Everything is based on knowledge

Blog | Publish date: 16 Oct 2023

On a day like this in October, what better time to write a few lines about the importance of knowledge in your cybersecurity work – it is Cyber Security Awareness Month, after all.

Security always starts with knowledge, and it involves knowledge in several different areas.

In this blog post, Mats Wernolf, Security Architect at Softronic, shares his knowledge in the field.


Knowledge of our IT environment

We need to know what hardware and software is in our networks. Without knowledge of what we have in the network, it becomes impossible to maintain good cyber hygiene with functioning patch and life cycle processes. Cybercriminals love forgotten servers and systems running old software that has not been updated: software and hardware with known security holes make an excellent entry point into our networks, and can also be used to move further in the network and escalate privileges.

Knowledge of our opponents

We need good intelligence on who our adversaries are, how they think about monetizing our information (almost all cybercrime is after money), and what their modus operandi is (usually referred to as TTPs: Tactics, Techniques and Procedures). Many times we may not understand that our information has value if we do not have sufficient knowledge of how the criminals convert our information into money.

Cybercriminals are often opportunistic. This means that if, for example, we run a particular kind of application that they like to target because it is easy to breach, we may well be targeted even though we have nothing that we think would be worth anything to them. If they encrypt all our information, we will soon find out that it was quite valuable to us, and that we might be prepared to pay to get it back.

Knowledge of vulnerabilities and threats

Good “Threat Intel”, i.e. knowledge of what vulnerabilities exist in the software and hardware we use in our business, is a must if we are to be able to plug the security holes that appear in them. New vulnerabilities appear every day, and many of them are so-called 0-days, i.e. vulnerabilities for which there is no fix yet and where we need to find other ways to mitigate their effects (restricting access, isolating the system, adding detection), which means that we cannot rely solely on following the suppliers’ update cycles.

Often there is not time to correct every vulnerability that emerges, so Threat Intel also needs to include knowledge of which vulnerabilities are actively exploited by cybercriminals. That knowledge is what lets us prioritize our actions to mitigate or eliminate the threats.
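The prioritization described above, as an added example that is not part of the original post: scanner findings are ranked so that a vulnerability known to be exploited in the wild on an internet-exposed asset outranks a higher-scored but unexploited one, and a finding that is exploited but has no fix yet gets a "mitigate now" action instead of "patch". The findings, the "actively exploited" list and the VULN-n identifiers are all constructed for the example (in practice the exploited list comes from a threat intelligence feed).

```python
"""Ranking vulnerability findings with 'actively exploited' intelligence.

Added example, not the original post's code. All findings, identifiers and
the exploited-vulnerability list below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # constructed placeholder, not a real CVE
    asset: str
    cvss: float           # base score as reported by the scanner
    internet_exposed: bool
    patch_available: bool


# Constructed scanner output for four hosts.
FINDINGS = [
    Finding("VULN-1", "intranet-wiki", 9.8, False, True),
    Finding("VULN-2", "vpn-gateway", 7.2, True, True),
    Finding("VULN-3", "mail-relay", 8.1, True, False),
    Finding("VULN-4", "build-server", 5.3, False, True),
]

# Constructed "known to be exploited in the wild" list (threat intel input).
ACTIVELY_EXPLOITED = {"VULN-2", "VULN-3"}


def priority(f: Finding, exploited: set) -> float:
    """Sort key: higher means more urgent.

    Exploitation in the wild adds more than the whole CVSS range, so any
    exploited finding always outranks any unexploited one; exposure to the
    internet then breaks ties within each group.
    """
    score = f.cvss
    if f.vuln_id in exploited:
        score += 10.0
    if f.internet_exposed:
        score += 3.0
    return score


def action(f: Finding, exploited: set) -> str:
    """Recommended handling for one finding."""
    if f.vuln_id in exploited and not f.patch_available:
        # A 0-day that is being exploited: the vendor cycle cannot be waited for.
        return "mitigate now: isolate the system, restrict access, add detection"
    if f.vuln_id in exploited:
        return "patch now"
    if f.patch_available:
        return "patch in the normal cycle"
    return "track the vendor fix"


def rank(findings, exploited):
    """Return (vuln_id, asset, action) tuples, most urgent first."""
    ordered = sorted(findings, key=lambda f: priority(f, exploited), reverse=True)
    return [(f.vuln_id, f.asset, action(f, exploited)) for f in ordered]


if __name__ == "__main__":
    for vuln_id, asset, todo in rank(FINDINGS, ACTIVELY_EXPLOITED):
        print(f"{vuln_id:8} {asset:15} {todo}")
```

Note that VULN-1, the only finding with a "critical" score, ends up third: it is neither exploited nor reachable from the internet, so the two exploited findings on exposed hosts come first, and the one without a patch gets the mitigation action.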

Knowledge of what is happening in our networks

We need to collect telemetry from our networks so that we have a good understanding of what is happening in them. Without this knowledge, we cannot identify anomalous patterns, or find and evict potential attackers. We need to know what indicators to look for (so-called IoCs: Indicators of Compromise) and actively hunt for signs of intrusion in our environments.
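The IoC hunt described above, as an added example that is not part of the original post: a small set of indicators (an exact IP, a network range, a domain and a file hash) is matched against a handful of firewall, DNS and endpoint telemetry lines. The log lines and indicators are constructed for the example; the IP addresses are from reserved documentation ranges and the hash is a placeholder. The domain check deliberately handles one failure mode: a naive suffix match would flag "notbad.example.net" as a hit for the indicator "bad.example.net".

```python
"""Hunting for indicators of compromise in collected telemetry.

Added example, not the original post's code. Log lines, indicators,
addresses and the hash are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IoC set. In practice this comes from threat intel feeds.
IOCS = {
    "ip": {"198.51.100.23"},
    "cidr": {ipaddress.ip_network("203.0.113.0/24")},
    "domain": {"bad.example.net"},   # indicator covers its subdomains too
    "sha256": {"0" * 64},            # placeholder hash
}

# Constructed telemetry in a key=value style (firewall, DNS, EDR).
LOGS = [
    "2023-10-16T08:01:02Z fw src=10.0.0.5 dst=203.0.113.77 dport=443 action=allow",
    "2023-10-16T08:01:05Z dns client=10.0.0.5 query=cdn.bad.example.net type=A",
    "2023-10-16T08:01:09Z edr host=ws-042 proc=svchost.exe sha256=" + "0" * 64,
    "2023-10-16T08:02:00Z fw src=10.0.0.9 dst=192.0.2.10 dport=443 action=allow",
    "2023-10-16T08:02:10Z dns client=10.0.0.9 query=notbad.example.net type=A",
]

KV = re.compile(r"(\w+)=(\S+)")


def match_ip(value: str, iocs=IOCS):
    """Exact IP or CIDR containment; None if value is not an IP or not listed."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    if value in iocs["ip"]:
        return f"ip:{value}"
    for net in iocs["cidr"]:
        if ip in net:
            return f"cidr:{net}"
    return None


def match_domain(value: str, iocs=IOCS):
    """Exact domain or a real subdomain of an indicator.

    Plain endswith() would also flag 'notbad.example.net' for the indicator
    'bad.example.net', which is a different registrable name.
    """
    host = value.lower().rstrip(".")
    for d in iocs["domain"]:
        if host == d or host.endswith("." + d):
            return f"domain:{d}"
    return None


def match_hash(value: str, iocs=IOCS):
    v = value.lower()
    return f"sha256:{v[:12]}" if v in iocs["sha256"] else None


def scan(lines, iocs=IOCS):
    """Return {line_index: [indicator, ...]} for every line touching an IoC."""
    hits = defaultdict(list)
    for i, line in enumerate(lines):
        for key, value in KV.findall(line):
            if key == "sha256":
                m = match_hash(value, iocs)
            elif key in ("src", "dst", "query"):
                m = match_ip(value, iocs) or match_domain(value, iocs)
            else:
                continue
            if m:
                hits[i].append(m)
    return dict(hits)


if __name__ == "__main__":
    for idx, found in sorted(scan(LOGS).items()):
        print(f"{found} <- {LOGS[idx]}")
```

Only the first three lines match: the firewall connection into the listed range, the DNS query for a subdomain of the listed domain, and the endpoint event carrying the listed hash. The lookalike domain on the last line is correctly left alone, and the fields that are checked are chosen by key rather than by matching every token, so internal addresses and process names are not tested against indicators they cannot meaningfully match.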

Knowledge of countermeasures

Last but not least, we need to know what countermeasures to put in place if we find cybercriminals in our networks. When we find signs that we are under attack, there is no time to start thinking about how to kick them out and restore normal operations. It is therefore important that our processes, our playbooks, are already developed and documented, and that everyone who may need them knows where to find them. Well-defined and tested playbooks are an important part of incident management and a kind of knowledge that everyone needs to invest in.

Contact us

If you would like to take advantage of our collective knowledge in the field of cybersecurity, you are welcome to contact me and my colleagues in cybersecurity at Softronic and we will do what we can to help you fill your knowledge gaps.


Blog post written by: Mats Wernolf, mats.wernolf@softronic.se
