How to create a Threat Landscape and rock your customer meetings

bleeding earth

This post is probably most relevant if you work in the security field as a consultant. When you engage with a new or potential customer, it is worth asking whether they actually understand the threat landscape of their particular business. You can capture their attention quickly if they do not know their threat landscape, and even more so if you come prepared.

So let's take a step back: what is the threat landscape?
Every company is exposed to cyber security risks and threats. How large that exposure is varies dramatically with its footprint in the world: where it operates, what it sells, which technologies it runs.

This exposure, together with the threats that can arise from that attack surface, is what we refer to as the threat landscape.

The threat landscape can come in various sizes and be as high level or as detailed as the effort you are willing to put into creating it.

Let's start from an example; let's call it ACME Group.

ACME Group is a medium-sized business, mainly in the field of retail. While their main office is in Barcelona, they run retail stores all across Europe, with the largest customer base in Germany, France and Switzerland.

Most of this data will be publicly available on their "About ACME" page somewhere on their website. If you are really lucky, they are also required to publish business reports, so you know their net value and investment strategies, you may find all their current locations and planned expansions, and last but not least all their brand names.

While you are browsing their website anyway, you can also dig deeper to find out which technologies the company uses (hint: looking at their career page for technology jobs and the skills they ask for will give you a good idea) and identify potential threats based on that technology. With this you can get familiar with vulnerabilities or issues they might face, as well as their current situation; nothing screams "help" like a job advert for a "DevSecOps — Full Stack developer with SIEM experience".

Next we utilise MISP, especially the GitHub page listing known threat actors (the threat-actor cluster of the misp-galaxy repository), which you can find here, or we look at the MITRE ATT&CK Groups list.

We can search the JSON for the keywords we have seen above:

  • Barcelona (Spain)
  • Retail
  • and, with a lower weight, Germany, France and Switzerland
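Doing the keyword search by hand over a file with hundreds of clusters gets old quickly. The script below is an added example (not code from the original post or from the MISP project) that parses a galaxy cluster file in the layout MISP uses for threat-actor.json (a top-level "values" list whose entries carry "value", "description" and a "meta" object with fields such as "cfr-target-category", "cfr-suspected-victims" and "synonyms") and scores every actor against weighted keywords, so that the headquarters country and industry count more than the secondary markets, exactly as in the list above. The embedded JSON is constructed sample data with invented actor names, not real attributions; point the function at the real file to get real results.

```python
import json
import re

# Constructed sample in the shape of a MISP galaxy cluster file
# (clusters/threat-actor.json). The actor names and metadata below are
# invented for illustration only and are NOT real attributions.
SAMPLE_GALAXY_JSON = """
{
  "name": "Threat Actor",
  "type": "threat-actor",
  "version": 1,
  "values": [
    {
      "value": "Example Retail Crew",
      "description": "Financially motivated group targeting point-of-sale systems of retailers in Europe.",
      "meta": {
        "cfr-target-category": ["Private sector"],
        "cfr-suspected-victims": ["Germany", "France", "Spain"],
        "synonyms": ["ERC"]
      }
    },
    {
      "value": "Example Energy Group",
      "description": "Espionage group focused on energy sector organisations.",
      "meta": {
        "cfr-target-category": ["Government", "Private sector"],
        "cfr-suspected-victims": ["United States", "Canada"]
      }
    },
    {
      "value": "Example Payment Skimmers",
      "description": "Skims card data from online retail checkout pages; victims mostly in Switzerland and Germany.",
      "meta": {
        "synonyms": ["EPS"]
      }
    }
  ]
}
"""

# Weighted keywords mirroring the post: headquarters country and industry
# first, the main customer markets with a lower weight.
DEFAULT_KEYWORDS = {
    "spain": 3,
    "barcelona": 3,
    "retail": 3,
    "germany": 1,
    "france": 1,
    "switzerland": 1,
}


def _cluster_text_fields(cluster):
    """Yield (field_name, text) for every string in a cluster, including the
    list-valued meta fields MISP uses for victims, targets and synonyms."""
    yield "value", cluster.get("value", "")
    yield "description", cluster.get("description", "")
    for key, val in cluster.get("meta", {}).items():
        if isinstance(val, str):
            yield key, val
        elif isinstance(val, list):
            for item in val:
                if isinstance(item, str):
                    yield key, item


def score_cluster(cluster, keywords):
    """Return (score, hits); hits maps keyword -> set of fields it was found in.
    Matching is case-insensitive and anchored at a word start, so "retail"
    also hits "retailers" but not the middle of an unrelated word."""
    score = 0
    hits = {}
    for field, text in _cluster_text_fields(cluster):
        for kw, weight in keywords.items():
            if re.search(r"\b" + re.escape(kw), text, re.IGNORECASE):
                if kw not in hits:          # each keyword counts once per actor
                    score += weight
                    hits[kw] = set()
                hits[kw].add(field)
    return score, hits


def search_galaxy(galaxy_json, keywords=DEFAULT_KEYWORDS):
    """Parse a galaxy file and return the matching actors, best score first.
    Each result is (actor name, score, {keyword: sorted field names})."""
    galaxy = json.loads(galaxy_json)
    results = []
    for cluster in galaxy.get("values", []):
        score, hits = score_cluster(cluster, keywords)
        if score:
            results.append((cluster["value"], score,
                            {k: sorted(v) for k, v in hits.items()}))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


if __name__ == "__main__":
    # For the real file: search_galaxy(open("threat-actor.json").read())
    for name, score, hits in search_galaxy(SAMPLE_GALAXY_JSON):
        print(f"{score:>3}  {name}: {hits}")
```

The field names in the hits tell you where the match came from: a country in "cfr-suspected-victims" is a much stronger signal than the same word buried in a free-text description, so read the hits rather than trusting the score alone. Treat the output as a starting point, not a verdict; the MISP metadata is only as current as its last contribution, so check the "refs" of every candidate before it lands on a slide.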

Our search on MITRE shows at least two threat actor groups which are well known to target the retail industry. These are actors to put on the overall threat landscape.

If you follow the breadcrumbs even further, you may find that FIN6 has used the FrameworkPOS point-of-sale malware, which gives you more information to put onto the landscape: the malware, and through it the techniques and the kind of systems (the stores' POS terminals) it goes after.

When it all comes together you might end up with one or several slides summarising the actors, their tooling and the parts of the business they threaten.


With this method you are showing two things:

  1. You did your homework. You learned about their business and you thought about what could harm them; you can show that you understood the customer's situation and that you can empathise with the struggle of the CISO and the security operations team.
  2. You know your stuff. You can show that you have an overview of the threats out there and that you understand security, as well as that you are willing

That's it for today. I hope that helped, and please be excellent to each other.