
Understanding Cyber Threats in Today’s Digital World

1. How Understanding Your Cyber Threat Landscape is a Great Step Forward in Security


Today’s vulnerability and cyber threat landscapes are constantly evolving. Not only do modern organizations of all sizes face a growing number of cyber threats, those threats are also increasingly complex, and there’s no one-size-fits-all formula for deciphering exactly what a cyber threat may be for one organization compared to another. However, understanding your cyber threat landscape, as well as how to prioritize cyber threats for remediation, is a great first step in establishing a cyber security program. The more you understand about the cyber risks facing your organization and their potential impact on your most critical operations, the more prepared you will be to adapt your cyber hygiene practices and mature your cybersecurity measures over time.

2. First, what is a cyber threat?


The National Institute of Standards and Technology (NIST) defines a cyber threat as a circumstance or event that could potentially negatively impact your operations. For example, the threat, if a threat actor successfully exploits it, could result in your organization losing its ability to deliver products or services.

As a result, there could be far-reaching impacts on your relationships with your customers, your brand, your vendors, partners, key stakeholders, and, in some extreme cases, the market you're in as a whole. A cyber threat can also negatively impact your internal operations and staff. In extreme cases, for example, if your organization is a critical infrastructure provider, there may even be the potential for negative impact on the nation from these threats.

In many cases, a successfully exploited cyber threat can result in a threat actor gaining access to a range of important and sensitive data for your organization, which could be destroyed, made public, or changed, or it can result in a denial of service.

The Cybersecurity and Infrastructure Security Agency (CISA) points out that cyber threats don't just come from unknown or known outside sources; they can also originate from within your organization by trusted users. These are often referred to as insider threats.

3. What types of groups/individuals are likely to be considered cyber threat actors?


Often, when there are news-making threats for critical infrastructure or other important critical services, we hear about nation-state threat actors being in play.

CISA says that the cyber threats posed by national governments could range from something as low-level as a nuisance created by web pages being defaced to life-or-death critical when critical infrastructure is involved.

"Only government-sponsored programs are developing capabilities with the future prospect of causing widespread, long-duration damage to U.S. critical infrastructures," CISA points out.

Another potential cyber threat actor may be what we'd refer to as a terrorist or an adversary to the nation. While their intent may be similar to those of national governments, they often don't have the same abilities as nation-state threat actors. Their tactics are likely to be less developed. CISA says terrorists only pose a limited cyber threat; however, this could be an increasing point of concern in the future as new generations join terrorist ranks with more technological experience.

Organized crime groups and industrial spies are also well-known for being cyber threat actors. While their threat isn't as high as a nation-state threat actor, they do carry some weight in their abilities to create disruption or damage via cyber-attacks. Often, they're focused on industrial espionage. They also want to follow the money, knowing these attacks can be lucrative when targeting big business.

While a traditional hacker may be the most well-known type of cyber threat actor, there are also an increasing number of hacktivists joining the ranks. These threat actors are generally politically motivated and, according to CISA, have a medium threat level. They may successfully carry out isolated attacks, but those attacks can be damaging. Unlike nation-state cyber threat actors who might be focused on destroying or disrupting critical infrastructure, hacktivists generally engage in cyber-attack activities that promote their agendas more so than causing harm.

And finally, we have those well-known hackers who generally operate alone or as part of small groups. These attackers pose a lesser threat; however, their threat opportunities are more widespread with varying potential for outcomes. Some hackers want notoriety. Some want fortune. Some just want to prove they can do it.

When speaking in terms of critical infrastructure, most lone hackers don't have the skills or resources to be a significant threat; however, because there are so many hackers around the world, they still have the ability to create a significant cyber event that could have lasting impact.

CISA identifies some of these sub-groups for hackers:

  • Script kiddies: Use available research and tools to exploit vulnerabilities and exploit code

  • Worm and virus writers: These are hackers usually writing worm and virus code, but not exploit code.

