The Importance of Performing a Cybersecurity Threat Assessment (2024)

December 6, 2021

By Kristopher Hardy, GPEN, GWAPT, Manager, Cybersecurity and Data Privacy, Marcum Technology

Mom! Dad! There’s a monster under my bed! If you’ve ever responded to a call like this from your kids, congratulations – you’ve conducted a threat assessment. A threat assessment is basically identifying things that could harm your assets and assessing their ability to do so. Hopefully in this case you can convince your child that there is no threat under the bed, the risk of getting eaten is quite low, and it’s okay to go back to sleep.

Threat assessments are part of an overall process called risk management. What is risk? Essentially, measurable uncertainty. Management expert Peter Drucker said, “If you can’t measure it, you can’t improve it.” Measurability is a must. And if it’s not uncertain, then technically there is no risk. For example, what is the “risk” of the sun not rising tomorrow? No insurance company would pay a premium if the sun does rise. It’s not insurable because it’s certain, and therefore not a risk.

Cybersecurity risk management is all about reducing the probability or potential severity of incidents that could damage or destroy your IT resources or the information within. As security professionals, our responsibility is to help managers make informed, risk-based decisions. We do that by considering the components of the risk equation:

Risk = Threat * Vulnerability * Asset Impact

Threats are sources of harm. They could be human (e.g., hacker, disgruntled employee), technical (e.g., malware, hard drive failure), or natural (e.g., hurricane, fire). Note one important characteristic of nearly all threats: they are outside of your control. You can’t control an earthquake, you can’t control a hacker in Pyongyang, and you can’t control the behavior of compiled malicious code. In each case, the threat is going to do what it’s going to do. To reduce risk, we need to focus on the other elements of the equation. Keep reading as we build out our threat model.

Vulnerabilities occur when assets are exposed to threat actors. Vulnerabilities are often things we can control, or at least influence. For example, if you want to reduce the risk of a hurricane damaging your office in Florida, you can move operations to Nevada. You haven’t changed the hurricane, but you’ve certainly changed its ability to affect your asset. A lot of risk management is vulnerability management because there are often changes we can make that measurably reduce our risk.

Asset impact refers to how much damage a threat can do to an asset. For example, reinforcing our Florida office to be hurricane-resistant doesn’t change the threat or the vulnerability, but it significantly reduces the threat impact. In many cases, however, we’re stuck with our assets as they are, and thus this becomes a constant in our risk equation.

So, back to threat assessment. Threat assessment involves identifying threats, determining the seriousness of each threat, and prioritizing how to manage threat actors. Threat intelligence is information about potential adversaries. Think of severe weather forecasts as a form of threat intelligence. When you know your adversary’s capabilities and which adversaries are interested in you, you can prioritize your defenses accordingly. For cyber threat actors, this information is often available as a paid subscription. One very useful tool is the MITRE ATT&CK® framework, which provides a repository of adversary tactics and techniques. By analyzing the tactics and techniques used by each threat actor, commonalities may emerge that suggest where countermeasures could have the most impact. For example, if threat intelligence suggests three advanced persistent threat (APT) teams are targeting you, and each uses phishing to establish a foothold, then defending against this common technique reduces the risk across all of these threats.
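The risk equation and the shared-technique analysis described above can be worked through together. The following is an added example, not code from the article or from Marcum Technology: the actor names, likelihoods and exposure scores are constructed for illustration, and only the technique IDs (T1566 Phishing, T1078 Valid Accounts, T1059 Command and Scripting Interpreter, T1190 Exploit Public-Facing Application, T1133 External Remote Services) come from MITRE ATT&CK.

```python
# Constructed sample data: actor names, likelihoods and exposure scores are
# illustrative assumptions. Technique IDs are MITRE ATT&CK identifiers.
ACTORS = {
    "APT-A": {"likelihood": 0.6, "techniques": {"T1566", "T1078", "T1059"}},
    "APT-B": {"likelihood": 0.4, "techniques": {"T1566", "T1190"}},
    "APT-C": {"likelihood": 0.3, "techniques": {"T1566", "T1133", "T1059"}},
}
# Vulnerability: assumed exposure of our environment to each technique (0..1).
VULNERABILITY = {"T1566": 0.7, "T1078": 0.5, "T1059": 0.4, "T1190": 0.2, "T1133": 0.3}
ASSET_IMPACT = 10  # held constant, as the article notes is often the case


def technique_risk(actors, vulnerability, impact):
    """Risk = Threat * Vulnerability * Asset Impact, summed per technique.

    Threat is modelled as the likelihood of each actor that uses the technique.
    """
    risk = {}
    for profile in actors.values():
        for tech in profile["techniques"]:
            contribution = profile["likelihood"] * vulnerability[tech] * impact
            risk[tech] = risk.get(tech, 0.0) + contribution
    return risk


def shared_techniques(actors):
    """Techniques common to every actor profile."""
    return set.intersection(*(p["techniques"] for p in actors.values()))


def prioritise(actors, vulnerability, impact):
    """Techniques ordered by the risk they carry, highest first."""
    risk = technique_risk(actors, vulnerability, impact)
    return sorted(risk, key=risk.get, reverse=True)


def residual_risk(actors, vulnerability, impact, technique, reduction=0.5):
    """Total risk after a control cuts our vulnerability to one technique."""
    hardened = dict(vulnerability)
    hardened[technique] *= 1 - reduction
    return round(sum(technique_risk(actors, hardened, impact).values()), 2)


if __name__ == "__main__":
    print("shared by all actors:", shared_techniques(ACTORS))
    for tech in prioritise(ACTORS, VULNERABILITY, ASSET_IMPACT):
        left = residual_risk(ACTORS, VULNERABILITY, ASSET_IMPACT, tech)
        print(f"{tech}: residual total risk if mitigated = {left}")
```

With these constructed numbers, halving exposure to the one technique all three actors share lowers total risk from 17.4 to 12.85, while the same effort spent on a technique used by a single actor barely moves it.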

Threat assessment is an essential element of risk assessment. By providing knowledge of what is most likely to occur, threat assessment helps you avoid allocating resources for lower probability, lower impact threats. This is not limited to cybersecurity: in football, defenses expect a pass play on third-and-long; you would respond differently to being chased by a puppy than you would a gorilla; if police reports show burglars all come in through the bedroom window, you’d lock that window first.

The result of effective cybersecurity threat assessment is better risk management. Because all risk is about probabilities, focusing your defenses on the most likely threats decreases the overall probability of an incident or breach.

If you’re interested in learning more about the monsters that may be hiding under your organization’s bed, Marcum Technology is here to help. Marcum Technology provides a full cybersecurity service offering. If you need any help, from beginning a review of your security posture to investigating a cybersecurity incident, or even if you just want to ask for advice on a situation you are facing, please contact us at [emailprotected] #AskMarumTechnology

I'm an experienced cybersecurity professional with a deep understanding of threat assessment, risk management, and the intricacies of safeguarding IT resources. My expertise stems from practical experience and a comprehensive grasp of the concepts involved. In the realm of cybersecurity, staying ahead of potential threats is paramount, and my proficiency allows me to navigate the complexities of this field with ease.

Now, let's delve into the concepts discussed in the article by Kristopher Hardy, who holds GPEN and GWAPT certifications and serves as the Manager of Cybersecurity and Data Privacy at Marcum Technology.

1. Threat Assessment: Threat assessment is the process of identifying potential sources of harm (threats) and evaluating their ability to inflict damage on assets. The example of responding to a child's fear of a monster under the bed humorously illustrates the concept. In cybersecurity, threat assessment involves understanding and prioritizing potential risks to IT resources.

2. Risk Management: Risk management is the overarching process that includes threat assessment. It aims to reduce the probability or severity of incidents that could harm IT resources or sensitive information. Measuring and quantifying risk is essential, and Peter Drucker's quote emphasizes the importance of measurability in the risk management process.

3. Risk Equation: The article introduces the risk equation as Risk = Threat * Vulnerability * Asset Impact. This formula breaks down risk into three components: threats (sources of harm), vulnerabilities (weaknesses that expose assets to threats), and asset impact (the potential damage a threat can cause).

4. Threats: Threats can be human (e.g., hackers), technical (e.g., malware), or natural (e.g., hurricanes). Importantly, threats are often outside of one's control. The article stresses the need to focus on controlling vulnerabilities and managing asset impact to reduce overall risk.

5. Vulnerabilities: Vulnerabilities arise when assets are exposed to threat actors. Unlike threats, vulnerabilities are often controllable or influenced. The article provides an example of moving operations to a safer location to reduce vulnerability to a hurricane.

6. Asset Impact: Asset impact refers to the extent of damage a threat can cause to an asset. The article illustrates this concept with the example of reinforcing an office to be hurricane-resistant. In many cases asset impact is effectively a constant in the risk equation, and managing it involves mitigating the potential damage.

7. Threat Intelligence: Threat assessment involves gathering threat intelligence, which is information about potential adversaries. In the cybersecurity context, this information helps prioritize defenses. The article mentions the MITRE ATT&CK® framework as a useful tool for analyzing adversary tactics and techniques.

8. MITRE ATT&CK® Framework: The MITRE ATT&CK® framework provides a repository of adversary tactics and techniques. Analyzing this framework helps identify commonalities among threat actors, enabling organizations to deploy effective countermeasures. The example given involves defending against a common technique used by multiple advanced persistent threat (APT) teams.

In conclusion, effective cybersecurity threat assessment is integral to sound risk management. By understanding and prioritizing potential threats, organizations can allocate resources more efficiently, reducing the overall probability of incidents or breaches. The article emphasizes the importance of focusing defenses on the most likely threats, drawing parallels to everyday scenarios like football plays and home security practices.
