It’s Friday, I’m [Writing That Typical CISO Email]

Posted: 17th January 2024
By: Kathleen Kuczma

It’s a Friday afternoon. As the CISO for a large manufacturing company, you receive a message from a board member with the subject line “How are we affected by [insert the latest] cyber attack?”

Despite the end-of-the-week fatigue, you explain that the Cyber Threat Intelligence (CTI) team has already incorporated the attack patterns into existing controls. A member of the infrastructure team updated the email security platform to quarantine the malware-infected file. Credentials recently stolen by RedLine Stealer have already been reset within your identity and access management (IAM) platform.

This is a response to a familiar situation: quickly answering a question about the latest cyber news headline. To summarize the risks in that email, the security team needs to properly map, monitor, and mitigate cyber threats specific to your organization.

Map Your Company Assets

Cybersecurity writing often uses the phrase, “defending your castle walls”. Instead, let’s envision strategically-placed barbed wire fences. As a security team, you prioritize the broken sections instead of rebuilding the entire fence (or wall) at once. A good place to start mending your fence is understanding what information about your company is freely available. Amateur open-source sleuths can now discover connections previously available only to those with specialized access. (A crowdsourced example includes the discovery of a disgraced Russian general’s location based on the photo analysis of trees and a stone patio.)

Are there old domains still accessible that should be decommissioned? Security teams can use tools to discover subdomains that are potential candidates for subdomain takeovers.
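One way to run that check against your own DNS zone is to follow every CNAME to its final target and flag the ones that no longer resolve. The following is an added example, not part of the original post; the zone records, the `example.*` names and the `audit_cnames` helper are all constructed for illustration.

```python
import socket

# Constructed zone export: (name, type, value). All names are illustrative.
ZONE = [
    ("www.example.com",    "A",     "192.0.2.10"),
    ("shop.example.com",   "CNAME", "www.example.com"),
    ("promo.example.com",  "CNAME", "promo-2019.cloudhost.example.net"),
    ("legacy.example.com", "CNAME", "old.example.com"),
    ("old.example.com",    "CNAME", "legacy-app.paas.example.org"),
    ("docs.example.com",   "CNAME", "docs-site.cloudhost.example.net"),
]
# Constructed stand-in for live DNS: external targets that still resolve.
LIVE_EXTERNAL = {"docs-site.cloudhost.example.net"}

def dns_resolves(host):
    """Live check for production use; the sample run uses LIVE_EXTERNAL instead."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(zone, apex, resolves):
    """Return {name: (final_target, reason)} for CNAMEs ending in a dead target."""
    cname = {n.lower(): v.lower().rstrip(".") for n, t, v in zone if t == "CNAME"}
    has_addr = {n.lower() for n, t, _ in zone if t in ("A", "AAAA")}
    findings = {}
    for name in cname:
        seen, cur = {name}, cname[name]
        while cur in cname and cur not in seen:   # follow the CNAME chain
            seen.add(cur)
            cur = cname[cur]
        if cur in seen:
            findings[name] = (cur, "cname-loop")
        elif cur == apex or cur.endswith("." + apex):
            if cur not in has_addr:               # points at a record we deleted
                findings[name] = (cur, "stale-internal")
        elif not resolves(cur):                   # third-party target is gone
            findings[name] = (cur, "dangling-external")
    return findings

if __name__ == "__main__":
    for name, (target, reason) in audit_cnames(
            ZONE, "example.com", lambda h: h in LIVE_EXTERNAL).items():
        print(f"{reason:18} {name} -> {target}")
```

Records reported as `dangling-external` are the decommissioning candidates: remove or repoint them before someone else can claim the target name.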

Equally important is understanding what assets are critical to business functions. If you work for an e-commerce company, any domains that handle payments should be prioritized, as any downtime could result in monetary losses. Executives with, and without, a social media presence should be monitored for fake accounts that could post inflammatory comments and potentially impact stock prices.

If locked out of your house, you do not resort to immediately climbing onto your roof looking for an open window. Instead, you (hopefully) try to find another ground-level entrance or the key you hid by the ceramic gnome. Threat actors will often follow a similar path of least resistance.

Monitor What You Discovered

Based on your mapping exercise, your next task is to monitor the prioritized domains, executives, and easiest-to-exploit attack vectors.

Understanding your company’s password policy provides helpful context. But more important is monitoring for stolen credentials that can log into company systems. Intelligence providers that collect stolen credentials from infostealer malware logs and integrate with IAM platforms speed up detecting exposed passwords and resetting them before they are misused. (According to the 2023 Verizon Data Breach Investigations Report, more than three-quarters of breaches involved external actors, with nearly half of those external breaches involving stolen credentials.)

Threat actors do not typically use stolen credentials immediately. Instead, Initial Access Brokers (IABs) package and sell these credentials to other actors who plan to use them. Monitoring for direct and indirect company references (when your company as a target is implied) will provide another opportunity to detect threat actor activity.

Using AI to Generate a Threat Map

A Threat Map that analyzes past attacks and understands current vulnerabilities gives security teams a shortlist of actors to prioritize for monitoring.

There’s no need for analysts to spend their time manually researching and creating their own threat maps, thanks to Recorded Future AI. Threat actors have a “why” for choosing to exploit a vulnerability in a particular organization: their chance of success. For example, if your company is still susceptible to the MOVEit file transfer vulnerability, a threat actor will take advantage.

Emotional Response

Threat actors have feelings, too. When Spain’s Prime Minister met with Ukraine’s President, a hacktivist group called NoName057(16) targeted the Spanish government’s websites in a DDoS attack. Recognizing when a current event may prompt even a low-level attack can improve defenses.

Fix What Is Broken

Mitigation is where the “action” takes place. Which steps did the security team take to improve security controls? “Detection rules,” which are pattern-matching searches run against security logs, can quickly notify analysts of potential malicious activity. If the malware is typically spread via a ZIP file, a detection rule can trigger an alert when there is a match in your company’s logs. Your intelligence provider should produce the detection rules associated with the malware and threat actors most likely to impact your company, ideally via your unique threat map.
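The ZIP-file rule described above can be sketched as a small rule evaluator run over mail-gateway logs. This is an added example, not from the original post or any vendor's product; the log format, field names and rule schema are hypothetical, and the log lines are constructed.

```python
import shlex

# Constructed mail-gateway log lines (key=value format); not from a real product.
LOGS = '''
ts=2024-01-12T14:02:11Z direction=inbound sender=billing@vendor.example attachment="invoice_0112.zip" action=delivered
ts=2024-01-12T14:03:40Z direction=inbound sender=news@partner.example attachment="newsletter.pdf" action=delivered
ts=2024-01-12T14:05:02Z direction=outbound sender=ops@corp.example attachment="backup.zip" action=delivered
ts=2024-01-12T14:07:55Z direction=inbound sender=hr@corp-payroll.example attachment="Bonus.ZIP" action=quarantined
'''.strip().splitlines()

# Hypothetical rule: every condition must hold; "field|op" selects the comparison.
# It alerts on inbound ZIP attachments that were delivered rather than quarantined.
RULE = {
    "title": "Inbound ZIP attachment delivered to mailbox",
    "match": {"direction": "inbound", "attachment|endswith": ".zip", "action": "delivered"},
}

OPS = {
    "equals": lambda value, want: value == want,
    "endswith": lambda value, want: value.endswith(want),
    "contains": lambda value, want: want in value,
}

def parse_line(line):
    """Split a key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def matches(event, rule):
    """True when the event satisfies every condition (case-insensitive)."""
    for key, want in rule["match"].items():
        field, _, op = key.partition("|")
        value = event.get(field)
        if value is None or not OPS[op or "equals"](value.lower(), want.lower()):
            return False
    return True

def run_rule(lines, rule):
    """Return the parsed events that should raise an alert."""
    return [event for event in map(parse_line, lines) if matches(event, rule)]

if __name__ == "__main__":
    for alert in run_rule(LOGS, RULE):
        print(f'ALERT "{RULE["title"]}": {alert["ts"]} {alert["sender"]} {alert["attachment"]}')
```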

Some mitigation plans are based on compliance audits or security guidelines, such as NIST. Companies need to not only monitor for stolen passwords, but also prevent users from creating new passwords that have been previously leaked. Analysts should monitor and request takedowns for fake login pages targeting an organization. Takedowns are never an easy process. Using a provider with a high success rate will save security teams going back and forth with domain registrars. (A trusted partner will also steer you away from a takedown that will likely not be successful.)

Summing it Up

Understanding a company’s most important assets is a critical stepping stone to prioritizing what to monitor and mitigate.

We haven’t forgotten about the fictitious CISO. If your team has properly mapped assets, installed appropriate monitoring services and enabled mitigating controls, that next Friday afternoon email should be easier to write. You may use generative AI to produce an outline of the attack patterns used and how your company could be impacted. However, don’t forget to mention areas that need improvement. It is worthwhile to include how the social engineering aspect of the attack is more difficult to combat.

You may not receive an on-the-spot promotion for your email summary. But your team’s well-crafted response will prove the importance of having the data, platforms and people to answer the board’s next security question.