  • Security researchers and white hat hackers: These are bug hunters and code exploiters looking to find weaknesses and usually financially benefit from their identification.

  • Black hat hackers: Similar to bug hunters and code-exploiters, these hackers are often paid to write code or intentionally try to hack networks.

4. Are there different types of cyber threats?


Yes. There are many types of cyber threats. While often thought of in terms of technology issues, vulnerabilities or weaknesses, cyber threats may also take the form of individuals who intentionally or inadvertently employ measures that cause your organization harm.

5. What are some examples of cyber threats?


There are many types of cyber threats, and in our modern world, they're constantly changing and evolving, especially in the last several years as a growing number of organizations of all sizes and across all industries adopt and implement new technologies, especially cloud-based ones, faster than ever before.

While not all-encompassing, here are a few examples of common cyber threats:

  • Exploitation of misconfigurations and unpatched systems

  • Phishing: Sending fake emails that look like they're from real sources to trick people into revealing information like usernames, passwords and payment info.

  • Credential stealing: Because people often use the same usernames and passwords across many sites, attackers can collect usernames and passwords from one breach and then use them to access other sites.

  • Malware: Malicious software that gives attackers system access.

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS): Flooding attacks to use up bandwidth so systems can't respond to actual service requests.

  • Cross-Site Scripting (XSS): Putting malicious code on websites to target visitors.

  • Man-in-the-Middle (MitM) attacks: Compromising users through unsecure networks like public Wi-Fi.

  • Structured Query Language (SQL) injection: Putting malicious code on a server and then using SQL to access sensitive information that otherwise wouldn't be accessible.

  • Zero day exploits: Exploiting a system after a threat is publicly announced but before a patch or other fix is released.

  • Spam: Attackers send unwanted and unsolicited messages, usually in great volume, with the intent of luring a user into clicking a malicious link, downloading a malicious file, or giving up sensitive information, such as credentials.

  • Cloud vulnerabilities: A cloud security vulnerability is a weakness within a cloud computing environment, for example an insecure API, poor access management, or system misconfigurations.

  • Misconfigured code: A growing number of hackers are successfully finding security weaknesses within code where a misconfiguration early on is missed during code development and testing, opening the door for an attacker to exploit that weakness.

  • Insider threats: While many inside threats take the form of a disgruntled employee or employee who has been lured (for example, by financial incentives) to commit actions that may harm an organization, unintentional actions by your employees or connected partners may also introduce insider risks to your organization.

  • Malicious links: These links are generally part of emails or websites where a would-be attacker has intentionally created a link that leads to things such as viruses or malware to enable them to access devices or convince a user to provide credentials.

  • Lost or stolen assets: Lost or stolen assets, especially those that are not protected with passwords and/or encrypted, are cyber threats for your organization. This isn't just a lost smartphone or laptop; it can include a range of devices that might contain data, for example a tablet, an external back-up drive, thumb drive, etc.

  • Unencrypted data and devices: If your devices are unencrypted, a threat actor may be able to read and access your unprotected data.

  • Social engineering: Social engineering is a cyber threat because the tactics trick people into releasing confidential or sensitive information that attackers can then use for fraudulent activities.

  • Unpatched vulnerabilities: Attackers love unpatched systems. Often, known vulnerabilities for software and devices go unpatched and attackers can employ known tactics to exploit those weaknesses and often get access to systems and networks.

  • No continuous vulnerability monitoring: Without continuous vulnerability monitoring, your organization lacks insight into any new potential risks or vulnerabilities as your environment changes, potentially introducing new cyber threats you don't know exist.

