4-Level Analysis for Threat Prioritisation — Chapter I
Hello everyone,
Today I want to introduce you to an analysis technique that improves defence planning through more accurate prioritisation of threats. The technique integrates different types of information on the basis of a particular conception of what a threat is. That conception deviates from the actor-centric definition popular in the industry, so in this chapter I will describe the differences.
Threats are properties of the terrain
Threat: a method (technique or tactic) an attacker (actor, agent, adversary) can possibly use to achieve, or advance towards, a particular goal. Threats are inherent in any terrain (IT infrastructure, software, process) regardless of an attacker's capabilities or intent, and they are not necessarily caused by a weakness (a software flaw or vulnerability).
For instance, an organisation that serves web applications must be concerned about web attacks. An organisation that uses credentials should be concerned about credential attacks. If an organisation doesn't have the means to manage its credentials at scale, the threat of credential attacks is greater for it.
What you own dictates how an attacker can approach you. If you don't use cloud services, an attacker can't use cloud techniques against you, no matter how willing or capable they are. If all your employees use Macs, Windows malware threats are much less of a concern for you. To understand the threats better, we must know our terrain better and look at it through the lens of the adversary.
This is possible with scenario planning exercises focused on our core assets. These are essentially brainstorming sessions aimed at listing every possible way an adversary could attack (or abuse) the system in question. The resulting list contains hypothetical threat scenarios that can then be prioritised and counteracted. The scenarios don't need to be probable, only possible. Likewise, we are not interested in discovering weaknesses at this stage.
Once the threats are known, counteracting them is a matter of organising your terrain. With a prioritised set of threats (a threat landscape, threat map or threat library) we can better direct our strategic and operational efforts towards mitigating them.
This type of threat analysis contrasts with the actor-centric method favoured in the industry. I argue that the actor-centric analysis is flawed for two reasons:
- Actor-centric analysis considers threats a property of the adversary. But adversaries can be highly adaptive, so focusing efforts on countering an adversary's current capabilities is essentially hoping that they won't adapt (or, as some argue, forcing them to). Since it is not possible to know whether or how an adversary will adapt, your preparation can't go beyond what is current.
- Actor-centric analysis tries to observe what is happening outside (by analysing the threat actors) and apply those insights to cyber defence. However, the relevance of those insights becomes an issue. Currently, the industry tries to overcome this by categorising threats by geography and industry, but this kind of correlation is not always useful. Also, "what did happen? / what did we find?" offers a very narrow window compared to "what is possible to happen?".
If, instead, threats are considered a property of the terrain, it becomes possible to know and plan for every possible threat in advance (assuming you have knowledge of your terrain). Afterwards you can prioritise threats using actor-centric (and possibly other) insights, and then start implementing controls to mitigate them. Where controls are insufficient or absent, there is a gap that an adversary can take advantage of. Gaps make it more likely that weaknesses are introduced, and weaknesses can be exploited to actualise threats.
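To make the terrain-driven procedure above concrete, here is a small added example (my own illustration, not code from the original post). It assumes a constructed, hypothetical threat library: a threat applies only when the terrain has the properties it requires, terrain properties such as unmanaged credentials amplify it, actor-centric insight only reorders what the terrain already permits, and a gap is an applicable threat with insufficient control coverage.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    requires: frozenset   # terrain properties that make the method possible
    amplifiers: frozenset # terrain properties that make it a bigger concern
    inherent: int         # baseline weight of the method on such a terrain (1-5)

@dataclass(frozen=True)
class Control:
    mitigates: str        # threat name
    strength: int         # 0 (absent) .. 3 (strong)

# Constructed, hypothetical threat library for illustration only.
THREATS = [
    Threat("web application attack", frozenset({"web_apps"}), frozenset(), 4),
    Threat("credential attack", frozenset({"credentials"}),
           frozenset({"unmanaged_credentials"}), 3),
    Threat("cloud API abuse", frozenset({"cloud"}), frozenset(), 3),
    Threat("Windows malware", frozenset({"windows_endpoints"}), frozenset(), 4),
]

def applicable(terrain, threats=THREATS):
    """Threats the terrain makes possible, independent of any actor."""
    return [t for t in threats if t.requires <= terrain]

def terrain_weight(threat, terrain):
    """Inherent weight plus one per amplifying property present on the terrain."""
    return threat.inherent + len(threat.amplifiers & terrain)

def prioritise(terrain, actor_insight, threats=THREATS):
    """Rank applicable threats; actor_insight (name -> 1..3, observed use)
    reorders them but can never add a threat the terrain does not permit."""
    ranked = [(terrain_weight(t, terrain) * actor_insight.get(t.name, 1), t.name)
              for t in applicable(terrain, threats)]
    return sorted(ranked, reverse=True)

def gaps(terrain, controls, threats=THREATS, needed=2):
    """Applicable threats whose summed control strength is below `needed`."""
    cover = {}
    for c in controls:
        cover[c.mitigates] = cover.get(c.mitigates, 0) + c.strength
    return [t.name for t in applicable(terrain, threats)
            if cover.get(t.name, 0) < needed]

if __name__ == "__main__":
    terrain = {"web_apps", "credentials", "unmanaged_credentials"}
    print(prioritise(terrain, {"web application attack": 2}))
    print(gaps(terrain, [Control("web application attack", 3)]))
```

Note that "cloud API abuse" and "Windows malware" never appear for this terrain, however much insight is supplied about actors using them.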
In the next chapter I will discuss the conception of adversary intent, which is another key element for our 4-level analysis.
See you then!