Faced with the daily barrage of reports on new security threats, it is important to keep in mind that while some are potentially disastrous, many are harmless or irrelevant to individual organizations.
CISOs often find themselves needing to prioritize the specific threats they need to defend against. In addition, they must take stock of their security strengths and weaknesses so they can focus their efforts on relevant threats.
A major challenge to staying focused is media-driven distraction. CISOs who understand their security posture can ignore the media noise knowing that threat X is not a risk — either because it has been patched or because such an attack is highly unlikely to target an organization of their size or type.
The benefits of tailoring security skills training to specific threats are clear and lasting. It enables an organization to address relevant risks with vigor and focus, to craft clearly defined training goals, and to ensure all team members acquire the right skills to identify and defend against the most dangerous threats.
How to Tailor Training
The best starting point is to be strategic — to focus on the type of attackers that threaten or could threaten the organization, create a profile of these adversaries, and identify their tools and tactics. Next, it’s important to perform an honest and realistic assessment of the security team’s tools and skills for combating the attackers — and to improve them where holes and deficiencies exist.
Below are five broad categories of threat actors, ranked by their level of sophistication, along with the corresponding defense measures needed to protect against them.
These are typically amateurs or script kiddies who use publicly available malware, credentials, and other TTPs that require little skill to use.
Defense needed: these actors can often be contained by automated machine detection using signature-based capabilities on an endpoint or network.
Prudent Threat Actors
Slightly more advanced than the first rank of criminals, these actors avail themselves of paid or publicly available malware, credentials, and other TTPs that require little skill to use.
Defense needed: Automated detection mostly suffices, but sometimes an organization will need more complete configuration management and log aggregation.
These criminals, often hacktivists, deploy modified public tools and paid tools. Many of the tools, such as Metasploit and Cobalt Strike, have potent, interactive capabilities.
Defense needed: Basic threat intelligence and behavioral signatures are needed for full coverage.
Here the actors are nation-states and high-level criminal gangs, who use internally developed tools and capabilities.
Defense needed: Behavioral and advanced threat detection.
These are high-level attackers working for nation-states. Their tools and capabilities are built with the best OPSEC for the specific operations they are used in.
Defense needed: Behavioral detection supported by deep manual analysis of the environment.
Once an organization has determined which category or categories of threat actors it must defend against, the following best practices can be used to develop threat-centric security training.
Develop a detailed plan. Planning is always the bedrock of a good roadmap. The more time an organization takes to prepare a training plan — by researching its needs, critically assessing its resources, and by talking to partners and customers — the more likely its strategy will be successful.
Objectively assess new threats. Chances are, not all new threats will affect a given organization, either because they have been remediated by a patch or other control, or because they are simply irrelevant to the organization’s size or vertical industry.
Use industry resources to identify threats to the organization or its vertical industry. Some excellent resources are the major security publications, the Verizon data breach incident report, and industry-specific ISAC threat intelligence feeds.
Collaborate with training partners to transform the plan into action. Partners can provide not just valuable insights but concrete advice on how to implement upskilling exercises, assessment, and reporting.
The importance of tailoring security training to specific threats has never been more urgent, given the variety and volume of cyber risks facing the average organization. By focusing on attack tactics and techniques that pose clear and present danger to the business, a company can achieve the greatest return on its training initiatives.