Posted November 28, 2017
Companies face such a large and diverse cyber threat landscape that it seems almost impossible to manually review all known threats, let alone guard against them. With the potential of having to sift through tens of millions of new threat intelligence data points every day, automation-assisted cyber threat management is on the rise. However, the question remains: how can companies automate the prioritization of prevention, response, and mitigation activities to maximize return on investment?
Should these systems prioritize activities according to the most severe threats or the company’s most valuable assets? Experienced cybersecurity professionals know it is not that simple. Companies rarely encounter even one or two of the 100 most severe threats that are relevant to them, and hackers tend to hit low-value assets first before pivoting to their true target. Where, then, should a company focus its efforts?
In order to effectively prioritize cyber threat management activities, it is essential to have knowledge of how threats affect a wide range of business risks:
- Which threats are currently impacting your specific industry or geographic region?
- How secure are your supply chain partners and how much access do they have to your data/IT infrastructure?
- What kinds of malicious activity indicators have been observed in either your networks or in adjacent networks?
These are only a few questions to ask yourself. Simply stated…
From Threat Scores to Risk Assessment
Many cyber threat intelligence sources provide threat severity scores that rate the potential impact of each threat. This is extremely useful when comparing one threat to another, but threat scores convey very little about each threat’s probability of impact on your organization. Risk assessments require information about both probability AND severity.
Alongside threat severity scores, many threat intelligence feeds list threats associated with specific network assets (e.g. indications of Conficker infection on specific IP addresses). Wherever your own network assets appear in such reports, this provides useful information about the probability that threats already exist behind your company’s firewalls.
However, relying solely on threat feeds to assess threat probabilities is poor practice. Focused monitoring of your own company provides the best opportunities for observing threat indicators, and there are many factors that affect threat probabilities for your company that threat feeds simply don’t provide. A company’s industry, supply chain partners, vulnerabilities, cyber connectivity, and perceived information value can all influence the probability, and hence risk, of encountering various threats. Let’s take a look at each in more detail:
Every industry has a different set of threats that are more or less likely to impact your organization. Many threats target specific industries such as point-of-sale malware in retail, Internet of Things threats in healthcare, or activity targeting industrial control systems in critical infrastructure and manufacturing.
Cyber Supply Chain
Securing your own company’s network assets is no longer the only concern. According to a 2015 SANS report, up to 80% of cyber breaches originate in the supply chain; thus, if the partners that access your systems and data are insecure, so are you. At the very least, organizations should encourage supply chain partners to adopt better practices. For a more robust and proactive approach to third party risk, organizations need a continuous monitoring service that provides real-time information on cyber-connected supply chain partners.
Some threats leverage vulnerabilities in specific services, application versions, open ports, or even firmware in specialized devices. If a system is known to not have or use any of these, the probability of any impact from relevant associated threats is essentially zero. Not only is information from regular vulnerability scans (e.g. Shodan, Nessus, OpenVAS) essential for helping prioritize threats based on your company’s network asset inventory, it also provides actionable information regarding which vulnerabilities require attention.
There are many threats that tend to proliferate within local networks, whether by design or simply opportunistically due to activity patterns. When these threats are active within the autonomous systems or CIDR blocks your company’s network assets inhabit, the associated risk rises significantly. Therefore, maintaining awareness not only of the threats in your neighborhood, but also of the ever-evolving topology of the Internet itself, is important for accurate risk assessment.
Understanding your company’s network segmentation is important too. When evidence of malicious activity surfaces, its location within your network infrastructure can provide important information with which to prioritize response activity. Does that newly-discovered malware instance have easy access to your company’s customer database or R&D storage server?
The value your company obtains from certain data or systems may be very different from the value perceived by an adversary. It is important to consider both sides of the value equation when performing cyber risk assessments. The external value assessment will influence the probability of a targeted attack while the internal value assessment will affect the impact of a compromise and drive cyber security activity prioritizations.
Many of the factors above, as well as most threats, cannot be considered in isolation. The industries, vulnerabilities, and network connectivity of your supply chain partners matter immensely. Adversaries pivot from one threat to another, perhaps using a spear-phishing email to entice a watering-hole visit that installs malware through which they pivot into root access. Interaction effects are perhaps the most difficult issues to integrate into your company’s cyber risk assessment, but their importance cannot be overstated.
Informing Automated Risk Assessment
Companies need automation-assisted risk assessment capabilities that go well beyond comparison of threat severity scores. Certainly, threat intelligence sources provide a huge amount of information that can help cybersecurity professionals understand the ever-growing and ever-changing threat landscape. This is a great starting point; however, effective cybersecurity management also requires the integration of contextual data that informs understanding of the probability associated with each threat.
Additional information sources should include:
- Industry & Supply Chain Threat Activity – Subscribing to threat updates from information sharing and analysis centers (ISACs) is a great start. However, third party monitoring of your industry’s participants and leveraging trusted relationships between cybersecurity professionals will provide more timely and actionable data.
- Regular Vulnerability Scan Results – A list of your systems’ current and emerging vulnerabilities/weaknesses (e.g. CVE, CWE) can help assess susceptibility to certain threats.
- Internet Infrastructure Updates – Understanding your network neighborhood requires monitoring changes to the use of domain names, IP addresses, and autonomous systems. These changes can also provide indicators of some threats such as phishing or BGP hijacking.
- Network Activity – Capturing your company’s network activity (both external and internal) can provide indicators for threat activity detection as well as useful forensic material.
Ideally, your company should obtain such information in machine-readable formats, promoting automated risk assessment calculations that leverage both severity AND probability. These calculations can produce a range of useful risk values to support the prioritization of prevention, response, and mitigation actions.
- Risk of Threat – Rank network locations with reported threat indications for inclusion in intrusion prevention systems (IPS). These locations can be prioritized not only by the typical threat severity scores, but also by a score informed by the probability that the threat exists at that location and the probability that it targets your company.
- Risk of Compromise – Rank internal network assets on the likelihood they could be breached so you can prioritize prevention activities.
- Risk of Targeted Attack – A risk ranking based on severity and probability that your internal systems are the current target of a threat (or multiple threats) along with knowledge of asset value can help prioritize your cyber incident response actions.
- Expected Value of Asset Compromise – With probability, severity, and asset value information, it is possible to calculate expected values of cyber threat effects at department, division, or company-wide scales. Measured over time, this metric can be used to summarize your specific company’s evolving threat landscape and evaluate its return on investment in cyber defense efforts.
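The following is an added example, not code from the original post, showing how the probability factors discussed above (vulnerability fit, industry targeting, indicators in your own CIDR block, a feed reporting the host itself) can be combined with a feed’s severity score to produce the Risk of Compromise ranking and the Expected Value of Asset Compromise per department. The weights, CVE placeholders, threat names and the 198.51.100.0/24 inventory are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import prod

@dataclass(frozen=True)
class Threat:               # one feed entry: severity plus the context a bare score lacks
    name: str
    severity: float         # feed severity score, 0-10
    industries: frozenset   # industries the feed reports the threat against
    cves: frozenset         # CVEs it needs; empty means it needs no specific flaw
    seen_at: frozenset      # IPs the feed reports as infected or hostile
@dataclass(frozen=True)
class Asset:                # one inventory row from our own scans
    name: str
    ip: str
    department: str
    value: float            # internal value of a compromise (e.g. USD)
    cves: frozenset         # open findings from the latest vulnerability scan

BASE, INDUSTRY_BOOST, NEIGHBOR_BOOST = 0.05, 0.25, 0.40   # constructed weights, not from the post
def probability(t: Threat, a: Asset, industry: str, cidr: str) -> float:
    """Probability that threat t impacts asset a, from the post's context factors."""
    if t.cves and not t.cves & a.cves:
        return 0.0          # required vulnerability absent: essentially zero
    if a.ip in t.seen_at:
        return 1.0          # a feed already reports this exact host
    p = BASE + (INDUSTRY_BOOST if industry in t.industries else 0.0)
    if any(ip_address(ip) in ip_network(cidr) for ip in t.seen_at):
        p += NEIGHBOR_BOOST  # indicators inside our own CIDR block / ASN neighbourhood
    return min(p, 1.0)

def rank_risk_of_compromise(threats, assets, industry, cidr):
    """Assets ordered by max(probability x severity): the prevention priority list."""
    score = {a.name: max(probability(t, a, industry, cidr) * t.severity for t in threats) for a in assets}
    return sorted(score.items(), key=lambda kv: kv[1], reverse=True)

def expected_loss_by_department(threats, assets, industry, cidr):
    """Expected value of compromise: asset value x P(at least one threat lands)."""
    out = {}
    for a in assets:
        p_any = 1 - prod(1 - probability(t, a, industry, cidr) for t in threats)
        out[a.department] = round(out.get(a.department, 0.0) + a.value * p_any, 2)
    return out
# Constructed sample data: a retail company owning 198.51.100.0/24 (documentation range).
THREATS = [Threat("pos-scraper", 9.0, frozenset({"retail"}), frozenset(), frozenset({"198.51.100.77"})),
           Threat("ics-worm", 9.5, frozenset({"manufacturing"}), frozenset({"CVE-PLACEHOLDER-1"}), frozenset({"203.0.113.5"})),
           Threat("smb-worm", 6.0, frozenset(), frozenset({"CVE-PLACEHOLDER-2"}), frozenset({"198.51.100.9"}))]
ASSETS = [Asset("pos-01", "198.51.100.77", "stores", 50_000.0, frozenset()),
          Asset("crm-db", "198.51.100.20", "sales", 2_000_000.0, frozenset({"CVE-PLACEHOLDER-2"})),
          Asset("web-01", "198.51.100.10", "it", 100_000.0, frozenset())]
```

Note that the ICS worm, despite the highest severity score in the feed, contributes zero risk because no asset carries the vulnerability it needs, while the point-of-sale host that a feed already reports tops the list.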
Risk-based cyber security management is not simple. Threat scores are just one piece of the risk assessment puzzle, and prevention, response, and mitigation actions require different prioritizations. Your company’s unique and evolving context significantly influences its greatest risks. As the amount of data available for monitoring cyber threats and related contexts continues to grow, your company can take steps to prepare for emerging automation-assisted cyber threat management tools.
First, ensure access to high-quality feed and scanning data sources. These sources should provide machine-readable data that your automated systems can use to catalog threats, vulnerabilities, network structure, and network activity.
Next, make sure your systems can identify the activity in your specific industry and supply chain. The time you invest in creating and updating network footprints for your partners and competitors will pay off as you gain visibility into emerging industry and supply chain threats.
Finally, develop analytical methods for calculating useful severity, probability, and risk scores based on available data. Ensure that the calculations are robust so the resulting scores are useful to your organization’s processes.
Your company can begin taking advantage of data-driven cyber risk assessment to prioritize its prevention, response, and mitigation activities, yielding better cybersecurity with less effort. When done right, financial estimates of cyber security exposure can help monitor return on investment and inform your company’s allocation of budget to cybersecurity efforts.