Effective cyber security needs to be tailored to an organisation’s specific needs and vulnerabilities, and not rooted in the ways of the masses. Chris Holt explains more

The big picture
Models such as MITRE ATT&CK® – a knowledge base of adversary behaviour used for threat modelling, penetration testing, detection development and other cyber security exercises – lay out the different avenues of compromise in a systematic and logical hierarchy. It is organised by tactic (the goal an attacker is pursuing at that stage of an intrusion), then by the techniques used to achieve that goal, with each sub-technique describing one specific variant of that adversary activity.
With 218 individual IT-related sub-techniques modelled, and 88 more in the separate matrix covering Industrial Control Systems components, ATT&CK is an excellent reminder of the full breadth of the cyber threat landscape we face.
That said, it is a broad model designed to capture every eventuality in every environment. Only a minority of techniques will have significant relevance to any given IT system; for that system the remainder are of such low probability or impact as to be irrelevant.
The correct way to use such a resource is to map it against the vulnerabilities of the specific assets you are trying to protect and, taking account of other known risks and your organisation's risk tolerance, highlight the areas of greatest concern. Those areas can then be worked through in detail to mitigate the most likely ways the highlighted threats could damage your organisation.
Whether through limited experience or an unscrupulous desire to drive up sales, this best practice is more often ignored than followed. Instead, complete coverage of the ATT&CK matrix is treated as the necessary condition for being 'good'. At its worst this takes the form of a percentage coverage score or a traffic-light dashboard, both of which imply that any technique without a control against it is an unacceptable gap in protection.
Interestingly, this approach can also generate false confidence: I am better than my peers because my threat model has a higher percentage coverage! Given unlimited resources and unlimited time, 100 per cent coverage would of course be the aspiration, but reality is harsh and such resources and time never exist.
The diluted focus instead causes those resources to do a little work on a lot of threats, gaining a little protection against many insignificant ones, at the cost of too little effort spent understanding and mitigating the threats that will actually do damage. The likely outcome? An unforeseen attack sneaks up and bursts the confidence bubble in an unpleasant surprise.
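To make the contrast concrete, here is an added worked example (not from the article, and not a MITRE tool) that scores ATT&CK techniques per asset by likelihood and impact, lists the pairings above a risk tolerance, and then spends the same budget of effort two ways: spread thinly across the whole matrix to push the coverage percentage up, or focused on the top of the per-asset priority list. The technique IDs are real Enterprise ATT&CK identifiers used only as labels; the asset names, likelihood and criticality scores, the control inventory and the "one unit of effort mitigates a further 10 per cent of a technique" rule are constructed assumptions for the illustration.

```python
"""Risk-weighted ATT&CK prioritisation versus a raw coverage score.

Added illustration, not from the article. Technique IDs are real Enterprise
ATT&CK identifiers used only as labels; the assets, likelihood/impact scores,
control inventory and effort model below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TECHNIQUES: Dict[str, str] = {
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1190": "Exploit Public-Facing Application",
    "T1021": "Remote Services",
    "T1003": "OS Credential Dumping",
    "T1486": "Data Encrypted for Impact",
    "T1195": "Supply Chain Compromise",
    "T1110": "Brute Force",
}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int           # impact if compromised, 1 (low) .. 5 (business-critical)
    exposure: Dict[str, int]   # technique id -> likelihood 1..5 of use against THIS asset


# Constructed sample estate (hypothetical names and scores).
ASSETS: List[Asset] = [
    Asset("cloud-customer-portal", 5, {"T1190": 5, "T1078": 4, "T1110": 3, "T1566": 2}),
    Asset("legacy-mainframe", 5, {"T1078": 4, "T1021": 3, "T1003": 2}),
    Asset("hr-laptops", 2, {"T1566": 5, "T1003": 3, "T1486": 3}),
]

# Constructed control inventory: technique id -> fraction of its risk the controls remove.
CONTROLS: Dict[str, float] = {
    "T1566": 0.8, "T1110": 0.6, "T1486": 0.5, "T1003": 0.4, "T1195": 0.2,
}


def coverage_percentage(controls: Dict[str, float], techniques=TECHNIQUES) -> float:
    """The dashboard number: share of techniques with *any* control behind them."""
    covered = sum(1 for t in techniques if controls.get(t, 0.0) > 0.0)
    return 100.0 * covered / len(techniques)


def residual_risk(asset: Asset, tid: str, controls: Dict[str, float]) -> float:
    """Likelihood x impact for this asset, scaled down by what controls already mitigate."""
    inherent = asset.criticality * asset.exposure.get(tid, 0)
    return inherent * (1.0 - controls.get(tid, 0.0))


def prioritise(assets, controls, tolerance: float) -> List[Tuple[str, str, float]]:
    """(asset, technique, residual) for every pairing above tolerance, worst first."""
    rows = [(a.name, t, residual_risk(a, t, controls)) for a in assets for t in a.exposure]
    return sorted((r for r in rows if r[2] > tolerance), key=lambda r: -r[2])


def total_residual(assets, controls) -> float:
    return sum(residual_risk(a, t, controls) for a in assets for t in a.exposure)


def apply_effort(controls, allocation: Dict[str, float]) -> Dict[str, float]:
    """Effort model (assumption): one unit on a technique mitigates a further 10% of it."""
    updated = dict(controls)
    for tid, units in allocation.items():
        updated[tid] = min(1.0, updated.get(tid, 0.0) + 0.1 * units)
    return updated


def spread_strategy(budget: float, techniques=TECHNIQUES) -> Dict[str, float]:
    """'Complete coverage': the same sliver of effort on every technique in the matrix."""
    return {t: budget / len(techniques) for t in techniques}


def focused_strategy(budget, assets, controls, tolerance, top_n=3) -> Dict[str, float]:
    """Spend the budget only on the techniques topping the per-asset priority list."""
    chosen: List[str] = []
    for _, tid, _ in prioritise(assets, controls, tolerance)[:top_n]:
        if tid not in chosen:
            chosen.append(tid)
    return {t: budget / len(chosen) for t in chosen} if chosen else {}


def compare(budget: float = 10.0, tolerance: float = 5.0) -> Dict[str, float]:
    """Coverage score and total residual risk now, and after each way of spending the budget."""
    spread = apply_effort(CONTROLS, spread_strategy(budget))
    focused = apply_effort(CONTROLS, focused_strategy(budget, ASSETS, CONTROLS, tolerance))
    return {
        "coverage_now": coverage_percentage(CONTROLS),
        "residual_now": total_residual(ASSETS, CONTROLS),
        "coverage_spread": coverage_percentage(spread),
        "residual_spread": total_residual(ASSETS, spread),
        "coverage_focused": coverage_percentage(focused),
        "residual_focused": total_residual(ASSETS, focused),
    }


if __name__ == "__main__":
    for asset, tid, risk in prioritise(ASSETS, CONTROLS, tolerance=5.0):
        print(f"{asset:24} {tid} {TECHNIQUES[tid]:36} residual={risk:5.1f}")
    for key, value in compare().items():
        print(f"{key:18} {value:7.2f}")
```

With this sample data the dashboard already reports 62.5 per cent coverage, yet the three worst asset/technique pairings (exploitation of the public-facing portal and valid-account abuse against both the portal and the mainframe) have no control at all. Spreading the budget lifts coverage to 100 per cent but leaves more total residual risk than the focused spend, which reaches only 87.5 per cent coverage and would look worse on a traffic-light view.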
No one size fits all
Threats are personal and unique to each organisation. But cyber security vendors train their sales teams to persuade CISOs that the best solution for them is the one their peers chose. If it worked for them, then you must have it!
To claim that two organisations in the same sector or market face the same threats is simply untrue. Your cyber security priorities are specific to your organisation, and probably too sensitive in places to discuss out in the open.
If you are using ATT&CK, you should take a view per asset or solution, never a single holistic view, and focus only on the techniques that your own analysis has shown to be significant for that asset. The same applies to all the other similar standards, models and frameworks out there.
Cyber security professionals must stop being drawn in by vendors' promises of silver bullets and go back to basics. The effort to mitigate threats must be prioritised by the criticality and probability of your organisation's weak points. It should address everything that keeps you awake at night, whether that is the data in your latest and most exciting cloud-hosted system or the mainframe somehow still ticking away in a third-party data centre that no one dares touch.
It was Halloween last month. So please make sure your monitoring and defences continue to do something to protect your organisation's skeletons in all those IT closets out there, and don't be drawn in by the hype of conforming to the ways of the hordes.
Oh, and look out for that ghost behind you: it was probably a salesman in a former life, still trying to empty your pockets.
About the author
Chris Holt is National Cyber Mission Pre-Sales Lead at BAE Systems Applied Intelligence
chris.w.holt@baesystems.com
