Laying the Groundwork

There’s no need to reinvent the wheel when laying the initial groundwork for an information security program. There are a few standards that can be of great use, which we’ll cover in Chapter 8. The National Institute of Standards and Technology (NIST) has a risk-based cybersecurity framework that covers many aspects of such a program. The NIST Cybersecurity Framework (CSF) 2.0 consists of six concurrent and continuous functions: identify, protect, detect, respond, recover, and govern. When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.

Not only will a framework be a possible asset, but so will compliance standards. Although poorly implemented compliance standards can hinder the overall security of an organization, they can also provide a great starting point for a new program. We will cover compliance standards in more depth in Chapter 8. Of course, while resources like these can be a phenomenal value add, you must always keep in mind that every organization is different, and some aspects we cover may not be relevant to your case—there are recurring reminders of this throughout the book.

Establishing Teams

As with many other departments, there are virtues in having the correct staff on the correct teams with regard to security. Open cross-team communication should be a primary goal, as without it the security posture is severely weakened. While smaller organizations may combine several of the following teams (or not have some of them at all), this remains a good goal to populate a security department:

Executive team

A chief information officer (CIO) or chief information security officer (CISO) will provide the leverage and authority needed for business-wide decisions and changes. An executive team will also be able to provide a long-term vision, communicate corporate risks, establish objectives, provide funding, and suggest milestones.

Risk team

Many organizations already have a risk assessment team, and this may be a subset of that team. In the majority of organizations, security is not going to be the number one priority. This team will calculate risks surrounding many other areas of the business, from sales to marketing and financials. Security may not be something they are extremely familiar with. In this case, they can either be taught security basics on a case-by-case basis, or a security risk analyst can be added to the team. A risk framework such as NIST’s Risk Management Framework (RMF); the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) framework; or the Committee of Sponsoring Organizations of the Treadway Commission (COSO) can assist with this.

Security team

The security team will perform tasks to assess and strengthen the environment. The majority of this book is focused on this and the executive team. They are responsible for daily security operations, including managing assets, assessing threats and vulnerabilities, monitoring the environment for attacks and threats, managing risks, and providing training. In a large enough environment, this team can be broken up into a variety of subteams, such as network security, security operations, security engineering, application security, and offensive security.

Auditing team

It’s always a good idea to have a system of checks and balances. This allows you not only to look for gaps in your security processes and controls but also to ensure the correct tasks and milestones are being covered. As with the risk team, the auditing team may be a subset of a larger group.

Again, it’s entirely possible that due to factors like budget or staffing constraints, a small- to medium-sized business may combine one or all of these teams into one. In those cases, we definitely commiserate with you. As the company grows, and hopefully the security program also grows, the separate roles can be planned and adequately filled.

Determining Your Baseline Security Posture

The unknowns in any environment are going to be scary, but that shouldn’t stop you from diving in. How will you know what level of success the program has had without knowing where it started? At the beginning of any new security program or any deep dive into an existing one, a baselining and discovery phase should be one of the first priorities for all teams. In this book, we will cover asset management several times in different ways. Establishing the baseline of the security of the organization is just another step in that management process. For this, you’ll want to gather information on all of the following:

• Policies, procedures, and incident response playbooks

• Endpoints—desktops and servers, including implementation date and software version

• Licensing and software renewals, as well as Secure Sockets Layer (SSL) certificate expiration dates

• Internet footprint—domains, mail servers, demilitarized zone (DMZ) devices, cloud architecture

• Networking devices and information—routers, switches, access points, intrusion detection/prevention systems (IDSs/IPSs), and network traffic

• Logging and monitoring

• Ingress/egress points—ISP contacts, account numbers, and IP addresses

• External vendors, with or without remote access, and primary contacts

• Applications—any primary software applications either maintained by your company or used in any aspect as primary business functions

Assessing Threats and Risks

As mentioned previously, establishing a risk team or role is an essential part of creating an information security team. Without knowledge of the threats and risks your organization faces, it is difficult to custom-fit technologies and provide recommendations for a suitable defense. How threats and risks are assessed will be different for each and every organization. Each internal and external footprint is unique when combined with the individual infrastructure involved. Assessment therefore requires both a high-level overview and in-depth knowledge of assets.

