Implementation Framework – Cyber Threat Prioritization 4.1
advertisement
Implementation Framework – Cyber Threat Prioritization Troy Townsend Jay McAllister September 2013 CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE Implementation Framework – Cyber Threat Prioritization 4.1 Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported by ODNI under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of ODNI or the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHEDON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works. External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. * These restrictions do not apply to U.S. government entities. DM-0000620 4.2 Implementation Framework – Cyber Threat Prioritization CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE Implementation Framework – Cyber Threat Prioritization Background The Software Engineering Institute (SEI) Emerging Technology Center at Carnegie Mellon University studied the state of cyber intelligence across government, industry, and academia to advance the analytical capabilities of organizations by using best practices to implement solutions for shared challenges. The study, known as the Cyber Intelligence Tradecraft Project (CITP), defined cyber intelligence as the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities to offer courses of action that enhance decision making. legitimate threats to the organization. Instead of prioritizing a cyber threat solely on the capability and intent of threats actors, the framework enables analysts to see the utility of also understanding the threat’s relevance to their organization, strengthening their threat prioritization as they come to realize that a somewhat capable actor with a desire to deface websites should not be considered in the same category as a highly capable actor intent on extracting confidential, strategic documents for extortion or blackmail. A significant challenge that emerged from the CITP was the way in which analysts prioritize cyber threats. The SEI team observed a diverse array of approaches, from analysts relying on the media and third-party intelligence service providers to using data-centric models based on a narrow scope of factors. When threat prioritization models are too narrow, they prevent analysts from effectively monitoring the changes and evolution of the most relevant and severe cyber threats. This hinders cyber intelligence and security professionals from proactively implementing defenses to guard against the latest attack trends and techniques. Among the CITP’s government participants, most intelligence analysts prioritized cyber threats by the likelihood of an actor executing an attack, which they quantified through the summation of an actor’s sophistication (capability) measured against their desire to target the organization (intent). The SEI team noted that as these analysts transitioned to the private sector, so too did this approach. Conversely, private sector CITP participants without experienced government intelligence analysts tended to discount the utility of knowing the threat actor and prioritized cyber threats by the impact attack methods had on the organization or the risk attack methods posed because of the organization’s known vulnerabilities. This Cyber Threat Prioritization Implementation Framework leverages the best practices of CITP participants and SEI expertise to offer a holistic approach to prioritizing cyber threats using a customized, tiered threat prioritization framework. The framework breaks down cyber threats into three core components: the likelihood of threat actors executing attacks, the impact threats have on an organization’s business, and the risk threats pose because of an organization’s known vulnerabilities. By assessing threats according to these components, analysts come to fully understand the causes and effects of relevant threats, which significantly improves the efficiency of their organization’s cyber intelligence efforts because they have the necessary context to accurately align analytical and security resources to the current and future cyber attacks posing the most CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE Implementation Framework – Cyber Threat Prioritization 4.3 Examples of how assessing threats according to this elements and factors augments an analyst’s cyber in Factor Factor Factor Factor Description, Description, Description, Description, Examples threats Examples three Examples Examples • Identify cyber using the core components of a threat. Implementation Examples: Indicators of Success Here’s how analysts can leverage the Cyber Threat Prioritization 4. A ssess the likelihood, impact, and risk of the-­‐ cyber threats. Use thecompetitors, c Likelihood: Threat actors State-­‐sponsored, Implementation Framework to augment their organization’s cyber factors andasub-elements in each spider graph threats Impact: ttack types -­‐ D DoS, stealing intellectual property ( Examples of how assessing ccording to tA his element athreat nd its scomponent’s ub-­‐ intelligence efforts: rate the elements cas a low, medium, or high priority elements and factors ato ugments an corresponding analyst’s cyber intelligence apabilities. Risk: Known vulnerabilities -­‐ High-­‐profile employees, unpat attribute of the threat. The average of these ratings then determines 1. Adopt these definitions: the likelihood, impact, • Identify cyber threats using the three core components of a threat. and risk of the threat, which combine to indicate Threat = Likelihood + Impact + Risk Assess the litikelihood, impact, aand risk of the orcyber threats. Use the factor whether should be considered low, medium, high priority threat. Examples: Likelihood = Capability + Intent spider graph to rate the corresponding elements as a low, medium, or hig Likelihood: Threat actors -­‐ State-­‐sponsored, criminals, hactivists, recreational Impact = Operations + Strategic Interests Example: Acnompetitors, organization