How to Wrap Your Cybersecurity Plan around an Attacker’s Mindset

Is an attacker interested in your organization? Probably. Deconstructing the PoV of cyber attackers is key to defending your turf.

Ermetic Team By Ermetic Team
How to Wrap Your Cybersecurity Plan around an Attacker’s Mindset

Have you ever wondered why an attacker might be interested specifically in your organization? In this post we deconstruct the attacker’s PoV and what you can do to defend against it.

Understanding the attacker’s point of view is key for protecting your organization from cybersecurity attacks. By gaining insight into who may seek to attack you and their motives, you can more easily build a prioritized security plan – and get management’s buy-in to it.

When attempting to get inside an attacker’s head and build a defense plan, the most important thing to remember is: there is no template! While basic to-dos (“don’t give full admin access to all users,”...) are recommended across the board, in the end, an effective defense plan comprises creativity and people. Forgive the cliche but out-of-the-box thinking is key to reducing the attack surface of your complex environment and protecting it from an attacker whose entire modus operandi is thinking outside the box.

Acting this way means breaking common practices, bringing in a diverse set of people and resisting the temptation to pile on security tools by their cookie cutter category or vendor scare tactics (we’re a vendor, so we’re blushing with some mea culpa).

In this post, we’ll take you through the first steps in the journey toward thinking differently. Let’s look at who the attackers are, why they do what they do and actionable steps for governing the situation.

We’ll cover:

Types of Cyber Attackers
Which Organizations Do Attackers Target?
Risk Management: How to Minimize the Blast Radius
Quick Cybersecurity Wins
Incorporating Security Tools

For a more in-depth explanation on each section you can watch the “Deconstructing the Attacker Mindset” webinar, on which we’ve based this blog post. Watch here.

Types of Cyber Attackers

While Hollywood and Netflix may depict cyber attackers as lonesome, male geeks sitting in a dark room in a hoodie, think again. Broadly speaking, there are three main types of cyber attackers: government or nation state actors, cyber criminals and private-sector offensive actors. Let’s dive into the characteristics of each one.

- Governments and Nation State Actors

Governments commonly spy on other nations. This gathering of intelligence takes place through various methods, like satellites, tapping into phones and the efforts of human spies, as well as through cyber attacks. A government might coordinate such an attack itself, or support and back another actor to do its “dirty” work.

These actors are not to be taken lightly. A recent survey among 800 IT decision-makers in Australia, France, Germany, India, Japan, the UK and US found that 86% of respondents believe they have been targeted by a nation-state attacker.

- Cyber Criminals

Cyber criminals are individuals or gangs who attack systems. Their main motive is usually financial gain, although cases exists of cyber criminals operating for political, religious or social causes. Cyber criminals have fewer resources than governments but usually cause more damage.

Lapsus$, for example, is a high profile ransomware gang known for breaching NVIDIA, Microsoft and Samsung Galaxy. In March 2022, a number of people were arrested in London in connection with a Lapsus$ investigation.

- Private Sector Offensive Actors

The third, less known, type of cyber attacker is private-sector actors. These are individuals and groups who offer “cyber attacks as a service.” They provide attacking capabilities to other organizations and individuals for a price. These actors usually operate as semi-military organizations and consist of ex-military individuals; their sophistication level is, accordingly, very high. Private-sector offensive actors usually focus on intelligence gathering.

When working on their cyber-defense strategy, enterprises need to take all three cyber attacker groups into consideration.

Which Organizations Do Attackers Target?

Sadly, no organization gets a “get out of jail free” card. All types of organizations are potentially targeted by cyber attackers or can be negatively impacted by the shell shock and true damage of an attack. This includes enterprises, SMBs, startups, non-profits, governmental entities and more.

Organization are usually targeted based on one of three conditions:

Critical infrastructure related. Critical infrastructure organizations are always of interest to cyber attackers. The notorious Colonial Pipeline incident impacted oil pipeline management in the US and forced payments of millions of dollars in ransomware (partially retrieved later). But even less known cases, like attacks on water supply facilities or energy corporations, show the breadth of such plants and enterprises being targeted.

Supply chain related. Cyber attackers often attempt to infiltrate organizations through the weak links in their supply chain. Solarwinds, for example, was attacked because it supplied IT software and services to the US federal government. Unless you operate in a silo, you are also part of someone’s supply chain, making you a potential target.