Tenable's 2021 Threat Landscape Retrospective identifies these five vulnerabilities as top cyber threats for 2021:

1. ProxyLogon, Microsoft Exchange Server

2. PrintNightmare, Windows Print Spooler

3. VMware, vSphere

4. Pulse Connect Secure

5. Zerologon, Windows Netlogon Protocol

6. What is Cyber Exposure?


Cyber Exposure is a discipline that helps organizations see, predict, and act to identify and address cyber threats. Cyber exposure management and cyber risk management are often used interchangeably, both helping to identify cyber threats and then prioritize which have the greatest potential impact on your operational resilience and how you should remediate those issues.

The Cyber Exposure Lifecycle aligns with the cybersecurity lifecycle and creates a framework you can use to continuously seek out cyber threats and mature your cybersecurity practices.

In simple terms, cyber exposure management helps your organization unify your security goals and objectives with those of the business so you can make better informed business decisions based on a range of risks, for example, cyber threats, so you continuously assess your security practices and improve your cyber hygiene.

The three components of the Cyber Exposure Lifecycle include:

  • See: Identify and map all of your assets for visibility across your environment

  • Predict: Use threat intelligence and business context to discover which vulnerabilities attackers may be most likely to exploit

  • Act: Remediate or mitigate your critical cyber threats

7. Are cyber threats and cyber risks the same?


While the terms cyber threat and cyber risk are often used interchangeably, there are differences. A cyber threat encompasses the possibility a cyber-attack may occur. A cyber risk, however, takes into account the risk associated with that cyber threat and helps your organization determine what the potential impact may be from that threat. It’s also important to clarify here that the term cyber-attack is often used in these related discussions. A cyber-attack, although interrelated, is the actual action a threat actor may take to successfully exploit a security issue.

8. Why is cyber threat management important?


Cyber threat management is important because it can help you understand how to use technical data, automation tools, and other resources to make better business decisions.

The reality for modern business is that our threat landscape is constantly evolving. As it rapidly changes, it's also becoming more complex. Our systems are no longer just servers and networks. Today's business operations span a range of devices, systems, and locations, from on-premises assets to the cloud, and for many, even beyond into operational technology, internet of things (IoT), and industrial internet of things (IIoT) devices.

Unfortunately, many organizations still take a compliance-driven approach to their cyber threat management practices, instead of one driven by cyber threats and their potential impact on the organization. Instead of building proactive and flexible programs, some organizations focus on meeting minimum requirements for their compliance and regulatory bodies. While that might keep you out of compliance crosshairs, it may not be enough to protect you from the evolving, sophisticated attack methods hackers employ today to exploit a range of cyber threats.

While meeting compliance and other regulatory standards is paramount, it should not be the single-most driving factor for your cyber threat management program. That may mean you're just not secure enough.

Without a comprehensive and well thought-out cyber threat management program, it can be nearly impossible to keep up with all of your assets and all of their related vulnerabilities and other security issues. A cyber threat management program can help you identify and inventory all of those assets, identify your critical operations and services, know all of your vulnerabilities and weaknesses, help you prioritize which ones you should address first, and then continuously have insight into all of your risks as your environment scales and evolves.

Another important benefit of cyber threat management is that it can help you build a strategy that proactively assesses areas where you may be at greatest risk so you can always stay one step ahead of attackers.

Often, organizations that don't have mature cyber threat management programs don't find out where they have potential exploits until it's too late—either after an attack is underway, which can go unnoticed for months and months, or when faced with an audit or investigation into a potential issue.

Cyber threat management is a framework you can use to close up these security gaps. Organizations that don't have this type of cyber threat program in place often discover they have no comprehensive insight into their entire threat landscape. They aren't able to track all of their security issues quickly, accurately and efficiently, and they can't create reports that align their cyber goals with business objectives to build a culture that encourages everyone to take part in the ongoing battle against cyber threats.

And, sadly, as we see already in an industry where it's difficult to find, attract, and retain skilled, qualified professionals, programs that don't have efficient cyber threat management practices in place often end up with overworked, burned out, exhausted IT and security team members. Those issues can negatively affect focus and vision, creating another unique set of cyber threats for your organization.