wants to know how it should prioritize hackers these ratings then determines the likelihood, impact, and risk of the threa Risk = People + Cyber Footprint its analytical and network defense efforts for a possible Impact: Attack types -­‐ DDoS, stealing intellectual property (IP), damaging/incapacitating network assets considered a low, medium, or high priority recreational hacker DDoS attack on thethreat. organization’s secure Risk: Known vulnerabilities -­‐ High-­‐profile employees, unpatched devices, unsecured remote access Example: payment site. Analysis indicates the likelihood of the recreational 2. Become familiar with the provided spider graphs to gauge the factors hacker executing the attack is high to his attack methods An organization wants to due know how it should prioritize its a Assess he likelihood, impact, and risk of the cyber threats. and Use the factors and sthe ub-­‐elements each threat that comprise each of thetthree threat components. resources. However, impact of thein DDoS attack is component’s recreational hacker DDoS attack on the organization’s secu Spider graph key:graph Titletof low because the asecure payment site has minimal spider o threat rate tcomponent he corresponding elements as a low, assessed medium, asor high priority ttribute of the threat. The average of the recreational hacker executing the attack is high due to Description and example from impact on the organization’s operations and strategic interests these ratings then determines the likelihood, impact, and risk of the threat, which combine to indicate whether it should b of the DDoS abeta ttack is assessed s low the because the s a CITP participant due toimpact it still being in internal testing. This alsoameans considered a low, medium, or high priority threat. organization’s perations nd strategic nterests due to it s risk associated with theoattack is lowabecause of the isecure Threat Component (likelihood, impact, or risk) Example: payment site’s limited interaction with people and cyber Description the risk associated with the attack is low because of the sec An organization wants to know how it should prioritize its analytical and network efense efforts footprint. this threat, which initiallydappeared a for a poss and Therefore, cyber footprint. Therefore, this threat, towbe hich initially a high priority, snow canpbe classified as aAmedium low threatthe likelihood recreational hacker DDoS attack on the organization’s ecure ayment site. nalysis to indicates as a m edium t o l ow t hreat r equiring m inimal a nalytical and requiring and attention. However, the Element of the of the hacker executing the attack the Element recreational is high minimal due to analytical his attack mnetwork ethods defense and resources. Threat Component Threat Component Note: Always factor timing into the threat prioritization assessment. When impact of the DDoS attack is assessed as low because the secure payment site has minimal impact on the Description Description a threat actor or organization can be just as important as Note: Always factor timing does into something the threat prioritization assessment. When organization’s operations and strategic interests due actor to it may still have being in internal beta torganization, esting. This also mean why or how. A threat no desire to target an be just as important as why or how. A threat actor may have no desire to t the risk associated with the attack ibut s low because of the holiday, secure payment site’s limited interaction with peop since it is a national the organization becomes a target of holiday, the organization becomes a target of opportunity for the actor to Sub-element Sub-element Sub-element Sub-element opportunity for the actor to test a new tool simply because none of its and cyber footprint. Therefore, this threat, which initially appeared to be a high priority, now can be classif security esecurity mployees are at are work. Description Description Description Description network employees at work. as a medium to low threat requiring minimal analytical and network defense attention. Factor Example Factor Example Factor Example Factor Example• 5. Plot threatsfor for eeach on o graphs similar to the following: Plot all all threats ach component component n graphs similar to the following: Note: Always factor timing into the threat prioritization assessment. When a threat actor or organization does something Factor i t i s a n ational be just as important as Factor why or how. A tFactor hreat actor may have no dLikelihood esire to t arget an organization, bImpact ut since Example Example Example ( (to organization) holiday, the organization becomes a target of opportunity for t(by he tahreat ctor atctor) o test a new tool simply because none of its netwo Medium Medium High High security employees are at work. Strategic Indicators of Success Capability People Interests Examples of how assessing Low Medium Low Medium threats according to this element • Plot all threats for each component on graphs similar to the following: Factor Example and its sub-elements and factors augments an analyst’s cyber intelligence capabilities. Intent Operations Risk Impact •(to oUse all three graphs to holistically valuate the overall cyber threat enviro (by known ve ulnerabilities) rganization) Likelihood (by threat actor) Medium High 3. Identify cyber threats using the three core components of a threat. Strategic Interests resources to the current and fMedium uture cyber attacks that pose the most legit Medium High High Example: People Low analysts Medium If cyber intelligence rate all components of a threa organization’s nCyber etwork servers for industrial espionage pur Footprint Operations then the organization s place (risk) as a high priority threat, Use allcyber three tgraphs holistically evaluate the overallalign cyberanalytical threat • Use all three graphs to holistically evaluate the overall hreat toenvironment to efficiently and security threat