THREAT INTELLIGENCE INFORMED RISK MANAGEMENT
The driver of present-day security strategy
Sheikh Rashedul Islam | Saturday, 23 November 2024
In today's digital-first economy, financial institutions are navigating an unprecedented level of complexity and risk. The arrival of new technology and platforms has brought to the fore digital banking, online investment platforms, electronic payment systems, and digital financial products and services.
The government of Bangladesh is committed to providing financial services at the doorsteps of citizens in an easy, fast and low-cost manner. This digital transformation has made financial services more accessible and convenient. However, the shift to digital platforms has also introduced new challenges: cyber security, fraud, money laundering, terror financing and other criminal activity that abuses financial institutions and their services. Financial institutions handle large sums of money and sensitive data, which makes them an attractive target for cybercriminals.
As Electronic Know Your Customer (e-KYC) solutions become more integrated into customer on-boarding, cybersecurity is critical to protecting sensitive data, preventing financial loss, maintaining customer trust and regulatory compliance, and sustaining strong security controls; it matters for the industry and for the sustainable development goals alike.
The cybersecurity landscape is constantly evolving, and industry experts need to work together with the leadership team and the wider community to manage a wide range of threats across the following domains: malware and ransomware, phishing and social engineering, financial crime, data exposure, transaction services, cloud, DDoS, insider threat, API vulnerabilities and supply chain.
From expanding digital assets to global supply chains, the attack surface has grown exponentially. Meanwhile, cyber adversaries are becoming more sophisticated, leveraging vulnerabilities, stolen credentials and even typo-squatted domains to launch devastating attacks.
Threat intelligence is knowledge of who is attacking, how and why. Turning it into cyber security risks that senior leadership can act on, with appropriate controls, is an art that requires experience and deep understanding. A recurring challenge is how the technical team communicates those risks to senior leadership and demonstrates immediate value to the board.
Risk is the product of probability and impact. By focusing on real-world threats, organisations can direct their resources to the areas that will most reduce their risk profile and prioritise remediating the most damaging vulnerabilities.
Cybersecurity risk management as a discipline is immature and subjective. Because they lack visibility or clarity, most senior leadership teams want to do the essential things to defend their organisation, but not to spend excessively.
It is unclear to most senior leadership teams what needs to be done to defend their information systems and whether their organisation is doing those things. The bottom line is that no organisation wants to be compromised or suffer a data breach. It is not so much that the leadership team does not want to be on the front page of the newspaper; they do not want that embarrassment.
We also need to understand the mindset of senior leadership: what are they looking for from the cyber security expert? Senior leadership wants to know that it has a trustworthy team that is effectively and proactively defending the organisation's information systems.
Cybersecurity is no longer just an IT issue - it's a boardroom priority, a compliance mandate, and a customer trust imperative.
Threat-intelligence-informed defence is becoming a key component of a modern cybersecurity strategy. It is an approach that can change the game for the defender: the systematic application of a deep understanding of adversary tradecraft and technology. Using a widely available framework and a globally accessible knowledge base of adversary behaviour, an organisation can improve its ability to protect against, detect or mitigate adversary behaviour and attacks. It will change how you have thought about defence all along.
It gives an organisation a foundation to continuously manage its risk and exposure. A threat-informed defence starts with understanding the threats that are relevant to the organisation and then aligns the defences to those threats. It is not intended to replace a baseline security programme; it enhances that baseline and gives it a focus, enabling organisations to strengthen their defences proactively by concentrating on understanding adversaries.
A Threat-led Risk Framework (TLRF) uses threat intelligence to reduce and control those risks. An approach driven by risk management denotes a more advanced cybersecurity posture than one that is primarily compliance-driven. It also shapes the cyber security requirements and focuses effort on the most critical issues and risk factors.
With a risk-based approach we need to develop a Threat-led Risk Framework consisting of: enterprise risk, risk scenarios, threat attack scenarios, threat data, asset data and mitigation data.
The risk scenarios cover data loss, denial of service, identity management and access abuse, malware/ransomware, supplier compromise, supply chain compromise and vulnerability compromise.
We also need a threat level calculation: Threat domain + Capabilities + Likelihood of target = Threat level. Scoring each term lets us rate the severity of a threat as high, medium or low. Combined with the impact on the affected assets and the mitigations already in place, this gives the probability-times-impact figure used to rank the risk scenarios against each other.
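The scoring model above, worked through in code, as an added example that is not part of the article and not a tool of the author's. The 1-to-3 scales for each factor, the high/medium/low cut-offs at 8 and 5, the normalisation of the threat level into a probability, the crediting of mitigation as a fraction, and the sample risk register values are all assumptions made for illustration; the article only gives the shape of the two formulas (risk = probability x impact, and threat level as the sum of threat domain, capabilities and likelihood of target).

```python
from dataclasses import dataclass

# Assumed scales: each threat factor and the asset impact are scored 1 (low)
# to 3 (high); mitigation effectiveness is the fraction of the threat that the
# existing controls are judged to neutralise, 0.0 (none) to 1.0 (complete).

@dataclass(frozen=True)
class ThreatData:
    domain: int        # how active the threat domain is against this sector
    capabilities: int  # adversary capability to execute the scenario
    likelihood: int    # likelihood that this organisation is targeted

@dataclass(frozen=True)
class AssetData:
    impact: int        # business impact if the scenario materialises

@dataclass(frozen=True)
class MitigationData:
    effectiveness: float  # 0.0 .. 1.0, assumed scale

@dataclass(frozen=True)
class RiskScenario:
    name: str
    threat: ThreatData
    asset: AssetData
    mitigation: MitigationData

MAX_THREAT_LEVEL = 9  # three factors scored at most 3 each

def threat_level(t: ThreatData) -> int:
    """Threat domain + capabilities + likelihood of target, as in the article."""
    for value in (t.domain, t.capabilities, t.likelihood):
        if not 1 <= value <= 3:
            raise ValueError("threat factors must be scored 1..3")
    return t.domain + t.capabilities + t.likelihood

def severity(level: int) -> str:
    """Map the 3..9 threat level onto high/medium/low (assumed cut-offs)."""
    if level >= 8:
        return "high"
    if level >= 5:
        return "medium"
    return "low"

def residual_risk(s: RiskScenario) -> float:
    """Risk = probability x impact. Probability is taken as the normalised
    threat level, reduced by the credit given to existing mitigations."""
    if not 0.0 <= s.mitigation.effectiveness <= 1.0:
        raise ValueError("mitigation effectiveness must be 0..1")
    probability = threat_level(s.threat) / MAX_THREAT_LEVEL
    residual_probability = probability * (1.0 - s.mitigation.effectiveness)
    return round(residual_probability * s.asset.impact, 3)

def prioritise(scenarios: list[RiskScenario]) -> list[tuple[str, str, float]]:
    """Return (scenario, threat severity, residual risk), most urgent first."""
    rows = [(s.name, severity(threat_level(s.threat)), residual_risk(s))
            for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample register for a bank; the scores are illustrative, not
# assessed values for any real institution.
SAMPLE_REGISTER = [
    RiskScenario("Malware/Ransomware", ThreatData(3, 3, 3), AssetData(3), MitigationData(0.5)),
    RiskScenario("Supplier compromise", ThreatData(2, 3, 2), AssetData(3), MitigationData(0.2)),
    RiskScenario("Denial of service", ThreatData(3, 2, 3), AssetData(2), MitigationData(0.7)),
    RiskScenario("Data loss", ThreatData(2, 2, 2), AssetData(3), MitigationData(0.4)),
    RiskScenario("Identity and access abuse", ThreatData(3, 2, 2), AssetData(3), MitigationData(0.6)),
]

if __name__ == "__main__":
    for name, sev, risk in prioritise(SAMPLE_REGISTER):
        print(f"{name:28s} threat={sev:6s} residual risk={risk:.2f}")
```

With the sample values, supplier compromise ranks above ransomware even though its threat level is only medium, because the existing controls against it are weak, while denial of service drops to the bottom despite a high threat level because it is already well mitigated. That is the point of putting threat data, asset data and mitigation data side by side: the threat level alone says where adversaries are active, the residual risk says where the next unit of budget buys the most reduction.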
Leveraging knowledge of cyber threats and their Tactics, Techniques and Procedures (TTPs) to prioritise the allocation of limited resources is one of the most impactful and efficient ways to reduce overall risk.
Threat-intelligence-informed defence allows a more targeted approach to cybersecurity, removing the need to address every possible threat equally. By understanding the adversary, you can prioritise your defences and continually assess them to identify gaps in your defensive programme.
Enhanced response capabilities: an organisation can develop more effective incident response plans and strategies by clearly understanding the threats it faces.
Building a threat-informed defence programme presents several challenges. It requires a breakdown of risk scenarios, threat attack scenarios, attack paths, attack permutations, asset classes, attack procedures, attack techniques and adversary details.
Aside from the initial compromises in 2016-18 against Bangladesh by APT38/Lazarus, which targeted Alliance servers, reported attacks against SWIFT-connected banks have focused on obtaining operator credentials to initiate fraudulent transactions. The risk of SWIFT compromise hinges on attackers gaining access to Alliance Access servers, where they can manipulate transactions and the underlying database:
* Port monitoring to understand transactions and message types
* Deletion of records from the Alliance Access database to hide transactions
The future of cybersecurity is no longer about achieving a "perfect" state of security; it is about continuous risk management. Threats are evolving, and so must our defences. An organisation needs to stay ahead of threats, prioritise with precision and demonstrate resilience. The technical team needs to provide clear and actionable insights to the company's leadership team so that the company's security posture is built on them. An organisation needs a better security strategy to safeguard its reputation, its customers and its future.
This article has set out the value of a threat-intelligence-led cyber security strategy and risk framework and how executives and leadership can benefit from it: early detection and response, reduced risk and improved compliance, better allocation of resources, improved decision-making, improved visibility and situational awareness, better risk management, improved communication and collaboration, and increased stakeholder confidence and trust.
Great people build great products. Defenders are expected to continuously protect the financial institution from threats, vulnerabilities and threat actors. Effective mitigations and detections that stop bad things from happening are not possible without the right Threat-led Risk Framework, backed by intelligence and data.
Sheikh Rashedul Islam is an IT, telecommunications and cyber security professional with work experience in consulting and engineering projects with large corporations, government agencies and the financial sector globally. [email protected]