Managing Digital Risk: 4 Steps to TakeJune 18, 2019
Organizations are finding it increasingly difficult to know where their data is stored and shared in today’s technology-forward, connected world. Although these new, digital technologies help organizations advance their business, they come alongside risks that can be difficult to manage.
In this blog, we walk you through the emergence of digital risks and key steps you can take to help your organization to securely achieve the benefits of digital transformation.
Defining Digital Risk
As organizations become more interconnected to their supply chain, customers, and partners, the assets that security teams have been trying to protect become exposed. Adversaries take advantage of this exposure, making use of weaknesses, leveraging exposed data, and impersonating online brands. Unmanaged, this leads to the loss of sensitive corporate data, violation of privacy laws, and damaged reputations for organizations. If we want to manage these new, digital risks, we need to start looking outside the traditional perimeter.
In order to securely achieve the benefits of digital transformation, organizations need to consider three core areas.
- Data Loss Detection
Imagine if your intellectual property was exposed online, your board minutes were inadvertently leaked, or your developers inadvertently exposed sensitive code. Attackers can leverage exposed data such as this as part of their campaigns, using it to exploit your organization and launch more targeted cyber attacks. Organizations need to continuously monitor for exposed data including credentials, sensitive documents, intellectual property, and third party exposure.
- Online Brand Security
As organizations turn to social media and other online platforms to engage with prospects and customers, attackers look to impersonate their brand. Cybercriminals do so by registering spoof domains, social media accounts, and mobile applications. If successful, phishing attempts against your customers can then impact your revenue, loyalty, and customer trust.
- Attack Surface Reduction
As your IT infrastructure continues to grow, it becomes more complex to have sufficient visibility into your attack surface. Adversaries take advantage by exploiting public-facing applications as part of their campaigns. Security teams need to monitor for exploited vulnerabilities on infrastructure, weak or expiring certificates, open ports, and misconfigured file sharing protocols.Security leaders rely on their teams to solve these problems, but they lack the capabilities to effectively visualize and manage these digital risks that exist beyond the perimeter of their organization. On top of this, they lack the tools and expertise to communicate these risks to the business.
So how can security practitioners protect against these threats to their businesses? Here’s four key steps you can take to help manage your digital risk.
How to Manage Your Digital Risk – 4 Key Steps
Step 1 – Identify Your Critical Business Assets
In order to properly manage digital risks, an organization needs to first determine what sensitive data it has, and how it might be used by threat actors or adversaries.
A good place to start is with thinking through common examples of critical business assets:
- People (customers, employees, partners, service providers)
- Organizations (peer organizations, service departments, common infrastructure)
- Systems and supporting critical applications (websites, portals, databases with customer data, payment processing systems, employee access systems, or ERP applications)
A best practice is to center your asset management activities around the critical business or economic functions of an organization. But with digital risk, there is an additional key step to think about: how are these assets referenced or how do they appear in the digital domain? In our Practical Guide to Reducing Digital Risk, we note that “it is a good practice to list a wide range of identifying text strings which may be helpful in identifying particular types of assets, be they technical watermarks, footers, domains or protective markings used to mark confidential documents.” This then assists with building a plan to identify them online.
By spending the time working these items out, you can begin to think about where your organization may be exposed, and how adversaries might access this information.
Of course it’s not a perfect science – for example, some companies may not find social media accounts to be of critical importance, but we continue to see these accounts targeted by adversaries. We recommend working with the regulator who will often mandate this themselves.
Step 2 – Understand the Potential Threats To Your Business
In order to best understand and calculate your risk, you need to understand the following potential threats and digital risks to your business.
- A threat’s behavior (tactics, techniques, and procedures)
Frameworks such as MITRE ATT&CK and others help provide a common language where security teams can gain insight into how defenses can be aligned to real-world threats. Collecting and understanding behavior data across a broad range of threat actors can give highly useful context to those responsible for protecting businesses. Either in deducing the likely next step in an observed attack, or in supporting decision making in putting in place defenses.
