The Importance of Performing a Cybersecurity Threat Assessment
By Kristopher Hardy, GPEN, GWAPT, Manager, Cybersecurity and Data Privacy, Marcum Technology
Mom! Dad! There’s a monster under my bed! If you’ve ever responded to a call like this from your kids, congratulations – you’ve conducted a threat assessment. A threat assessment is basically identifying things that could harm your assets and assessing their ability to do so. Hopefully in this case you can convince your child that there is no threat under the bed, the risk of getting eaten is quite low, and it’s okay to go back to sleep.
Threat assessments are part of an overall process called risk management. What is risk? Essentially, measurable uncertainty. Management expert Peter Drucker said, “If you can’t measure it, you can’t improve it.” Measurability is a must. And if it’s not uncertain, then technically there is no risk. For example, what is the “risk” of the sun not rising tomorrow? No insurance company would pay a premium if the sun does rise. It’s not insurable because it’s certain, and therefore not a risk.
Cybersecurity risk management is all about reducing the probability or potential severity of incidents that could damage or destroy your IT resources or the information within. As security professionals, our responsibility is to help managers make informed, risk-based decisions. We do that by considering the components of the risk equation:
Risk = Threat * Vulnerability * Asset Impact
Threats are sources of harm. They could be human (e.g., hacker, disgruntled employee), technical (e.g., malware, hard drive failure), or natural (e.g., hurricane, fire.) Note one important characteristic of nearly all threats: they are outside of your control. You can’t control an earthquake, you can’t control a hacker in Pyongyang, and you can’t control the behavior of compiled malicious code. In each case, the threat is going to do what it’s going to do. To reduce risk, we need to focus on the other elements of the equation. Keep reading as we build out our threat model.
Vulnerabilities occur when assets are exposed to threat actors. Vulnerabilities are often things we can control, or at least influence. For example, if you want to reduce the risk of a hurricane damaging your office in Florida, you can move operations to Nevada. You haven’t changed the hurricane, but you’ve certainly changed its ability to affect your asset. A lot of risk management is vulnerability management because there are often changes we can make that measurably reduce our risk.
Asset impact refers to how much damage a threat can do to an asset. For example, reinforcing our Florida office to be hurricane-resistant doesn’t change the threat or the vulnerability, but it significantly reduces the threat impact. In many cases, however, we’re stuck with our assets as they are, and thus this becomes a constant in our risk equation.
So, back to threat assessment. Threat assessment involves identifying threats, determining the seriousness of each threat, and prioritizing how to manage threat actors. Threat intelligence is information about potential adversaries. Think of severe weather forecasts as a form of threat intelligence. When you know your adversary’s capabilities and which adversaries are interested in you, you can prioritize your defenses accordingly. For cyber threat actors, this information is often available as a paid subscription. One very useful tool is the MITRE ATT&CK® framework, which provides a repository of adversary tactics and techniques. By analyzing the tactics and techniques used by each threat actor, commonalities may emerge that suggest where countermeasures could have the most impact. For example, if threat intelligence suggests three advanced persistent threat (APT) teams are targeting you, and each uses phishing to establish a foothold, then defending against this common technique reduces the risk across all of these threats.
Threat assessment is an essential element of risk assessment. By providing knowledge of what is most likely to occur, threat assessment helps you avoid allocating resources for lower probability, lower impact threats. This is not limited to cybersecurity: in football, defenses expect a pass play on third-and-long; you would respond differently to being chased by a puppy than you would a gorilla; if police reports show burglars all come in through the bedroom window, you’d lock that window first.
The result of effective cybersecurity threat assessment is better risk management. Because all risk is about probabilities, focusing your defenses on the most likely threats decreases the overall probability of an incident or breach.
If you’re interested in learning more about the monsters that may be hiding under your organization’s bed, Marcum Technology is here to help. Marcum Technology provides a full cybersecurity service offering. If you need any help, from beginning a review of your security posture to investigating a cybersecurity incident, or even if you just want to ask for advice on a situation you are facing, please contact us at firstname.lastname@example.org #AskMarumTechnology