A Guide to Effective Cybersecurity Risk Management - Bitdefender TechZone

Cyber risk is often calculated using the formula:

Risk = Likelihood x Impact

where:

Risk assessment can involve various steps and matrices depending on the chosen methodology, or framework. In this document, for simplicity, we will focus on an approach where risk assessment involves considering the likelihood of a threat occurring and its potential impact. This can be represented in a simple matrix with four quadrants:

Low Likelihood, Low Impact: Monitor and review Low Likelihood, High Impact: Contingency planning. High Likelihood, Low Impact: Routine handling and mitigations. High Likelihood, High Impact: Immediate mitigation and remediation.

Let us consider how a supply chain attack depending on the different usage scenario can land into two different quadrants. In the first scenario, we can imagine a typical software supply chain attack where an attacker gained access to IT service management software. Through this compromised software, they could potentially compromise any company using this software. Such events are low likelihood but highly impactful. On the other hand, we have business email compromise (BEC) where threat actors attempt to manipulate employees into transferring funds or disclosing sensitive information. This kind of supply chain attack has a high likelihood and high impact.

It is often challenging to assess the risk accurately without understanding how different risks are interconnected. Imagine managing vulnerability solely based on the Common Vulnerability Scoring System (CVSS). If you are dealing with high-scored vulnerabilities, you might miss those with lower points that could lead to more critical consequences. For example, a vulnerability in a content management system (CMS) that allows for remote code execution (RCE) might have a CVSS of 9.8. The attacker may have initial access to a system but still need another vulnerability to escalate privileges and gain access to sensitive data or system control. In contrast, a vulnerability in a cryptographic library that allows for reading encrypted data might have a CVSS of 5.9 but can lead to significant data breaches.

Risk Management Framework provides structured methodologies for identifying, assessing, and mitigating risks, enabling you to prioritize security initiatives and allocate resources effectively.

They facilitate better communication and decision-making regarding cybersecurity priorities. Key frameworks include:

Implementing a framework helps structure your security programs by defining roles, establishing risk management processes, and developing incident response plans. Additionally, using frameworks allows you to benchmark your security posture against industry standards, promoting a holistic view that considers people, processes, and technology.

You should adopt a risk management framework that fits your needs. This involves:

For example, if you need a comprehensive approach to integrating security and privacy into your system development lifecycle, the NIST Risk Management Framework (RMF) is ideal. If you are focused on understanding adversary behavior and improving threat detection, the MITRE ATT&CK framework is better suited for developing advanced defense strategies based on real-world attack techniques.

In this document, we will focus on risk mitigation, specifically those enabled by Bitdefender products and services, as it offers the most proactive approach to treating risks. While risk acceptance, sharing, and avoidance are valid strategies, effectively mitigating risk through controls helps address both the likelihood and impact of potential threats.

Risk mitigation involves implementing measures to reduce these factors, allowing you to focus on strategies that align with the formula:

Risk = Likelihood x Impact

For example, considering the risk of a data breach due to a ransomware attack, implementing a patch management program reduces the likelihood of the attack by minimizing vulnerabilities potentially exploited by ransomware. Leveraging a Managed Detection and Response (MDR) service reduces the impact by enabling rapid threat detection and response, minimizing the time attackers have to operate within your environment to encrypt data.

To reduce likelihood, you can start with users. Through training and awareness, you can train employees to recognize and avoid phishing attempts and social engineering attacks. However, even the best-trained people can fail when faced with sophisticated attacks, especially as LLMs make these attacks increasingly difficult to identify. Therefore, additional layers of protection that are able to recognize this kind of attack are crucial. You can help your users by implementing Email Protection to prevent phishing attacks, spam, and other email-based threats from reaching their mailboxes. It can recognize LLM phishing attacks, impersonation attacks, and malicious links, even in email attachments.

Bitdefender Security for Email

Strong authentication is essential for modern security. While passwordless authentication (like FIDO2) is the future, it may not be feasible for all organizations at this time. To enhance security, implement multi-factor authentication (MFA) to add an extra layer of security. For organizations with multiple applications, Single Sign-On (SSO) and federation can streamline the login process while maintaining security. Even with strong authentication, using a reputable password manager can help securely store and manage complex passwords.