over others where the likelihood is toequally as high, b Impact: Attack types - distributed denial-of-service environment to efficiently align analytical and security resources the resources to the current and future cyber attacks that pose the most legitimate threats to the organization. (DDoS), stealing intellectual property (IP), damaging/ current and future cyber attacks that pose the most legitimate threats to Example: assets incapacitating network the organization. Overall Indicators of Success If cyber intelligence analysts rate all components of a threat actor executing a worm (likelihood) against an Risk: Known vulnerabilities - High-profile employees, Ifecyber intelligence analysts rate all tcomponents threat organization’s network servers or iExample: ndustrial spionage purposes (impact) hat thhreats as no ofw orm mitigation • fThreat prioritization influences which potential gaet addressed by isn ec unpatched devices, unsecured remote access actor executing a worm (likelihood) against an organization’s place (risk) as a high priority threat, then tahe resources re oarganization llocated. should immediately position itself to focus on thi network servers for industrial espionage purposes (impact) that threat over others where the likelihood is equally as high, but impact and risk is lower. has no worm mitigation in place (risk) as a high priority threat, then the organization should immediately position itself to focus Overall Indicators of Success on this threat over others where the likelihood is equally as high, but impact and risk are lower. get addressed by security operations and how network security • Threat prioritization influences which potential threats 4.4 Implementation resources Framework – Cyber Prioritization CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE are Threat allocated. Capability Examples: Likelihood: Threat actors -Medium State-sponsored, Low competitors, criminals, hactivists, recreational Intent hackers Low Medium Overall Indicators of Success • Threat prioritization influences which potential threats get addressed by security operations and how network security resources are allocated. • Collection management is streamlined and organizations are able to better communicate their requirements to third party intelligence vendors. • Cyber threats are widely communicated to the organization and employees are aware of the most relevant threats. • Cyber threats are proactively monitored and prioritized, with updates available to inform security operations, intelligence analysts, and decision makers. • Analytical production aligns with threat prioritization. For instance, the organization develops a tiered system to communicate threat information to stakeholders: - Tier 1: Potential threat averages a high rating. Analysis required within 90 minutes. - Tier 2: Potential threat averages a medium rating. Analysis required within 8 hours. - Tier 3: Potential threat averages a low rating. Analysis required between 3 and 5 days. - Tier 4: Potential threat does not compute a rating, but is an indirect threat for anyone using the Internet. No specific timeframe for analysis. • Analysts use threat prioritization to do predictive analysis, like developing scenarios to test how defenses will react to the full spectrum of cyber threats. CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE Implementation Framework – Cyber Threat Prioritization 4.5 Likelihood Understanding the capabilities and intentions of cyber threat actors determines the likelihood of them targeting an organization. To determine this likelihood, a CITP participant from industry monitored open source publications from an organization known to sponsor cyber threat actors who frequently targeted the organization. Analyzing this accessible data provided insight into the motivations of the sponsored cyber threat actors, allowing the CITP participant to narrow down the types of data likely to be targeted, and work with network security experts to create diversions, honey pots, and employ other measures to proactively defend against the threat. Likelihood Capability Intent An actor’s sophistication, tools, and resources to execute a cyber attack determine their capability. Assessing capability as an independent variable of likelihood means organizations can avoid the pitfalls of devoting time and attention to “paper tiger” threats. Attack Methods Humans are creatures of habit. Although threat actors take great care to avoid detection, at some level they too succumb to this adage. Tracking how threat actors operate exposes patterns that analysts can use to combat their effectiveness. Infrastructure Sophisticated threats often require an infrastructure to operate. This can be assessed by looking for hop points used during an attack, the command and control network, or the size and scope of a botnet. Technology Technology used or manipulated for an attack can indicate the capability of a threat actor. More sophisticated actors target SCADA or ICS devices, web-enabled products, or mobile devices in addition to traditional servers and clients. Coding Nuances and personal preferences in coding not only assist with attribution, but also can indicate actor sophistication. Maturity The maturity of the actor takes into account their planning process, pre-attack activities (research/ recon/social engineering), and post attack actions (such as tool updates or incorporating lessons learned). Targets Resources Understanding what is available to threat actors offers context to the sophistication of their attacks. Leverage government, industry, and intelligence service provider information sharing arrangements to learn about actors resources. The actor’s purpose and the expected outcome of the cyber attack determine the intent. Prioritizing actors by their intent allows analysts to focus on the most relevant threats. Motive Why do threat actors attack? Determining an actor’s motive provides insight into the possible