You can find much more detailed information by researching governance, risk, and compliance (GRC). As we can’t cover the entirety of GRC in this book, we’ll go over a general risk framework. There are a handful of risk management frameworks out there, but in general, they can be summarized in five steps: identify, assess, mitigate, monitor, and govern.

Identify Scope, Assets, and Threats

Organizations should be concerned with a large number of potential threats and risks that will cross industry verticals. Focusing on industry trends and specific threats will allow the security program to be customized and prioritized to become more efficient. Many organizations have put very little thought into what threats and risks they face on a day-to-day basis, and they will continue to do so until they fall victim to them. Invaluable resources in this case are available through Information Sharing and Analysis Centers (ISACs), which are brought together by the National Council of ISACs (NCI) to share sector-specific information security guidelines. The NCI describes these as follows: “ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.”

Not only should industry-specific threats be identified, but so should overall trending threats, such as malware, ransomware, phishing, and remote exploits. Three very important resources to make note of are the OWASP Top 10, the Center for Internet Security Critical Security Controls (CIS Controls), and the standards outlined by the Cloud Security Alliance (CSA). The majority of the items on these lists will be covered in more depth in this book, but keeping up-to-date with them year to year should be a key part of any strategic plan.

Assess Risk and Impact

After the potential risks have been identified, assess these risks to determine if they apply to your particular environment. Tasks such as internal and external vulnerability scans, firewall rule audits, authentication/user permission assessments, and asset management and discovery will help you paint a better picture of your overall risk exposure.

During the assessment step, you’ll want to analyze each identified risk to determine the likelihood of it negatively impacting the organization, how severe that impact might be, and what the attack would look like when executed. For example:

Threat: An attacker exploits a new vulnerability on a _______.

Vulnerability: Unpatched

Asset: Mail server

Consequence: Use remote code execution (RCE) to access and pivot to internal systems

Mitigate

Mitigation of risks is the meat and bones of why we’re all here; it’s also the purpose of the majority of this book. Options include avoiding, remediating, transferring, or accepting the risk. Here are some examples:

Risk avoidance

Dave decides that storing Social Security numbers for customers is an unneeded process and discontinues the practice.

Risk remediation

Alex starts turning off open ports, implementing stricter firewall rules, and patching endpoints.

Transferring of risk

Ian outsources credit card processing to a third party instead of storing the data onsite.

Accepting risk

Kate knows that a certain endpoint has no access to other endpoints and runs a third-party application. This application has a low-risk vulnerability that is required for it to function. While at this point in time the vulnerability cannot be remediated, the risk is currently low enough to accept.

Warning

You should only accept risk as a last resort. If a risk ever makes it to this point, request full documentation from the third-party vendors and the executive team, as well as documentation of processes that have been attempted prior to making this decision. Plan at least an annual review of any accepted risks to ensure they are revisited accordingly.

Monitor

Keep track of the risk over time with scheduled quarterly or yearly meetings. Throughout the year, many changes will take place that affect the amount and types of risk that you should consider. As a part of change monitoring or change control, determine if the current change being made is affecting risk in any way.

One way of tracking ongoing risk status is by using a risk register to document different scenarios, controls, and treatment plans. This can be combined with a vulnerability management program.

Govern

Governance in the context of risk management is a crucial step that ensures the continuous alignment of an organization’s security practices with its overall goals and regulatory requirements. This process involves the establishment of policies, procedures, and controls that guide the decision-making process regarding the handling of risks. It serves as the framework within which all risk management activities operate, ensuring consistency, accountability, and compliance across the organization.

Effective governance involves the active participation of senior management and stakeholders to set clear risk management goals, define roles and responsibilities, and establish the criteria for risk acceptance and tolerance. It’s about creating a culture of risk awareness where decision making is informed by a thorough understanding of risks and their potential impacts on the organization.

Key governance activities include:

Policy development and maintenance

Craft comprehensive policies that outline how risks are identified, assessed, mitigated, monitored, and reported. These policies should be regularly reviewed and updated to reflect the changing threat landscape and organizational priorities.