Mobile devices are often an overlooked risk. Constantly connected to the internet and used for both personal and professional tasks, they become susceptible to data breaches, unauthorized access, and cyberattacks, posing a threat to sensitive information. Mobile security focuses on risk identification, threat detection, remediation, and reporting. Leveraging Mobile Threat Detection (MTD), it detects both known and unknown threats, including zero-day, phishing, and network attacks even when the mobile device is not connected to a corporate network safeguarding against a range of anticipated and unexpected threats.

Mobile Security Dashboard

You can reduce the likelihood of security incidents by conducting regular vulnerability scans and applying patches using Patch Management. Depending on your patch management strategy, you can utilize manual or automated patch deployment through predefined Maintenance Windows policies. For systems that cannot be patched, consider implementing additional security controls like network segmentation or increased monitoring to mitigate risks.

GravityZone Risk Management

While we have focused on user-centric measures, it is essential to remember that there can still be potential attacks due to misconfigurations in the operating system, computer configuration settings, and application vulnerabilities. For example, a publicly accessible application with a vulnerability that could lead to Remote Code Execution (RCE) can serve as an entry point for attackers to gain initial access to a system. Endpoint Risk Management is essential for identifying and addressing these misconfigurations using automatic or manual mitigation actions.

When threat actors use "Living off the Land" (LOTL) tactics, utilizing legitimate system tools and processes, they blend their malicious actions with normal operational activities. Proactive Hardening and Attack Surface Reduction (PHASR) proactively analyzes user and application behavior, creating behavioral profiles for each user-machine combination and comparing these profiles against known threat actor playbooks to prevent malicious activities. Instead of simply blocking entire applications, which could disrupt legitimate business operations, PHASR can implement granular, action-level blocking. For instance, while PowerShell itself might be necessary for administrative tasks, PHASR can identify and block specific high-risk PowerShell commands, such as those used for downloading remote files commonly associated with attacker playbooks. This reduces your attack surface and minimizes the risk of successful LOTL attacks before they even happen. Through a continuous learning cycle, it analyzes user actions, adapting to new user behaviors by modifying existing monitored rules or providing you with new recommendations.

Bitdefender PHASR dashboard

You can't completely eliminate the risk, even with the best Risk Management strategy; you can only reduce it. Compromised devices can serve as entry points for further attacks, making their protection critical. You can safeguard internal devices by implementing Endpoint Protection Platforms (EPP). EPP offers multi-layered security, including malware protection, network protection, exploit protection, ransomware protection, and advanced features such as advanced machine learning technologies. It will safeguard them against a wide range of threats, including malware, ransomware, and other malicious attacks.

Bitdefender GravityZone Configuration Policy

Bitdefender EDR incorporates anomaly detection to identify unusual or suspicious activities that deviate from normal patterns of behavior within your IT environment. What is unique and important to highlight is that our custom machine-learning models used in anomaly detection are trained individually on each customer's system. This is not a mistake, your environment has its own unique machine-learning model, just as distinct as your IT environment itself. These models leverage data from endpoint sensors, correlating events, extracting, and processing features such as user login times, network connection durations, process creation patterns, and other relevant data, to create a behavioral baseline. Any deviation from your baseline can be considered potentially malicious. For instance, if a user who has never previously used PowerShell suddenly attempts to execute a PowerShell command, this could be flagged as an anomaly. All identified anomalies are communicated to you for further investigation and response.

The main reason for the evolution from Endpoint Detection and Response (EDR) to Extended Detection and Response (XDR) was to gain visibility beyond just the endpoints. With Sensors in GravityZone XDR you can actively monitor your IT infrastructure, including devices, networks, cloud environments, identities, and productivity applications, for potential threats such as ransomware attacks. Sensors enhance your visibility across the entire attack lifecycle, starting from the initial point of compromise and extending to all impacted resources. For example, XDR can provide you with a comprehensive view of an attack, starting from a phishing email that's used to steal user credentials. It can track the attacker's actions as they leverage these credentials to gain privileged access, move laterally within the network, and ultimately encrypt sensitive data or exfiltrate it to external systems.

