Life is filled with the best of intentions, such as wanting to win the lottery or keep the work emails to a manageable level. Large enterprises have the ability and budget (and occasionally the willpower) to create the necessary groups to handle all aspects of security, including the various components to identify threats before AND after they happen. This includes threat hunting, pentesting, education, architecture, incident response, research, development, engineering, access management, and several other security offshoots of IT resources. Having the best security program for your small organization might be your intention, but many obstacles such as money, time, or resources can prevent you from that perfect implementation.
While these resource suggestions won’t be a one to one replacement for having full-time resources hired to do the work, it can get you started, cover some of the missing links, and help build in that foundational baseline with a lack of time and monetary resources.
Threat Intelligence and Research
The intention of a Threat Intelligence group is to research what types of cyber-attacks are occurring against various individual, business, or government entities and to inform the business on where to prioritize and build their defenses. For example, a Threat Intelligence group within a utility company may have a different focus than a company in the healthcare industry.
There are several excellent (and free) resources that you can use to help inform you and your staff on the security risks in the world.
SANS NewsBites Newsletter
This often-published newsletter provides a great overview of what cyber security events are occurring around the world, including active attacks, breached companies, new types of malware, along with editorials, lessons learned, and links out to several other security websites for more information. You can either sign up for the emails at https://www.sans.org/newsletters/newsbites or view the newsletters on the site. All you need to do is sign up for a SANS account and select which emails you would like to receive.
Pros: Professional research and editorial work, free, timely and current with industry trends
Cons: Not focused for any particular industry, be prepared for SANS education advertisements
HSlatman’s Awesome Threat Intelligence Github
This curated list has a collection of publicly available resources to help with various free threat intelligence feeds (where the bad activity is sourced on the Internet), frameworks to help sort that information, and other back to basic resources to help start your threat intelligence group. Check it out at https://github.com/hslatman/awesome-threat-intelligence.
Pros: Lots of useful resources for threat intelligence, points to something for every budget and capability
Cons: Hasn’t received an update for a while, could be overwhelming for someone new to the threat intelligence space
Security Awareness and Education
Security awareness and education programs specifically cover training company employees how to protect their internal resources such as emails, usernames and passwords, computers, and their intellectual property.
ESET Cybersecurity Training
This antivirus vendor offers a free cybersecurity awareness training for employees that covers phishing, social engineering, two-factor authentication, and other handy security overviews. Check it out at https://www.eset.com/us/cybertraining/
Pros: Well-done training class, relevant information, provides completion certificate for potential audit purposes, free
Cons: Providing your name and email to an antivirus vendor. I haven’t received any spam however
This educational course work offers free online classes for new and experienced security professionals. They offer classes to help complete degrees such as the CISM and CISSP. In fact, I started my CISSP certification journey through their classes. Go to https://www.cybrary.it/, make an account, and start learning.
Pros: Excellent material (especially for being free), great for your cyber security or IT staff to get a basic or advanced level understanding of many security level subjects
Cons: Cybrary does have paid services for larger organizations, but it may be worth the cost. Check out the free classes first and see if it’s something that might work as your company gets larger
Penetration Testing / Red Team
The Open Web Application Security Project (or OWASP for short)
OWASP is a well-known group that formed for the specific purpose of providing unbiased information and improving web application security. They offer a large amount of information on how to both attack and protect applications. The OWASP Top 10 covers the most well-known threats that businesses can spend time and effort remediating. They also develop several pieces of software such as Zed Attack Proxy (ZAP) which is an open source web application scanner that many pentesters use, DefectDojo which is an application vulnerability tracker, and Juice Shop to safely practice your pentesting skills. Check it out at https://www.owasp.org/index.php/Main_Page
Pros: A huge wealth of community providing information, excellent tools for both work and education, information tailored for specific industries
Cons: Provided software may not be the fastest to update with the newest industry vulnerabilities
MITRE ATT&CK™ is a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” It is a free foundational resource that can provide various attack techniques that real attackers use in their attacks on a network. You can use this resource to either build example attacks to test defenses, or build new defenses against specific attacks that may affect your environment. It is located at https://attack.mitre.org/.
Pros: Collection of real-world attack methods, free, constantly growing and evolving to keep up with new threats, good way to start understanding about the red team
Cons: May not cover all known threats, but it is an excellent start
This is just a small sample of some things you can do to help bolster your security within your organization. There are additional security groups and resources to cover in upcoming blog posts, so stay tuned!