November 29, 2018 • Zane Pokorny
Editor’s Note: Over the next several months, we’re sharing excerpts from our new book, “The Threat Intelligence Handbook.” Here, we’re looking at the sixth chapter, “Threat Intelligence for Risk Analysis.” To read the full chapter, download your free copy of the handbook.
When we talk about something being risky in everyday use, we mean that something bad might happen if things don’t go our way. We stand to lose something precious if we take a risk — some people “risk it all” on a bet, for example.
The International Organization for Standardization (ISO) gives a sharper definition — risk is “the effect of uncertainty on objectives.” Risks are the chances of external factors and circumstances pushing us off course. What the ISO’s definition makes clear is that risks, and therefore risk management, are ultimately a matter of odds. They’re measurable and quantifiable. We just have to know what metrics to focus on, what tools we need to measure those metrics, and how to construct the right narrative to effectively communicate our findings to decision makers.
The problem is, people are generally not great at measuring risk. We have to battle through numerous cognitive biases that can cause us to poorly judge the likelihood of something happening, either by overestimating risks, causing us to act overly cautiously, or by barrelling ahead toward our goals without adequately considering the consequences of our actions. Defeating these impulses requires constructing an effective framework for action and reflection — one that you can follow consistently and improve over time.
The author Ray Bradbury once said that living at risk “is jumping off a cliff and building your wings on the way down.” To fairly represent Bradbury, it should be clarified that he said that within the context of encouraging people to take risks, arguing that you’ll never learn unless you try something and make mistakes along the way — the image of young birds leaping from their nests before knowing how to fly comes to mind. But even within the pretext of “nothing ventured, nothing gained,” one should perhaps not leap off cliffs without at least carrying the materials and blueprints one might need, should one indeed desire to build wings along the way rather than crashing into the ground.
In this chapter from our new book, “The Threat Intelligence Handbook,” we’ll explore the value of using models like the FAIR framework to get those materials and blueprints we need to manage risk well, see the right and wrong ways to gather data about risk, and learn how threat intelligence can provide hard data about attack probabilities and costs.
The following chapter has been edited and condensed for clarity.
Today, there are more than 1,700 vendors in cybersecurity. Most of them define their mission as some version of “making your environment secure.” But how can enterprises set priorities for investing in technology and services, as well as people?
Risk modeling offers a way to objectively assess current risks, and to estimate clear and quantifiable outcomes from investments in cybersecurity. But many cyber risk models today suffer from either:
Non-quantified output is not very actionable, while models based on faulty input result in “garbage in-garbage out” scenarios, whose output appears to be precise but is in fact misleading.
To avoid these problems, enterprises need a well-designed risk model and plenty of valid, current information, including threat intelligence.
The type of equation at the core of any risk model is: likelihood of occurrence × impact.
But clearly God (or the Devil) is in the details. Fortunately, some smart people have developed some very good risk models and methodologies that you can use or adapt to your own needs. One that we like is the Factor Analysis of Information Risk (FAIR) model from the FAIR Institute.
The FAIR framework helps you create a quantitative risk assessment model that contains specific probabilities for loss from specific kinds of threats. The image below shows the framework of this model.
The FAIR framework (and others like it) enables you to create risk models that:
When measurements, formulas, assumptions, variables, and outcomes are made transparent, they can be discussed, defended, and changed. Because much of the FAIR model is defined in business and financial terms, executives, line of business managers, and other stakeholders can learn to speak the same language and to classify assets, threats, and vulnerabilities in the same way.
Try to incorporate specific probabilities about future losses into your risk model whenever possible. Specific probabilities enable risk managers and senior executives to discuss the model and how it can be improved, after which they have more confidence in the model and the recommendations that come out of it.
In the table below, two pairs of statements sit next to each other. In each pair, which statement is more useful?
| Qualitative statement | Quantitative statement |
|---|---|
| “The threat from distributed denial of service (DDoS) attacks to our business has been changed from high to medium (red to yellow).” | “There is a 20 percent probability that our business will incur a loss of over $300,000 in the next 12 months because a distributed denial of service (DDoS) attack will disrupt the availability of our customer-facing websites.” |
| “The threat of ransomware to our business has changed from low to medium (green to yellow).” | “There is a 10 percent probability that our business will incur a loss of $150,000 in the next 12 months due to ransomware.” |
As shown in the left side of the FAIR framework in the image above, a big part of creating a threat model involves estimating the probability of successful attacks (or “loss event frequency,” in the language of the FAIR framework).
The first step is to create a list of threat categories that might affect the business. This list typically includes malware, phishing attacks, exploit kits, zero-day attacks, web application exploits, DDoS attacks, ransomware, and many other threats.
The next step is much more difficult: to estimate probabilities that the attacks will happen, and that they will succeed (e.g., the odds that the enterprise contains vulnerabilities related to the attacks and existing controls are not sufficient to stop them).
Try to avoid the following scenario: A GRC (governance, risk, and compliance) team member asks a security analyst, “What is the likelihood of our facing this particular attack?” The security analyst (who really can’t win) thinks for 30 seconds about past experience and current security controls and makes a wild guess: “I don’t know, maybe 20 percent.”
To avoid appearing clueless, your security team needs answers that are better informed than that one. Threat intelligence can help by answering questions such as:
Analysts still need to know a great deal about the enterprise and its security defenses, but threat intelligence enriches their knowledge of attacks, the actors behind them, and their targets. It also provides hard data on the prevalence of the attacks.
The other major component of the formulas in our model is the probable cost of successful attacks. Most of the data for estimating cost is likely to come from inside the enterprise. However, threat intelligence can provide useful reference points on topics like:
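As an added example (not code from the handbook or from the FAIR Institute), here is a small Python sketch that joins the two components discussed above: loss event frequency built from attack frequency and success probability, and the probable cost of a successful attack, combined into an annualized loss expectancy and into the kind of quantified statement shown in the table. All scenario values are constructed, and treating loss events as a Poisson process is an assumption of this sketch, not part of the FAIR model itself.

```python
import math
from dataclasses import dataclass

@dataclass
class ThreatScenario:
    """One threat category in a FAIR-style model (all values here are constructed)."""
    name: str
    threat_event_frequency: float  # expected attack attempts per year; threat intel informs this
    p_success: float               # probability an attempt defeats current controls
    loss_per_event: float          # probable cost of one successful attack, USD

    def loss_event_frequency(self) -> float:
        # FAIR's left branch: attacks that happen AND succeed, per year
        return self.threat_event_frequency * self.p_success

    def annualized_loss_expectancy(self) -> float:
        # "likelihood of occurrence x impact", expressed as expected USD loss per year
        return self.loss_event_frequency() * self.loss_per_event

    def p_loss_exceeds(self, threshold: float, months: int = 12) -> float:
        # Assumption: loss events follow a Poisson process with rate LEF. Total loss exceeds
        # the threshold only when more than threshold / loss_per_event events occur, so the
        # answer is 1 minus the Poisson probability of at most that many events.
        lam = self.loss_event_frequency() * months / 12
        max_ok_events = math.floor(threshold / self.loss_per_event)
        p_at_most = sum(math.exp(-lam) * lam ** n / math.factorial(n)
                        for n in range(max_ok_events + 1))
        return 1.0 - p_at_most

def quantified_statement(s: ThreatScenario, threshold: float) -> str:
    # The form of the table's right-hand column: a probability, a loss amount, a time window
    pct = round(100 * s.p_loss_exceeds(threshold))
    return (f"{pct} percent probability of a loss of over ${threshold:,.0f} "
            f"in the next 12 months due to {s.name}")

def rank_by_ale(scenarios):
    # Highest expected annual loss first: the order in which to argue for investment
    return [s.name for s in sorted(scenarios, reverse=True,
                                   key=ThreatScenario.annualized_loss_expectancy)]

# Constructed inputs: 4 DDoS attempts/year, 5% succeed; 5 ransomware attempts/year, 2% succeed
DDOS = ThreatScenario("DDoS attack", 4.0, 0.05, 350_000.0)
RANSOMWARE = ThreatScenario("ransomware", 5.0, 0.02, 150_000.0)
SCENARIOS = [DDOS, RANSOMWARE]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: LEF={s.loss_event_frequency():.2f}/yr, ALE=${s.annualized_loss_expectancy():,.0f}")
    print(quantified_statement(DDOS, 300_000))  # 18 percent probability of a loss of over $300,000 ...
    print(rank_by_ale(SCENARIOS))
```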
This chapter is just one of many in our new book that provides helpful explanations of the different ways threat intelligence can be applied to your security program. Other chapters look at different use cases for threat intelligence, like how it can benefit vulnerability management, incident response, security leadership, and more.
And as far as this chapter goes, you’ll find more content in the book as well, including more charts and figures, like a timeline showing trends in the proliferation of malware families. Get your free copy of “The Threat Intelligence Handbook” now.