Cybersecurity Threats: How to Prioritize, Manage and Reduce Them

Addressing every potential threat has always been operationally infeasible. More so now, given the way digital transformation, cloud computing, hybrid work and other trends have expanded the attack surface (see also the From threats to CTEM tab). SRM leaders must focus their activity and resources on the most likely and impactful cybersecurity threats and threat exposures. These fall into the following three categories:

• Top threats. Threats that organizations are highly aware of and remain relevant year after year as a result of changing tactics.
• High-momentum threats. Threats that are growing, but for which awareness is lower than with the top threats.
• Uncertain threats. “Low signal” threats, which may be emerging and dangerous, or overhyped and a distraction — it’s up to the organization to determine which.

Several factors guide security leaders in determining whether to invest, or not, in responding to a specific threat, regardless of the category they fall into:

• Relevance: Could the threat impact our operational continuity?

• Urgency: Could the threat affect our ability to operate, and to what degree?

• Maturity: Do we have an effective response plan in case the threat affects us?

• Opportunity cost: Does the cost to address the threat outweigh the cost of the threat impact itself?

• Measurability: Can we demonstrate to business leaders the value of investing in protecting ourselves?

For the last decade or so, the same compromise types have resulted in the highest impact with the greatest frequency. Specifically, malware, phishing and credential abuse. Rallying support from business stakeholders for these familiar threats may be difficult if they believe the risks have already been addressed. Security and risk management leaders should instead emphasize that even if the macro-threat is the same, the microtrends associated with them change. For example:

Malware/Ransomware

Ransomware as a service (RaaS) enables attackers to use existing ransomware tools to execute cyber extortion attacks. Government agencies continue to collaborate in an effort to take down some of the larger malware infrastructures, but attackers simply pivot to new approaches. For example, ransomware operators are shifting from relying solely on encryption to other forms of cyber extortion, including nonrecoverable data corruption, hardware corruption, data theft and data mining. Organizations are also seeing more risks with paying ransom and less protection from cyber insurance due to tighter standards.

Evolving phishing tactics

Phishing involves using multiple channels, predominantly email, but also collaboration platforms, social media, text messaging (smishing), voice messaging (vishing) and even quick response (QR) codes to gather information.

Successful phishing is frequently the first step that leads to additional impacts such as data exfiltration, credential theft, reputation and financial loss for an organization. Attackers continue to evolve their techniques with improved targeted content, automation and more realistic impersonation. Phishing continues to be a top contributor to data loss incidents. Approaches are getting more sophisticated using social engineering that is hard to detect.

High-momentum threats represent high risk to the organization, but there is generally less awareness about them unless your organization, or another in your industry, has been attacked.

Adapting to high-momentum threats requires security leaders to increase their knowledge of the business assets likely to be targeted. Two examples are APIs and cyber-physical systems (CPS). An attack on these assets might not affect everyone in the organization, but will exploit areas of immaturity in the organization’s security posture. 

Examples of high-momentum threats include:

Customer account takeover

In customer account takeover (customer ATO), an attacker is able to log in as a customer of your services. Although applicable to any B2C service involving a customer login, this is most prevalent in financial services, digital commerce services that allow customers to store payment card details, cryptocurrency wallets and exchange accounts, and loyalty program accounts.

Social engineering continues to be a dominant attack method, although it has evolved beyond an attacker trying to obtain a victim’s credentials to authorized push payment (APP) fraud, whereby a victim sends money from their account under false pretenses. Security teams have difficulty detecting this because the victims themselves are logging on to their accounts. Brand impersonation carried out via websites, social media accounts or apps that imitate the genuine B2C brand is another method. 

Cloud risks

The breadth and attack surface of cloud services continue to expand as cloud usage increases. The biggest danger remains customers misconfiguring their cloud environments. When attacks against cloud providers of any scale are successful or infrastructure outages occur, the consequences can be widespread. Yet this is rare. The use of cloud appears to present a security and availability advantage to most end users. 

Uncertain threats are not supported by a strong fact base. They might be highly visible and recent, or older, but they are the most difficult problems to address, because they change year over year and are highly susceptible to excessive hype or uncertainty.

Uncertain threats fall into the following four categories:

• Nascent. These threats belong to emerging architecture and technologies that do not exist in production environments. For most organizations, these threats represent no production risk.

• Hyped. Hyped threats suddenly gain a lot of attention based on anecdotal evidence. They might present a risk, but the examples distract security leaders from the underlying and longer-term work. The ChatGPT-based attacks in the beginning of 2023 are good examples.

• Emerging. Security teams lack strong prevention, detection and response capabilities for threats from new technologies the business has adopted. 

• Latent. Latent threats share the common attribute of being below the radar for most organizations, based on the assumption that attackers will exploit easier targets.

Examples of uncertain threats include:

Attackers using AI

Gartner defines AI as applying advanced analysis and logic-based techniques (including machine learning [ML]) to interpret events, automate decisions and take actions. Attackers can, and do, use AI techniques to improve their attacks by either shortening the time to achieve the strategic objective or to circumvent security controls. Examples of actual uses are limited, however, and the closest indications of effective uses of AI come from forums frequented by attackers.

Potential methods include: social engineering using video and audio content; phishing, in particular with AI-generated phishing emails; semiautomated malware creation to accelerate malware development and get better at avoiding detection; security control bypass, such as using ML to create malware variants or to defeat image recognition; and password hacks using machine learning techniques to crack passwords.

Mitigating against cybersecurity threats is not just about prioritizing which threats to prepare for. It’s also about pursuing a threat management approach that acknowledges the growing attack surface across the organization’s on-premises and cloud resources. Gartner predicts that through 2026, nonpatchable attack surfaces will grow to include more than half of the enterprise. Traditional vulnerability management programs cannot keep up with that growth.

Security and risk teams are instead embracing continuous threat exposure management (CTEM), an integrated, iterative approach to prioritizing and continually refining security posture improvements. The objective of CTEM is to get a consistent, actionable security plan that business executives can understand and architecture teams can act upon.

A CTEM program is governed by five core stages:

Scoping

The attack surface encompasses an extended set of assets, from traditional devices, apps and applications, to less tangible elements such as corporate social media accounts, online code repositories and integrated supply chain systems.

To define the scope of the CTEM initiative, start by understanding what is important to business counterparts, and what impacts are likely to be severe enough to warrant remedial effort. Consider:

• External attack surface
• SaaS security posture
• Digital risk protection
• Dark and deep web sources to identify potential threats to critical assets

Discovery

After scoping, begin a process of discovering assets within that scope and their risk profiles. Include cybersecurity threats, misconfiguration of assets and security controls, as well as counterfeit assets or bad responses to a phishing test as part of the discovery of sources of vulnerability.

Prioritization

Many discovery processes uncover vulnerabilities that go beyond the initial scope. The prioritization step helps cut out the noise.

As with the threats discussed above, prioritizing for the continuous threat exposure management program should be based on the urgency, severity, ability to remediate and level of risk posed to the organization. Using a systematic prioritization method allows the team to clearly articulate which business-critical systems it will prioritize.