With the daily deluge of reports of new security threats, it’s important to remember that while some are potentially catastrophic, many are benign or irrelevant to individual organizations.
CISOs must prioritize the specific threats their organization actually needs to defend against. They also need to take stock of their security strengths and weaknesses so they can focus their efforts on the threats that are relevant to them.
A major challenge to staying focused is media-driven distraction. CISOs who understand their security posture can ignore the media noise, knowing that threat X poses no risk, either because it has already been patched or mitigated by an existing control, or because such an attack is highly unlikely to target a company of their size or type.
The benefits of tailoring security training to specific threats are clear and ongoing. It enables an organization to address relevant risks with vigor and focus, formulate well-defined training objectives, and ensure all team members acquire the right skills to identify and defend against the threats that matter most to it.
How to tailor the training
The best place to start is to be strategic – focusing on the type of attackers that are or could be threatening the organization, profiling those adversaries and identifying their tools and tactics. Next, it’s important to conduct an honest and realistic assessment of the security team’s tools and skills to combat the attackers – and improve on them where gaps and deficiencies exist.
Below are five broad categories of threat actors, ranked by their sophistication level, along with the corresponding countermeasures needed to protect against them.
These are typically amateurs or script kiddies using publicly available malware, leaked credentials, and other TTPs that require little knowledge to use.
Defense needed: These actors can usually be contained by automated detection using signature-based capabilities on the endpoint or network.
Prudent Threat Actors
These actors are somewhat more advanced than the first group, using paid as well as publicly available malware, credentials, and other TTPs that still require little knowledge to use.
Defense needed: Automated detection covers most of this activity, but some cases require more complete configuration management and centralized log aggregation to see the full picture.
These criminals, often hacktivists, employ modified public and paid tools. Many of these tools, such as Metasploit and Cobalt Strike, have powerful interactive capabilities that let an operator adapt to the target environment rather than run a fixed payload.
Defense needed: Basic threat intelligence and behavioral signatures are required for full coverage, since modified tools will not reliably match stock signatures.
Here the actors are nation-states and high-level criminal gangs, using custom, internally developed tooling and tradecraft.
Defense needed: Behavior-based and advanced threat detection, because there are no public signatures for tools that have never been seen outside the group that built them.
These are top-tier attackers working for nation-states. Their tooling and tradecraft include the best operational security (OPSEC) tailored to each specific situation, so their activity is designed to blend in with normal operations.
Defense needed: Behavioral detection supported by in-depth manual analysis of the environment, since automated tooling alone will not reliably distinguish this activity from legitimate use.
Once an organization has determined which category or categories of threat actor it must defend against, the following best practices can be used to develop threat-centric security training.
Develop a detailed plan. Planning is always the foundation of a good roadmap. The more time a company takes to create a training plan—by researching its needs, critically evaluating its resources, and talking to partners and customers—the more likely its strategy will be successful.
Assess new threats objectively. Not every new threat will affect a specific organization, either because it has already been addressed by a patch or other control, or because it is simply irrelevant to the organization's size or industry.
Use industry resources to identify threats specific to the enterprise or industry vertical. Some excellent resources include top security publications, the Verizon Data Breach Investigations Report (DBIR), and threat data feeds from industry-specific Information Sharing and Analysis Centers (ISACs).
Work with training partners to put the plan into action. Partners can not only provide valuable insights, but also concrete advice on how to implement upskilling exercises, assessments and reports.
Given the variety and scope of cyber risks facing the average organization, tailoring security training to specific threats has never been more important. By focusing on the attack tactics and techniques that pose a clear and current threat, an organization can derive the most value from its training initiatives.