In order to get a handle on who is coming after your data and how to stop them, you’ll need to perform some threat assessments. Sounds scary, but I’ll walk you through it.
What is a Security Threat Assessment?
A security threat assessment is a process for identifying potential threats that could harm a business’s cyber assets. Threat assessments are often followed by security risk management and mitigation plans for how to protect the overall business.
The National Institute of Standards and Technology (NIST), which is a key player in the cybersecurity world, has given us a very helpful way to think about cybersecurity breaches. The threat source (also called an agent) initiates the threat event (or attack); the threat event exploits one or more vulnerabilities (vectors) that cause adverse impact (you got hacked!). The end result is organizational risk. And migraines. Painful, splitting migraines.
3 Characteristics of a Cyber Threat
In terms of risk, a cyber threat has three main attributes:
- The kind of threat agent
- The probability of occurrence
- Its impact
When you perform a threat assessment, your goal is to determine all three attributes on a per-asset basis. To do this, you’ll need to know what your assets are, what their value is to you (your definition of impact), who the threat agents might be (the bad people out to get you), their motives, and any pertinent threat intelligence and historical data out there.
Security Threat Rankings
Your next task is to rank the preceding list in terms of which actors and motives are most likely to be engaged in your world. You already have a good sense of your assets, both at the enterprise level and at the business unit level; now spend some time and think: Who on this list is the most likely agent for an attack? Assign a numerical value from 1 to 4, ranging from “least likely,” to “somewhat likely,” to “very likely,” to “extremely likely.” In terms of my bias and recommendations? I’d consider the insider as a very likely agent and money/extortion as the primary motive.
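To make the per-asset ranking concrete, here is an added example (mine, not the author’s) of a small threat register in Python. It uses the post’s 1-to-4 likelihood scale; the 1-to-4 impact scale, the likelihood × impact score, the `reassess` helper and the sample entries are assumptions for illustration, not something the post prescribes.

```python
from dataclasses import dataclass, replace

# The post's four-point likelihood scale.
LIKELIHOOD_LABELS = {1: "least likely", 2: "somewhat likely",
                     3: "very likely", 4: "extremely likely"}

@dataclass(frozen=True)
class Threat:
    asset: str        # what is at stake
    agent: str        # the kind of threat agent (who)
    motive: str       # why they would come after it
    likelihood: int   # 1..4 on the scale above
    impact: int       # value of the asset to you, 1..4 (assumed scale)

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD_LABELS:
            raise ValueError(f"likelihood must be 1-4, got {self.likelihood}")
        if not 1 <= self.impact <= 4:
            raise ValueError(f"impact must be 1-4, got {self.impact}")

    @property
    def score(self) -> int:
        # Assumed scoring rule: likelihood x impact, so 1..16.
        return self.likelihood * self.impact

def rank_threats(threats):
    """Highest score first; ties broken by impact, then by asset name."""
    return sorted(threats, key=lambda t: (-t.score, -t.impact, t.asset))

def reassess(threats, agent, new_likelihood):
    """Re-rate every entry for `agent` after new threat intelligence.
    Returns a new list; the original register is left untouched."""
    return [replace(t, likelihood=new_likelihood) if t.agent == agent else t
            for t in threats]

# Constructed sample register (not real data).
SAMPLE = [
    Threat("customer database", "insider", "money/extortion", 3, 4),
    Threat("customer database", "organized crime", "money/extortion", 2, 4),
    Threat("public website", "hacktivist", "publicity", 2, 2),
    Threat("payroll system", "insider", "money/extortion", 3, 3),
    Threat("payroll system", "nation state", "espionage", 1, 3),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE):
        print(f"{t.score:>2}  {t.asset:<18} {t.agent:<16} "
              f"({LIKELIHOOD_LABELS[t.likelihood]})")
```

Re-running `rank_threats` on the output of `reassess` is the “dynamic” part of the assessment: when intelligence raises an agent’s likelihood, the ordering of what to protect first changes with it.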
You now have an understanding of the threat agents and their motives as they might apply to your organization. This is an excellent first step, but you’re far from finished. Knowing the who and the why of cyberattacks is not enough. You also need to know the how and the when.
First, the how. One of the best places to look for this type of information is the European Union Agency for Network and Information Security (ENISA). They have been putting together an annual threat landscape and trends report since 2012.
At this stage in your process, this document is required reading—succinct, and easily understood by both executives and cyber-professionals alike. In addition to discussing the most current threats, the ENISA report also compares landscapes from previous years. If you look at this material, you’ll see changes over time, but the same basic threats appear over and over again: malware, web-based attacks, and phishing all reliably make the top of the list. Other worries include botnets, ransomware, insider threats, and physical damage causing data loss.
ENISA reports and others like them offer you an understanding of the prevalent vectors from the previous year. You can extrapolate from that (who was at play last year, using which tool?) and make reasonable assumptions and decisions that will affect your choice and tuning of your cyber controls. What these reports do not give you is a sense of what is happening right now.
For that, you’ll need the when.
To get that information, you will need real-time threat intelligence, both from inside and outside your organization. External-threat intelligence provides you with clues about the types of likely payloads and who is currently using them. For example:
- What kind of malware has just been released?
- What new vulnerabilities have been discovered, and what’s being done to address them?
- What attacks are in progress?
- What’s the current “buzz” on the dark web?
Threat intelligence also gathers information from inside your organization and provides insight on everything from the state of equipment to who is accessing what and when, any abnormal behavior and traffic, and so forth.
As you can imagine, the amount of data involved in threat intelligence is massive. Moreover, processing and making sense of the threat intelligence data requires expertise and dedication. Someone on your staff with cybersecurity and technology training needs to be charged with making sense of the data and providing the necessary feedback and recommendations.
Doing this involves threat intelligence tools and feeds (both private and public). I highly recommend picking one of the top-tier vendors, installing (or subscribing to) their solution, and dedicating the right personnel to monitor and advise. Otherwise, you may find yourself trying to empty the ocean one teaspoonful at a time.
But if you really want to take a crack at threat intelligence on your own, you will find many places with public feeds, including:
- AlienVault’s Open Threat Exchange
- Threat Intelligence Review’s Cybersecurity Intelligence Feed Reviews
Furthermore, most cybersecurity vendors produce free threat-intelligence reports on a regular basis. For example:
If a formal threat-intelligence solution is not appropriate for a company of your size, then, at a minimum, I recommend that you review these reports on a regular basis.
Security Threat Assessment Reports
1. Threat Modeling.
Is there some sort of organized methodology for all this? You bet! In fact, threat-risk modeling is a vast discipline. It’s PhD-level stuff, with some of the best and brightest minds in risk management, cybersecurity, and technology working on it day and night. The following is a very, very small sampling of their work:
Several years back, Microsoft developed STRIDE to replace their older threat classification DREAD. DREAD stood for Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability. STRIDE stands for Spoofing (of a user’s identity), Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of privilege.
TRIKE, which doesn’t stand for anything in particular, is an open-source threat-modeling tool created by Brenda Larcom and Eleanor Saitta. Its claim to fame is its granular, risk-based approach. TRIKE’s great spreadsheet and help file are free to download.
Carnegie Mellon University’s Software Engineering Institute, in collaboration with CERT, developed OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), which is currently considered to be one of the best threat-modeling frameworks and toolsets. OCTAVE comes in three sizes: the original OCTAVE for large enterprises, OCTAVE-S for smaller companies, and OCTAVE Allegro, which is a narrower, information-asset focused version.
When it comes to the total universe of frameworks, tools, and resources available for threat analysis, this list doesn’t even begin to scratch the surface. The subject matter is vast, and unless you are at a minimum a cybersecurity professional—or better yet, a threat researcher—you can quickly become overwhelmed. Even the well-meaning, beautifully curated open-source community sites with the latest threat intelligence can quickly make you feel like you’re trying to drink from a fire hose.
Security Threat Assessment Next Steps
So what do you do? Take it a step at a time, use the resources at your disposal appropriately, and trust yourself.
I am hoping that by now I don’t need to tell you that threat assessments are dynamic: what is a threat today may be moot tomorrow. You need to remain vigilant in your efforts to stay current with what is going on in cyberspace. Money and effort spent to protect yourself from one threat must be redirected to protect you from the new threats that have surfaced.
Neither privacy nor cybersecurity programs are “one and done.” That’s why cyberCTRL takes a personalized, end-to-end approach to both. Because they must always be present in your thinking and your planning. Much as we consider healthy living to include proper nutrition and exercise, good cyber-living includes proper privacy and cybersecurity practices.
Both are a way of life.