The Human Element: Unpredictability in Security Risk Assessments

What truly sets security risk assessments apart from their counterparts? It's the presence of a threat actor—an individual driven to inflict harm. While headlines may point to nations, criminal networks, or ransomware groups, these are ultimately comprised of individuals.

This human element injects complexity and unpredictability into the heart of risk assessment.? Their motivations vary, their capabilities differ, and crucially, they can learn and adapt their behavior in response to our defenses. This dynamic stands in stark contrast to risks less influenced by human actions, like the risk of fire from a pipeline leak.

A security risk assessment starts by defining the risk context, which involves identifying potential threat actors, their motivations, skills, and attack methods. This step also includes a thorough description of the system being evaluated, breaking it down into its individual assets and assessing their value to different stakeholders.

Next, a vulnerability assessment is conducted to identify weaknesses within the system. The likelihood and potential impact of each vulnerability being exploited are then assessed. The assessment then moves on to identify threats that could exploit these vulnerabilities and evaluates the likelihood and impact of each threat occurring. Finally, the risks are prioritized based on their potential impact and likelihood, allowing for the development and implementation of effective mitigation strategies to address the most critical risks. The risk assessment process should be continuously monitored and reviewed to adapt to changes in the risk environment.

Intelligence is key to understand threat actors and predict their actions, but this is challenging due to uncertainty. Even understanding the efficacy of mitigating activities is hard, as threat actors will adapt their approach in response.

Consider the cloud connected coffee machine discussed on this recent post from my LinkedIn newsletter: Grabbing OT benefits in the cloud - how to align security targets | LinkedIn. We want to perform a security risk assessment for the coffee maker company. They are worried that threat actors may exploit the coffee maker system to cause harm to the coffee customers, leading to reputational damage for the company.?

The coffee company, which primarily sells its technology in Scandinavia, has decided to adopt a 3-step approach to gain a deeper understanding of the risk context for supply chain attacks.

Step 1 involves understanding their customer base, including who the buyers of their coffee machines are and which threat actors might be interested in them. This will be achieved by analyzing sales reports and reviewing recent open threat reports from Scandinavian countries to identify potential threat actors.

Step 2 focuses on determining the prevalence of supply chain attacks in Scandinavia and the likelihood of coffee-related companies being used as pivot points. Research will be conducted using open threat reports and media coverage.

Finally, in Step 3, threat profiles will be created for each of the main customer segments. These profiles will identify whether they are likely to be targeted in supply chain attacks and if the coffee company could potentially be used as a pivot point.

Based on this the coffee company decides to compile a table describing relevant threat actors for the case discussed, summarizing:?

1. Threat actor type
2. Customer groups of interest
3. Short description of expected attack vectors
4. Assessment of likelihood of attack

Sales data analysis shows that 50% of customers are municipalities, 30% are doctors and dentists, and 20% are from various other sectors.?

Government risk reports indicate that municipalities are potential targets for foreign intelligence, whereas doctors and dentists are not. Research on supply chain attacks in Scandinavia reveals that they are prevalent, with three main types identified.

1. Espionage-Driven Targeted Attacks: These attacks are specifically aimed at government, defense, and research organizations to steal sensitive information.
2. Automated Cyber Attacks: These attacks aim to compromise existing infrastructure for malicious purposes like building botnets.
3. Ransomware Attacks Exploiting Supply Chains: These attacks target weaker suppliers to gain access to larger organizations and then demand ransom payments.

The espionage-driven attack type is deemed less likely than the others.?

Municipalities

• Likely targets for espionage from foreign intelligence actors, especially municipalities hosting national critical infrastructure and defense installations
• Frequently targeted by ransomware actors. Several cases of “hands-on-keyboard” ransomware attacks in the past.?

Doctors and dentists

• Likelihood of espionage lower, unless treating patients who are also persons of interest to intelligence agencies. We have no knowledge of this, and will assume that for the coffee customers this is not a dimensioning case.?
• Ransomware attacks are possible but not hands-on-keyboard attacks since they favor larger organizations.?
• Automated attacks are highly likely to be relevant due to a generally weak security posture of such businesses.?

Let’s now consider the coffee machine infrastructure and software, and break it down into parts we can assess for vulnerabilities.?

Based on the drawing of the components used to run the coffee machine we can consider vulnerabilities at 3 levels:?

