Many organizations suffer "security paralysis," a condition in which it is impossible to prioritize areas for remediation due to limited resources. Others attempt to apply a set of best practices in the hope that what worked for another organization will work for them. Neither of these approaches is a rational strategy for protecting information assets or maximizing the value returned from investments in security, according to IT solutions provider CDW-G.
For many organizations, the best approach may be to pursue an internal cyber-security risk assessment. The company developed a five-step plan to help organizations lay the foundation for a meaningful security strategy. These steps, the company said, are ideal for organizations requiring simple guidance on getting started.
1. Identify information assets. Consider the primary types of information that the organization handles (e.g., Social Security numbers, payment card numbers, patient records, designs, human resources data), and make a priority list of what needs to be protected. As a guide, plan to spend no more than one to two hours on this step.
2. Locate information assets. Identify and list where each item on the information asset list resides within the organization (e.g., file servers, workstations, laptops, removable media, PDAs and phones, databases).
3. Classify information assets. Assign a rating to your information asset list. Consider a 1-5 scale, with the following categories:
1 - Public information (e.g., marketing campaigns, contact information, finalized financial reports, etc.)
2 - Internal, but not secret, information (e.g., phone lists, organizational charts, office policies, etc.)
3 - Sensitive internal information (e.g., business plans, strategic initiatives, items subject to nondisclosure agreements, etc.)
4 - Compartmentalized internal information (e.g., compensation information, layoff plans, etc.)
5 - Regulated information (e.g., patient data, classified information, etc.)
This classification scheme lets organizations rank information assets based on the amount of harm that would be caused if the information was disclosed or altered. The team should strive to be realistic here, and aim for consensus.
4. Conduct a threat modeling exercise. Rate the threats that top-rated information assets face. One option is to use Microsoft's STRIDE method, which is simple, clear and covers most of the top threats.
Spoofing of Identity
Tampering with Data
Repudiation of Transactions
Denial of Service
Elevation of Privilege
It is also worth considering using an outside consultant with experience in this area to facilitate conversation. Develop a spreadsheet for each asset, listing the STRIDE categories on the X axis. On the Y axis, list the data locations identified in Step 2. For each cell, make estimates of the following:
- the probability of this threat actually being carried out against this asset at the location in question
- the impact that a successful exploitation of a weakness would have on the organization
Use a 1-10 scale for each of the above (e.g., 1 is "not very likely" or "this would not have a large impact;" 10 is "quite probable" or "catastrophic"). Then multiply those two numbers together and fill them into the cells. The spreadsheet should be populated with numbers from 1 to 100. This activity will likely take a full day for smaller organizations and several days for larger ones.
5. Finalize data and start planning. Multiply all the cells in each of the worksheets by the classification rating assigned to the asset in Step 3. The result is a rational and comprehensive ranking of threats to the organization. It includes both the importance of the assets at stake and a broad spectrum of possible contingencies. A reasonable
security plan will start tackling the risks identified with the highest numbers.
Many organizations set thresholds as follows:
1-250: Will not focus on threats at this level
250-350: Will focus on these threats as time and budget allow
350-450: Will address these threats by the end of the next budget year
450-500: Will focus immediate attention on these threats
These thresholds are just examples, and in practice, the results will likely be skewed either toward the top or bottom of the scale, so organizations should adjust responses accordingly.
The goal of the risk assessment exercise is to lay a foundation for sensible security planning. Going through a risk assessment exercise alone will not actually fix security problems; the real work -- building protective, risk-reducing solutions -- still lies ahead.
Organizations should align security spending with specific threats and focus on cost-effective measures, CDW-G said. Having a prioritized list of threats enables organizations to focus their efforts on the areas that matter most and avoid spending on security technologies or activities that are less essential or irrelevant to fixing identified problems.
1. Definition & Objective
A threat could be anything that leads to interruption, meddling or destruction of any valuable service or item existing in the firm’s repertoire. Whether of “human” or “nonhuman” origin, the analysis must scrutinize each element that may bring about conceivable security risk.
Cyber threat analysis is a process in which the knowledge of internal and external information vulnerabilities pertinent to a particular organization is matched against real-world cyber attacks. With respect to cyber security, this threat-oriented approach to combating cyber attacks represents a smooth transition from a state of reactive security to a state of proactive one. Moreover, the desired result of a threat assessment is to give best practices on how to maximize the protective instruments with respect to availability, confidentiality and integrity, without turning back to usability and functionality conditions.
