Cyber Risk Modeling (Lite), Made Easy
“Which cyber threats (threat actor groups (aka “adversaries”) or malware) matter most to my organization, and what can I do about it?” These are straightforward questions, which have major implications for the direction of cybersecurity resource investment for an organization practicing threat-informed defense. But they aren’t so straightforward to answer.
The challenge in finding reliable - and especially quick - answers to these questions often prohibits security teams from building models of their threat landscape and using these threat models to continuously inform defensive priorities. An intuitive workflow from Control Validation Compass allows any security team - including cyber threat intelligence (CTI), detection engineering, and offensive security - to easily build a “light” cyber risk model relevant to their organization and more quickly start operationalizing a security approach informed (or even driven) by relevant adversary intelligence.
This article outlines key steps in building a good threat model, key internal & external information sources for accomplishing those steps, and the areas where Control Validation Compass, a new free and openly available tool, helps any member of a cybersecurity or intelligence team dramatically speed up generating a basic risk model relevant to the organization they support.
Notes: 1) Many fantastic talks and resources on CTI and threat modeling informed development of Control Validation Compass and are linked in the Knowledge Center. The best summary of the threat modeling approach advanced by Control Compass (and the outline for this article) is laid out in Katie Nickels’s 2020 Shmoocon talk “Resistance Isn’t Futile”. 2) Many definitions exist for concepts such as “threat” and “risk”. The important thing is that teams understand and are consistent with the definitions they use. For this article, I call the Control Compass output a “risk model” instead of the more common term “threat model”, since it considers external threats as well as internal compensating controls, giving more nuance than just considering external factors alone. I call it a “light” model since it doesn’t consider some other important factors of traditional “risk” definitions, such as event likelihood or loss potential - for a more robust approach to quantifying cyber risk, see Levi Gundert’s “The Risk Business”.?
Know Your Organization
A key first step in building a cyber risk model involves getting to know your organization itself. This step is often - understandably - overlooked when risk modeling is led by threat intelligence teams, which traditionally tend to focus more on identifying and tracking all the myriad cyber threats that exist in the modern landscape.
Knowing your organization’s underlying business objectives (for companies) or its mission (for agencies or non-governmental organizations) helps security teams understand its long-term direction. Understanding long-term direction is crucial for forecasting potential investment or changes in headcount, geographic locations, or physical or technological assets, which may impact which threats target or otherwise impact the organization. This step can be as simple as looking to written/publicized mission statements. Leadership decisions or even public filings (such as Form 10-K financial filings) can provide greater detail.
Next, security teams should know about their organization’s assets and technology footprint, and maintain awareness of potential technology transformations that may be underway or upcoming. What types of information and data does the organization handle (e.g. PII vs PHI vs PCI), and which ones matter “most” (e.g. weigh data types and potential impacts of a compromise by the three facets of the CIA Triad)? Teams that are most successful with this step are the ones that excel at maintaining or making new connections with other teams, especially those in IT infrastructure who best know the ins & outs of the organization’s technology footprint.
Finally, security teams should have an understanding of which security controls exist in their environment, and their organization’s capabilities for collecting the data/event logs needed for those controls to function as expected. This typically involves knowing which security tools & technologies are in place (in large enterprises this can often be a long list), but also what security & response processes exist, and what policies govern all of the above?
This is where the Control Validation Compass Controls Lookup feature helps, allowing any team with awareness of their organization’s security stack (not just security engineers) to get an initial sense of the policy and technical controls (detections) and even red team capabilities possibly in use in their environment. The feature should not replace an in-depth examination of an organization’s control environment (like something promoted via the DeTT&CT Framework), but it enable users to instantly see the distribution of controls, mapped to MITRE ATT&CK? techniques, that come “out-of-the-box” (or with default configurations) of the tools their organization uses. Check it out by toggling some of the endpoint, network, and cloud security tools and third-party repositories used in your environment here.
Know Your Threats
The next key step in cyber risk model development is understanding the threats that matter most to your organization. This is usually defined by the threats that will most likely affect you and/or will cause the greatest impact (harm) to your organization. There are myriad cyber threat adversary groups (Google tracks nearly 300 state-sponsored groups alone) and discrete malware/tools and attacker techniques (nearly 600 techniques + sub-techniques currently documented in Enterprise ATT&CK) in the global landscape today. Since virtually no private (or even public) organization has the resources to track every known and new threat at all times, prioritizing threats based on relevance (threat modeling) is a must.
An attainable approach to cyber threat modeling involves breaking down the potentially immense threat landscape into roughly four more-digestible chunks or categories. More mature organizations will often assign quantitative scoring (something as simple as 1-4) to these threat categories.
