CISO LLC

How to Leverage Cyber Threat Use Cases to Counter an Attack

12/11/2017

 
Organizations and their third parties face a significant challenge in understanding the growing number of cyber risks posed to their ecosystems. A good way to overcome this challenge is to measure your security, as well as the security of your third parties, against cyber threat use cases.
By analyzing real-world events and known community concerns against your own controls and those of your third parties, you can better understand the potential impacts of various security incidents, and identify and prioritize risk. Further, comparing threat use cases against existing cyber security controls will enable your organization to have informed conversations about gaps in controls that could lead to security incidents.

Here are three use cases that can be used to identify opportunities to proactively improve your risk posture.
  • Point-of-Sale (POS) Breach: A third-party vendor is phished months before the attack on the victim. The phishing campaign allows the attacker to obtain the vendor’s credentials, which are then used to access the victim network. The attacker then installs POS malware to steal the payment card information of millions of customers.
  • Stolen Intellectual Property: An insider uses authorized access to gather proprietary data. The insider then leaves the organization, takes this information, and uses it in a new position at a competitor, thereby decreasing the competitive advantage of the former employer.
  • Distributed Denial of Service (DDoS) Attack: An attacker executes DDoS attacks against multiple financial institutions, thereby disrupting their ability to conduct business and preventing legitimate customers from accessing banking sites.

By improving or implementing security controls around these use cases, you can effectively prevent or counter an attacker’s moves. For example, if we look closer at the DDoS use case example, we can identify insights on how to counter the steps a DDoS attacker may take:

An attacker states their intent on the dark web to execute a DDoS attack against specific banks.
Countermeasure: The bank leverages threat intelligence to monitor for threats that may impact their business.

The attacker creates a plan and method for the DDoS attack.
Countermeasure: The bank shares threat intel through its information sharing program with its third parties.

The attacker initiates the DDoS attack against the bank.
Countermeasure: The bank and its partners have implemented technical DDoS mitigation controls to limit the impact of the attack.

Your organization's understanding can be improved by applying multiple threat analytical models to map threat actor techniques and identify security controls that can be effective in preventing, detecting, and correcting security incidents. By understanding threat actor motivations and techniques, we can help prioritize limited resources towards protecting against the greatest risks you are facing.

Copyright © 2017 - 2025 CISO LLC. All Rights Reserved.