9. How can I identify cyber threats for my organization?


There are some best practices your organization can employ to help you better identify cyber threats for your organization.

First, you need insight into what today's threat landscape looks like. While many organizations try to do this by keeping their security teams involved in industry news and research, you may find it more effective to partner with a resource such as Tenable Research. Your teams are already busy seeking out weaknesses and trying to remediate them. It's almost impossible for a small team or an already busy team to identify all of today's biggest threats. Instead of using your team's time and resources for that big-picture research, a team like Tenable can help ensure it's delivered to you, right within your Tenable product of choice. That way, you can focus your team's attention on figuring out which of those important vulnerabilities are applicable to your environment and how to prioritize which ones to address first.

And, it's not just about threats within your organization. Cyber threats are always evolving externally as well, so you'll need a good read on what those are so you know where to focus your attention.

Next, once you're familiar with what today's threat landscape looks like, you need visibility across your entire environment and through all of your assets. Remember, it's no longer just about IT assets on site. Your teams likely have a gamut of mobile devices to monitor, as well as software-as-a-service applications, and other cloud-based solutions.

Visibility into all of your assets, which is supported by an accurate (and hopefully automatically updated) asset inventory is key. Without knowing which assets you have, as well as when and how they are used, you can't identify where you have weaknesses. Asset inventory, as well as identification of critical services and operations is a key early step in identifying cyber threats for your organization.

Once you know where all of your assets are and how they're being used, you'll need help identifying all of your potential vulnerabilities, misconfigurations, unpatched systems, and other security issues. Consider using a tool that automates vulnerability identification for you, such as Tenable Nessus.

Nessus Network Monitor, for example, gives you continuous insight into vulnerabilities in your environment. And, unlike having your team go out and try to discover all potential security issues manually, you'll have access through Nessus to almost 70,000 CVEs, more than 168,000 plugins, with 100 or more new plugins added weekly.

Once you have a tool with ongoing, continuous detection capabilities in place, you'll need more information to help you prioritize which of the discovered security issues need your attention first.

Tenable One, for example, is an exposure management platform that will help you determine not just where you have those cyber threats, but the risk they pose to your organization. It's a way to know your cyber exposure status at any time, no matter how your environment changes.

With a tool like Tenable One you can also easily prioritize which of these cyber threats you should focus on first. Tenable's proprietary Vulnerability Priority Rating (VPR) gives you an easy-to-understand score so you know what to focus on first.

So, now that you've identified where you have vulnerabilities and prioritized which ones your team should address first, it's time to put your response actions into play. While playbooks, policies, and procedures are critical here, a tool like Tenable can help automate your response based on your preset parameters or industry recognized best practices. A platform like Tenable One can help you quickly alert and notify key team members based on their roles and responsibilities, again, helping you stay ahead of attackers before they have a chance to exploit a weakness you didn't know was there.

10. How can I prioritize cyber threats?


While many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize their cyber threat remediation processes, many find it difficult to work through. That's because many CVSS scores come back with a vulnerability rating of critical or high, without taking into account your organization's specific environment or business needs. As a result, teams find themselves buried beneath a mountain of vulnerabilities they just can't work through, all the while new vulnerabilities are discovered with similar ratings. Where do you focus?

Instead, consider using Tenable's Vulnerability Priority Rating (VPR) to better manage your vulnerability prioritization processes. Using Tenable's Predictive Prioritization technology, your organization can get more accurate insight that will help you more effectively and efficiently improve your remediation strategies.

Each vulnerability gets a VPR based on severity of either Critical, High, Medium, or Low. However, the VPR also takes into account technical impact as well as the threat, meaning what's the likelihood an attacker might exploit that weakness and what would its impact be on your operations if successful. This is based on research that draws on recent threat activity, but also potential future threat activities.