领英推荐
The first and typically highest-scored category involves direct threats to the organization. These are typically threats the organization knows they certainly care about, usually as a result of directly observing the threat (suspected actor group or malware) in real-world incidents, usually via the organization’s telemetry/log data.
The second category involves inferred threats to the organization, usually based on analysis of threats impacting organizations similar to one’s own, usually others within the same industry. Threats affecting immediate industry peers (organizations that most closely resemble one’s own) may receive slightly higher scores. Privileged-circle information sharing, such as through ISACs, is a key source of information informing this category of threats. Searching publicly-reported incidents for threats affecting a given industry can also be valuable.
The Control Validation Compass Threat Model feature shines in this area. Identifying validated cyber threat activity involving a given industry has traditionally been a labor-intensive task involving heavy use of manual, keyword-based searches across news and/or vendor or agency reports. The Threat Model capability allows users to instantly surface relevant adversaries grouped into key categories relevant for intelligence analysis (based on human-vetted linkages), including attacker motivation & location and victim industry & geography (more on the methodology here). The output - complete ATT&CK technique mappings associated with each adversary or entire categories - is complemented with custom Diamond Model and ATT&CK heatmap visuals - a cyber threat modeler’s dream! The feature aims to greatly lower the barrier to entry of cyber threat modeling, putting formerly advanced modeling workflows into the hands of anyone who can use the UI-based tool, including CTI analysts but also detection engineers or SOC, red, or purple team operators.
The final and typically lowest-scored category involves opportunistic or indiscriminate threats - threats that may impact an organization despite or regardless of any specific targeting or intent. This category should not be discarded entirely. There is often a limited sample of public reporting on cyber threat activity, and a lack of reports involving one’s industry or peers should not automatically negate a particular threat from your model. Robust models will not only consider threats already linked to a given industry or motive via reporting, but also any and all threats that may logically be relevant to one’s organization.
Align Threats & Controls and Prioritize Which Controls to Strengthen
Once you’ve gained a better understanding of your organization, technology environment, and security controls, and identified relevant threats, the final risk modeling step involves aligning your threat profile with your controls so you can make better sense of your unique profile and start to take action based on it. Luckily with Control Validation Compass, this step is incredibly easy - effortless and automatic in fact, because every resource included in the tool, both controls resources and every adversary profile, is already mapped to the MITRE ATT&CK knowledge base.
ATT&CK mapping is core to Control Validation Compass, serving as the critical bridge between the internal controls and the external threat environments (I go into more detail on this value here). From the controls side, Control Validation Compass offers a unique collection of mappings and direct links to resources across nearly 30 publicly accessible repositories containing control policy guidance, threat detection rules, and offensive security test scripts, such as MITRE ATT&CK’s “Mitigations”, the Sigma repository, Atomic Red Team, and many more. Resource sets are included only if they contain mappings to ATT&CK techniques or sub-techniques. From the threat side, I built an entire unique threat dataset by merging two existing powerhouse datasets, allowing Control Compass users to surface hundreds of ATT&CK-mapped TTP intelligence profiles organized around structured, human-vetted links to adversary categories such as motive, location, and victim industry.
The Controls and Threat Model features of Control Validation Compass are finally merged into a single valuable Risk Model (Threat Alignment) workflow, which reduces a potentially weeks- or months-long task of building a risk model into literally seconds’ worth of work and a few clicks. Use the same options as above to build your threat model based on your industry or other factors of interest (or in this case even add your own threat intelligence), toggle which security tools and resources are relevant to you to filter your results, and output a rank-ordered list of which adversary techniques are potentially most relevant to you or worth digging into further. Re-sort the list to re-prioritize your unique TTP list based on a) which techniques have the most existing out-of-the-box controls, b) which have the least (useful for gap identification), or c) which appeared most often in your threat model (coming this week!).
This prioritization informs which techniques security teams should consider focusing on first, for example by implementing new preconfigured detections that may not be in place, developing custom rules to fill existing detection gaps, or even deploying or developing new red team tests to perform the critical step of validating that detections are actually working as intended. Control Validation Compass allows any security team member to easily generate and visualize the list of techniques to prioritize, bringing a formerly advanced workflow into the hands of many and enabling more teams to start taking action on their intelligence-informed threat models. By making the process so fast, the tool also gives teams critical time back to begin the next steps of operationalizing new security controls, tuning or strengthening existing ones, and completing the feedback loop by validating they work as expected against the actual adversary techniques they are most likely to face.
MITRE ATT&CK? and ATT&CK? are registered trademarks of The MITRE Corporation.