As Security Professionals our job is to prevent attackers from compromising our people, facilities and systems. It’s largely defensive, though there is a lot of discussion about making our role more offensive. That will be tackled on another day, but we can look at our job as defensive specialists. There are many tools and practices that we can employ to improve our defensive posture. You can find them with simple google searches or through any online security magazine. However, before we do any of that, we need to get in the right mindset. We need to think like the threat.
If you know anyone who has been trained as an intelligence officer in the military or within a government, one of the first things they learn is how the threat fights or operates. This sets the stage for them to recommend solutions that are effective and not outdated. Similarly, as security professionals, we need to know the threat. How do they operate? What are their tactics, techniques and procedures? What vulnerabilities do they look for?
Let’s look at some suggestions:
Study Threat Attacks. If we are professionals, then we have to take our craft seriously and understand our threats. We need to study their methods and their practices. We need to understand what they look for and how they attack people, facilities, and systems. This will allow us to build defenses in-depth and to prioritize issues for remediation.
Read Case Studies. After high profile attacks, there is generally an assessment done. Read these. Additionally, in some cases that go to court, read the Affidavit. These go into great detail about how an attack happened.
Host / Set Up Analytical Exchanges. We can also learn by recognizing what we don’t know. Identify our own gaps and seek out people to learn from. Host analytical exchanges with other organizations in both the public and private sectors.
War-game. If you want to think about the right defenses, set up a war-game exercise. This is an underappreciated element of threat protection. Pit someone to play the role of the defense and someone to play the role of the attacker. Establish rules and go forth. Keep the process limited to action/reaction and then move on to the next action/reaction. This will help you identify most likely and most dangerous courses of action. Additionally this should incorporate all three elements of security – physical, personnel and information security. A good attacker will use any of them to identify vulnerabilities so you should too.
Conduct a Vulnerability Assessment. Following up on war-gaming, you need to know where you are weakest. It’s great if you know this already, but you should conduct annual vulnerability assessments to ensure you are working to improve your gaps. And consider an external organization to do this. You might already know the areas that need addressed, but someone else might see it differently. Look to use Pen-Testers and social engineers. Vary it up and then learn from them. Ask questions. Walk around while they do the assessment and see what they see.
Share What You Learn. The worst thing about learning about the threat is keeping it all to yourself. Plan and prepare your team and your leadership for what the threat does. Document what you learn. Share relevant stories, educate your employees, create a positive security culture.
These are just some things you can do to be better prepared and implement better defenses for our organizations.