadequate.

The latest APT10 campaign, which targeted MSP networks, shows why approaches built on point protection and 'detect and block' tools are not up to the task of stopping advanced threat actors. Organisations should embrace a holistic approach to threat defence that addresses multi-vector attacks. Taking a 'whole of ecosystem' approach to defence means understanding the security of the IT, network, data, users and devices that the organisation owns and manages, as well as those of its third-party software and service providers and its customers. Unfortunately, existing information security tools are ill-suited to holistic defence, and siloed defences are still the norm at far too many organisations.

What Makes an Integrated Defence Model?

Organisations need comprehensive and integrated architectural models that address the specific threats to their environments. While not threat-specific, a working integrated model should account for all the foreseeable threats, cyber and otherwise, that an organisation might have to face. It requires organisations to tailor integration to their own networks, IT assets, data and users; to assess all the risks that might target them; and to prioritise cybersecurity funding, resources and attention accordingly.

An integrated fabric often allows organisations to filter background "noise" out of the threat landscape, easing the burden on threat intelligence analysts. It should also dynamically incorporate and correlate new information every day, making connections between new and existing threat intelligence that may highlight risks to the organisation, its employees and its assets. The purpose of the integrated model is not to make internal staff work more or less, but to work more intelligently and efficiently and, above all, in a more directed way that prioritises cybersecurity investments for proactive security.

Elements of an Integrated Model

CT Cyber believes that cybersecurity should be adopted in a multi-layered approach, ensuring a robust, integrated alignment between People, Process and Technology, intertwined with Principles, Risk and Controls across the environment. An integrated approach also ensures that none of these is considered in isolation: if one is unsecured, the entire system is vulnerable. Implementing a reasonable degree of cyber protection requires these elements to be threaded together into a holistic approach.

At CT Cyber, we understand that security must cover the entire system, not just individual devices, and that it must be the responsibility of all stakeholders. Our framework aligns with five fundamental cybersecurity principles, whose purpose is to provide strategic guidance on how organisations can protect their systems and information from cyber threats:

  1. Governance: The process of identifying and managing security risks across the organisation.
  2. Detect: The process of identifying and detecting cybersecurity events.
  3. Protect: The process of implementing adequate security controls to reduce security risks.
  4. Respond and Recover: The process of responding to events and incidents to limit the damage.

Our model further measures the efficacy of these principles by identifying the essential controls needed to meet each principle's objectives across devices, applications, data, communications and users. Tied to this is the critical Risk Matrix, which rates the likelihood and impact of not having these principles and controls in place. CT Cyber then applies a maturity matrix to determine how far along an organisation is and to plan its future path based on where it sits in our maturity cycle.

This integrated framework gives organisations a strong foundation that ties cybersecurity to key business outcomes and risks, and gives leaders an opportunity to have meaningful discussions with executive leadership and boards.