Regulatory compliance

Ensure that the organization’s risk management practices comply with applicable laws, regulations, and industry standards. This includes keeping abreast of regulatory changes and adjusting policies and procedures accordingly.

Risk communication and reporting

Establish clear lines of communication to ensure that all levels of the organization are informed about risk management activities, findings, and decisions. Regular reporting to stakeholders, including executive leadership and the board of directors, ensures transparency and supports informed decision making.

Training and awareness

Develop and deliver training programs to enhance risk awareness among employees and ensure they understand their roles and responsibilities in mitigating risks. Promote a culture that values security and risk management as fundamental components of the organization’s success.

Continuous improvement

Implement a feedback loop to learn from past incidents, audits, and assessments to continually improve the risk governance framework. This involves analyzing the effectiveness of risk management strategies, identifying areas for improvement, and adjusting practices to better meet organizational objectives.

By effectively governing its risk management processes, an organization can ensure that it not only protects its assets and minimizes losses but also optimizes its operational effectiveness and maintains trust with customers, partners, and regulators. Governance is the capstone of the risk management framework, bringing together the efforts of identifying, assessing, mitigating, and monitoring risks into a coherent, strategic approach that drives organizational resilience and success.

Prioritizing

Once threats and risks have been identified and assessed, they must be prioritized from highest to lowest risk percentage, to plan for remediation (with a concentration on ongoing protection). This doesn’t always have to be an expensive venture, however. Many defensive mitigations can be performed at little or no cost to an organization. This enables many opportunities to start a security program without having a budget to do so. Performing the due diligence required to get the program off the ground for free should speak volumes to an executive team.

This book is not intended to be taken as a sequential list of security tasks to complete. Prioritization can differ greatly from environment to environment. Just remember, if the environment is already on fire and under attack, don’t start by creating policies or reverse-engineering malware. As a fire marshal, you shouldn’t be worried about looking for the arsonist and point of origin when you haven’t put out the fire yet.

To determine the priority of some risks, you can use a risk matrix, where the overall risk level is calculated by taking “Likelihood × Impact,” as illustrated in Figure 1-1.

Figure 1-1. A risk matrix

Creating Milestones

Milestones will take you from where you are to where you want to be. They represent a general progression on the road to a secure environment. This is heading a little into project manager (PM) duties, but in many cases companies do not have dedicated PMs. Milestones can be broken up loosely into four lengths, or tiers:

Tier 1: Quick wins

The earliest milestones to meet should be quick wins that can be accomplished in hours or days and address high vulnerabilities—one-off unused endpoints that can be eliminated, legacy devices that can be moved to a more secure network, and third-party patches all could fall under this category. We will mention many free solutions in this book, as the procurement process in some organizations can take a significant amount of time to complete.

Tier 2: This year

Higher vulnerabilities that may require a change management process to address, create a change in process, or be communicated to a significant number of people might not end up in tier 1. Major network routing changes, user education implementation, and decommissioning shared accounts, services, and devices are all improvements that require little to no budget to accomplish, but they can take a little more time due to the need for planning and communication.

Tier 3: Next year

Vulnerabilities and changes that require a significant amount of planning or that rely on other fixes to be applied first fall into this tier. Transitioning entire business functions to a cloud service, domain upgrades, server and major infrastructure device replacements, implementing monitoring, and authentication changes are all good examples.

Tier 4: Long-term

It may take several years to accomplish some milestones, due to the length of a project, lack of budget, contract renewals, or the difficulty of the change. This might include items such as a network restructure, primary software replacement, or new datacenter builds.

It’s helpful to tie milestones to critical controls and risks that have already been identified. Although starting with the higher risks and vulnerabilities is a good idea, they may not be easy fixes. In many cases, not only will these items take a significant amount of time and design to fix, but they may also require budget that is not available. All of these aspects need to be taken into account when planning each tier.

Use Cases, Tabletops, and Drills

Use cases are important for showcasing situations that may put critical infrastructure, sensitive data, or other assets at risk. Brainstorm with data owners and leaders to plan ahead about how to handle malicious attacks. It’s best to come up with around three different use cases to focus on in the beginning and plan on building security mitigations and monitoring around them. Possible use cases include ransomware, distributed denial of service (DDoS) attacks, disgruntled employees, insider threats, and data exfiltration. After several use cases have been chosen they can be broken down, analyzed, and correlated to each step of any one of the security frameworks that are covered in this book, or additionally others that may end up being created after we’re done writing. One example of a common framework used to map use cases is Lockheed Martin’s Intrusion Kill Chain (aka Cyber Kill Chain).