Bitdefender GravityZone Extender Root Cause Analysis

As organizations increasingly operate in hybrid environments, combining on-premises infrastructure with cloud services, it is crucial to address the unique security challenges associated with this shift. The adoption of cloud computing offers organizations numerous benefits such as scalability, flexibility, and cost-effectiveness however migrating to the cloud also introduces new security risks such as misconfiguration or excessive rights that can lead to data exposure or unauthorized actions. For instance, a common misconfiguration in cloud environments is leaving storage buckets publicly accessible. This can expose sensitive data to unauthorized individuals. Cloud Security Posture Management (CSPM+) plays a vital role in addressing these challenges by continuously monitoring configurations to identify and address misconfigurations and permissions within your cloud environment.

Bitdefender Cloud Security Posture Management

While internal security measures are essential, it is equally important to address the security of publicly exposed assets. These assets can have weaknesses, such as open ports, exposed services, and vulnerabilities. This is like leaving a back gate unlocked, making them a prime target for attackers who constantly scan for exposed systems to leverage publicly accessible information to identify vulnerabilities and gain initial access to your systems. For example, an attacker could discover an exposed database server on your network and exploit a known vulnerability to gain unauthorized access to sensitive data. To reduce the external attack surface, you need comprehensive visibility across your external assets before attackers can exploit them. External Attack Surface Management (EASM) continuously monitors your external-facing assets such as web applications, network infrastructure, and cloud services to identify and address vulnerabilities before they can be exploited.

Bitdefender External Attack Surface Management

Risk analytics provides a holistic view of organizational risk by aggregating and analyzing data from various sources. This enables the identification of patterns, trends, and potential threats, including attack paths. By correlating findings across User Risk Management, Endpoint Risk Management and Cloud Security, it pinpoints root causes of incidents and reveals related security risks. For example, if an incident resulted from a user's credentials being used in unencrypted communication, Risk Analytics would report this along with other identified root cause risks and the top five most severe risks. This information can be used to reduce the likelihood of similar incidents by implementing measures like mandatory multi-factor authentication and securing communication methods through encryption.

Our goal is to correlate more findings, for example vulnerabilities and EASM to trace the sequence from initial discovery to lateral movement and data exfiltration. Also, by correlating identities based on their attributes, we can create a comprehensive risk profile across the entire environment. Network Anomaly Detection will enable us to identify and prevent network-based attacks and analysis also considers the involved users and relevant files.

If you are using our Managed Detection & Response (MDR) service, the Cyber Threat Intelligence (CTI) team, which is part of it, also helps mitigate the risk. The CTI team assesses information gathered from a wide variety of sources including various cyber intelligence gathering tools, scouring the dark and deep web, gathering data from various law enforcement organizations around the world, gathering threat information from the Bitdefender Labs team, and reviewing information from various reliable news authorities. Furthermore, the CTI team actively leverages Threat Intelligence to monitor for credential leaks/email exposures or monitor for domain abuse or insecure code repositories. Their findings are discussed with the MDR SOC analysts and action plans are custom tailored to your environment, the businesses’ field of activity, and details of the identified potential threat.

Bitdefender MDR

While the above security controls provide a solid foundation for mitigating risks, a proactive approach to security also involves actively hunting for potential threats. Offensive services, are designed to proactively assess security gaps in your environment, whether on-premises, cloud, or hybrid. Offensive security services, conducted by ethical hackers who mimic real-world attacks, go beyond simply testing your prevention. They stress-test your entire security posture, prevention, protection, detection, and response mechanisms. Penetration Testing identifies vulnerabilities and risks by simulating real-world attacks, helping you understand your security posture of specific assets. Red Teaming takes it a step further by simulating real-world attacker behavior across interconnected assets, allowing you to test your detection and response capabilities against advanced threats like ransomware.

Even with the most robust security measures in place, it is inevitable that threat actors will eventually find a way to breach your defenses. While we can strive to minimize the likelihood of a successful breach, we must assume that an incident will occur and focus on promptly detecting and responding to threats.

One of the most effective ways to reduce the impact of a data breach is to encrypt sensitive data at rest. Without encryption, sensitive data is vulnerable to theft. For example, if a laptop containing sensitive data is stolen, the thief could potentially access the information. Full disk encryption of hard drives, external drives, and other storage systems provides you a robust defense against data breaches, significantly reducing the potential impact of unauthorized access to sensitive information. It also helps you meet some of the regulatory compliance requirements such as GDPR and HIPAA.