direction of their behavior, and determines their interest in targeting the organization. Intrinsic (personally rewarding) Money Obtaining and maintaining capabilities incur costs. Wellresourced/sponsored threat actors are often more dangerous than less resourced actors, with other variables being equal. Fame, bragging rights, thirst for knowledge/access, justification of skills, satisfying boredom, patriotism, and hactivist allegiance; all reasons a hacker might be motivated to target an organization. People Extrinsic (receive external reward or avoid punishment) From collaborators and co-workers to teachers and mentors, the number and type of people involved in a campaign can be indicative of its capability. Extrinsic motives revolve around two key concepts: reward or avoiding punishment. These motives include everything from state-sponsored denial and deception operations, misinformation campaigns, and psychological operations to financial incentives from competing businesses, organized crime, and blackmail. Tools Tools often hint at the capability of an actor, but the lack of a custom tool does not always imply a novice attacker. Most sophisticated actors will use the right tool for the job; if open source tools will work, there is no need to customize one. Training Targeted Data Understanding what a threat actor is after will factor into determining their intent to target the organization. Personally Identifiable Information (PII) Are the attackers stealing personal information from your customers? From your employees? Determining if this type of information is vulnerable can help assess the likelihood that the actor targets the organization. Research and Development Some actors exist to steal corporate R&D data. Organizations with heavy R&D missions are more likely to be targeted by actors specializing in corporate espionage or supporting nation-states. Business Process Certain categories of actors, especially insider threats, target the inner workings of the organization. From hiring and firing information to time cards and audit findings, organizations likely will be targeted if this information is accessible. Industrial Control Systems The type and quality of training available to the threat actor can help determine their capability. Online videos, IRC channels, certification courses, military training, or formal academic education all yield different levels of sophistication. Certain actors specialize in compromising industrial control systems and the associated human-machine interface. Organizations operating these systems should prioritize these threat actors accordingly. Capability can be assessed by looking at what is targeted. Does the actor rely on mass phishing emails, identify specific targets (network, website, employee, mobile platform) or exploit a specific vulnerability (Adobe, Windows, SQL, etc.)? Indicators of Success • Analysts have a repository of current and historical threat actor tactics, techniques, and procedures (TTPs) to generate profiles that are fed into data collection platforms to separate known threats that automated defensive actions can mitigate from unknown threats requiring an analyst’s attention. • Analysts understand threat actors’ intentions well enough to assign them to different categories, such as nation-state, criminal, hactivist, recreational, or competitor; enabling them to identify the most likely threats their organization faces through profiling. • Analysts gain perspective on the tools threat actors use to assess how they access an organization or if they outsource tool development. A basic netflow analysis could show the majority of attacks come from well known, prepackaged scripts, which analysts can easily combat using remediation efforts posted on open source websites. • Analysts realize that if a threat actor is targeting their organization for fame, the likelihood increases for the actor to choose a DDoS attack to the organization’s website as the attack method. • From their organization being the first result in a Google search to knowing over what holidays certain actors like to conduct attacks, analysts recognize the importance of timing when it comes to assessing the overall likelihood of a threat. • Analysts realize that sophisticated actors use the lowest common denominator for attacks. If a threat actor can use an off-the-shelf tool to accomplish their goal, they’ll wait to deploy customized tools on harder targets. • Analysts understand that the targeting of Adobe or Windows software vulnerabilities usually equates to a threat of lower sophistication than one targeting Windows operating systems. 4.6 Implementation Framework – Cyber Threat Prioritization CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE Impact Analyzing the effects cyber attacks have on an organization’s operations and strategic interests provides quantifiable, business-related information to justify its impact on the organization. A CITP participant quantified the impact of cyber threats to their leadership by assessing how much money the organization would pay to reroute its product distribution channels after a hacker compromised the network and disclosed specific travel routes to competitors intent on disrupting this distribution. Impact Operations Strategic Interests Cyber attacks adversely affect an organization’s day-to-day operations. Since the effects often are financially quantifiable, analysts can use dollar amounts to communicate the impact attacks have on how an organization functions. Direct Costs Cyber attacks have a financial impact on organizations. Prioritizing threats according to their cost in terms of remediation and mitigation can resonate with technical and non-technical stakeholders. Incident Response Consider the costs to perform an investigation, remediation, and forensics; including required software/ licenses for incident response tools. Downtime Business costs of a network-reliant service being unavailable, including missed