Cyber attack globalization. Finally, cyber attacks aren’t always confined. Rather, their blast radius affects other companies in the immediate surroundings. So if an organization you have a connection with, such as one you work with or that has a common supplier, is attacked, you may be impacted as a side effect of them being attacked. Cyber attack globalization, if you will.

Risk Management: How to Minimize the Blast Radius

While we’re all vulnerable, this doesn’t mean organizations should just surrender and accept the fact that they will be breached. While you probably will be, managing cybersecurity risk can help minimize the blast radius and reduce any collateral damage that would otherwise result from attacks. For example, cybersecurity tactics can help prevent sensitive data from being exposed, avoid compliance fines, etc. Businesses can thrive even in this modern age of cyber attacks.

What does this mean from a practical point of view? We believe in a “baby steps” approach: taking one step at a time to improve security posture without overwhelming your organization.

Step 1: Map Your Stack and Attack Surfaces

The first thing to understand is where you stand. Start by identifying your critical assets (the “crown jewels”). Map your technological stack and network, especially if you are a large enterprise with a substantial architecture.

Keep a watchful eye out for:

  • Public interfaces
  • Technologies used
  • Infrastructure - whether cloud-based or on-premises

By understanding which technologies and components you use, you will have an easier time identifying which areas need to be secured and choosing security products that are relevant to helping defend your network.

Step 2: Invest in Your Team

A strong security team is the key to a successful cybersecurity strategy. Therefore, security leaders who invest in their team by training them in the relevant technologies and mentoring them will be able to innovate and protect the organization from dangerous threats.

We recommend conducting regular training sessions, as well as consuming the learning available through external outlets: free resources, online courses, external advisors. All these means will help keep your team up-to-date and constantly improving their security know-how.

In addition, promoting skillset diversity across the team will also help you in building and executing on your security plans and solutions. For example, a team that has both an offensive and a defensive mindset will bring in a wide variety of skills: analytical thinking, a methodical approach to carrying out tasks, the ability to make strategic decisions and break boundaries, and experience in a wide variety of programming languages.

Step 3: Build Relationships and Influence from Within

Working inside an organization requires building relationships and influence. This inside networking framework is key to being able to advance and leverage internal processes. Whether the security team needs to implement a new security tool, get engineers on board for running new security protocols during development or introduce security best practices across the board, having internal influence can help ensure cooperation and implementation.

Step 4: Hire an External Team to Test Your Cybersecurity Resiliency

Finally, we’re all human, so subject to the “streetlight effect”: making decisions based on what’s familiar and easier. But vulnerabilities may well lurk in the dark. Working with an external team unfamiliar with the ins and outs of your organizational network may uncover new risky areas that could be exploited. Bringing in outside minds can help you remediate risk on time.

Quick Cybersecurity Wins

While you implement the “baby steps” plan, we realize you may need to show some quick wins to your leadership. Therefore, we recommend doing the following:

  1. Identify the most crucial assets
  2. Try to get unauthorized access to those assets
  3. Present your findings to management and get resources to fix the vulnerabilities

You can focus these efforts on complex configurations, like technologies that don’t get regular updates and may have bugs and issues; open source technologies in use that may be vulnerable; scanners that may be showing up in your logs, etc.

These three steps will show the impact of your capabilities and of cybersecurity on the organization. Once you’ve convinced management, you can move on to more advanced methods and solutions.

Incorporating Security Tools

Finally, after achieving a working degree of organizational and team maturity, it’s time to incorporate open source and commercial security tools and build your cloud security maturity. Security tools bring value by enabling security teams to run fast when they are detecting and mitigating threats.

Security tools can provide visibility, automation and remediation, and customizable workflows and policies that support security and engineering when combating attackers. These tools take into account the attacker’s point of view and leave security teams time to invest in more complex, sophisticated situations where they are required for defense – and free up development and others from manual security tasks. Such tools also provide depth and breadth in network and attack surface analysis, which is usually beyond the ability of mere humans.

Together, security teams, security stakeholders (including development and IAM) and security tools, working in unison, can help prevent even the most creative and sophisticated attackers from having their way.