Assessing Risk using Threat Susceptibility


What are the targets of cyber threats?

In the NIST Cybersecurity Framework core function of ‘Identify,’ organizations are tasked with ‘Asset Management’: discovering and maintaining an inventory of the assets that are resources to the business. These resources need to be prioritized based on their classification, criticality, and business value. Organizations are also asked to ‘Identify’ the ‘Business Environment,’ including priorities for business objectives, business dependencies, and critical functions of assets supporting the business. They are also tasked with establishing resilience requirements to support the delivery of business-critical services.

I mention the above because that information represents what is of value to the business and what the impact would be to the business during a breach. It’s the foundation for the ‘impact’ portion of the NIST cybersecurity ‘Identify’ task of ‘Risk Assessment.’  This is where organizations need to identify threats, vulnerabilities, likelihoods, and impacts to the business’s assets as these are used to determine risk. This is where cyber threat susceptibility assessments should be completed and used to identify and prioritize risk responses.

Which cyber threats can’t be avoided?

Cyber Threat Susceptibility is the inability of the organization to avoid cyber threats. The objective is to identify and assess cyber threats and select countermeasures effective at mitigating those threats. Organizations will need to define the scope of the assessment and model the attack surface to include security configurations, vulnerabilities, and other existing security controls. It’s essential to understand which cyber threats the organization is susceptible to and which cyber threats it can avoid.

Using MITRE ATT&CK for cyber threat TTPs

To make cyber threat susceptibility a bit more concrete, let’s use MITRE ATT&CK to represent the cyber threats at the TTP level. MITRE ATT&CK also makes you think about more advanced adversaries who can breach anyone given enough time and resources. Threat actors who conduct targeted attacks are more likely to analyze publicly available information, such as all the target organization’s past job vacancies, to build a social and technical targeting package with information about the business’s people, processes, and technologies so they can enjoy higher success rates.

The cyber threat susceptibility assessment might start with all the enterprise ATT&CK TTPs, but the initial set of candidate TTPs undergoes a narrowing process to eliminate TTPs considered implausible. Several factors can make a TTP an implausible method of cyber attack. Many TTPs have prerequisites or conditions that must hold true in order for that TTP to be effective.

A prerequisite for a SQL injection attack, for example, is that the system must include a SQL database. The use of weak passwords is one condition that must hold true in order for an adversary to successfully conduct brute force password attacks. Many candidate ATT&CK TTPs may be eliminated because of missing prerequisites.

Organizations have also invested heavily over the years in security controls that can prevent the occurrence of some candidate ATT&CK TTPs. Preventing the occurrence of the TTP enables the organization to avoid the TTP, and the organization is no longer susceptible to the prevented ATT&CK TTPs.

What remains is a set of plausible ATT&CK TTPs that the organization is susceptible to based on the organization’s assets, vulnerabilities, security controls, and current attack surface. Over the last decade, the significant mindset shift was to ‘assume breach.’ Now the organization is armed with a specific set of TTPs that will make it past the preventative controls. Assuming breach means organizations will need to focus on the TTPs they can’t avoid and work on being able to withstand the impact of the cyber threats by reducing vulnerability and increasing resilience.
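The narrowing process described above can be sketched as a filter over candidate TTPs. This is an added example, not code from the original article: the ATT&CK technique IDs are real, but the prerequisite names, control names, and the environment they are checked against are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    ttp_id: str
    name: str
    prerequisites: frozenset  # environment facts that must ALL hold for the TTP to work
    prevented_by: frozenset   # controls, ANY one of which prevents the TTP

# Constructed catalogue: the ATT&CK IDs are real, the mappings are illustrative assumptions.
CANDIDATES = [
    Candidate("T1190", "Exploit Public-Facing Application (SQL injection)",
              frozenset({"internet_facing_app", "sql_database"}),
              frozenset({"parameterized_queries_enforced"})),
    Candidate("T1110", "Brute Force",
              frozenset({"password_auth", "weak_passwords_allowed"}), frozenset()),
    Candidate("T1566", "Phishing", frozenset({"email_users"}), frozenset()),
    Candidate("T1091", "Replication Through Removable Media",
              frozenset({"usb_ports_enabled"}), frozenset({"device_control_policy"})),
]

# Constructed assessment scope: facts about the attack surface and deployed preventive controls.
ENVIRONMENT = {"internet_facing_app", "sql_database", "password_auth",
               "email_users", "usb_ports_enabled"}
CONTROLS = {"device_control_policy", "edr_agent"}

def assess(candidates, environment, controls):
    """Map each TTP id to (status, reason): implausible, avoided, or susceptible."""
    results = {}
    for c in candidates:
        missing = sorted(c.prerequisites - environment)
        blocking = sorted(c.prevented_by & controls)
        if missing:
            results[c.ttp_id] = ("implausible", "missing prerequisite: " + ", ".join(missing))
        elif blocking:
            results[c.ttp_id] = ("avoided", "prevented by: " + ", ".join(blocking))
        else:
            results[c.ttp_id] = ("susceptible", "prerequisites met, no preventive control")
    return results

def susceptible_ttps(results):
    """The narrowed set that feeds attack-flow and risk analysis."""
    return sorted(t for t, (status, _) in results.items() if status == "susceptible")

if __name__ == "__main__":
    for ttp, (status, reason) in assess(CANDIDATES, ENVIRONMENT, CONTROLS).items():
        print(f"{ttp}: {status} ({reason})")
```

Keeping the reason alongside each status records why a TTP was eliminated, so the decision can be revisited when the attack surface or the control set changes.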

Using ATT&CK Sightings and Attack Flows to enhance results

Determining likelihood and impact is an important step in assessing risk. Start with the TTPs that the organization is susceptible to and identify possible attack path scenarios by building ‘Attack Flows’ that target critical assets in the business to determine the likelihood and impact of each attack path scenario. Consider prioritizing the list of susceptible TTPs using MITRE CTID’s ‘ATT&CK Sightings’ results to add weighting to likelihood predictions during risk calculation. This can also help prioritize risk remediation activities based on ATT&CK Sightings’ real-world observations of adversary activity.

Monte Carlo simulations can come in handy here: they are a model used to predict the probability of different outcomes when random variables are involved. Monte Carlo simulations help to explain the impact of risk and uncertainty in prediction and forecasting models. At the end of the analysis, you want to quantitatively assess the most likely and highest impact attack path scenarios, which would be the priority for risk remediation.
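A minimal Monte Carlo run over two attack flows shows how sightings weighting and uncertain estimates combine into a ranking. This is an added example, not part of the original article: the flows, probability ranges, loss ranges, and sighting weights are all constructed, and multiplying a step's estimated success probability by a relative sighting weight is one assumed way of applying the weighting.

```python
import random

# Constructed relative weights standing in for ATT&CK Sightings frequencies (1.0 = most sighted).
SIGHTING_WEIGHT = {"T1566": 1.0, "T1078": 0.8, "T1486": 0.7, "T1190": 0.6, "T1041": 0.5}

# Constructed attack flows: ordered steps as (TTP, low, high) success-probability estimates,
# plus a (low, mode, high) loss estimate for the targeted critical asset.
FLOWS = {
    "phish-to-ransomware on file servers": {
        "steps": [("T1566", 0.2, 0.4), ("T1078", 0.3, 0.5), ("T1486", 0.4, 0.6)],
        "loss": (200_000, 500_000, 2_000_000),
    },
    "web-app-to-exfiltration of customer DB": {
        "steps": [("T1190", 0.1, 0.3), ("T1041", 0.5, 0.7)],
        "loss": (50_000, 150_000, 400_000),
    },
}

def simulate_flow(flow, trials, rng):
    """Return (completion probability, mean loss per trial) for one attack flow."""
    completed, total_loss = 0, 0.0
    low, mode, high = flow["loss"]
    for _ in range(trials):
        # The flow completes only if every step succeeds in this trial.
        for ttp, p_low, p_high in flow["steps"]:
            p = rng.uniform(p_low, p_high) * SIGHTING_WEIGHT[ttp]
            if rng.random() >= p:
                break
        else:
            completed += 1
            total_loss += rng.triangular(low, high, mode)
    return completed / trials, total_loss / trials

def rank_flows(flows=FLOWS, trials=20_000, seed=7):
    """Simulate each flow and return (name, probability, mean loss) rows, highest loss first."""
    rng = random.Random(seed)
    rows = [(name, *simulate_flow(flow, trials, rng)) for name, flow in flows.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, p, loss in rank_flows():
        print(f"{name}: P(complete)={p:.3f}  mean loss={loss:,.0f}")
```

With these inputs the two flows have similar completion probabilities, so the ranking is driven by the loss estimate for the targeted asset, which is why the impact side of the assessment matters as much as likelihood.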

 