transactions or loss of potential revenue also play a role Mitigation and/or Prevention Factor in costs of additional hardware/software required to mitigate a specific threat. Some impacts are harder to quantify, but they are no less important. Strategic interests capture the intangible aspects of the organization that can be affected by a cyber threat. Business Operations Organizational Interests In addition to the known costs of responding to an attack, organizations also should consider the cascading effects an attack can cause and their associated costs. Plans, people, and products offer tremendous insight into why an organization is targeted and where a threat can do the most damage if certain information is compromised. Supply Chain Costs associated with the inability to meet demand, delay to operations, and having to supplement/replace suppliers can significantly impact an organization. Logistics An organization must function whether it is enduring an attack or not, so make sure to consider the cost of continuing operations during and after an attack, such as re-routing communications, securing intellectual property, adding equipment/personnel to avoid another similar attack, and upgrading systems/networks/processes. Market/Industry Consider the impact of losing strategic vision data, such as annual reports, 1/3/5 year strategic outlooks, operational policies, mergers, and acquisitions. How are competitors affected by the cyber threat? Is the industry equally affected by the threat? Consider national and foreign competition in threat prioritization. Stakeholders Geopolitical Organizational Culture Factor in the impact of legal/regulatory requirements from governments, law enforcement, regional entities (European Union), and external business arrangements. Also consider changes to the organization's culture, including work-from-home policies, complex password requirements, and restricted network access. Loss of intellectual property may reveal R&D investments or R&D strategies, delay product releases, affect future acquisitions, and cause a loss of competitive advantage. Organizations do not operate in a bubble, and neither should threat prioritization. Consider the ramifications cyber attacks can have on organizational partnerships, reputation, culture, geopolitics, and market space. Strategic Planning Assess how threats impact shareholders, board of directors, and employees. Future Earnings External Interests Does the threat affect political relationships, or the ability to operate in foreign countries? Will the impact of the threat affect the stock market? Is the local/regional economy impacted? All of these factors play a role that decision makers will want information on. Partnerships Consider the impact to third parties, including information-sharing partners (government/industry/ service provider) and other business relations (companies/governments/ regions). Assess the validity of shared data if strategic partners are affected. Brand Reputation Brand Reputation: Understand the impact to the brand and its implications on public opinion. Indicators of Success • • Internally, analysts establish frequent communication with the business units responsible for operations to discuss threats, alter threat prioritization, and predict new threats. These business units can include R&D, physical security, risk management, IT, human resources, insider threat, and business intelligence. Analysts identify and remediate the cascading effects a cyber attack could have by targeting one part of the organization’s operational network and systems. • Analysts recognize how a cyber attack could impact the organization’s ability to operate and communicate to stakeholders and institute appropriate contingencies to eliminate this impact when an attack occurs in the future. • Knowledge of the impact cyber attacks can have on an organization’s operations enables analysts to determine the financial costs to recover and repair damage done by the threats that the analysts’ prioritization efforts deem most likely to harm the organization. CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE • Analysts ensure that threat prioritization isn’t based off personal biases or those of decision makers, stakeholders, service providers, or the media. • Analysts correlate logs of IPs accessing the parts of their organization’s website containing data on strategic planning and intellectual property with known bad IPs to predict where threats will be concentrated now and in the future. • Analysts understand the financial cost associated with a geopolitical event in a country threatening their organization’s Internet presence in that market. • Analysts recognize that if peers in their industry and the organization’s economic interests are being attacked, the likelihood of being targeted increases and they take preventative measures to ensure that doesn’t happen. Implementation Framework – Cyber Threat Prioritization 4.7 Risk Assessing how people and the organization’s cyber footprint make the organization vulnerable to cyber attacks determines what areas within it are the most at risk of being targeted. One CITP participant’s CEO is active with companies and institutes that are separate from the organization. The CITP participant’s cyber intelligence analysts maintain an awareness of these activities, so when hacktivists publicly threatened attacks against one of the institutes, the analysts knew this could have implications for their organization and altered network defenses to prepare for a potential attack. Risk People Cyber Footprint Cyber threats generally have one thing in common; at some point a human interacts with the threat. This interaction must be a part of threat prioritization to understand an attacker’s most commonly targeted vulnerability: people. Relevance From leadership to rank-and-file employees, the Internet offers a communication platform that allows anyone to make their organization more visible