Cyber Strategy Management – 1D. Review threat landscape (4/5)

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.

Purpose

The constantly evolving threat landscape makes it impractical for organizations to invest equally in all cybersecurity areas. The purpose of reviewing the threat landscape is to pinpoint the most significant risks to the organization and prioritize protection measures accordingly.

Objectives

Identify key risk themes
Develop a strategic overview of the biggest threats with the potential to impact your mission-critical assets.
Prioritize cybersecurity domains
Prioritize cybersecurity domains according to your threat landscape to ensure efficient resource allocation. Focus on areas that yield the most value.

Inputs

Business landscape
Summary of the business environment in which the company operates and its business model, including customer segments, products and services, sales, distribution and communication channels. Developed as part of “1b. Review internal factors” activity.
Technology landscape
Summary of IT operating model, IT architecture, an overview of key technologies used by the company and critical infrastructure components. Developed as part of “1b. Review internal factors” activity.
Security landscape
An outline of the security landscape featuring the organizational structure, operating model, and the key frameworks in use.
Business and technology objectives
List of business and technology objectives, their prioritization, supporting initiatives and definition of common interests. Developed as part of “1b. Review internal factors” activity.
External factors
List of the market, technology, cyber and regulatory trends affecting your organization and cyber strategy, their impact and cyber implications. Developed as part of “1c. Review external factors” activity.

Choose your approach

The first step in a threat landscape review is choosing a practical risk management approach. By adjusting traditional risk assessment methods, we can perform a broader evaluation, helping to prioritize security areas and guide strategic planning, as detailed in part 1 of this article – “1D. Review threat landscape (1/5)“.

Prepare for assessment

In preparing for a threat landscape assessment, aligning the scope with your cybersecurity strategy and identifying relevant internal and external threat sources is crucial. As part 1 of this article outlines, adequate preparation is the foundation for a robust threat landscape review – “1D. Review threat landscape (1/5)“.

Identify crown jewels

The process of conducting a threat landscape review begins with the identification of your organizational crown jewels. These are assets whose compromise could have a significant impact on your business. The detailed procedure for identifying them is documented in part 2 of this article – “1D. Review threat landscape (2/5)“.

Assess threat sources

A threat source is anything capable of causing harm to your information assets. Understanding the threat sources that could target your organization is vital: a comprehensive list of them, with their probability and strength assessed, is what allows you to prioritize risks. The approach is detailed in Part 3 of this article – “1D. Review threat landscape (3/5)“.

Assess threat events

A threat event is an event or situation, initiated by a threat source, that may lead to undesirable consequences for your information assets. Note that a single threat source can initiate multiple threat events, and a single threat event can be triggered by several different threat sources.

After completing the steps described below, you should have a comprehensive list of threat events that could affect your information assets. This list will assist you in prioritizing your cybersecurity domains.

Create a table for threat events

To manage your threat events, create a table labeled Threat Events. This table should include the following columns to consolidate information about threat events, threat sources, and other attributes for calculating inherent risk ratings:

  • The name of the threat event.
  • A brief description of the threat event.
  • The name of the threat source, identified in the “Identify threat sources” activity (Part 3). Threat sources are mapped to threat events in the “Map threat events to threat sources” activity below.
  • The category of the threat source, also identified in the “Identify threat sources” activity.
  • The origin of the threat source, identified in the “Identify threat sources” activity.
  • The intent of the threat source, identified in the “Assess threat source probability” activity.
  • The threat source probability, determined in the “Assess threat source probability” activity (Part 3).
  • The threat source strength, assessed in the “Assess threat source strength” activity (Part 3).
  • The information security attributes impacted by the threat event, i.e. confidentiality (C), integrity (I) and availability (A).
  • The inherent likelihood of the threat event, determined in the “Assess inherent likelihood” activity.
  • The inherent impact of the threat event, measured in the “Assess inherent impact” activity.
  • The most critical information assets affected by the threat event, identified in the “Map threat events to impacted assets” activity.
  • The inherent risk rating, derived from inherent impact and inherent likelihood in the “Calculate inherent risks” activity.
  • A representative example from your organization or industry illustrating the scale of impact when the threat source successfully initiates the threat event.
  • The information sources used to identify the threat event.

Identify potential threat events

Several standards provide catalogs of threat events:

NIST SP 800-30. Appendix E of NIST SP 800-30 Rev. 1 provides examples of adversarial and non-adversarial threat events with their descriptions. The adversarial threat events are presented following a kill-chain model, from reconnaissance and attack tool creation through delivery, exploitation, achieving results and maintaining presence.

IRAM2. It includes adversarial, accidental, and environmental threats. The catalog incorporates the threat event type, name, and description. For adversarial and accidental threats, it provides initiation requirements concerning their origin and minimum threat strength.

ISO 27005. While Annex C of ISO 27005 provides examples of typical threats, it lacks the detailed analysis necessary for this article.

These sources can serve as a starting point in identifying potential threat events that could impact your organization. Furthermore, you may refer to the earlier reports described in the “Identify information sources” activity. The goal is to identify not only current threats but also emerging threats for which you may need to prepare mitigation strategies.

To identify threat events relevant to your organization, examine your information assets, supporting assets, and technology objectives. The supporting assets will help you identify current applicable threat events, while the technology objectives will highlight future threats, particularly if your organization plans to adopt new or emerging technologies.

Also, consider your business model, industry sector, and the political, economic, regulatory, social, technological, and other environmental factors that influence your organization. These aspects also shape the nature of potential threat events.

Since you conduct this assessment at a strategic level, you might find it helpful to group specific threats and operate in terms of threat categories or domains rather than focusing on detailed techniques.

For each identified threat event, define the information security attribute the threat event can impact, e.g., confidentiality (C), integrity (I), and availability (A). You can store this information in the Impacted column – you can use it later when assessing the business impact of the threat event on your information assets.

You might also find it beneficial to include the name of the information source that helped you identify a specific threat event. References to trusted information sources increase the credibility of your research.

By the end of this activity, you should possess a comprehensive list of threat events relevant to your organization, each with the information security attributes it can impact and the information sources that support it.

ID | Threat Event | Threat Event Description | Impacted | Information Sources
TE001 | Phishing | External attackers can send emails pretending to be from a legitimate source to our employees, to make them reveal their credentials or to introduce malware into our systems, giving the attackers initial access into our organization. | C | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30, IBM - 2022 Cost of a Data Breach Report
TE002 | Ransomware | External attackers can deliver and install malware in our systems to steal our sensitive information or spread ransomware for financial gain. | A | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30, IBM - 2022 Cost of a Data Breach Report
TE003 | Data leakage - accidental | Insiders can leak our confidential data by mistake, by losing data storage devices or by not following information handling guidelines. | C | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, ISACA Risk IT, NIST SP 800-30, IBM - 2022 Cost of a Data Breach Report
TE004 | Data leakage - theft | Insiders can steal our sensitive information for personal gain by exploiting weaknesses in our data protection capabilities, leading to financial losses and loss of competitive advantage. | C | ISACA Risk IT, NIST SP 800-30, IBM - 2022 Cost of a Data Breach Report
TE005 | Vulnerability exploitation | External attackers can exploit vulnerabilities in our applications or supporting systems to obtain unauthorized access to sensitive information. | C, I, A | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30
TE006 | Insufficient vendor oversight | Inadequate selection of, or oversight over, vendors can lead to sharing sensitive information with vendors that do not protect it adequately, leading to data leakage incidents. | C, I, A | ISACA Risk IT, IBM - 2022 Cost of a Data Breach Report
TE007 | Denial of service | External attackers can attempt to make our Internet-facing resources unavailable to our clients, leading to financial and reputational losses. | A | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30
TE008 | Misconfiguration | Improperly configured services, systems or infrastructure can expose sensitive data to unauthorized users, degrade system performance or make systems unavailable. | C, I, A | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30, IBM - 2022 Cost of a Data Breach Report
TE009 | Power failure | Power failures or disruptions in the data center can lead to data loss or unavailability of applications supporting key business processes. | A | ISF IRAM2
TE010 | Ineffective security design | Inadequate planning or ineffective design during the adoption of new technologies can lead to insecure implementations. | C, I, A | ISACA Risk IT
TE011 | Regulatory non-compliance | Overlooking or misinterpreting new laws or regulations affecting cyber security may lead to non-compliance, resulting in fines and financial losses. | C, I, A | ISACA Risk IT
TE012 | Fire | Fire in our facilities can affect the health and safety of our employees, damage facilities and equipment, and disrupt critical processes. | A | ISF IRAM2, NIST SP 800-30

Map threat events to threat sources

The next step is to map each threat event to the threat sources capable of triggering it, as identified in step “4. Determine threat sources”. This step shows which threat sources in your environment could initiate a specific threat event and feeds the evaluation of how likely that is.

However, this step poses a challenge, as numerous threat sources might trigger a single threat event. Similarly, a single threat source could potentially trigger several different threat events. Thus, a many-to-many relationship often exists between threat events and threat sources.

NIST advises mapping all threat sources to the threat events they could trigger, given that the threat probability and threat strength may vary for each pairing. Nevertheless, this approach might overly complicate the assessment, which is unnecessary for a strategic-level evaluation.

For this exercise, you could adopt a more straightforward method. For each threat event in your Threat Events table, identify a single, most relevant threat source in the Threat Sources table that meets the following criteria:

  • Capable of initiating the selected threat event,
  • Has the highest threat source criticality rating,
  • Its origin aligns with the threat event origin. Some threat events, for example, can only be initiated by internal threat sources such as insiders with access to your internal network,
  • Its intent aligns with the type of threat event. For example, a threat source interested in espionage is more likely to initiate events leading to sensitive data theft than events aimed at business disruption,
  • Its strength is adequate to initiate the selected threat event. For instance, an individual hacker will usually lack the capability to run a sustained APT-style campaign against your organization, whereas nation-state actors or organized hacking groups might.

After identifying the relevant threat source, assign it to the Threat Source column in the Threat Events table and copy its Category, Origin, Intent, Probability and Strength from the Threat Sources table into the corresponding Threat Source columns. The Threat Events table is where all the elements of the risk calculation are stored; these threat-related values are used later to assess inherent likelihood.

If no threat source can initiate a threat event, the event may not be relevant to your organization and should be discarded.

If multiple threat sources have the same threat source criticality, select the most relevant source based on the nature of the threat event.

As a result of this activity, you should have a list of threat events, each with additional information about the most relevant threat sources capable of initiating them.

ID | Threat Event | Threat Source | Threat Source Category | Threat Source Origin | Threat Source Probability | Threat Source Strength
TE001 | Phishing | TS001 Hacking group | Adversarial | External | 4 - High | 5 - Very High
TE002 | Ransomware | TS001 Hacking group | Adversarial | External | 4 - High | 5 - Very High
TE003 | Data leakage - accidental | TS006 User | Accidental | Internal | 4 - High | 2 - Low
TE004 | Data leakage - theft | TS004 Privileged insider | Adversarial | Internal | 3 - Medium | 3 - Medium
TE005 | Vulnerability exploitation | TS001 Hacking group | Adversarial | External | 4 - High | 5 - Very High
TE006 | Insufficient vendor oversight | TS006 User | Accidental | Internal | 4 - High | 2 - Low
TE007 | Denial of service | TS001 Hacking group | Adversarial | External | 4 - High | 5 - Very High
TE008 | Misconfiguration | TS010 Privileged user | Accidental | Internal | 2 - Low | 3 - Medium
TE009 | Power failure | TS005 Power supply | Structural | Internal | 2 - Low | 4 - High
TE010 | Ineffective security design | TS006 User | Accidental | Internal | 4 - High | 2 - Low
TE011 | Regulatory non-compliance | TS006 User | Accidental | Internal | 4 - High | 2 - Low
TE012 | Fire | TS012 Fire | Environmental | Internal / External | 1 - Very Low | 5 - Very High

Map threat events to impacted assets

Mapping threat events to impacted assets is crucial in evaluating threat event impact. To establish this mapping, follow the steps below:

Create a Threats-Assets table. Set up a table to store your mapping data. Include these columns:

  • The threat event name from the Threat Events table.
  • The name of the initiating threat source.
  • The strength of the threat source.
  • The name of the primary asset.
  • A list of key supporting assets.
  • The information security attributes impacted by the threat event, i.e. confidentiality (C), integrity (I) and availability (A).
  • The impact in case of a confidentiality breach (Impact - C).
  • The impact in case of an integrity breach (Impact - I).
  • The impact in case of an availability breach (Impact - A).
  • The overall impact rating, based on the impacted information security attributes (Impact - Overall).

Select threat event. Choose a threat event from the Threat Event column in the Threat Events table. Based on this selection, the Threat Source and Threat Source Strength columns can be populated from that table.

Map impacted assets. Considering the threat source, determine which of the crown jewels you identified in step “3. Identify crown jewels” would be of interest to it. Then evaluate the nature of the threat event and assess which types of supporting assets, and consequently which primary assets, it can impact. For instance, web application attacks affect web applications and hence all information assets that rely on them; likewise, ransomware spreading across your network can impact most of your servers and the information assets they support. Map each primary asset the selected threat event can impact in a separate row of the table. Once an asset is selected, populate the Supporting Assets, Impact - C, Impact - I and Impact - A columns; you can automate this with lookup formulas in your worksheet software.

Establish the overall impact. The business impact level of a threat event on a specific asset will depend on the affected information security attribute. Different attributes may sustain varying levels of impact. Review your Impacted column to identify which components could be affected, then select the highest rating from the relevant values in the Impact – C, Impact – I and Impact – A columns. As before, you can also automate this calculation using available formulas.

Repeat the three steps above for each identified threat event.

This mapping will later assist in assessing inherent impact.

Threat Event | Threat Source | Threat Source Strength | Asset | Supporting Assets | Impacted | Impact - C | Impact - I | Impact - A | Impact - Overall
TE001 Phishing | TS001 Hacking group | 5 - Very High | A006 Authentication data | Active Directory, Azure Active Directory, Azure Key Vaults, CyberArk | C | 5 - Very High | 5 - Very High | 5 - Very High | 5 - Very High
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A001 Business strategy | Network shares, Laptops, Storage backups, Data center | A | 4 - High | 4 - High | 2 - Low | 2 - Low
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A002 Sales pipeline | Salesforce (SaaS), Cloud provider, Laptops, Network shares, Storage backups | A | 4 - High | 3 - Medium | 3 - Medium | 3 - Medium
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A003 New service documentation | Network shares, Laptops, Storage backups, Data center | A | 4 - High | 4 - High | 3 - Medium | 3 - Medium
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A004 Client data | Client portal (web), Mobile applications (Android, iOS), API, 60 web servers in AKS cluster, Database as a Service (DBaaS), Cloud service provider, Sales team, Customer service team | A | 5 - Very High | 4 - High | 5 - Very High | 5 - Very High
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A005 Platform code | Web servers (production, test, development), GitHub, CI/CD tools (including code scanning platform) | A | 5 - Very High | 4 - High | 3 - Medium | 3 - Medium
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A001 Business strategy | Network shares, Laptops, Storage backups, Data center | C | 4 - High | 4 - High | 2 - Low | 4 - High
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A002 Sales pipeline | Salesforce (SaaS), Cloud provider, Laptops, Network shares, Storage backups | C | 4 - High | 3 - Medium | 3 - Medium | 4 - High
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A003 New service documentation | Network shares, Laptops, Storage backups, Data center | C | 4 - High | 4 - High | 3 - Medium | 4 - High
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A004 Client data | Client portal (web), Mobile applications (Android, iOS), API, 60 web servers in AKS cluster, Database as a Service (DBaaS), Cloud service provider, Sales team, Customer service team | C | 5 - Very High | 4 - High | 5 - Very High | 5 - Very High
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A005 Platform code | Web servers (production, test, development), GitHub, CI/CD tools (including code scanning platform) | C | 5 - Very High | 4 - High | 3 - Medium | 5 - Very High
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A006 Authentication data | Active Directory, Azure Active Directory, Azure Key Vaults, CyberArk | C | 5 - Very High | 5 - Very High | 5 - Very High | 5 - Very High
TE007 Denial of service | TS001 Hacking group | 5 - Very High | A002 Sales pipeline | Salesforce (SaaS), Cloud provider, Laptops, Network shares, Storage backups | A | 4 - High | 3 - Medium | 3 - Medium | 3 - Medium
TE007 Denial of service | TS001 Hacking group | 5 - Very High | A004 Client data | Client portal (web), Mobile applications (Android, iOS), API, 60 web servers in AKS cluster, Database as a Service (DBaaS), Cloud service provider, Sales team, Customer service team | A | 5 - Very High | 4 - High | 5 - Very High | 5 - Very High
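The threat source selection criteria in “Map threat events to threat sources” and the overall impact rule in “Establish the overall impact” are mechanical enough to script rather than maintain by hand in worksheet formulas. The Python below is an added example, not code from the article or its framework: it applies the five selection criteria to a sample built from the page's own tables, discards an event that no source can initiate, and fills one Threats-Assets row. The intent, initiation lists and minimum strengths on the sample sources and events, and the criticality formula (probability times strength), are assumptions made for this example; this part of the article does not define them.

```python
# Added example (not part of the article): threat source selection and
# overall impact calculation over sample data taken from the page's tables.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Rating scale used throughout the article's tables.
RATING = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


def label(rating: int) -> str:
    """Render a numeric rating in the "4 - High" form used in the tables."""
    return f"{rating} - {RATING[rating]}"


@dataclass(frozen=True)
class ThreatSource:
    id: str
    name: str
    category: str              # Adversarial / Accidental / Structural / Environmental
    origin: str                # "Internal", "External" or "Internal / External"
    intent: str                # e.g. "financial", "espionage"; "none" for non-adversarial
    probability: int           # 1-5, from "Assess threat source probability" (Part 3)
    strength: int              # 1-5, from "Assess threat source strength" (Part 3)
    initiates: FrozenSet[str]  # threat event IDs this source is capable of initiating

    @property
    def criticality(self) -> int:
        # ASSUMPTION: Part 3's criticality formula is not given on this page;
        # probability x strength is used here purely as a stand-in.
        return self.probability * self.strength


@dataclass(frozen=True)
class ThreatEvent:
    id: str
    name: str
    origin: str                # origin an initiating source must have
    intents: FrozenSet[str]    # intents that fit the event ("none" for non-adversarial)
    min_strength: int          # minimum source strength needed to initiate the event
    impacted: FrozenSet[str]   # subset of {"C", "I", "A"}


def origins_match(source: ThreatSource, event: ThreatEvent) -> bool:
    """'Internal / External' on either side matches both origins."""
    s = {o.strip() for o in source.origin.split("/")}
    e = {o.strip() for o in event.origin.split("/")}
    return bool(s & e)


def select_source(event: ThreatEvent, sources: List[ThreatSource]
                  ) -> Tuple[Optional[ThreatSource], List[ThreatSource]]:
    """Apply the five criteria; return (best, tied_alternatives).

    best is None when no source can initiate the event, i.e. the event should be
    discarded. tied_alternatives share the top criticality and must be resolved
    manually from the nature of the event, as the article says.
    """
    candidates = [
        s for s in sources
        if event.id in s.initiates             # capable of initiating the event
        and origins_match(s, event)            # origin aligns with the event
        and s.intent in event.intents          # intent fits the kind of event
        and s.strength >= event.min_strength   # strength adequate for the event
    ]
    if not candidates:
        return None, []
    top = max(s.criticality for s in candidates)
    ties = [s for s in candidates if s.criticality == top]
    return ties[0], ties[1:]


def overall_impact(impacted: FrozenSet[str], impact: Dict[str, int]) -> int:
    """Highest rating among the attributes (C/I/A) the event actually impacts."""
    return max(impact[attr] for attr in impacted)


# Constructed sample data from the page's tables; intent, initiates and
# min_strength values are assumptions for this example.
SOURCES = [
    ThreatSource("TS001", "Hacking group", "Adversarial", "External", "financial", 4, 5,
                 frozenset({"TE001", "TE002", "TE005", "TE007"})),
    ThreatSource("TS004", "Privileged insider", "Adversarial", "Internal", "financial", 3, 3,
                 frozenset({"TE004"})),
    ThreatSource("TS006", "User", "Accidental", "Internal", "none", 4, 2,
                 frozenset({"TE003", "TE006", "TE010", "TE011"})),
    ThreatSource("TS012", "Fire", "Environmental", "Internal / External", "none", 1, 5,
                 frozenset({"TE012"})),
]
EVENTS = {
    "TE001": ThreatEvent("TE001", "Phishing", "External", frozenset({"financial", "espionage"}), 2, frozenset("C")),
    "TE003": ThreatEvent("TE003", "Data leakage - accidental", "Internal", frozenset({"none"}), 1, frozenset("C")),
    "TE004": ThreatEvent("TE004", "Data leakage - theft", "Internal", frozenset({"financial", "espionage"}), 2, frozenset("C")),
    "TE012": ThreatEvent("TE012", "Fire", "Internal / External", frozenset({"none"}), 3, frozenset("A")),
    # Hypothetical event with no capable source in the sample: it gets discarded.
    "TE013": ThreatEvent("TE013", "Espionage campaign", "External", frozenset({"espionage"}), 5, frozenset("CIA")),
}
# Impact - C / I / A ratings for two of the page's crown jewels.
ASSETS = {
    "A001": ("Business strategy", {"C": 4, "I": 4, "A": 2}),
    "A004": ("Client data", {"C": 5, "I": 4, "A": 5}),
}


def threats_assets_row(event_id: str, asset_id: str) -> Optional[Dict[str, str]]:
    """One row of the Threats-Assets table, or None if the event has no initiating source."""
    event = EVENTS[event_id]
    source, _ties = select_source(event, SOURCES)
    if source is None:
        return None
    asset_name, impact = ASSETS[asset_id]
    return {
        "Threat Event": f"{event.id} {event.name}",
        "Threat Source": f"{source.id} {source.name}",
        "Threat Source Strength": label(source.strength),
        "Asset": f"{asset_id} {asset_name}",
        "Impacted": ", ".join(sorted(event.impacted, key="CIA".index)),
        "Impact - Overall": label(overall_impact(event.impacted, impact)),
    }


if __name__ == "__main__":
    for eid, ev in EVENTS.items():
        best, ties = select_source(ev, SOURCES)
        print(eid, "->", best.id if best else "no capable source: discard", f"(ties: {len(ties)})")
    print(threats_assets_row("TE004", "A001"))
```

Running the block prints the selected source per event (TE013 is reported for discarding) and the TE004 / A001 row, whose overall impact comes out as 4 - High because only confidentiality is impacted, matching the page's table. Any event that returns tied alternatives is the case the article leaves to judgement based on the nature of the event.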

Estimate the inherent likelihood

Assessing inherent likelihood means gauging how frequently a specific threat source could initiate a threat event against your organization, irrespective of risk mitigation measures. The estimate draws on the threat source probability and strength, the characteristics of the event, historical data and market reports. The approach is explained in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Estimate the inherent impact

From the likelihood, we shift to “Inherent Impact” – the potential consequences of a successful threat event, without considering mitigation controls. The assessment involves analyzing potential effects on assets and identifying key ones at risk. The procedure is outlined in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Calculate inherent risks

With inherent likelihood and inherent impact in hand, we proceed to calculate inherent risks. Combining likelihood and impact produces a prioritized list of threat events and points to the cybersecurity areas that matter most. The method for this calculation will be described in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Summarize the threat landscape

Effectively summarizing the threat landscape involves outlining the top ten risks in comprehensible language for stakeholders. The approach for creating this summary will be detailed in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Outputs

Threat landscape summary
Summary of prioritized organizational threat landscape presenting key risks, their description, criticality rating and most important attributes.