Written by: Candan Bolukbas, CTO and Founder
Contributor: Ferhat Dikbiyik, Chief Research and Intelligence Officer
As Sun Tzu said almost 3000 years ago, “To know your enemy, you must become your enemy.” While he was referring to military strategy, the same concept applies in the world of cyberattacks.
Shifting your mindset to start thinking how “the enemy” thinks can make all the difference in how you approach risk management. Looking at your tech ecosystem from the perspective of a malicious hacker can help you understand how to better protect yourself against cyber threats and proactively lower risk.
3 Ways to Look at Your Ecosystem from a Hacker’s Perspective
So, how do you get into the head of an attacker who might try to break into your systems? Since I have spent much of my career as an ethical hacker, I have deep experience testing security controls from the “outside” in. Here are three common threads that I’ve seen throughout my work in offensive security:
1. Reconnaissance is an important early stage in a cyberattack.
When tasked with breaking into a system as an ethical hacker, my team always prioritized reconnaissance: quietly scoping out an organization’s existing controls and looking for gaps. Doing our research made the attacks go much more quickly and efficiently once we started executing them.
In some cases, we found direct weaknesses in the organization’s infrastructure. More commonly, we uncovered weak points in the organization’s surrounding ecosystem, including third-party vendors. Because so many companies entrust their critical data and aspects of their operations to third parties, a weakness in one of these vendors’ systems can quickly become an entry point into the company itself.
But can your team do anything to identify these types of cascading risks early on? It can be extremely valuable for your team to perform the same kind of reconnaissance on your own ecosystem and then make decisions based on what you find. Here are a few findings that might grab the attention of a bad actor:
Unpatched vulnerabilities
Company/brand secrets accidentally left open to the public
Lack of code- or server-level security controls on an organization’s infrastructure
Breached credentials of users / employees
Of course, there are many more, so make sure you think holistically and broadly about how and where a hacker might find a weakness in your systems, applications, vendors, employees, and beyond.
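As an added illustration of the self-reconnaissance idea above, the following Python script scans a few constructed sample files for the kinds of exposed secrets named in the list: a credential embedded in a connection URL, a cloud access key ID, private key material, and a high-entropy API token, while skipping an obvious placeholder password. This is example code written for this page, not Black Kite's or Heighten's tooling; the file names, file contents, pattern list, and entropy threshold are all assumptions chosen for the illustration (the AWS key ID is AWS's documented example value, not a live key).

```python
"""Self-reconnaissance example (added for this page; not the vendor's tooling).

Scans text artifacts for secrets that would be exposed if the files were
published, so a defender can find them before an attacker does.
All sample data below is constructed for the illustration.
"""
import math
import re
from collections import Counter

# Pattern library. Each entry is (label, compiled regex). Formats that are
# public documentation facts: AWS access key IDs begin with "AKIA", and
# PEM private keys open with a "BEGIN ... PRIVATE KEY" header. The rest are
# generic assignment/URL shapes and are assumptions for this example.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # scheme://user:password@host  (password captured nowhere; whole match is the finding)
    ("credential_in_url", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
    # password = value ; group(1) is the candidate value, checked for entropy
    ("hardcoded_password", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]{6,})")),
    # api_key / secret / token = value ; group(1) checked for entropy
    ("generic_token", re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})")),
]

# Entropy threshold (bits per character) below which a captured value is
# treated as a placeholder such as "changeme" rather than a real secret.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value):
    """Bits of Shannon entropy per character of `value` (0.0 for empty input)."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(name, text, entropy_threshold=ENTROPY_THRESHOLD):
    """Return a list of findings {file, line, type} for one text artifact."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            # Patterns that capture the candidate value get an entropy check
            # so low-entropy placeholders are not reported as secrets.
            if m.groups() and shannon_entropy(m.group(1)) < entropy_threshold:
                continue
            findings.append({"file": name, "line": lineno, "type": label})
    return findings


def scan_files(files):
    """Scan a mapping of {file name: contents} and return all findings in order."""
    results = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample repository contents (assumption: what a team might
# accidentally push to a public repository).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DATABASE_URL = 'postgres://app:Sup3rS3cret@db.internal:5432/prod'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"   # AWS's documented example ID
        "API_KEY = 'Xq7vL2pN9sRk4tWb8zYc3mHd6fJg'\n"      # constructed high-entropy token
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEow...\n"                                     # body elided in the sample
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "password = changemechangemechangeme  # placeholder, not a real secret\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['type']}")
```

Running the script reports four findings in the settings file and the key file and none in the README: the placeholder password is filtered by the entropy check, which is the kind of tuning a team needs so that self-scans stay actionable instead of drowning real exposures in noise.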
2. Motivations for choosing targets are often complicated.
When you’re trying to get into the mindset of a malicious hacker, the first motivation that often comes to mind is financial gain. And this is often the driving factor behind attacks. However, some threat actors attack for entirely different reasons. For example, nation-state-sponsored hackers may want to gain unauthorized access to critical infrastructure/government systems to spread political/social messages or otherwise damage political/social targets. During my time working for the Presidency in Turkey, we primarily focused on defending against these types of attacks.
With all these factors in play, predicting exactly which organizations will be targeted when and by whom is nearly impossible. But when you have the right intel and adopt the mindset of an attacker, it’s very possible to predict whether or not a given organization would be eye-catching to certain types of attackers.
For instance, active mentions of an organization’s name and/or assets in hacker forums could show that it is more likely to become a target. As another example, ransomware groups tend to look at specific factors such as a company’s size, revenue, location, and industry when they choose a target. Understanding these factors can help you predict whether you or one of your vendors is likely to experience a ransomware attack and proactively set up defenses.
3. Compliance doesn’t matter to threat actors.
While compliance likely comes up a lot in security team meetings, most threat actors have probably never said the word “compliance” aloud in their lives. Malicious hackers will target a business that will further their causes, regardless of whether or not the business is compliant with certain regulations.
Although it’s important for legitimate businesses to meet compliance requirements to stay on the right side of the law, compliance does not equal security, and hackers know this. If you want to actionably defend your business against attackers, don’t rely on compliance certifications to prove your systems and defenses are airtight. Instead, pay attention to indicators that something in your ecosystem could be an intriguing target for attackers (e.g., a high level of exploitability, mentions on hacker forums, precious information, etc.).
Introducing TrueInsight: a 360° View of Your Third-Party Risk
Heighten's TrueInsight TPRM-as-a-Service is a fully managed approach to assessing and quantifying the potential impacts of identified risks inherent to your relationships and integrations with your providers and other third-party partners.
TrueInsight leverages intelligence scraped from dark web, internet, and technical scanning sources, as well as AI/ML-enabled processing of artifacts (e.g., compliance audit reports and vendor assessment questionnaires), whether uploaded by your organization or already crowdsourced by our technology partners.
At Heighten we take a no-nonsense approach to information security, delivering effective solutions tailored to your needs. We focus on right-sized solutions that balance strong security with practicality, ensuring that your operations stay efficient and protected. With continuous monitoring, incident response planning, and regular audits, we empower your organization to confidently navigate the evolving threat landscape. By providing the highest level of managed security services, we can confidently ensure that your organization and its most valuable assets are protected, indefinitely.
Elevate your cybersecurity by having a conversation with one of our experts. We are ready to help you take your security from vulnerable to relentless.
Original Black Kite blog: https://blackkite.com/blog/think-like-a-hacker-for-successful-third-party-risk-management-tprm/