Organisations must continuously adopt new technologies and expand their ecosystem of 3rd party partners to stay competitive. This can create conditions that benefit threat actors. Liberty Mutual has created a framework to provide the insurance, risk, and security communities with a way to use today’s data to take a proactive approach to tomorrow’s cyber risk. The framework has five lenses: threat access, culture, resilience, planning and engineering, and partnerships. Looking through these lenses enables us to simplify both how we understand the conditions threat actors exploit to achieve their goals and how we can invest to control those conditions.
Lens 1: Threat access
To minimise the time and cost to achieve their goals, threat actors want to take the path of least resistance. To gain initial access to systems and data, threat actors benefit from conditions such as the use of default or weak credentials, a lack of multi-factor authentication (MFA), the absence of email filtering to counter phishing, incomplete asset inventories, inconsistent vulnerability management and patching cycles, and the absence of endpoint protection for workstations and servers.
To protect against threat access, there are four main areas organisations need to focus on:
- Safeguarding credentials themselves, and minimising the impact of a compromised credential by deploying MFA and monitoring for signals of compromise.
- Countering phishing attacks that aim to harvest credentials or download malware by deploying email protections such as filtering and sandboxing, and ensuring users have an easy way to report suspicious emails so they can be investigated.
- Minimising the number of internet-facing assets that threat actors can use to gain access to a company’s resources and keeping them up to date.
- Blocking persistent malware from being able to run on machines.
Lens 2: Culture
Threat actors benefit from gaps in organisational culture where there are inconsistencies in alignment, decision-making criteria, and information flows about what security measures are implemented and how. These can manifest as implementing security measures as a compliance checkbox, bypassing IT and security processes without documenting exceptions, and treating security as a purely technical concern. The more gaps there are, the greater opportunity threat actors have to maximise disruption.
Where employees are empowered with the right information, decision-making criteria, incentives, and tools for their role, organisational gaps are limited and opportunities for disruption are minimised.
Implementing a threat-resistant culture is a multi-faceted effort that involves stakeholders ranging from the executive leadership to teams in product management, application development, legal and procurement. It requires explicit frameworks that formalise governance and investment decisions, so that trade-offs are clear at the right levels of management.
Lens 3: Resilience
When an incident impacts a business process, its level of resilience can be measured by the speed and cost to return to normal operations. Threat actors benefit from fragile systems where even small impacts require a lot of time and effort to return to normal. As severe security incidents are something organisations experience rarely, threat actors also benefit where their targets must work out how to respond without existing playbooks that establish roles, communication flows, and steps to take to safely return to operations.
To improve their resilience, organisations can run tabletop exercises to evaluate how they would respond to credible impact scenarios, practice incident response by running simulated threat exercises, and test Disaster Recovery in circumstances that simulate what teams would experience during an attack. These activities enable preparedness by identifying if there are process issues or technical constraints that need to be addressed to mitigate severe or lengthy disruption. They can also identify where there are missing partnerships with 3rd parties or incident response firms.
Lens 4: Planning and engineering
Planning and engineering support resilience by designing systems and services to prevent high frequency, high probability attacks from causing severe incidents. They also ensure systems are built to facilitate threat detection and incident response.
Threat actors benefit when systems are built in a way that is hard to defend, or where inconsistent defences block some paths but leave others open. They also benefit when security capabilities that should be present are missing or not operating correctly.
By implementing guidelines, reference architectures, and security services that can be applied to build and maintain secure systems, organisations can block the paths threat actors take most frequently. Assurance processes that test and measure the coverage, configuration, and operational status of defences then ensure they are functioning as expected.
This raises the level of effort for threat actors across all easy paths and avoids a situation where threat actors find nine out of ten doors closed, but one easy or unmonitored door open that lets them reach their target.
Lens 5: Partnerships
Threat actors benefit when security processes are not tightly implemented with procurement, where there is no inventory that tracks the systems and data 3rd parties have access to, and where there is no contingency planning for compromise of a supplier or business partner.
They also benefit where there is a lack of proactive planning with partners on how to respond to an incident, and a lack of established agreements with service suppliers (including forensic firms and legal counsel) to manage a breach if it occurs.
By gaining visibility of their 3rd party supply chain, working with suppliers and vendors on joint plans for incident response, and collaborating with vendors and insurers, organisations can be better prepared for impacts to their 3rd party supply chain.
By looking through these five lenses, organisations can identify how the data they have today can help them reduce risk. We are excited to share more over the coming months with our clients and the industry on how looking at cyber security through these lenses can improve the landscape for our community and reduce the threat and cost of disruption from a cyber-attack.