Delivering personalised next generation cyber security

If there is one thing the cyber security market is good at, it’s an ability to drive a belief that the next generation of technology will overcome the current great threat – built upon a promise that we all face the same macro threats in our daily interaction with the digital domain. This herd mentality is further reinforced by the ways cyber security frameworks are misused to show we all have to address the same threats.

The big picture

Models such as MITRE ATT&CK® – which is a framework for threat modelling, penetration testing, defence development and other cyber security exercises – lay out different avenues of compromise in a systematic and logical hierarchy. Organised into the different broad techniques attackers utilise to achieve their goals, each sub-technique is a specific type of adversary activity.
With 218 individual IT related sub-techniques modelled, and 88 further sub-techniques for defence of Industrial Control Systems components, ATT&CK provides an excellent reminder of the complete cyber threat landscape we face.
That said, it is a broad model designed to capture every eventuality in every environment. This means only a minority of techniques will have significant relevance to most of your IT systems, with the remainder being of such minimal probability or impact as to be irrelevant.
The correct way to use such a resource is to map it against the vulnerability of the assets being sought to be protected and, with due consideration of other known risks and acceptable levels of tolerance, highlight the areas of maximum concern. These may then be further developed in order to mitigate the most likely ways that the highlighted threats may damage your organisation.
Whether caused by limited experience or an unscrupulous desire to drive up sales, this best practice is most often ignored. Instead, complete coverage of the ATT&CK threat model is deemed an absolute necessity in order to be ‘good’. This is manifested at its very worst by either a percentage coverage score or a traffic light dashboard, both of which imply that lack of coverage equates to unacceptable gaps in protection.
Interestingly, this approach can also generate a false confidence: I am better than my peers because I have a better percentage coverage in my threat models! For sure, given unlimited resources and unlimited time, the ultimate aspiration is 100 per cent coverage – but reality is harsh and such resources and time never exist.
Thus the diluted focus causes those resources to do a little work on a lot of threats – and results in gaining a little bit of protection against many pretty insignificant threats. But this is at the cost of too little effort spent on understanding and mitigating the threats that will actually do the damage. The likely outcome? An unforeseen attack sneaks up and bursts the confidence bubble in an unpleasant surprise.

No one size fits all

Threats are personal and unique to each organisation. But cyber security vendors train their sales teams to persuade CISOs that their best solution is the same as their peers chose. If it worked for them, then you must have it!
To claim that two organisations in the same sector or market face the same threats is simply untrue. Your cyber security priorities are personal to your organisation, and probably pretty sensitive in places to discuss out in the open.
If you are using ATT&CK, you should be taking a view per asset or solution and never a holistic view, and you should be focusing only on techniques that your own analysis has shown to be significant. The same applies to the use of all the other similar standards, models and frameworks that are out there.
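The per-asset, risk-weighted use of ATT&CK described above (map techniques against each asset, weigh likelihood and impact against your tolerance, and act only on what your own analysis flags) contrasted with the coverage-percentage dashboard criticised in the previous section, as an added worked example. This is not code from the article or from BAE Systems; the asset names, likelihood and impact scores and the risk tolerance are constructed sample data, and the technique IDs are real ATT&CK identifiers used only as labels.

```python
"""Risk-based prioritisation of ATT&CK techniques per asset versus a flat coverage score.

Added illustration: scores and assets are constructed, not real assessment data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TechniqueRisk:
    asset: str          # the system being protected
    technique: str      # ATT&CK technique ID (real IDs, used here only as labels)
    likelihood: int     # analyst judgement, 1 (rare) .. 5 (expected) for this asset
    impact: int         # 1 (negligible) .. 5 (severe) for this asset
    mitigated: bool     # True if a control already addresses it on this asset

    @property
    def score(self) -> int:
        """Simple likelihood x impact risk score."""
        return self.likelihood * self.impact


# Constructed sample: a cloud-hosted payroll app and a legacy mainframe have very
# different profiles for the same four techniques.
SAMPLE = [
    TechniqueRisk("payroll-cloud-app", "T1566", 5, 4, False),  # Phishing
    TechniqueRisk("payroll-cloud-app", "T1078", 4, 5, False),  # Valid Accounts
    TechniqueRisk("payroll-cloud-app", "T1190", 2, 5, True),   # Exploit Public-Facing Application
    TechniqueRisk("payroll-cloud-app", "T1486", 1, 3, False),  # Data Encrypted for Impact
    TechniqueRisk("legacy-mainframe", "T1566", 1, 2, False),
    TechniqueRisk("legacy-mainframe", "T1078", 4, 5, False),
    TechniqueRisk("legacy-mainframe", "T1190", 1, 5, False),
    TechniqueRisk("legacy-mainframe", "T1486", 3, 5, False),
]


def coverage_percent(risks):
    """The dashboard number: share of modelled technique/asset pairs with a control.
    It ignores likelihood and impact entirely, which is the article's complaint."""
    return round(100 * sum(r.mitigated for r in risks) / len(risks), 1)


def prioritise(risks, tolerance):
    """Per-asset list of unmitigated techniques whose score exceeds the risk
    tolerance, highest risk first. Techniques at or below tolerance are dropped."""
    by_asset = {}
    for r in risks:
        if not r.mitigated and r.score > tolerance:
            by_asset.setdefault(r.asset, []).append(r)
    return {a: sorted(v, key=lambda r: r.score, reverse=True) for a, v in by_asset.items()}


def apply_control(risks, asset, technique):
    """Return a new risk list with one technique on one asset marked as mitigated."""
    return [replace(r, mitigated=True) if (r.asset, r.technique) == (asset, technique) else r
            for r in risks]


if __name__ == "__main__":
    tolerance = 12  # constructed threshold: anything scoring above this needs work
    print(f"coverage: {coverage_percent(SAMPLE)}%")
    for asset, items in prioritise(SAMPLE, tolerance).items():
        print(asset, [(r.technique, r.score) for r in items])
    # Spending effort on a low-risk technique lifts the coverage score but
    # leaves the list of things that actually need attention unchanged.
    later = apply_control(SAMPLE, "legacy-mainframe", "T1566")
    print(f"coverage after mitigating a score-2 technique: {coverage_percent(later)}%")
    print("priorities unchanged:", prioritise(later, tolerance) == prioritise(SAMPLE, tolerance))
```

Mitigating the mainframe's phishing entry (score 2) doubles the coverage figure from 12.5% to 25% while the prioritised list, which is what should drive effort, does not move at all.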
Cyber security professionals must stop being drawn in by vendors’ promises of silver bullets and must go back to their grassroots. The effort to mitigate threats must be prioritised by criticality and probability of your organisation’s weak points. It should address all those things that keep you awake at night, whether that is the data in your latest and most exciting cloud hosted system or that mainframe somehow still ticking away in that third party data centre that no one dares touch.
It was Halloween last month. So please make sure your monitoring and defences continue to do something to protect your organisation’s skeletons in all those IT closets out there, and don’t be drawn in by the hype of conformity to the ways of the hordes.
Oh, and look out for that ghost behind you; it was probably a salesman in a former life, still trying to empty your pockets.

About the author
Chris Holt is National Cyber Mission Pre-Sales Lead at BAE Systems Applied Intelligence