- Opportunities Available to the Threat Actor
Adversaries will exploit opportunities and will prioritize their attacks accordingly, targeting the lowest hanging fruit or the shortest path to success. Adversaries will make use of online exposure; using exposed credentials to conduct account takeovers, assessing the digital footprint, impersonating the brand to launch phishing attacks, and exploiting vulnerabilities in external infrastructure. The first stages of any attack use reconnaissance techniques to reveal the most effective path to exploiting the target. Professional red teams have developed techniques based upon OSINT (Open Source Intelligence), hostile reconnaissance techniques to enumerate their targets without touching a computer to prepare an effective campaign.
Step 3 – Monitor for Unwanted Exposure
To detect exposed assets, organizations should consider a wide range of sources and prioritize those that are most relevant to them across the open, deep, and dark web, including:
- Git repositories
- Misconfigured online file sharing services
- Paste sites
- Social media
- File-sharing sites
- Criminal forums
- Dark web pages
If you’re interested in a list of free tools to help monitor for digital risks and exposure, make sure to check out our free Practical Guide to Reducing Digital Risk. We share tips and tools that can help your team monitor for exposed employee credentials, exposed sensitive documents, customer accounts, sensitive code exposure, and more.
While detecting your online exposure is key, you also need to ensure you have a mitigation strategy in place. It’s important to consider tactical, operational, and strategic approaches to mitigation.
While there’s not always the option of an immediate response, these can help with more strategic investment considerations. Here are some examples of tactical mitigations:
- Attack Surface Reduction – Our team advises clients to look at their technical infrastructure with an “attacker’s eye view”. Teams should retire and deprecate services wherever possible so that there is less to attack.
- Removal of offending content from websites – There are many means for removing offending content from the internet. Takedown requests require review, but from our own experience, it is possible to takedown a large proportion of offending content with social media sites, ISP abuse notification processes, and legal notices that offer tools for this removal.
- Networking blocking actions – With squatted sites of phishing attempts, work on policies to either block the domain, IP or offending content using existing proxy, firewall, or perimeter controls. For organizations fortunate enough to have a ticketing system or, even better, security orchestration and automation – then take common use cases for commonly observed behaviors and implement blocking actions.
It is important to also have an ongoing view of your digital risk to help with detection strategies. Here are some examples of operational mitigations.
- Implement a monitoring strategy – Start with domain monitoring and add further capabilities over time by use case. This continued coverage will help build confidence in your digital risk management.
- Integrate with incident response processes – Determine which risks to monitor for, implement your detection strategy, conduct investigations, contain the risks, remove any issues, and review.
- Embed in security operations – Security operations teams need to consider context when reviewing external digital risk incidents. SecOps should have a view of the entire attack surface to understand all exposure points online.
To implement a strategic digital risk management strategy, security teams should also work on more strategic investment in defenses. Some examples include:
- Updating risk and threat models – The deeper the understanding you have of the inputs, the more accurate the model. Make sure your risk assessments account for critical digital assets, including those associated with third party and supply chains.
- Measuring, managing, and reporting digital risk – The more visibility you have into your digital risk, the better you can measure your exposure and severity level of incidents. We recommend integrating into incident management processes to help streamline opportunities to communicate risk to the rest of the business. This then helps show confidence in a full digital risk picture, and provides justification for investment in the area of digital risk management.
Building a digital risk management strategy takes time and effort across the business; it’s no easy feat. Teams must include detection, integration, and remediation for helping to build maturity into their processes. Security teams can look to build digital risk capabilities internally, utilize free tools online, or invest longer-term in external enterprise solutions.
No matter which way you decide to take your organization for managing its digital risk, have a look at our Practical Guide to Reducing Digital Risk, which offers free ways to get started and progress over time.
We hope this has been helpful as you consider your digital risk management strategies, and welcome any feedback to improving this guide.
If you’re interested in our digital risk solution, SearchLight, we’ve opened up our tool to use for 7 days free. You can gain an idea of your organization’s online exposure across the open, deep, and dark web, plus have a look at our intelligence library where we give insight into threat actors and campaigns.
Get started for free here 👇👇👇