This differs from the traditional CVSS approach for prioritization because it takes into account more than just technical severity. VPR also considers risk. VPR also takes into consideration vulnerabilities with known exploit codes. That's because those with publicly available exploit codes are more likely to be used in a cyber-attack. Those that have a higher maturity for exploit code are more likely to be rated critical or high through VPR, making it more effective than prioritization scoring through CVSS.

As a demonstration of the differences between CVSS and VPR scoring, on average, VPR rates about 700 vulnerabilities as critical, whereas there may be tens of thousands of vulnerabilities scored as critical through CVSS. With fewer vulnerabilities rated as critical through VPR, it's easier for your organization to know where to focus remediation efforts first.

Want to know more about VPR and CVSS and how they're different? Read this blog for a deeper dive.

11. How can I mitigate or remediate cyber threats?


Your organization's strategy to mitigate or remediate cyber threats is contingent upon a range of information that's unique to your business and goals. However, there are some best practices you can employ to mitigate some of these threats.

Here are a few recommendations:

  • Complete an asset inventory and update it regularly. You can't identify all of your cyber threats without knowing where your assets are and how they're used.

  • Conduct routine risk assessments using a best practice risk management framework.

  • Consider using a vulnerability assessment solution that automates many of your routine processes, including role-based alerts and notifications.

  • Know your current security posture.

  • Identify security gaps. Prioritize remediation and develop plans to address security weaknesses.

  • Establish a target security profile and routinely evaluate, modify, and update your processes to mature your cyber hygiene practices.

  • Update software. There are often known, unremediated vulnerabilities in software systems, which must routinely be updated to address them. Consider automating these processes if you can.

  • Adopt identity and access management policies and procedures. Consider enabling least possible access controls that enable users to complete required tasks, but not access other information. Be sure to have systems in place that automatically remove users from your systems if they depart from your organization or change roles.

  • Establish network access controls, such as zero trust.

  • Employ endpoint security.

  • Set up firewalls.

  • Enforce password management best practices, including secure steps to reset passwords and other credentials.

  • Maintain and manage approved software lists, as well as the management of trusted certificates for those approved solutions.

  • Use additional security measures such as multi-factor authentication, especially for users that have elevated privileges.

  • Consider employing encryption technologies.

  • Develop, test, and routinely update your system recovery plans.

  • Employ a continuous network monitor so you have instant insight into any potential network intrusions.

  • Employ antivirus and anti-malware solutions.

  • Educate and train your staff on cyber threats and conduct routine exercises to determine where you may have potential weaknesses (For example, send a test email with what looks like a potential malicious link. Do you have users who routinely will click those links or download unknown attachments?)

  • Conduct phishing exercises to see if you can successfully exfiltrate credentials or other sensitive data from your staff.

  • Conduct internal and external penetration tests to identify security weaknesses and ensure your security defenses work as intended.

  • Partner with a team like Tenable so you're always updated on current cyber threats.

  • Employ vulnerability assessment and vulnerability management best practices.

  • Develop a system back-up plan and routinely test it against a variety of potential disruptive scenarios.

  • Patch applications and operating systems where you can and employ a patch management schedule.

  • Employ a security platform that gives you insight across your entire attack surface, from traditional IT to the cloud and into IoT, IIoT, and OT operations.

12. What are some of the biggest cyber threats right now?


The coronavirus pandemic, which accelerated technology adoption and remote workforce opportunities for many organizations beginning back in 2020, has introduced a growing list of cyber threats for modern business. In no specific order, here are some of the biggest cyber threats facing organizations today:

  • Ransomware

  • Malware targeting mobile devices

  • Supply chain and third-party vendor risks

  • Social engineering

  • Phishing schemes

  • Cloud security weaknesses

  • Misconfigurations

  • More attacker focus on critical infrastructure and operational technologies

  • More application security issues, for example Log4j

  • Staffing shortages in IT and cybersecurity

  • More advanced persistent threats (APTs)

  • Work-from-home security risks via unsecure networks and devices

13. Is there a cyber threat framework?


Yes. There are cyber threat frameworks you can use to build and mature your cyber threat management program. For example, the U.S. government developed a cyber threat framework to help organizations understand what a cyber threat is, providing a common language to identify and discuss cyber threats. This framework aligns threat actor objectives with a threat lifecycle, focusing on stages of preparation, engagement, presence, effects and consequences.

