Unmasking the Bogeyman – Utilising cyber-intelligence and threat profiling to measure threats to your organisation!
Presentation by James R Williams of StateFarm.
The number of breaches and issues over the last few years has helped security professionals prove that the bogeyman is indeed real and that there are many real threats to our organisations. These range from (potentially) government-funded malware such as Stuxnet and Duqu, through attacks against RSA, Sony etc., to denial of service attacks.
However, just knowing about these is not enough; we need to be able to measure and quantify these threats in the context of our organisations. This is true for both emerging and realised threats.
Definitions, what is a cyber threat?
- “The possibility of a malicious attempt to damage or disrupt a computer network or system” – Oxford dictionaries.
What a cyber threat is not;
- Vulnerability or exploitability of a given technology or solution.
- Likelihood of an event occurring
- Risk to the organisation from a defined threat. (Risk is the product of analysing threat, vulnerability and impact).
Threat profiling is a tool / process that can be used to analyse a cyber threat.
This starts with identifying and classifying the threat;
The threat then needs to be measured in a meaningful and consistent way. In order to do this a threat scale of 1-10 was created that is made up from accumulated scores around whether the threat is real and current or upcoming, what mitigations are there against the threat etc. Threat impact categories from NIST are used. This is demonstrated in the below diagram;
To add detail and meaning to this score the items in the below diagram need to be considered to understand the scale of the threat, the motivation (how hard the attacker will try, for how long, and with what resources), and also the actions the threat would take e.g. the target of the threat.
This data can then be incorporated into a Threat Profile table to provide a consolidated view of the specific threat and its score. A slightly tongue in cheek example is shown below;
This talk links nicely with the earlier talk around the operational risk quantification process here;
This profiling could be used as part of, or an addition to, the risk assessment process. This would be one of the early steps in the area of understanding threats and what they are in order to then translate them into actual business risks.
A note on data sources;
- For cyber threats, one of the best sources of data for your organisation is to engage with a mature cyber intelligence / threat intelligence service. These are costly but can provide very targeted intelligence that has links from the criminal underground, government actors, social media, boards such as Pastebin etc. and more general news sources.
- Next to the above are more general sources of threat information such as various industry forums.
- But also remember many other data sources can be used to add value, such as:
  - Intrusion Prevention / Detection system logs
  - Incident handling documentation
  - Human resources
  - Physical security assets
  - Security Information and Event Management (SIEM) systems
Some useful reading / guidance on this topic;
US National Institute of Standards and Technology (NIST) – Preliminary Cybersecurity Framework:
“…The organization uses a formal, threat-aware risk management process…”
US National Institute of Standards and Technology (NIST) – Guide for Conducting Risk Assessments
NIST Special Publication 800-30
US National Institute of Standards and Technology (NIST) – Computer Security Incident Handling Guideline
NIST SP 800-61 Revision 2
From a cyber / technical threat assessment perspective this presentation has some very good ideas and outputs a relatively simple, easy to use set of scores and information around threats. It doesn’t yet cover how to ‘chain’ multiple threats together, and does not cover turning it into something for general management / the board.
As mentioned, this would be a great starting point for the earlier process around quantifying operational risks.