Components of Threat Analysis as a Process
Scope gives info on what is included and what is not in the analysis. In terms of cyber security, items under consideration are those that must be protected. Although they need to be identified in the first place, the level of sensitivity of what is being guarded should be defined as well by analysis drafters.
b.) Data Collection
In every respectable organization there are some sort of policies and procedures. Those need to be identified for compliance purposes. In reality, almost one-fourth of the defensive capabilities corporations have in place fail to meet the minimum security standards. In the opinion of Art Gilliland, a senior vice president of security products unit of Hewlett-Packard, “[t]he reason for that is that they were often pushing to meet a policy – checkboxing for compliance.”
Amassing detailed information about real cyber incidents (e.g., URLs to malicious links, phishing email header and content, and uncovered hostile Command and Control (C2) infrastructure of domain names and IP addresses) is the first step. The focus should fall on targeted threats existing in reality, and scope settings need to filter out those perceived as such but not real, which can merely distract your attention from other ongoing security affairs.
An IT analyst must have unrestricted access to data in order to transform it into intelligence. Sources of information are, for example, intrusion incidents, detection system logs, firewall logs, the reverse engineering of malware, open source Internet searches, honeypots, digital forensic analysis, etc. Of course, one source simply cannot provide all of the information needed for a thorough threat analysis, and the analyst should incorporate multiple data wells seamlessly. Once all corporate policies and procedures are collected, they should be examined to show whether they match the compliance level in the organization. Consequently, logically processing vast amounts of data and thinking critically are qualities that will form a good cyber analysis.
c.) Threat/Vulnerability Analysisof Acceptable Risks
Here we test what is being gathered to determine the level of current exposure — most of all — whether the current defences are solid enough to neutralize information threats in terms of availability, confidentiality and integrity. This part should include as well an evaluation of whether the existing procedures, policies and security measures are adequate. Vulnerability analysis also encompasses penetration testing, which in turn seeks to acquire something valuable from the adversary’s arsenal like a classified document, code or password.
When a Cyber Attack Encircles the Rings of Protection
An important remark – threat analysis is a continual process that one should review once in a while to ensure that all safeguards work properly. The threat/risk evaluations are to be an integral part of the organization’s overall life cycle.
d.) Mitigation & Anticipation
When all previous steps are completed, a competent security analyst can use this corpus of threat data to arrange in groups activity patterns of close similarity, attribute each pattern to specific threat actors, promptly implement mitigation measures, and anticipate the emergence of similar cyber attacks in the future.
Threat Analyst and His Assessment Abilities
Based on both vulnerability and risk assessment, the analyst approaches to determine the level of risk within his organization. He further defines what security measures need to be taken or remove the ineffective ones. In addition, the analyst should be careful not to push ahead with a too overprotective security system, as it may prove unfoundedly costly to the organization.
HP’s Gilliland estimated that roughly 86% of security budgets available to cyber security teams are expended on warding off malicious attempts at the infiltration stage. Many organizations face the issue of avoiding false positives, an immanent occurrence in assessment of applications. The best way to mitigate the problem is to ensure that applications in question are up-to-date with latest patches and signatures.
Becoming a strong technical expert is a must. Glancing through tons of practice and reading countless of security books and blogs is perhaps the right kind of bushido code to master your skills – there is no substitution for hard work.
Additionally, the data in hand is often derived from intelligence products. Technical writing skills are necessary since analysts need to create security reports. Evidentially, the ability to construe security events and read off appliances are among the most important sets of skills an analyst should possess. At times this ability is not an exact science, it is more like an art where the person simply has to have a flair for it.
In this line of work, making a correct analysis comes hand in hand with the analyst’s technical knowledge. For instance, a security analyst who does not comprehend routing protocols and infrastructure cannot analyse what happens when a threat actor sends malformed TCP packets to a company’s servers. The same can be said for a situation where the analyst cannot tell the difference between an ineffective zero-day and a zero-day that can inflict real damage.
On the other hand, other persons sometimes produce a bad analysis that can be misleading. Therefore, the analyst’s ability to distinguish good from bad is critical here, even more important than creating a good product.