As described in the Lockheed Martin whitepaper, the Intrusion Kill Chain is “a model for actionable intelligence when defenders align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise,” and it is composed of seven steps:

1. Reconnaissance

Research, identification, and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.

2. Weaponization

Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable.

3. Delivery

Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads…are email attachments, websites, and USB removable media.

4. Exploitation

After the weapon is delivered to [the] victim host, exploitation triggers intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.

5. Installation

Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.

6. Command and Control (C&C)

Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C&C channel. APT malware especially requires manual interaction rather than conduct[ing] activity automatically. Once the C&C channel establishes, intruders have “hands on the keyboard” access inside the target environment.

7. Actions on Objectives

Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration, which involves collecting, encrypting, and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.

This whitepaper has a good amount of information that can be used for creating use cases as well.

Table 1-1 is an example of a step-by-step kill chain use case we’ve created for a ransomware attack without deploying expensive software or hardware for a company with time for implementing open source projects.

Table 1-1. Ransomware use case

Kill chain step	Malicious action	Defensive mitigation	Potential monitoring
Reconnaissance	An attacker obtains email addresses and information on technologies used and creates an organizational profile based on that information.	Create policies around sharing internal information on sites such as LinkedIn or using corporate email addresses for nonbusiness use. After any major breach is reported in the news, run a password reset. Even though they shouldn’t, employees will reuse passwords for other services and sites.	Have corporate emails been seen in breaches elsewhere? How many emails are found with open source intelligence (OSINT)?
Weaponization	An attacker creates a malicious exploit to send to the victim or uses a current exploit.	Knowledge and awareness of threats currently being used by attackers will allow for better constructed and tuned mitigation steps.	N/A
Delivery	A user receives a phishing email.	Assess which attachment types are needed in the organization. File types such as .js can be extremely harmful and are rarely exchanged from external sources. Implement mailing block lists and graylists such as Spamhaus, DNSBL.info, or other Domain Name System (DNS) block lists to block known malicious mail servers.	Instill the idea of “trust but verify” in your users. Implement blocking of file types of a certain size known to be malicious and associated with ransomware (e.g., flag .scr files over 22 MB and .js files over 15 MB).
Exploitation	An endpoint downloads a JavaScript file or Word document with a malicious macro.	Disable macros and malicious filetypes via group policy. Ensure any endpoint protection is up-to-date and installed.	Monitor proxy logs for unexpected file retrievals (e.g., JavaScript is the first file fetched from that host, host is on a threat intelligence list, etc.). Use proxies or an intrusion detection system (IDS) (if clear text) to monitor for known deobfuscation strings.
Installation	The payload is executed on the end user’s device. (Lucky, Cerber, and CryptoWall use the built-in Windows Crypto API to handle the encryption.)	Keep backups (that are not permanently attached) so that encrypted files can be restored easily. Depending on the OS, you can use “filesystem firewalls” such as the Little Snitch Network Monitor to permit access to files on a per-process basis. That means that you can permit read access to MS Word but not IE, for example. There are experimental techniques that can be used to block crypto-based ransomware (e.g., Decryptonite).	Watch for a large increase in Windows Crypto API activity over a short amount of time, excessive numbers of characters in a domain, or a low percentage of meaningful strings in a domain.
Command and control (C&C)	The ransomware contacts a C&C server on the internet to transmit the decryption key.	Implement DNS sinkholing and autoblock outbound connections to known malicious IP addresses using dynamic block lists (DBLs).	Monitor for connections to known C&C servers.
Actions and objectives	The malware starts encrypting the files on the hard disk, mapped network drives, and USB devices. Once completed, a splash screen, desktop image, website, or text file appears with instructions for the ransom.	Implement honey directories, so when the ransomware goes into C:\$$ it sees another $$ directory, when it goes into C:\$$\$$ it sees another $$ directory, and so on.	Advanced file auditing can be enabled for alerting on an extreme increase in filesystem changes.

