Enhancing cyber capabilities using a threat-driven strategy

This blog post was authored by Ryan McCarthy, Senior Director, Security and Privacy on The Technology Insights Blog.

Senior leaders focused on cybersecurity recognise there is considerable guidance, best practices, frameworks, regulations and varied opinions on how programmes should design defensive capabilities. In addition, depending on the day, the various pressures in the organisation’s macro-environment may be greater or lesser and invite different priorities for time, team and budget. Despite these various pressures and guidance, there tend to be two schools of thought on how to approach the strategic path for a cyber programme: a risk management-based approach, and a threat-focused approach. Today we’ll explore both, when one may be more valuable than the other, and key principles for how to incorporate each of them into an overall programme.

Risk vs. threat

Risk is a word that we use daily in the security industry, specifically as we speak to our stakeholders including clients, shareholders, boards of directors, risk partners and, in some cases, regulators. This is because risk is generally well understood by these stakeholders and can be expressed in terms of likelihood and impact, and in some cases translated into dollar amounts (see Cyber Risk Quantification). The risk management approach to cybersecurity strategy focuses on the macro view of broad, consistent risks to technology and data, where best practice frameworks and regulatory guidance can be used to limit long-term likelihood or impact to the business from a cyber-attack, and then invests in areas where the programme is weak within those frameworks. This is where publications like NIST 800-53, and various ISO/CIS publications focus their control recommendations and many organisations spread those controls out like peanut butter across their environment to ensure broad protection.

Threats are also used often in our stakeholder conversations, though generally as a scare tactic of what could happen, rather than a deliberate discussion about an actor and their tactics and techniques that could be realised against the environment. Often, this is because the audience may not be as familiar with the specific threat actor groups, or the tactics, techniques and procedures (TTPs) those actors typically use within the MITRE ATT&CK framework. The threat-based approach takes a micro-view of the technology attack surface, the vulnerabilities across those assets, and how an attack could be conducted against those assets, using frameworks like MITRE ATT&CK to evaluate where controls are most critical and where gaps can be exploited. Advancements in threat intelligence feeds and tools have adopted MITRE ATT&CK as well, further enabling this approach.

Why is a threat-based approach valuable?

To state it bluntly, an attacker doesn’t care whether a company is compliant with the latest guidance on best practices or how it rates maturity against its favourite capability maturity model. They care that they can exploit a particular vulnerability using a specific series of TTPs to achieve an objective. By taking a threat-based approach to cybersecurity, and seeking to understand the attacker’s point of view, organisations can better anticipate their tactics and enhance defences that specifically relate to those tactics. This allows the company to be very efficient with its resources, as it invests heavily in controls that relate to threats, and less so in controls that simply align with best practices. This is not to say that best practices and control frameworks should be ignored or thrown out; rather, they should absolutely be leveraged. However, companies shouldn’t limit efforts solely to meeting high-level control objectives or complying with the latest regulatory guidance, which wasn’t designed specifically for the company.

When should a threat-based approach be used?

Most senior leaders looking to understand how they can most effectively move their team’s capabilities to the next level should start with an evaluation of their controls by leveraging one or more of the frameworks previously mentioned to ensure the most likely risks that all organisations face are covered. Without this coverage across the foundational security controls, moving to a threat-focused strategy is likely to waste resources that are desperately needed to close those gaps. The next step is equally critical, which is to ensure that the deployed controls have complete (or mostly complete) coverage across the environment. Too frequently, I see cyber leaders believe that their malware controls, or data leakage protections, or {insert cyber security capability here} are fully deployed across the environment, only to find out (hopefully not the hard way via an incident) that technology, business or other drivers prevented the implementation of the control for large areas of their network.

Once (near) complete coverage of foundational control capabilities is established, it’s a good idea to start incorporating a threat-based approach to determine where resources should best be deployed.

How to implement a threat-based approach

Convinced that the evolution to threat-based cyber security is the path to greatness? Here’s how to start the journey:

  1. Know which assets are most critical to protect – partner with business and technology partners to ensure that there is solid governance of asset inventory, and a clear understanding of the value of those assets. Layer in an analysis of how exposed certain assets are to threats, based on how the network is architected.
  2. Understand threats and prioritise them based on their impact on the assets. Are there specific threat actor groups being tracked that target this industry? Continuously monitor and assess these threats via intelligence gathering (and sharing) and use that intel to enable defensive teams.
  3. Replicate attacks frequently – leverage professional penetration testing services and red team methodologies to simulate threat actor TTPs and learn where the organisation is exploitable.
  4. Incorporate threat modeling into application development and architecture boards. By understanding threats before technology is fully deployed, the business will save a significant amount of money in remediation work.
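The four steps above can be turned into a simple, repeatable prioritisation model: score each ATT&CK technique by the criticality and exposure of the assets it applies to (step 1), restricted to techniques used by the actor groups being tracked (step 2), and weighted by how incompletely the countering control is actually deployed (the coverage point made earlier). The script below is an added example, not code from the post or from Protiviti; the assets, actor profiles and coverage figures are constructed sample data, and the scoring formula is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical, constructed sample data (not from the post): three assets,
# two tracked actor profiles expressed as ATT&CK technique IDs, and the
# defender's measured control coverage per technique, where 1.0 means the
# countering control is deployed everywhere and 0.0 means it is absent.

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (crown jewel), from step 1
    exposure: float         # 0.0 (isolated) .. 1.0 (internet-facing), from step 1
    techniques: frozenset   # techniques applicable to this asset's technology stack

ASSETS = [
    Asset("payments-api", 5, 1.0, frozenset({"T1190", "T1078", "T1486"})),
    Asset("domain-controller", 5, 0.2, frozenset({"T1003", "T1078", "T1021", "T1486"})),
    Asset("hr-portal", 2, 1.0, frozenset({"T1190", "T1566", "T1078"})),
]

# Step 2: actor profiles built from (constructed) intelligence on groups targeting the industry.
ACTOR_TTPS = {
    "actor-A (constructed ransomware profile)": {"T1566", "T1078", "T1003", "T1486"},
    "actor-B (constructed web-exploitation profile)": {"T1190", "T1078", "T1021"},
}

# Deployment coverage of the control that counters each technique (constructed values).
COVERAGE = {"T1566": 0.9, "T1078": 0.5, "T1190": 0.2,
            "T1003": 0.7, "T1021": 0.0, "T1486": 0.6}


def technique_priority(assets, actor_ttps, coverage):
    """Score each technique by criticality x exposure x control gap, summed over every
    (asset, actor) pair where the actor uses the technique and it applies to the asset."""
    scores = {}
    for asset in assets:
        for ttps in actor_ttps.values():
            for tech in ttps & asset.techniques:
                gap = 1.0 - coverage.get(tech, 0.0)    # no entry = control not deployed at all
                scores[tech] = scores.get(tech, 0.0) + asset.criticality * asset.exposure * gap
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


def coverage_gaps(actor_ttps, coverage, threshold=0.8):
    """Per tracked actor, the techniques they use whose control sits below the coverage threshold."""
    return {actor: sorted(t for t in ttps if coverage.get(t, 0.0) < threshold)
            for actor, ttps in actor_ttps.items()}


if __name__ == "__main__":
    for tech, score in technique_priority(ASSETS, ACTOR_TTPS, COVERAGE).items():
        print(f"{tech}: {score:.1f}")
    for actor, gaps in coverage_gaps(ACTOR_TTPS, COVERAGE).items():
        print(f"{actor}: under-covered techniques {gaps}")
```

With these inputs, valid-account abuse (T1078) ranks first because every tracked actor uses it against every asset and its control is only half deployed; the ranking shifts as the coverage figures from the foundational-control review are updated.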

Cybersecurity is a fast-paced industry, with an ever-evolving threat environment. By incorporating a threat-based cyber strategy to understand an attacker’s perspective, organisations can be more effective and more efficient in deployment of defensive controls, keeping the company off the front page of tomorrow’s newspaper.

To learn more about our cybersecurity and third-party risk management solutions, contact us.