One of the most widely used frameworks is the NIST Cybersecurity Framework (NIST CSF). This is recognized as a best practice approach to help organizations identify cyber threats and manage cyber risks. By employing NIST CSF, your organization can get better insight into all of your vulnerabilities and cyber threats, as well as their potential impact, and then reduce these risks and make response and recovery plans.

According to NIST, today, 16 critical infrastructure sectors use NIST CSF, as do 30% of all U.S. organizations. More than 20 states do too.

Depending on your industry, location and business-type, here are some other cyber threat-addressing frameworks to consider:

14. How can Tenable help with cyber threat identification, prioritization, and remediation?


Tenable's risk-based vulnerability management platform is a great way to identify, prioritize, and remediate your cyber threats.

Unlike legacy vulnerability management practices, risk-based vulnerability management is more than just discovering vulnerabilities in your enterprise. It enables you to identify your assets and their associated risks, but also go beyond that and get practicable, understandable information that helps you understand which cyber threats pose the greatest risk to your organization, so you can make plans to remediate those that matter most first.

With Tenable One, for example, you can eliminate a fragmented approach to exposure management and get complete visibility into your entire attack surface, starting with Infrastructure as code (IaC), and all of your traditional IT assets, your cloud environments, OT, web apps, Active Directory, and more.

Tenable One continuously analyzes more than 20 trillion threat aspects and vulnerability and threat data using machine-learning algorithms. It helps you see where you have cyber threats across your entire enterprise and helps you prioritize them in a way that makes most sense for your specific business.

With Tenable's cyber threat research and tools, you can close your cyber exposure gap and better secure your evolving attack surface. And remember, it's not just about identifying your cyber threats. It's about getting insight into which of those threats may have the greatest risk to your organization now and in the immediate future and helping you prioritize and remediate those risks as quickly and accurately as possible.

Tenable Lumin, for example, will generate a Cyber Exposure Score (CES) that can help you calculate, communicate, and compare the risks related to your relevant cyber threats. Within its dashboard, Lumin gives you insight into your current CES and quantifies your risk level, assessment maturity, and remediation maturity. You can even compare your program effectiveness by benchmarking internally and against your industry peers.

With risk-based exposure scoring and prioritization, you'll always have insight into your biggest cyber threats—not just in general, but specific to your organization and your unique environment.

Tenable enables you to apply business context to all of your cyber threats. That not only helps you prioritize and remediate, but also builds a bridge between your IT and security teams by helping them speak a language your executives and key stakeholders understand. With that support, your cyber threat management program is no longer just about tech terms and scary possibilities. It enables you to quantify the risks of those cyber threats in a way that has meaning to your organization. And ultimately, this type of communication can help build executive engagement with your program, helping to support your needs for additional personnel, tools, time, and resources as needed.

15. Cyber Threat Resources


Vulnerability Management: A Fundamental First Step to Improve Cyber Hygiene and Reduce Cyber Risk

Boosting Confidence in Governments’ Cybersecurity

Why Food and Beverage Companies Should Crack Down on Industrial Cyber Threats

Think Like An Attacker to Take Control of Your Active Directory Defenses

Exposures 2022: We Predict One or More of These 5 Cyber Trends Will Really Matter to Your Business This Year

The Threats, Vulnerabilities, Attacks and Incidents That Made 2021

Whether you’re an organization just building your cybersecurity program or you’re looking to mature the efficiencies and effectiveness of your existing practices, Tenable can help. Want to see how? Check out Tenable solutions to see which is the best fit for your current cyber threat management needs.


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training