4-Level Analysis for Threat Prioritisation — Chapter II

Following my first article, 4-Level Analysis for Threat Prioritisation, I would like to discuss how we can combine four data points in our threat assessments to better prioritise threats. I decided to dedicate another article to how we can model adversary intent and drivers (which I mentioned in the last part of chapter 1).

As discussed in the first chapter, I consider threats to be a property of the terrain, independent of an actor’s intent and capabilities. Terrain dictates the battle. Similarly, in cyber intrusions, what you own (assets, personnel, processes, etc.) dictates how an adversary can possibly approach you. Therefore, threats are the methods and techniques an adversary may use to achieve their objective (whatever that is). To be able to assess threats, one should first have sufficient knowledge of one’s terrain. That means the most crucial groundwork to be done is scenario planning (see chapter 1).

Stemming from this thought, four data points are the most useful for deciding which threats are most relevant and should be prioritised. These are:

  • Posture risk
  • Incident post-mortems
  • Vulnerabilities
  • Threat intelligence

Now we shall elaborate on each one.

Security posture represents how effectively we can mitigate a threat with our existing controls. Not all security controls can mitigate all threats. For instance, we cannot expect a WAF to counter endpoint-related threats (e.g. malware). Another thing to note is that almost all security controls can be bypassed. Therefore, there will always be a residual risk.

To use this data point, we should gather all the threats we have listed during our scenario planning sessions and assess whether our controls sufficiently mitigate each threat. You may group similar threat scenarios under categories to make things easier. An example could look like the following:

[Figure: example security posture assessment table. This is fictional and does not represent a real security posture analysis.]

If the controls are not sufficient to mitigate a threat, or there are no controls whatsoever, this is called a weakness. Although they sound similar, a weakness is not the same as a vulnerability. A vulnerability is what an adversary can exploit to materialise a threat. A weakness, on the other hand, is what causes the system to introduce these vulnerabilities. For example, if you are not scanning your codebase for hardcoded credentials, such credentials will be introduced into your codebase much more often. The lack of the control (a source code scanner) is the weakness, whereas the hardcoded credential itself is the vulnerability, which the adversary will exploit.

An incident represents an actualised threat. Therefore, incidents are the most important data points for our analysis. All incidents, especially the ones where the adversary has reached their objective, should be thoroughly examined to uncover all the TTPs. After that, these TTPs should be mapped to our threat library to see which of the threat scenarios we listed has materialised. Post-mortems are also useful for revealing the weaknesses (a.k.a. posture gaps) that are causing the vulnerabilities to be introduced into the system.

Vulnerabilities are the opportunities an adversary may abuse to enter our systems and achieve their objectives. Their existence does not pose an active threat on its own. But if the system is producing the same kind of vulnerability very often, it usually points to a gap in our posture (a weakness), and that vulnerability is more likely to be discovered by an adversary. These should be noted and included in our threat assessment.

Threat intelligence can provide useful insights into adversary intent, drivers and TTPs. Intent and drivers can be used to understand the type of actors that are likely to target our systems, and TTPs can be mapped to our threat library to indicate which scenarios are more likely to actualise.

Using these four data points, it will be possible to assess which threat scenarios are more likely to materialise (and which already have). This gives us a good prediction window in which we can focus our efforts and be better prepared for cyber threats.
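As an added illustration (not from the original article), the following Python sketch combines the four data points against a small constructed threat library: each scenario is tagged with the techniques it relies on, incident and intel TTPs are mapped onto it, a missing or insufficient control is recorded as a weakness, and recurring findings of one kind raise the same flag. The scenario names, technique IDs, counts and weights are constructed placeholders, not the author's scoring scheme.

```python
# Constructed data for illustration: scenario names, technique IDs and weights are placeholders.
THREAT_LIBRARY = {
    "TS-01 phishing to malware": {"T1566", "T1204"},
    "TS-02 hardcoded credential": {"T1552", "T1078"},
    "TS-03 web app exploit": {"T1190"},
}
# Data point 1, posture: controls per scenario and whether each is judged sufficient.
POSTURE = {
    "TS-01 phishing to malware": [("mail filtering", True), ("EDR", True)],
    "TS-02 hardcoded credential": [],  # no secret scanner at all: a weakness
    "TS-03 web app exploit": [("WAF", True)],
}
# Data point 2, post-mortems: TTPs uncovered per incident and whether the objective was reached.
INCIDENTS = [
    {"id": "INC-A", "ttps": {"T1552", "T1078"}, "objective_reached": True},
    {"id": "INC-B", "ttps": {"T1566"}, "objective_reached": False},
]
# Data point 3, vulnerabilities: how often the same kind of finding recurs per scenario.
VULN_COUNTS = {"TS-02 hardcoded credential": 4, "TS-03 web app exploit": 3}
# Data point 4, threat intelligence: TTPs reported for actors likely to target us.
INTEL_TTPS = {"T1190", "T1566"}


def assess(scenario, ttps):
    """Score one scenario from the four data points: (score, weakness, reasons)."""
    reasons, score = [], 0
    weakness = not any(ok for _, ok in POSTURE.get(scenario, []))  # no sufficient control
    if weakness:
        score += 3
        reasons.append("posture gap")
    for inc in INCIDENTS:
        if inc["ttps"] & ttps:  # incident TTPs map onto this scenario
            score += 5 if inc["objective_reached"] else 3
            reasons.append(f"incident {inc['id']}")
    n = VULN_COUNTS.get(scenario, 0)
    score += n
    if n >= 3 and not weakness:  # recurring findings of one kind reveal a gap the review missed
        weakness = True
        score += 3
        reasons.append("recurring findings imply a gap")
    hits = INTEL_TTPS & ttps
    score += len(hits)
    if hits:
        reasons.append(f"intel TTPs {sorted(hits)}")
    return score, weakness, reasons


def prioritise(library=THREAT_LIBRARY):
    ranked = [(name, *assess(name, ttps)) for name, ttps in library.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)  # highest priority first
```

With this data the credential scenario ranks first because it is at once a posture gap, a materialised incident and a recurring finding, while the web application scenario is flagged as a weakness only through its recurring vulnerabilities.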

I hope you liked this series. See you in the next one!