Threat metrics and models included in this part are supposed to help characterize specific threats, hereby fulfilling the purpose of threat analysis.
3.1. Threat Metrics
Adecent threat measurement can facilitate analysis through improved understanding of how trends and anomalies occur. It can also underscore the imminence of certain types of vulnerabilities and connect missing dots between threats and potential consequences. In other words, a qualitative threat measurement can yield accurate results concerning risk management. Unfortunately, defining and applying threat measures of proper quality is a practice that lacks maturity and consistence.
The notion “metric” denotes a unit of measure, while ‘measure’ stands for a given hallmark of performance. If we measure some event in a consistent way—using a good metric that is unambiguous and clear as well—the analyst will most likely improve his ability to understand that event (threat in our case), control, affect and defend against it to a certain extent. And if the nebulosity is not so dark, decision-making based on correct interpretation will be much simpler.
An example of a good quantitative portrayal in cyberspace would be the number of attacks per month. Measured for a long stretch of time, the count of cyber attacks can reveal the adversary’s capability and intent, allowing analysts in turn to calculate properly the risk and allocate needful resources to cope with it.
3.2. Threat Models
A stand-alone metric is oftentimes insufficient to encapsulate behavioural characteristics of complex systems/actors. A combination of metrics, the so-called “measurement framework”, might do the job.
A threat (in addition to the definition given at the beginning) is “a malevolent actor, whether an organization or an individual, with a specific political, social, or personal goal and some level of capability and intention to oppose an established government, a private organization, or an accepted social norm.” Whereas “[A] model is a simplified representation of something else.” Consequently, a threat model is a combination of these two definitions – it gives prominence to details relevant to a threat.
Uniform threat models promote consistency, and on the other hand, they reduce the negative effects of preconceived notions and personal bias. Furthermore, the index of success rate intensifies as the time goes by. For that reason, inter alia, the analyst is advised to store threat reports in a continuous manner in order to build up a reference database that can be used by other experts.
Threat Modeling Process
Sample № 1
Threat Modeling Process
Sample № 2
3.3. The Generic Threat Matrix
The generic threat matrix uses attributes of a threat that can help the analyst characterize the type of threat based on its overall nature. This kind of characterization allows analysts to describe the threat’s full spectrum without labelling it with preconceived notions. To get a new angle on the matter, we can say that “[t]he matrix is a framework or model for organizing a set of related metrics.” The threat matrix is graduated into levels of magnitude, with each level corresponding to a different kind of threat.
3.3.1. Threat Attributes
It is an independent feature of a threat. Normally, there are two major groups of threat attributes:
Commitment Attribute Group
The attributes in this group attest to the willingness of the threat to achieve its goal. A higher level of commitment means that these threats will stop at nothing on their way to the aim. Three attributes exist in this group:
1) Intensity (Question: How far the threat is willing to go?);
2) Stealth (Question: Do we have any confirmed information about the threat?);
3) Time (Question: How much time the threat is willing to invest?).
Resource Attribute Group
The attributes here indicate the amount of resources the threat is capable to deploy. Higher value means that a threat is more sophisticated and it may attain the goal easier. There are also three attributes in the resource family:
1) Technical Personnel (Question:
What is the number of individuals a threat is using to further its ends?)
2) Knowledge (Question:
What is the level of skill that propels the threat engine?)
3) Access (Question:
How good is the threat actor’s ability to compromise and infiltrate a restricted system?)
“Threat Matrix” Sample
3.4. Attack Vectors
This is the means or road used by a threat to access a device/system/network for the purpose of launching a cyber attack, information gathering, planting malware, etc. In essence, specific vectors used specific, associated attack metrics. Several attack vectors are as follows:
Unsecured Wireless Networks
Malicious Web Components
Viruses and Malware
3.5. Target Characteristics
Some targets are more attractive, vulnerable or simply more frequently hit than others. This is just another source of useful information that can be expressed in metrics.
3.6. Attack Trees
Attack trees bring to the table another way to analyze information threats. An attack tree appears as a logical diagram, and it can be used either as a source of metrics or as a separate attack model. It is a structured and hierarchical way to collect and document the potential attacks on a given organization. The tree breaks down the types of attacks threat agents utilize, which is a reusable representation of security problems that facilitates focused efforts.
