Cyber Resilience – Get to Know the Enemy Before They Get to Know You

Created: Thursday, September 29, 2022 - 14:37
Categories:
Cybersecurity, Security Preparedness

by Jennifer Lyn Walker

Cyber defense may seem complex and overwhelming, but it doesn’t have to be. For years I have recommended “mastering the basics” for improving cybersecurity posture. Whether you use WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities (my personal favorite), the CIS Critical Security Controls, the Australian Cyber Security Centre’s Essential 8, etc., applying these fundamentals goes a long way toward bolstering your cyber defenses. Cybersecurity doesn’t have to be about the next shiny (expensive) thing to be effective. While the basics are especially valuable for less-resourced organizations, they also provide a sanity check for more cyber-mature entities – even ones that can afford all the shiny things. However, I understand that even the basics don’t necessarily help organizations prioritize – with the exception of asset inventory, but that’s for another post!

What to do next

As I stated above, a comprehensive asset management program is undeniably the universal number one cyber recommendation for what to do first – pardon the overused cybersecurity parlance, but it’s true: you can’t secure what you don’t know about. So, once you know what you have, what’s next?

When it comes to cyber attacks, time is typically not on the side of the defenders. For organizations that have unaddressed vulnerabilities, it’s common for attackers to discover those vulnerabilities within five hours, and to need only another five hours to exploit them and gain full access to the network. Fortunately, we have some insight into which attack vectors are most commonly exploited by threat actors, and that insight is one approach defenders can use to help prioritize cybersecurity efforts when applying the basics or the shiny things.

Get to know the enemy’s behaviors

Understanding the attack vectors that most attackers succeed with is extremely valuable. Yes, there will always be that unknown behavior or exploit that we may not be able to protect against – likely from that highly resourced and determined adversary – but for the most part, attackers are creatures of habit and stick to what works. Results from the latest SANS survey (sponsored by Bishop Fox), Think Like a Hacker: Inside the Minds and Methods of Modern Adversaries, provide insights from 300 ethical hackers (penetration testers) on their most successful methods. Likewise, those results mirror observations and intelligence from real-world cyber attacks. The survey report provides many valuable charts and tables for a quick-look review of the findings that can be used for prioritizing cyber defense. For example, the vectors threat actors (good and bad) prefer are social engineering (including phishing), followed by exploiting technical weaknesses, such as vulnerable configurations, exposed web services, and vulnerable software (access the report for more). Additionally, attackers typically don’t use fancy/expensive/shiny tools. They prefer freely available open-source tools and public exploit packs. As summarized by Eduard Kovacs (SecurityWeek), “The goal of the survey is to gain insight into how attackers think, how fast they are, and the tools they use, as well as to obtain information that could be useful to defenders looking to improve their security posture and refine their defensive and offensive strategies.”

By using the vectors listed above (and in the report), members can focus efforts on what we know is being used against us. Other resources that help prioritize cyber defense strategy by focusing on known adversary behaviors include CISA’s Known Exploited Vulnerabilities Catalog and the MITRE ATT&CK® Framework. Finally, consider getting to know the enemy better, perhaps through a penetration test, before they get to know you and your vulnerabilities. It’s better to proactively fix the vulnerabilities and threats than to react to the exploit or compromise. For more highlights, visit Bishop Fox.