Thirty years ago, the threat landscape was quite different. The internet was still a relatively new technology and, in the rush to utilise its benefits, security was often seen as an afterthought by application developers.
This lack of security resulted in threat actors targeting interesting yet easy-to-exploit vulnerabilities. Think of the Samy worm, which targeted a cross-site scripting (XSS) vulnerability that allowed attackers to alter MySpace profiles and involuntarily send friend requests back to the worm’s creator. To this day, it is still considered the fastest spreading virus of all time, but it wasn’t done with malicious intent; rather, it was used by attackers to show their skills.
Fast forward to the present day, and organisations should be all too aware of the dangers of a cyber-attack. But despite this, not everyone has embarked on their cybersecurity journey, and many organisations still lack a deeper knowledge of their technology stack, the threat landscape (who is targeting them) and what they need to do to effectively protect themselves against such threats.
This blog aims to address those issues.
Getting to know your technology stack
A technology stack contains an operating system, web server, database and programming language used to develop the application, and supporting services. Configuring these correctly requires a certain degree of knowledge, and they need to be deployed with security in mind. Often, this configuration process is rushed, due to tight deadlines and project managers chasing the architects and developers, which can lead to component misconfigurations, as well as introduce vulnerabilities that a threat actor could use to compromise confidentiality, impact integrity or attack availability.
As mentioned, many organisations don’t have a complete understanding of their technology stack. This lack of knowledge can result in outdated components being present, insecurely developed functionality, or redundant code in production. Not knowing the composition of the technology stack is not the fault of any one individual, and multiple factors exist that could lead to blind spots, such as internal role changes, component owners leaving without adequate handover, or continual development of functions without appropriate wider discussions.
Understanding your technology stack is therefore critical and organisations need to keep their knowledge up-to-date if they wish to implement effective cybersecurity measures. This applies to both those just starting out and to those that have been implementing improvements for some time.
But how do you get that clear picture of your tech stack?
Start by creating an asset register of what you have now, or at least what you know you have. This can then be built upon by utilising regular vulnerability scanning and by carrying out external infrastructure assessments. These will help confirm existing assets, uncover blind spots and alert you to potential vulnerabilities that could be exploited.
Following these initial discovery phases, further assessments could then be carried out to expand your knowledge of your technology stack, including security testing of specific web applications, internal infrastructure or even red team engagements.
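One way to carry out the reconciliation step described above, as an added example that is not part of the original post: it compares an asset register export with the hosts seen by an external scan and reports confirmed assets, blind spots, entries the scan did not see, and entries with no owner. The CSV column names, hostnames and owners are constructed for illustration.

```python
import csv
import io

# Constructed sample data: an asset register export and the hosts seen by an
# external scan. Hostnames, owners and column names are illustrative only.
REGISTER_CSV = """hostname,component,owner
www.example.test,web server,j.smith
db01.example.test,database,
api.example.test,application,a.patel
"""

SCAN_CSV = """hostname,open_ports
WWW.example.test.,80;443
api.example.test,443
staging.example.test,22;8080
"""

def normalise(host):
    """Lower-case and strip the trailing dot so both sources compare equal."""
    return host.strip().lower().rstrip(".")

def load(text, key="hostname"):
    """Parse CSV text into a dict keyed by normalised hostname."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[normalise(row[key])] = row
    return rows

def reconcile(register_text, scan_text):
    register, scan = load(register_text), load(scan_text)
    return {
        # In both sources: the register entry is confirmed by the scan.
        "confirmed": sorted(register.keys() & scan.keys()),
        # Seen by the scan but never registered: a blind spot.
        "unregistered": sorted(scan.keys() - register.keys()),
        # Registered but not seen: decommissioned, internal-only, or stale.
        "not_seen": sorted(register.keys() - scan.keys()),
        # No named owner: the handover gap described in the text.
        "no_owner": sorted(h for h, r in register.items() if not r["owner"].strip()),
    }

if __name__ == "__main__":
    for finding, hosts in reconcile(REGISTER_CSV, SCAN_CSV).items():
        print(f"{finding}: {', '.join(hosts) or '-'}")
```

Hosts listed under `unregistered` are candidates for the register; those under `not_seen` and `no_owner` need a follow-up with whoever last maintained them.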
Threat actors – who are they and what do they want from your organisation?
Simply put, threat actors are the individuals or groups that are targeting your organisation, your assets (physical and digital) and your employees to exploit useful, and often valuable, information.
“Individual or group that conducts cyber-attacks.” – National Cyber Security Centre (NCSC)
“An individual or a group posing a threat.” – National Institute of Standards and Technology (NIST)
When most people picture a threat actor, they often think of an organised hacking group, or an individual in their house in a black hoodie with sunglasses on, the stereotypical ‘hacker’. Despite this image, there are many more threat actors, some of which may not come as a surprise and others that may not have crossed your mind.
The following table documents the types of threat actors and their potential motives:
| Type | Motive |
| --- | --- |
| Nation State | Economic, Political or Military |
| Cyber Criminals | Financial Gain |
| Hacktivists | Disruption, Publicity, Revenge |
| Terrorist Groups | Support a cause |
| Thrill Seekers | Test skills, Recognition |
| Insider Threats | Revenge, Accidental, Intimidation |
Threat actors vary in complexity, and certain groups will be more likely to target your organisation, depending on several factors. To understand the likely threats, you first need to ask yourself why they would target you.
For example, take a fictional organisation that supplies sporting equipment to athletes via a third-party e-commerce payment system. What type of threat actor do you think would be targeting them?
Nation states and terrorist groups would probably be a bit excessive, as targeting the organisation is unlikely to help them achieve their goals. Hacktivists may have an interest in disrupting the organisation if there were potential ethical issues within the company or its supply chain. However, cyber criminals would certainly be targeting the organisation.
Where there’s money to be made, cyber criminals will be there, looking to compromise the confidentiality of data for financial gain. Ransomware is often the attack route of choice for these criminals, whereby access to organisational data is restricted until a specific fee is paid. In addition, threat actors could coerce the victim into paying so that they do not sell the data to competitors or further advanced persistent threat (APT) groups for further attacks.
Thrill Seekers, whilst not a primary threat, may also pose a danger to the organisation, targeting it due to boredom, a desire for recognition, wanting to refine their skills or just for fun. Their typically lower skill level doesn’t stop them uncovering information, and throughout the course of their attack they may compromise the confidentiality of data, which could risk impacting other users or sensitive documentation.
The final potential threat actor group would be the organisation’s employees themselves: insider threats. You may be thinking that employees wouldn’t leak data, carry out malicious activity, or try to negatively impact the organisation. Despite this, insider threats contributed to nearly 31% of data breaches last year. The success of attackers abusing insider threats could come from employees being disgruntled after being ill-treated, passed over for a promotion or a string of smaller events leading to their actions. Additionally, it could be a general lack of security awareness or a genuine mistake, such as interacting with a phishing email.
All these scenarios need to be considered by the organisation and measures need to be put in place to ensure that the most likely attacks can be detected and defended against, helping the organisation avoid any potential operational, financial or reputational damage that could result from a successful attack.
Improve your cybersecurity posture by putting it to the test
Understanding where security vulnerabilities may exist, who might be targeting you, and how they are likely to attack allows you to begin enhancing your cybersecurity posture.
This understanding can only be achieved when you start taking security seriously and conduct regular security assessments, such as penetration tests. To tailor these assessments to specific needs or concerns, it is important that the most critical aspects are dealt with first. This may result in multiple assessments, each focusing on different elements such as web applications, web services, external infrastructure, or internal infrastructure. Each assessment will simulate a threat actor’s actions and go beyond simple scans. Experienced consultants will use their skills to identify and exploit vulnerabilities, mimicking the processes of a real threat actor.
The findings of the assessments will be summarised in a comprehensive report, along with advice on how to mitigate the issues. Access to the consultants for further questions will also be provided so that any concerns following the test can be addressed. After introducing necessary changes, a reassessment of the identified issues can be scheduled, allowing you to understand their effectiveness and receive a new report on the status of the vulnerabilities.
By undertaking this security journey, you are taking steps to enhance your security posture and ensure a more secure environment.
If you want to understand the security posture of your technology stacks, whether it’s your first penetration test or a regular assessment, feel free to reach out and discuss your requirements with us.