Creating Attack Trees
Benefits of attack trees:
- The power of deduction can be harnessed here to bring good results
- They provide a transparent and direct mode for analysis of attacks/attackers
- They are pliable enough to cover the entire spectrum of attacks and threats in the wild
- The data generated can be combined with another threat models
3.7. Attack Frequency
Attack frequency is an indicatory metric that can be coupled with the data on the type or sophistication of an attack; pairing attack frequency metric and vulnerability index is not a bad idea as well.
4. Conclusion: “Final Analysis”
In April 2014, the U.S. DOJ Antitrust Division and the FTC released a joint statement on creating a uniform policy for mutual threat information exchange. This policy has the potential to enhance “the security, availability, integrity, and efficiency of the nation’s information systems” without raising antitrust concerns because “the sharing of cybersecurity information is highly unlikely to lead to a reduction in competition and, consequently, would not be likely to raise antitrust concerns.” So exchanging threat information has been looked upon with a favourable eye, but that should be generally accepted practice for all entities in a particular field. Most of all, organizations should remember that not performing a threat and risk analysis will leave them open to cyber pests that can damage their business for good. Nothing is more detrimental in the world of cyber security than the feeling of invulnerability or trusting that your lucky star will extend by all means its reach to magically patch up the holes in your system through which threats are waiting to get in.
Apple Inc. Risk Assessment and Threat Modeling. Retrieved on 07/08/2014 fromhttps://developer.apple.com/library/ios/documentation/Security/Conceptual/Security_Overview/ThreatModeling/ThreatModeling.html
Cyber Squared Inc. Cyber Threat Analysis, not just for the Military. Retrieved on 07/08/2014 from http://www.cybersquared.com/2012/02/cyber-threat-analysis-not-just-for-the-military/
Goel, S. & Chen, V. (2005). Information Security Risk Analysis – A Matrix-based Approach. Retrieved on 07/08/2014 from http://www.albany.edu/~GOEL/publications/goelchen2005.pdf
Hughe, J. & Cybenko, G. (2013). Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity. Retrieved on 07/08/2014 from http://timreview.ca/article/712
Hulme, G. (2014). CSOs need to more precisely understand the actual threats facing their organization. The fix? Threat modeling. Retrieved on 07/08/2014 from http://www.csoonline.com/article/2134353/strategic-planning-erm/can-threat-modeling-keep-security-a-step-ahead-of-the-risks-.html
Mateski, M., Trevino, C., Veitch, C., Michalski, J., Harris, J., Maruoka, S., Frye, J. (2012). Cyber Threat Metrics. Retrieved on 07/08/2014 from http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-065.pdf
Microsoft. Threat Modeling Principles. Retrieved on 07/08/2014 from http://msdn.microsoft.com/en-us/library/ff648644.aspx
MSM. Cyber Intelligence Threat Analysis. Retrieved on 07/08/2014 from http://measurablesecurity.mitre.org/directory/areas/threatanalysis.html
Richards, K. (2014). RSA 2014: HP exec says security threat analysis should guide strategy.
Retrieved on 07/08/2014 from
SANS Institute (2002). An Overview of Threat and Risk Assessment. Retrieved on 07/08/2014 from http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Tripwire Guest Authors (2014). Developing Your Cyber Intelligence Analyst Skills. Retrieved on 07/08/2014 from http://www.tripwire.com/state-of-security/security-data-protection/developing-cyber-intelligence-analyst-skills/
White & Case LLP (2014). DOJ & FTC Release Cybersecurity Threat Information Exchange Policy. Retrieved on 07/08/2014 from
Fig. 2 is based on the Figure 5. “The three ingredients necessary and sufficient for cyber-physical vulnerabilities to exist” in Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity by Hughe, J. & Cybenko, G. Retrieved on 07/08/2014 from http://timreview.ca/article/712
Fig. 3 is based on information provided in Threat Modeling Principles by
(Representation of an attack tree paragraph).
Retrieved on 07/08/2014 from http://msdn.microsoft.com/en-us/library/ff648644.aspx
“Threat Matrix” Sample is based on Table 5: Threat Matrix for GE Energy, Wind Division that can be found on page 7 in Information Security Risk Analysis – A Matrix-based Approach by Goel, S. & Chen, V. Retrieved on 07/08/2014 from http://www.albany.edu/~GOEL/publications/goelchen2005.pdf