THREAT ASSESSMENT
7CCSMSEM Security Management Dr. Jose M. Such
Introduction
• Many approaches (CISSP) examine just the risk element
• How can you know the risk without knowing the threat?
• Threat assessment is the bedrock of a good risk assessment
• Allows you to explore who/what might be after you
• Informs the risk analysis process
• It leverages open source intelligence and other sources of intelligence
Threats
• Threat = those things that may pose a danger to your information security
• Threat Agent is the actor that poses the threat
• Can be malicious or accidental
• Have the opportunity and capability to exploit a vulnerability
Threat Definitions
• ISO27000
• “Threats are anything that could cause harm to your assets, and vulnerabilities are weaknesses in your security arrangements that make it easy for these threats to occur”
Threat Assessment
• Threat assessment identifies the threats to the organisation
• Identifies the likely culprits
• Threat assessment in this space is not very mature
• Often borrows from other environments/domains
• Difficult to provide quantified, accurate and repeatable outcomes
Threat Assessment cont…
• Processes don’t keep pace with technologies
• Approaches like ISO27000 assume that the threats are well understood
• There needs to be consistency and repeatability in the terminology used across the organisation
• Accuracy of the threat space is important as it is the foundation of accurate risk assessment
Background
• Threat assessments were regularly carried out by nation states on other nation states
• Later, businesses started to apply the same techniques to the marketplace
• National threat analysis done by experts
• Normally considered over lengthy periods
• Consider 2nd Iraqi war as an indication of complexity
• Threat Analysts will tend to specialise in specific parts of the threat spectrum, geographical region etc.
Time period
• State threat analysis normally has a long time period to make assessments
• State attacks are normally a lengthy diplomacy phase coupled with a military build up
• Terrorist attacks may not have a diplomacy phase but still need planning and deployment
• Cyber attacks have short timescales
• Lower threshold to initiate
• No requirement to move physical resources
• Can attack from any location
• Limited observable indicators
• 1 attacker has all they need
Example of difficulty
• Feb 1998 US DoD computer systems under attack
• This was during the time of the build up to the first Iraq war
• The attacks were widespread, co-ordinated and systematic
• Was it a state actor, such as Iraq or one of its allies?
• Cloverdale kids: two 16-year-olds with the help of an 18-year-old Israeli, using home computer equipment
What is a Threat Agent?
1. Natural Threats and/or accidents
• Non-intentional threat agents
2. Malicious agents
• Intentional actions, the ones everyone thinks of
• Characteristics:
• Catalysts, Motivation
• Capability, Access
• Inhibitors, Amplifiers
Natural and Accidental Threats
• Natural
• Well known
• Insurance actuarial tables can be used
• Examples
• Earthquake
• Fire
• Wind
• Water
• Lightning
Natural and Accidental Threats
• Accidental
• Insurance data for physical accidents
• No or limited data for electronic incidents
• Do you know how many times a user has lost a pen drive in your organisation?
• Accidents are affected over time by attitudes and training
• There is a lack of malicious intent
• Threats may be combined
Malicious Agents
• Agent may be an individual or group that can implement the threat
• Agents are affected by amplifiers or inhibitors
• Characteristics:
• Motivation: Why are they doing this?
• Capability: Can they do it and to what level?
• Catalyst: What set them off?
• Inhibitors: What has/could put them off?
• Amplifiers: What has/could push them on?
• There are two factors for a successful attack
1. Exploitable vulnerability
2. System must be important enough (To whom?)
Sequence of Factors
[Diagram: Sequence of Factors. Threat Agent, acted on by a Catalyst, combines Motivation, Capability and Access to produce the Threat; Inhibitors and Amplifiers act on this sequence.]
Malicious Threat Agent Groups
[Diagram: malicious Threat Agent groups]
• State Sponsored
• Terrorist
• Criminal
• Pressure Group
• Commercial Group
• Hacker
• Disaffected Employee
Capability
[Diagram: components of Capability]
• Resources: Equipment, Facilities, Personnel/Funding, Time
• Technology: Software
• Education & Training
• Knowledge: Books/Manuals, Methods
Inhibitors
[Diagram: Inhibitors]
• Fear, i.e. sensitivity to: Failure, Capture, Public Perception, Peer Perception
• Technical Difficulty
• Cost of Participation
Amplifiers
[Diagram: Amplifiers]
• Access to Information
• De-Skilling
• Changing Technology
• Fame
• Poor Target Security
• Peer Pressure
Catalysts
[Diagram: Catalysts]
• Technology Changes
• Events
• Personal Circumstances
• Commercial Gain
Motivation
[Diagram: Motivations]
• Secular
• Political
• Religion
• Belief
• Crime
• Revenge
• Personal Gain
• Knowledge or Information
• Financial
• Power
• Terrorism
• Curiosity
• Competitive Advantage
Tutorial of Threat Assessment
• How do you do a threat assessment?
• Run through the model in Jones and Ashenden
• Other approaches out there
• Understanding how threat informs the risk assessment process
• Enables priority areas to be identified
• Provides an audit trail for due diligence/care
• Makes you think about the inputs to the risk assessment
Jones/Ashenden
• Threat Agents may belong to more than one group
• Assess each group separately
• Assess each factor separately to understand relationships
• Inputs are subjective and so outputs will be subjective
• Lack of facts makes this qualitative
How Do You Describe a Threat Agent?
• Each threat has a range of properties that should be combined appropriately
• Some agents share threat properties
• Although they may not be directly comparable.
• There are relationships between the threat and the target
• States attack states
• Companies attack companies
• There is personal motivation
Hacker Threat Agent – Capability
Factor                           | Weighting Value 1   | 2                   | 3                     | 4                        | 5                      | 6
Group Size (Q)                   | 1-25                | 26-50               | 51-100                | 101-200                  | 201-300                | >300
History of relevant activity (H) | None                | Intermittent        | Occasional            | Occasional               | Regular                | Regular and Widespread
Technical Expertise (T)          | None                | Very Limited        | Limited               | Limited                  | Adequate               | High Level
Prowess within Community (Pr)    | Not part of a group | Peripheral Interest | Interest within group | Significant within group | Important within group | Very Important within group
Reason for Target Selection (U)  | Curiosity           | Rebellion           | Criminal Gain         | Criminal Gain            | Belief                 | Revenge, Religion, racism, nationalism
Threat Agent Capability
• Each factor assigned a weighting
• In the book the weighting has been assigned through experience and testing
• Each class of Threat Agent has a different formula depending on the capability factors
• Hacker capability formula
TC = (Q x 4) + (T x 3) + (H x 7) + (U x 6) + Pr
• Max of 126
• Usually normalised to a percentage for comparison
Scenario
• Aerospace industry thinking about a hacker group
• High value target for our fictitious “Hacktivist” group
• Group intelligence
• History of over 200 DoS attacks, 30 successful intrusions publishing sensitive info
• Working as part of an online anti-war movement
• Have already attacked a number of military, governmental and private contractor networks and systems
Example Capability
Factors                            | Hacker Group                                                          | Value
Size of Group (Q)                  | Over 60 in forums                                                     | 3
Technical ability of the group (T) | Widespread reporting of their attacks on a number of military systems | 6
History of Activity (H)            | History of attacking defence and related                              | 6
Reason for attack (U)              | Exert pressure due to ideology                                        | 5
• TC = (3×4) + (6×3) + (6×7) + (5×6) = 12 + 18 + 42 + 30 = 102
• 102/120 = 85% (Pr was not assessed, so the score is normalised against the maximum of the four rated factors, 120, rather than 126)
Amplifiers/Inhibitors/Catalysts/motivators
• Similar analysis for Amplifiers/Inhibitors/Catalysts/motivators
• Basic process:
• Assign a weighting to the factors based on the scope
• Add up the factors and identify as a percentage
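The hacker capability formula and the scenario above, worked in code as an added example (this is not the lecture's or Jones and Ashenden's own code). The same weighted-sum routine serves the amplifier/inhibitor/catalyst/motivator analyses with their own weight tables, which are assumed to be supplied by the assessor; the only weights embedded here are the slide's hacker capability weights.

```python
# Added example (not from the slides): Jones and Ashenden style weighted factor
# scoring, normalised to a percentage. Factor values run 1..6 as in the table.
MIN_VALUE, MAX_VALUE = 1, 6

# Hacker capability weights from the slides: TC = (Q x 4) + (T x 3) + (H x 7) + (U x 6) + Pr.
# Other agent classes and the amplifier/inhibitor/catalyst/motivator analyses
# use their own weight tables (assumed to be supplied by the assessor).
HACKER_CAPABILITY_WEIGHTS = {"Q": 4, "T": 3, "H": 7, "U": 6, "Pr": 1}

# Group-size bands for Q from the capability table: (upper bound, value); >300 scores 6.
GROUP_SIZE_BANDS = [(25, 1), (50, 2), (100, 3), (200, 4), (300, 5)]


def group_size_value(members: int) -> int:
    """Map a head count to its Q weighting value."""
    if members < 1:
        raise ValueError("group size must be at least 1")
    for upper, value in GROUP_SIZE_BANDS:
        if members <= upper:
            return value
    return 6


def weighted_score(values: dict, weights: dict) -> tuple:
    """Return (score, maximum score) over the factors actually assessed.

    Factors absent from `values` drop out of both the score and the maximum, so a
    partial assessment (the slide scenario omits Pr) is normalised against the
    maximum of what was rated (120) rather than the full 126.
    """
    if not values:
        raise ValueError("no factors assessed")
    unknown = set(values) - set(weights)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    score = max_score = 0
    for factor, value in values.items():
        if not MIN_VALUE <= value <= MAX_VALUE:
            raise ValueError(f"{factor}={value} outside {MIN_VALUE}..{MAX_VALUE}")
        score += value * weights[factor]
        max_score += MAX_VALUE * weights[factor]
    return score, max_score


def score_percent(values: dict, weights: dict) -> float:
    """Normalised score as a percentage, rounded to one decimal place."""
    score, max_score = weighted_score(values, weights)
    return round(100 * score / max_score, 1)


# Scenario from the slides: Q from "over 60 in forums", T=6, H=6, U=5; Pr not assessed.
SCENARIO = {"Q": group_size_value(60), "T": 6, "H": 6, "U": 5}
```

Because the maximum is computed from the factors actually rated, two agents scored on different factor subsets are not directly comparable, which is the caveat the summary slide makes about direct correlation.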
Summary
• This is all subjective/qualitative
• Can rate/rank the threat agents based on the five categories
• Direct correlation not really applicable
• Gain insight into the areas of greatest concern
• What are your thresholds to take action?
• Indication of where effort and resources should be applied
• Get to know your enemy!