Bitdefender GravityZone console

When threat actors gain access to your system, they can execute encryption software to lock your data and demand a ransom. The Ransomware Mitigation module monitors endpoints and blocks processes that attempt to alter the data. This technology encompasses three primary areas: operating system level, files, and cloud support. For example, it analyzes specific portions of the file in usage and applies statistical formulas, including entropy and chi-square tests, to detect indications of file encryption. When a ransomware attack is detected and blocked, it will report to you information about the user session on the endpoint and the files that have been impacted, with the possibility of file restoration either manually or automatically. The backup process is performed in real time and triggered only when necessary. Ransomware mitigation technology does not rely on the shadow copy mechanism for backup; instead, we developed our own internal mechanisms. This approach protects data, as malicious actors often target shadow copies and backups before encryption and ensures that there is minimal impact on the overall system performance.

When a threat is detected, an incident is automatically created to initiate a forensic investigation. Understanding how an attack occurred is crucial for containing the threat and preventing further damage. With Incident Advisor, you can significantly reduce the time required to investigate and contain threats. By correlating data from multiple sources and presenting it in a clear and concise format, Incident Advisor streamlines the investigation process, allowing you to focus on identifying the root cause of the incident and taking timely corrective actions. This comprehensive overview of the incident, including its cause, effects, and potential risks, enables you to make informed decisions and implement effective incident response action for example, you can block suspicious AD users and isolate the host where the incident started.

Bitdefender GravityZone Incident Advisor

Additionally, you can gain valuable insights by leveraging Threat Intelligence when a suspicious file or connection is detected, or a threat is identified. All files can be analyzed to check their reputation, and if it is an unknown file, it can be sent to a sandbox for further analysis. Using IOCs, you can search for the threat actor and, knowing their TTPs, create custom detection rules to isolate endpoints when specific files, processes, or connections are detected. Threat intelligence can also be used to search for threat actors targeting your industry. This proactive approach allows you to create custom detection rules in advance based on the IOCs assigned to threat actors. You can also use live search functionality based on the OSquery to create finely tuned and organization-specific detection patterns. For example, if a YARA rule is designed to detect a specific malware signature within files, on-access scanning would trigger an alert whenever a file with the matching signature is accessed or executed in real-time by any user or process.

Bitdefender Custom Detection Rules

A key strategy for reducing the impact of a cyberattack is to leverage a Managed Detection and Response (MDR) service. If you are running a business but lack a dedicated security team, MDR provides invaluable assistance. By partnering with an MDR team, you can effectively leverage expert security knowledge and resources to enhance your incident response capabilities and minimize the impact of cyberattacks, even with limited in-house security resources. MDR teams actively hunt for threats, including advanced threats, zero-day exploits, and insider threats, that may have evaded traditional security controls. They can quickly detect and respond to security incidents, minimizing dwell time and reducing the potential damage caused by attackers. Furthermore, MDR teams conduct in-depth investigations to identify the root cause of incidents and collect forensic evidence , while recovery and remediation efforts focus on restoring affected systems.

Clear responsibility and ownership during each phase of the incident are crucial. The security team, typically led by the CISO, coordinates with IT, legal, and other departments to ensure an effective response. A well-defined Incident Response Plan outlines clear processes and responsibilities, ensuring everyone knows their role. The key phases include:

For example, imagine a scenario where a phishing email compromises an employee's account, allowing attackers to gain initial access to the network. With an MDR service in place, this could be detected rapidly, enabling security teams to quickly isolate the compromised system and prevent further lateral movement within the network.

Incident response works in tandem with Business Continuity Planning (BCP) to ensure operational resilience during and after an incident. Minimize downtime by identifying critical business functions and ensuring backup systems are ready. Assign clear ownership of continuity tasks to relevant teams. Regular testing and updates to both the incident response plan and BCP enhance resilience. Ensuring teams are prepared to act quickly reduces financial and operational impacts. Conduct a post-incident review to identify areas for improvement. Document lessons learned to update the existing incident response plan and better mitigate future risks.