© All rights reserved. Cyber Struggle 2022
Cyber Struggle
  • Company
    • About Us
    • CS Internals
    • Careers
    • Press and Media
    • GDPR Notification
    • Contact Us
  • S-46 Simulation
  • Programs
    • Aegis Program
      • Aegis Program Details
      • Aegis Testimonials
    • Ranger Program
      • Ranger Program Details
      • Ranger Testimonials
    • Contemprorary Certifications
      • Cyber Struggle Tactical Pistol Operator
  • Resources
    • Articles
    • Threat Reports
    • Tools
    • Announcements
  • Community
    • Community Programs
      • Ribbon Program
    • Delta Group
0
Cyber Struggle
Home / Blog / Articles / 4-Level Analysis for Threat Prioritization

4-Level Analysis for Threat Prioritization

By cyberstruggle inArticles, Delta Group

Today we want to introduce you to an analysis technique that will improve defense planning by more accurate prioritization of threats. This technique integrates different types of information based on a particular threat conception. This conception deviates from the actor-centric definition which is popular in the industry. Therefore, in this chapter, we will try to describe these differences.

Threats are properties if the terrain

Threat — A method (techniques or tactics) an attacker (actor, agent, adversary) can possibly use to achieve or advance towards a particular goal. Threats are inherent in any terrain (IT infra, software, process) regardless of the attacker’s capabilities or intent, and are not necessarily caused by a weakness (software flaw or vulnerability).

For instance, an organization that serves web applications must be concerned about web attacks. An organization that uses credentials should be concerned about credential attacks. If an organization doesn’t have the means to manage their credentials at scale, the threat (of credential attacks) is greater for them.

What you own dictates how an attacker can approach you. If you don’t use the cloud, an attacker can’t use cloud techniques on you, no matter how willing or capable he is. If all your employees use Macs, malware threats are much less of a concern for you. To better understand the threats, we must know our terrain better and look at it through the lenses of the adversary.

This is possible with scenario planning exercises that are focused on our core assets. These are essentially brainstorming sessions aimed at listing every possible way an adversary could attack (or abuse) the system in question. The resulting list contains hypothetical threat scenarios that can then be prioritized and counteracted. So these scenarios don’t need to be probable, but only possible. Similarly, we are not interested in discovering weaknesses at this stage.

Once the threats are known, then counteracting is a matter of organizing your terrain. With the knowledge of prioritized threats (threat landscape, threat map or threat library) we can better direct our strategic and operational efforts towards mitigating them.

This type of threat analysis contrasts with the actor-centric method favored in the industry. I argue that the actor-centric analysis is flawed for two reasons:

    1. Actor-centric analysis considers threats as a property of the adversary. But adversaries can be highly adaptive. Therefore, focusing efforts on countering an adversary’s current capabilities is essentially hoping that they won’t adapt (or, as some argue, forcing them to). Since it is not possible to know whether or how an adversary will adapt, your preparation can’t go beyond what is current.
    2. Actor-centric analysis tries to observe what’s happening outside (by analyzing the threat actors) and apply these insights to cyber defense. However, the relevance of these insights becomes an issue. Currently, the industry is trying to overcome this by categorizing threats by geography and industry. But this type of correlation is not always useful. Also, “What did happen? /What did we find?” offers a very narrow window compared to“what is possible to happen?”.

Whereas, if threats are considered to be a property of the terrain, it becomes possible to know and plan for every possible threat in advance (assuming you have knowledge of your terrain). Afterwards, you can prioritize threats by using actor-centric (and possibly other) insights and then start implementing controls to mitigate them. Where controls are insufficient or absent, there is a gap that an adversary can take advantage of. Gaps make it more likely to introduce weaknesses, and weaknesses can be exploited to actualize threats.