Many different defensive mitigations and specific detections can be added at each step of the kill chain for an overall decrease in risk at each layer.

Following the creation and implementation of security controls around use cases, tabletop exercises and drills can serve as proofs of concept and help you build up a collection of playbooks. A tabletop exercise is a meeting of key stakeholders and staff who walk step by step through the mitigation of some type of disaster, malfunction, attack, or other emergency in a low-stress scenario. A drill is when staff carry out as many of the processes, procedures, and mitigations that would be performed during one of the emergencies as possible.

While drills are limited in scope, they can be very useful to test specific controls for gaps and possible improvements. A disaster recovery (DR) plan can be carried out to some extent, backups can be tested with the restoration of files, and services can be failed over to secondary cluster members.

Tabletop exercises involve several key groups or members:

• During a tabletop exercise, there should be a moderator or facilitator who will deliver the scenario to be played out. This moderator can answer “what if” questions about the imaginary emergency, as well as leading discussion, pulling in additional resources as needed, and controlling the pace of the exercise. They should inform the participants that it is perfectly acceptable not to have answers to all questions during this exercise. The entire purpose of tabletops is to find the weaknesses in current processes so they can be mitigated prior to an actual incident.

• A diverse set of participants should be included, including representatives from finance, human resources (HR), legal, security (both physical and information), management, marketing, and any other key department that may be required. Participants should be willing to engage in the conversation, challenge themselves and others politely, and work within the parameters of the exercise.

• One member of the group should evaluate the overall performance of the exercise, as well as create an after-action report. This evaluator should take meticulous notes and follow along with any relevant runbook or playbook to ensure accuracy. While the evaluator will be the main notetaker, other groups and individuals may have specific knowledge and understanding of the situation. In this case, having each member provide the evaluator with their own notes at the conclusion of the tabletop is a good step.

Possible materials to use in the tabletop include:

• A handout to participants with a description of the scenario and room for notes

• A current runbook of how security situations are handled

• Policy and procedure manuals

• A list of tools and external services

Postexercise questions and actions include:

• What went well?

• What could have gone better?

• Are any services or processes missing that would have improved resolution time or accuracy?

• Are any steps unneeded or irrelevant?

• Identify and document issues for corrective action.

• Change the plan appropriately for next time.

Expanding Your Team and Skillsets

Finding a dedicated, passionate, and intelligent team can be one of the most difficult aspects of any professional’s life. 

What can you and your team do to expand your knowledge and skillsets? Here are a few ideas:

• Encourage staff to set up a home lab, or provide a lab for them. Labs can be used for testing out real-world scenarios, as well as practicing skills and learning new ones. You can set one up at a relatively low cost by buying secondhand equipment or by utilizing various cloud offerings. The best way to learn for the majority of people is hands-on, and with a lab there is no risk introduced into a production environment.

• Compete in or create capture the flag competitions (CTFs). CTFs are challenging, and they can provide training and team building as well as improving communication skills. Most information security conferences have CTFs. If you’re looking to expand a team, CTFs are also a wonderful place to find new talent. Not only will participants be showing off their level of knowledge, but you’ll also be able to get an idea about their communication skills, how well they work with others in a team, and their willingness to help and teach others.

• Find or create a project. Identify a need and fill it. Whatever skillset you want to exercise, there will be a project out there that needs help. Documentation is needed on nearly all open source projects, or you can automate something in the enterprise.

• Attend, organize, volunteer, speak, sponsor, or train at an industry conference or local meetup. There are hundreds of them across the US, and they almost always need volunteers. Just attending a conference has its benefits, but truly immersing yourself will push you further to learn and experience more. Many careers have been started by having a simple conversation about a passion over lunch or a beer. Keep in mind, though, that while networking is a game changer in our industry, it’s not a silver bullet for everyone. You can network all you want, but unless you are a desirable candidate it won’t matter. A willingness and desire to learn, listen, and collaborate and the ability to think for yourself are all ideal traits in such a fast-paced industry.

• Participate in mentoring. Whether as a mentor or mentee, structured or unstructured, mentoring can be a valuable learning process both on and off the job.