By Alan Decelis – Head of Supervisory ICT Risk and Cybersecurity, MFSA
At this time of the year, it is common practice for renowned organisations in the cybersecurity and technology fields to issue threat landscape reports with their observations about relevant threats, trends, techniques, actors, incidents, key findings, and mitigating measures. The ENISA Threat Landscape (ETL) report released in October and the Europol Internet Organised Crime Threat Assessment released in November are two very suitable examples. These reports provide an invaluable learning opportunity and financial entities should seek to use them effectively.
This year, ransomware has dominated the threat scene, adding further layers of extortion. We have also experienced emerging threats such as supply-chain attacks, misinformation and disinformation. The circumstances brought about by the COVID-19 pandemic have been factored into cyberattack vectors, but they also gave rise to human errors and system misconfigurations as organisations rushed their technology adaptation strategies to sustain their businesses. As money remains the most relevant motivator behind cyberattacks, we have seen the crime-as-a-service market proliferate and the hacker-for-hire business model emerge.
Financial entities should develop their own cyber threat intelligence practices, taking into consideration their size, risk profile, reliance on information and communications technology, and the services and products that they provide. The contents of Threat Landscape Reports should then complement the established cyber threat intelligence practices.
Threat Landscape Reports should be used by organisations to ensure that they have good visibility over the threats and understand their relevance to their particular businesses. They should help organisations gain clarity on who the threat actors are, what interest those actors have in their businesses (threat actors can also be inside an organisation), and how those actors can capitalise on the threats to pose a substantial risk to their businesses. Organisations should assess whether they have mechanisms in place and update them in light of any developments associated with the relevant threats. Intelligence from these sources should feed into the risk management framework, whose processes should also take into consideration information assets, existing controls and vulnerabilities in conjunction with the threats. Organisations should also ensure that their vulnerability management practices are responsive to emergent threats, while continuing to keep signature-based defence systems updated. At a tactical level, organisations should engage in exercises such as threat hunting.
The best way for an organisation to assess the effectiveness of its preparedness against relevant threats is through testing. The industry has developed intelligence-led testing, or red-teaming, methodologies such as TIBER and CBEST. Such testing (advanced digital operational resilience testing) is expected to become mandatory under the Digital Operational Resilience Act, subject to the principle of proportionality. Nevertheless, financial entities engaging security testing service providers need to verify that the testers follow industry-standard methodologies in their testing processes and that they take the relevant threats into consideration.