Companies are facing an uphill battle to protect their systems from increasingly sophisticated cyberattacks and will need to get smarter about how they prioritize and invest in cybersecurity. With limited resources, it can be difficult to know which controls matter most. As such, it is essential for companies to focus their limited cybersecurity investments on the controls that are most important for their respective business profiles.
One way to do this is by using the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework developed by MITRE Corporation. This framework provides a comprehensive overview of the tactics and techniques used by modern attackers. It can help organizations identify the threats they face from different types of attackers, such as nation-state actors, criminal groups, and hacktivists, as well as the specific techniques they may use to compromise systems.
Using this framework, companies can assess which threat techniques are most likely to target them based on their business profile. For example, a company with a lot of legacy infrastructure should review the techniques listed in the framework that relate to exploiting outdated operating systems. It can then prioritize the security controls necessary to defend against those threats.
Once the threats have been identified, companies can use a threat-modeling approach to evaluate which controls are necessary to defend against those threats. This involves analyzing the existing environment and visualizing the attack surface to identify potential points of compromise. This step helps organizations understand their weaknesses and helps them decide where to allocate resources to improve security.
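The prioritization described above can be sketched as a small budgeted-coverage calculation. This is an added example, not part of the original article: the technique weights, control costs and the greedy heuristic are assumptions, and the technique-to-mitigation mapping is a constructed subset rather than an export of the ATT&CK knowledge base.

```python
# Constructed sample data for a company with legacy, internet-facing Windows servers.
# Weights (relevance to this business profile) and costs are assumptions.
TECHNIQUE_WEIGHT = {
    "T1190": 5,      # Exploit Public-Facing Application
    "T1210": 4,      # Exploitation of Remote Services
    "T1068": 3,      # Exploitation for Privilege Escalation
    "T1059.001": 3,  # PowerShell
    "T1059.003": 2,  # Windows Command Shell
}

# control -> (cost in arbitrary budget units, techniques it mitigates)
CONTROLS = {
    "M1051 Update Software":      (4, {"T1190", "T1210", "T1068"}),
    "M1030 Network Segmentation": (3, {"T1190", "T1210"}),
    "M1038 Execution Prevention": (2, {"T1059.001", "T1059.003", "T1068"}),
    "M1045 Code Signing":         (2, {"T1059.001"}),
}


def prioritize(controls, weights, budget):
    """Greedy plan: repeatedly buy the control with the best newly covered
    technique weight per unit cost until nothing affordable adds coverage.
    Returns (ordered plan, techniques still uncovered)."""
    covered, plan, remaining = set(), [], budget
    while True:
        best, best_ratio = None, 0.0
        for name, (cost, techs) in controls.items():
            if name in plan or cost > remaining:
                continue
            gain = sum(weights.get(t, 0) for t in techs - covered)
            if gain / cost > best_ratio:
                best, best_ratio = name, gain / cost
        if best is None:
            break
        cost, techs = controls[best]
        plan.append(best)
        covered |= techs
        remaining -= cost
    # Uncovered techniques are the residual risk and the first candidates for testing.
    return plan, sorted(set(weights) - covered)


if __name__ == "__main__":
    for budget in (4, 6):
        plan, gaps = prioritize(CONTROLS, TECHNIQUE_WEIGHT, budget)
        print(f"budget={budget}: plan={plan} uncovered={gaps}")
```

The uncovered list that remains at a given budget is the explicit residual risk, which is also a natural starting point for deciding what to emulate in testing.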
Finally, organizations should not forget to regularly test their security measures to ensure they are working as intended. The same threat-modeling process described above can also be used to focus testing efforts on emulating relevant threat techniques. For example, the threat actors responsible for the SolarWinds breach used PowerShell and the Windows command line throughout the entire campaign. Companies should test their security controls against these techniques to ensure they are adequately protected.
Overall, companies can use the ATT&CK framework to get an understanding of the threats they face and the risk they pose. They can then use a threat-modeling approach to evaluate which security controls are necessary and focus their testing efforts on emulating those threats. By being strategic about their limited cybersecurity investments, companies can ensure they are taking the right steps towards protecting their valuable assets.