1. Procedures and operations
2. Network
3. Components and software

The people in the coffee company most familiar with procedures and operations of the machines are the service technicians who install and maintain the machines for the customers. When asking them about possible vulnerabilities, they already have several known issues to report:?

• The admin logon to the Linux computer happens through the touch screen with a simple 4 digit pin code. The same code is used for every machine and every customer.?
• To allow for remote maintenance the machines expose SSH over reverse forwarding via a virtual machine in AWS, this means that all machines are reachable from the Internet. The technician can log on using the root user and a shared password used for all the machines to perform support operations.?
• The underlying operating system is never really updated. It is running an older version of Linux.?

As for the network itself, the coffee machine is plugged into the office router to provide Internet access. There are no preferences for how this is done from the coffee machine company and many customers plug the machine into the same network as their office workers use.?

Asking about the PLC’s, the technicials can also reveal that they are left in “remote programming mode” to simplify remote management and troubleshooting. This means that anyone on the network with the engineering software can change the PLC settings.?

The application software itself may also contain vulnerabilities. It has primarily been developed by contractors with little follow-up from the company. The security posture of the application software running on the Linux computer is therefore unknown.?

In the cloud a single database is used for all customers to store coffee preferences, suggest new brews and so on. The API’s are used by the Linux computer on the coffee machine. The cloud system also stores personal data and billing information about all the customers. The API is using a static API key for authentication, which is embedded in the URL as a GET parameter. The coffee company is also running other internal services for the company in the same cloud environment without any real segregation from the coffee machine data and services.?

The company thus revealed that there are quite a lot of vulnerabilities in the coffee machine system.?

When assessing how threat actors are likely to exploit these vulnerabilities, the coffee company develops 3 exploit scenarios:?

1. Espionage agency targeting municipalities identifies exposed SSH endpoint and uses brute-force attack to gain access. Then performs internal reconnaissance and moves laterally from the Linux box internally to gain access to the municipalities core IT systems, in order to exfiltrate data. Data exfiltration is likely to occur through the coffee machine Linux computer to avoid detection in more heavily monitored IT systems.?
2. Ransomware operator finding the exposed SSH endpoint, similar attack pattern as the espionage operation. May also try to gain access to underlying AWS account and hit all coffee customers with ransomware, for example by manipulating API endpoints.?
3. Botnet brute-forcing the SSH endpoint and adding the LInux machine directly to a botnet, and using this to attack others and send out spam e-mails.?

When assessing the risk of these 3 scenarios, the coffee company creates the following table:?

All scenarios depend on the exposed SSH endpoint, getting rid of that is a good start. SSH connections to end-users is important for technical support, but the company sets up a jump host in AWS and only allows local IP addresses to connect using SSH. This way the Internet exposure is removed and they have time to gradually work on the next items.?

Adapting to the new barrier

Let’s say an intelligence agency has been tasked with breaching a Norwegian municipality where significant activity in support of the Ukraininan war effort takes place. They had identified several exposed SSH endpoints and breached them but not yet installed any back doors. Then the coffee company removes the SSH exposure. How can the agency now respond to this, in order to complete their mission of securing network access? Here are some ways:

1. Find other means of gaining access, for example through spearphishing of municipality employee user accounts
2. Gain access to the coffee company infrastructure, and exploit their access as as supplier to gain a foothold

The agency may choose to go for option #2 here, as they would correctly believe the security posture of the coffee company is quite poor. They may thus try to phish employees, or exploit other systems to gain access to the AWS environment. This is an example of threat actor adaptation when new security controls are created.?

Summary

Understanding of the threat actor’s motivation is not necessary for all security work. If you know you have vulnerabilities that are easy to exploit you should fix those problems irrespective of who the threat actors are.?

But if you are seeking to analyse your security risk, understanding the threat actor is a key piece of the puzzle. There are many open reports published from government agencies and security companies that can help provide insight into threat actor capabilities and motivations, but without clear questions you want to answer it will be hard to translate the relatively generic reports into actionable intelligence. This is why you should always start with defining the questions you want answered. In this example we looked specifically at supply chain attacks on some specific customer categories for a coffee machine provider to offices. That is a much more specific question than “what cyber attacks are likely to occur?”.?

Security risk assessments without taking the threat actor into account are likely to be too generic to provide much decision support. Distilling your uncertainties into answerable questions will help you make better security decisions.?