
Don’t Rely on One Star to Manage Digital Risk, The Key is Total Coverage

Vince Lombardi, one of the greatest coaches of all time, said, “The achievements of an organization are the results of the combined effort of each individual.” Think about the most successful coaches and you’ll see a common thread – the ability to bring players and staff together and use their talents effectively and intelligently to defeat opponents. Phil Jackson accomplished this with different NBA franchises and Joe Gibbs with different quarterbacks. They didn’t count on any one “star” to carry the team. Nor did they focus their efforts on defending against one big threat. They led their teams to victory by looking at the big picture and understanding how to strategically apply capabilities to defeat whatever the opposition pulled out of their bag of tricks.

Wouldn’t it make sense to follow a similar approach to defeat adversaries and mitigate digital risk, the risk associated with expanding our digital footprint as we increase business activities on the internet and via cloud solutions? But, typically, we don’t.

Just as great coaches know they’re up against an entire team that can vary their plays and draw on different skills with the sole aim of defeating them, the risks as you digitally transform your business come from all kinds of adversaries and places beyond the boundary. Individually, you don’t just have a dark web problem, or an open source problem or a social media problem. You have a problem with ALL external digital risks and threat actors seeking to do your business harm. 

Digital risks include cyber threats, data exposure, brand exposure, third-party risk, VIP exposure, physical threats and infrastructure exposure. Often these threats and risks span data sources and cannot be detected in full context by any point solution or even by multiple solutions used in isolation. You need insight across the widest range of data sources possible to mitigate digital risk and better protect your organization. Here are three examples.  

1. We all know organizations struggle to keep up with patching, and this challenge isn’t expected to go away any time soon. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. Addressing every vulnerability as soon as a patch is issued isn’t possible for most IT teams. But determining which vulnerabilities to patch first can be problematic. By monitoring open, deep and dark web forums as well as social media you can learn which vulnerabilities are being discussed as popular vectors for attack. These sources can also reveal which exploit kits are using specific vulnerabilities and even if those exploit kits are being used to target your industry. Armed with this information, you can make more informed decisions about which systems and applications to patch first and more effectively and efficiently mitigate risk. 

2. Ideologically motivated, hacktivists are far from quiet. They typically use social media to promote their cause and garner attention and often announce their targets on Facebook or Twitter. They also use Internet Relay Chat (IRC) to orchestrate attacks in real time. An uptick in hashtags and traffic on social media and open source IRC channels is a leading indicator of whether a cause is gaining traction. Mentions of your company, key executives or IP addresses will help you determine if you’re being targeted so you can proactively boost security controls.

3. A more complex example, but one that has been in the spotlight recently, is database extortion. In this scenario, attackers look for publicly exposed databases, for example on Amazon S3 buckets. From there, they may be able to find information allowing them to remotely connect to a server or desktop to infiltrate your organization further. Or, as in the case of the MongoDB extortion pandemic, they can replace data with a ransom request for bitcoin payment in exchange for restoration of the database. Should the ransom request go unheeded, attackers may then apply pressure on the CEO by posting a message to Pastebin or via social media. In this scenario there are several points of compromise and several ways to gain a deeper understanding of the attack. To learn the entire sequence of events, the impact to your organization and how to mitigate digital risk in the future you need more than visibility into S3 buckets. You need access to hacked remote server and remote desktop protocol (RDP) sites to look for mentions of your IP addresses. Access to Pastebin and monitoring social media channels will allow you to check for mentions of your company and/or executives. The dark web can provide information on threat actor profiles to understand their motivation and gauge credibility.


In each of these three examples, tracking just one source, or even all sources but in isolation, would not give you the full context for any one of these threats. Like a coach, you need to be able to see the big picture with an approach that monitors the entire Internet for risks to your business. Only then can you take the right actions to keep your business and reputation intact and mitigate digital risk in the future.
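The cross-source view argued for above, sketched as an added example that is not part of the original article: constructed records from several monitored sources are matched against a hypothetical watchlist and clustered in time, so that related hits surface as one event. The watchlist, source names, 7-day window and escalation rule are all assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Hypothetical watchlist: organisation name, one executive, one documentation-range network.
TERMS = {"example corp": "brand", "jane doe": "vip"}
NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample records, as they might arrive from separate monitoring feeds.
RECORDS = [
    {"source": "s3-scan", "time": "2017-03-01T08:00", "text": "open bucket lists host 203.0.113.25"},
    {"source": "rdp-shop", "time": "2017-03-02T11:30", "text": "RDP access for sale: 203.0.113.25"},
    {"source": "pastebin", "time": "2017-03-04T19:10", "text": "Example Corp database taken, pay up"},
    {"source": "social", "time": "2017-03-05T09:45", "text": "Jane Doe, your customers should know"},
    {"source": "social", "time": "2017-03-05T10:00", "text": "who owns 198.51.100.7?"},
    {"source": "irc", "time": "2017-06-20T10:00", "text": "example corp careers page is down again"},
]

def matched_assets(text):
    """Return the watchlist categories (brand, vip, infrastructure) a record touches."""
    hits = {kind for term, kind in TERMS.items() if term in text.lower()}
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(addr in net for net in NETWORKS):
            hits.add("infrastructure")
    return hits

def correlate(records, window=timedelta(days=7)):
    """Cluster watchlist hits that occur within `window` of the previous hit."""
    hits = [(datetime.fromisoformat(r["time"]), r["source"], matched_assets(r["text"])) for r in records]
    hits = sorted((h for h in hits if h[2]), key=lambda h: h[0])
    clusters = []
    for when, source, kinds in hits:
        if not clusters or when - clusters[-1]["end"] > window:
            clusters.append({"start": when, "end": when, "sources": set(), "kinds": set()})
        c = clusters[-1]
        c["end"] = when
        c["sources"].add(source)
        c["kinds"] |= kinds
    for c in clusters:
        # Assumed rule: escalate only when several sources AND several asset types line up.
        c["escalate"] = len(c["sources"]) >= 2 and len(c["kinds"]) >= 2
    return clusters
```

Viewed per source, each March record is a single low-context hit; clustered, they form one escalated event spanning infrastructure, brand and VIP exposure, while the lone June mention stays unescalated.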