 

 

 

As discussed above, we consider threats to be a property of the terrain, independent from an actor’s intent and capabilities. Terrain dictates the battle. Similarly in cyber intrusions, what you own (assets, personnel, processes etc.) dictates how an adversary can possibly approach you. Therefore, threats are the methods & techniques an adversary may use to achieve their objective (whatever that is). To be able to assess threats, one should first have sufficient knowledge of his terrain. That means the most crucial groundwork to be done is scenario planning. (see: chapter 1)

Stemming from this thought, four data points are the most useful on deciding which threats are most relevant and should be prioritise. These are:

    • Posture risk
    • Incident post-mortems
    • Vulnerabilities
    • Threat intelligence

Now we shall elaborate each one.

1. Posture Risk

Security posture represents how effectively we can mitigate a threat with our existing controls. Not all security controls can mitigate all of the threats. For instance, we can not expect a WAF to counter endpoint-related threats (e.g: malware). Another thing to note is that almost all security controls can be bypassed. Therefore, there will always be a residual risk.

To use this data point, we should gather all the threats we have listed during our scenario planning sessions, and assess whether our controls are sufficiently mitigating each threat. You may group similar threat scenarios under categories to make things easier. An example could be like the following:

This is fictional and does not represent a real security posture analysis

If the controls are not sufficient to mitigate a threat, or there are no controls whatsoever, then this called a weakness. Although sounding similar, a weakness is not the same with a vulnerability. A vulnerability is what an adversary can exploit to materialise threats. A weakness on the other hand, is what’s causing the system to introduce these vulnerabilities. For example, if you’re not scanning your codebase for hardcoded credentials, these credentials will be introduced to your codebase much more often. Lack of the control (source code scanner) is a weakness, whereas the hardcoded credential itself is the vulnerability, which the adversary will exploit.

2. Incident post-mortems

An incident represents an actualised threat. Therefore, they are the most important data points for our analysis. All incidents, especially the ones where adversary has reached its objective, should be thoroughly examined to uncover all the TTPs. After that, these TTPs should be mapped to our threat library to see which of the threat scenarios we listed has materialised. Post-mortems are also useful for unrevealing the weaknesses (a.k.a posture gaps), which is causing the vulnerabilities to be introduced to the system.

3. Vulnerabilities

Vulnerabilities are the opportunities an adversary may abuse to enter our systems and achieve their objectives. Their existence do not pose active threats on their own. But if the system is producing same kind of vulnerabilities very often, it usually points to a gap in our posture (weakness) and will more likely be discovered by an adversary. These should be noted and included in our threat assessment.

4. Threat Intelligence

Threat intelligence can provide useful insights into adversary intent, drivers and their TTPs. Intent and drivers can be used to understand the type of actors that are likely to target our systems. And TTPs can be mapped to our threat library to indicate which scenarios are more likely to actualise.

Using these four data points, it will be possible to assess which threat scenarios are more likely to materialise (and some have already). This will give us a good prediction window, where we can focus our efforts and better prepared for the cyber threats.

 

threat analysisthreat intelligencethreat prioritization
34 Posts
cyberstruggle
  • Early Warning Intelligence - How to predict cyber attacks?
    Previous PostEarly Warning Intelligence - How to predict cyber attacks?

Related Posts

Early Warning Intelligence – How to predict cyber attacks?
Articles Delta Group

Early Warning Intelligence – How to predict cyber attacks?

COM Hijacking for Persistence
Articles Delta Group

COM Hijacking for Persistence

Ratelimit Bypass Tool: Whitepass
Announcements Articles Delta Group

Ratelimit Bypass Tool: Whitepass

Credential Dumping Tool: Chalumeau
Announcements Articles Delta Group

Credential Dumping Tool: Chalumeau

Leave a Reply (Cancel reply)

Your email address will not be published. Required fields are marked *

*
*

five × five =

About Company

About
CS Internals
Careers
Press and Media
Contact Us

Programs

Cyber Struggle Ranger
Cyber Struggle Aegis
Cyber Struggle TPO

For Corporates

Cyber Range Platform
SOC Maturity Certification
In-House SOC Mngmt
Outsource SOC Mngmt
Head Hunting Partnership

Subscribe to newsletter

cs_logo_son

© 2023 Cyber Struggle

in
F.A.Q
Support Forum
Video Tutorials

Search panel can contain any widgets and shortcodes.

Call us: 0 800 255 22 55
Copy