to threat actors. Access Employees with administrator privileges or access to sensitive data are more attractive targets for threat actors. Determining who has what access can significantly aid in identifying the risk to employees. Online Presence Maintain awareness of information employees put online and their popularity on blogs/social media— both can garner the attention of threat actors. Information posted online can unwittingly reveal vulnerabilities and flaws in security policy, or incite threat actors to target the organization. Extracurricular Activities Be mindful of the activities employees participate in outside of work. Employees’ status with external institutions, such as non-profits, may increase their risk of being targeted. Motive There always is a rhyme or reason for why people enable cyber attacks. Whether it’s ignorance, financial trouble, disgruntlement, or boredom, by knowing these vulnerabilities analysts can diminish their effectiveness through prevention. The greater an organization’s online exposure, the more opportunity an attacker has to find vulnerabilities. Consider the organization’s infrastructure, supply chain, online exposure, and components most susceptible to attacks. Infrastructure The unknown provenance of software and hardware complicates risk determination in the cyber environment. Overcoming this limitation requires researching where, when, and how an organization’s infra-structure is most susceptible to cyber threats. Physical and Network-Based Access Develop a blueprint of where network appliances, workstations, and third party equipment connect to the organization’s network and identify the most likely risks for cyber threat activities. Software Most organizations rely on software to accomplish day-to-day operations. A robust threat prioritization assesses the risks associated with relying on particular software, which network users require access to high-risk software, and the organization’s ability to detect if a software vulnerability has been exploited. Position As with access points, consider how threat actors can exploit the different roles people play throughout the organization, from network administrator or HR representative to CEO, supply chain manager, or a recently fired employee. Supply Chain Abnormal Activity The most stringent network defenses can be subverted by counterfeit equipment or software. Understanding and assessing threats to the organization’s supply chain provides additional data points to measure risk of compromise through the organization’s network infrastructure. Develop baseline or expected network behavior for key users. Consider what deviations may indicate potential nefarious activity and consistently watch for them. Some examples can involve an employee working off-hours, emailing attachments to personal email accounts, or accessing information that is unrelated to their normal job. The content and services an organization provides on the Internet serve as attractive targets for threat actors. Analysts can assess severity of risk based on this insight into likely attack vectors. Website Hardware Individuals have varying access to both physical and network-based sections of an organization that threat actors can leverage to execute an attack. Assess which employees are at higher risk of being targeted based on their access. Online Presence Analyze how threat actors might leverage an organization’s website to plan and execute an attack. This includes compromising customer account log-ins, collecting employee contact information, defacing the site, or denying legitimate access to it. Additional Exposure An organization’s public relations and marketing departments track how social media and other aspects of the Internet help bring attention to the organization. Threat prioritization efforts also should track how this attention affects its cyber threat environment. Additional Services FTP, Telnet, VPN access, webmail, remote desktop, and other web-based services used by an organization increase the risk of potential cyber attacks, and should be factored into threat prioritization. Indicators of Success • Whether it is an employee alerting about a suspicious email they received or a vendor providing a list of bad IPs, analysts have engaged enough with individuals associated with the organization that they actively contact the analysts about issues that could alter how threats are prioritized. • Employee feedback influences threat prioritization because analysts offer feedback mechanisms via all of their cyber intelligence communication platforms; emails, analytical products, briefings, or awareness campaigns. • If the CEO or a junior analyst blogs about topics that likely will bring the attention of threat actors, analysts are aware of these activities and consider the position, influence, popularity, and online presence of these individuals in order to predict how they should change the organization’s security posture. • 4.8 • Analysts understand the organization’s operating environment well enough that with system updates and patches, they alleviate ~80% of threats; freeing them to focus on the ~20% that could significantly impact the organization. • Analysts recognize their organization is only as secure as its supply chain. If it acquires software and analysts don’t know who did the actual coding, the code’s reliability, or to what extent it has been error tested, then they won’t know how threat actors could use potential vulnerabilities within the code to conduct an attack. • Analysts incorporate timing into their prioritization efforts to align increases in network defenses with the different times during the year (holidays, system upgrades) when the organization’s network is most vulnerable. Analysts become aware of the fact that every vulnerability is not a threat worthy of further analysis and mitigation. Implementation Framework – Cyber Threat Prioritization CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE
