In our work together with organisational security practitioners and organisations seeking to improve their security culture, we’ve seen first-hand the importance of learning from one another and sharing our experiences. At the same time, learning and sharing in this space can be tricky and uneven: practitioners have highlighted the need for knowledge and skill sharing, including more consistent documentation and reporting of incidents.
Earlier this year, we published a toolkit for organisational security practitioners. It includes a tool that can be particularly useful for practitioners interested in sharing their learnings in more effective and safer ways: a guide for building attack archetypes & case studies. This resource offers practical steps on how to draw broader learnings from specific cases, while being mindful of different contexts. It allows practitioners to turn specific information about a threat or attack into a shareable format.
What are attack archetypes and impact case studies?
We use the term attack archetypes to refer to common threat patterns and scenarios that can impact an organisation due to the nature of its work. For example, one attack archetype might illustrate a particular kind of attack that organisations working towards strengthening LGBTQ rights in a particular country might expect, given what similar organisations have seen. By referencing archetypes, human rights organisations can identify recommended digital protection practices based on their profile and the type of attacks they are experiencing (or might one day experience due to the nature of their work). We use case studies to capture the details and lessons learned from real-world attacks and mitigation tactics, and to share them with support practitioners and civil society organisations.
By illustrating threat patterns and common scenarios, these tools help orgsec practitioners analyse digital security attacks and help organisations identify which digital protection practices are best suited to their contexts.
The relevance of sharing threats and attacks
A few weeks ago, our Tech Team Lead, Paola Mosso, facilitated a workshop about sharing threats with the orgsec community as part of the Threat Information series of webinars organised by Internews. In the session, we reflected on what practitioners have learned from analysing previous attacks and how that led to better support.
One participant shared that by analysing the threats organisations faced in a specific region, they transitioned to a data-driven risk reduction approach. Through documentation, they were able to identify patterns over time, which allowed them both to mitigate attacks in the short term and to create a long-term support strategy based on contextual needs.
One practitioner in the conversation shared that many people struggle to decide what practices to prioritise in their organisation, given the high volume and wide variety of resources available. By referencing structured information, like archetypes and case studies, practitioners are able to provide more targeted support. In some organisations, reviewing aggregated and structured information has become the primary way of learning about attacks.
Finally, practitioners in the webinar shared the importance of effective storytelling when supporting organisations in their organisational security journey. Using a narrative approach when sharing threat trends (for example, descriptive case studies that tell a story) has helped practitioners themselves understand how attacks unfold and has helped onboard new staff within organisations.
Sharing information safely
Sharing threat information is a complex process that should be done responsibly, mindful of potential risks. Since sharing details about attacks might bring harm to organisations, it is important to do it safely. Therefore, a key aspect to consider, as one practitioner put it in the webinar, is to assess whether (and how) sharing information will contribute to developing protection strategies.
Some practitioners start with a risk assessment frame: What risks does sharing this information bring to us as an organisation, and what risks does it bring to the organisation we are supporting, or to others that are part of the same community?
How sharing should be done may vary according to different contexts and to the needs of groups and individuals. Our guide gives recommendations about sharing these tools in ways that preserve the integrity of organisations, such as tips on protecting identities and on taking precautions regarding the level of detail provided in these analyses.
If you’re interested in learning more about these topics, take some time to explore our toolkit and check out the resources that were shared by participants during our workshop:
- A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web (USENIX).
- A Methodology for Developing Attacker Personas, by Andrea Atzeni, Cesare Cameroni, Shamal Faily, John Lyle, and Ivan Flechais.
- A first look at digital security, by Access Now.
- MITRE ATT&CK framework for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
- Resource for learning about attack methodology in different countries.