For those tasked with standing up, operationalizing and maintaining PCI DSS compliance, a key component your QSA will want assurance on is your defined vulnerability management process and your understanding of the risks and threats facing your organization.
In other words, you must understand and manage your PCI threat landscape to get started on your PCI journey.
“How do you know your PCI-focused threat landscape, and what are you doing about it?”
This line of questioning is intended to help in two ways. First, it encourages organizations to understand the many malicious acts carried out by adversaries (i.e., threats) that can disrupt or negatively impact their business. Second, once organizations know their risks and threats, they are better prepared to keep those risks and threats from materializing, and are consequently better positioned to protect their PCI environment.
Bottom line: PCI requires you to identify, triage, treat and reduce risks, and to mitigate the threats facing your organization.
So how do you stay informed and identify your weaknesses? There is a constant stream of new vulnerabilities and common adversarial methods observed in the wild (see Verizon’s 2022 Data Breach Investigations Report). In addition, organizations can stay current on PCI-related threats by monitoring and tracking prominent payment card breaches and incidents.
Notable examples from the past couple of years include:
- Cloud and software supply chain attacks (e.g., AWS/Azure platform misconfigurations, SolarWinds, Kaseya, Log4j/Log4Shell)
- Magecart (e-commerce skimming) malware
- Emerging threats to containerized environments (e.g., Kubernetes misconfigurations)
Keeping up with adversaries’ tactics, techniques and procedures gives organizations the ability to act and stop intrusions early on. As Red Canary’s Threat Detection Report puts it: “Examined holistically, the list of prevalent techniques showcased in this report suggests that if you can detect threats relatively early in the intrusion lifecycle, you’re much less likely to face the consequences of a significant cyber-attack. This principle has saved many of our customers from immeasurable grief over the years.”
Organizations can take the following steps to get started and effectively canvass and manage their PCI-focused threat landscape:
- Step 1: Start with your PCI asset inventory and network map. You must have sufficient and current inventories of your environment (including a software bill of materials and the third-party dependencies in your code) as well as an accurate diagram of your environment before you can protect it.
- Step 2: Create a threat model: a diagram of your organization annotated with its potential attack vectors (e.g., your employees, your applications, your networks, your cloud service provider, your infrastructure, etc.).
- Step 3: Leverage security industry frameworks such as MITRE ATT&CK, which give organizational leaders as well as security practitioners the common language needed to understand and classify adversary tactics, techniques and procedures (TTPs).
The goal of understanding your threat landscape and implementing controls is to detect and prevent attacks and to build a cyber-resilient organization that stops adversaries from walking through the cyber kill chain unimpeded. Practitioners can learn tried-and-true adversary actions and put countermeasures in place to stop intrusions before they escalate into impactful events such as a ransomware outbreak or card data exfiltration. Leaders can collaborate with practitioners to identify gaps, understand current capabilities, and develop a roadmap that informs their investments in new tools and personnel to improve coverage and strengthen security posture.
With proper due diligence and mitigation aimed at reducing your attack surface, you are less susceptible to compromise. You can set yourself up as a highly resilient organization that repels attackers, so that they take their malicious intent elsewhere.
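The three steps above and the gap analysis that follows them can be made concrete in a few dozen lines. The script below is an added example (not part of the original post and not any vendor's tooling): it builds a small asset inventory with SBOM-style dependencies (Step 1), attaches attack vectors to each asset (Step 2), labels those vectors with MITRE ATT&CK technique IDs (Step 3), and then reports which techniques facing cardholder-data assets have no detection in place. The technique IDs are real ATT&CK identifiers; the mapping from attack vector to technique, the assets, the detection list and the advisory feed are all constructed for the example.

```python
# Added example (not from the original post): connect a PCI asset inventory,
# a threat model and ATT&CK technique IDs, then report detection gaps.
# All assets, dependencies, advisories and detections are constructed.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    in_cde: bool                 # does it store, process or transmit card data?
    exposure: str                # "internet", "cloud" or "internal"
    dependencies: list = field(default_factory=list)  # SBOM entries: (package, version)


# Step 2 threat model: each attack vector is labelled with the ATT&CK
# technique IDs (Step 3) an adversary would typically use against it.
# The IDs are real ATT&CK identifiers; the vector-to-technique mapping is
# this example's own assumption, not a published standard.
ATTACK_VECTORS = {
    "internet": {"T1190"},   # Exploit Public-Facing Application
    "cloud":    {"T1078"},   # Valid Accounts (e.g. misconfigured cloud identities)
    "internal": {"T1566"},   # Phishing aimed at employees
}
SUPPLY_CHAIN = "T1195"           # Supply Chain Compromise (third-party dependencies)
CDE_IMPACT = {"T1486", "T1041"}  # Data Encrypted for Impact, Exfiltration Over C2 Channel


def threat_model(assets):
    """Map every inventoried asset to the set of techniques it is exposed to."""
    model = {}
    for asset in assets:
        techniques = set(ATTACK_VECTORS[asset.exposure])
        if asset.dependencies:       # third-party code widens the attack surface
            techniques.add(SUPPLY_CHAIN)
        if asset.in_cde:             # techniques that end in a card data breach
            techniques |= CDE_IMPACT
        model[asset.name] = techniques
    return model


def coverage_gaps(model, detections):
    """Return {asset: sorted technique IDs} for techniques with no detection."""
    gaps = {}
    for name, techniques in model.items():
        missing = sorted(techniques - detections)
        if missing:
            gaps[name] = missing
    return gaps


def vulnerable_dependencies(assets, advisories):
    """Cross-check SBOM entries against an advisory feed (package -> bad versions)."""
    hits = []
    for asset in assets:
        for package, version in asset.dependencies:
            if version in advisories.get(package, set()):
                hits.append((asset.name, package, version))
    return hits


# Constructed sample inventory (Step 1), detection list and advisory feed.
INVENTORY = [
    Asset("payment-api", True, "internet", [("log4j-core", "2.14.1")]),
    Asset("card-vault", True, "cloud"),
    Asset("hr-portal", False, "internal"),
]
DETECTIONS = {"T1190", "T1566", "T1486"}  # techniques the SIEM/EDR already covers
ADVISORIES = {"log4j-core": {"2.14.1"}}   # constructed stand-in for a real advisory feed


if __name__ == "__main__":
    model = threat_model(INVENTORY)
    for asset, missing in coverage_gaps(model, DETECTIONS).items():
        print(f"{asset}: no detection for {', '.join(missing)}")
    for asset, package, version in vulnerable_dependencies(INVENTORY, ADVISORIES):
        print(f"{asset}: {package} {version} is on the advisory list")
```

Run as-is, the script reports that the payment API lacks detection for supply chain compromise and exfiltration, that the card vault lacks detection for abused cloud credentials and exfiltration, and that the payment API ships a dependency version on the advisory list. In practice the inventory would come from a CMDB or cloud API, the SBOM from the build pipeline, and the detection list from the SIEM's rule catalogue; the structure of the gap report stays the same.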