How to Track Cyber Risk With the Threat Category Risk Framework
June 18, 2020 • The Recorded Future Team
Ideally, organizations would make every cybersecurity decision based on an objective risk assessment.
Unfortunately, this often isn’t possible.
Cyber risk is notoriously difficult to measure. This leaves many organizations in the unhappy position of making “educated guesses” about which threats are most significant.
Recently, we wrote about the Threat Category Risk (TCR) framework — a practical, quantitative cyber risk framework designed to help security teams estimate the likelihood and cost associated with different threats.
In that blog post, we explained how to apply the TCR framework to your organization’s cybersecurity program. In this blog post, we’ll focus on how to ensure your organization’s risk model stays up to date.
Threat Models Are Surprisingly Stable
The TCR framework helps security teams build a cyber risk model specific to their organization. For such a model to be useful, it must remain up to date by reflecting changes in the threat landscape.
It’s easy to assume the estimates used in your TCR model will need to be updated regularly. Cyberattacks are a constant threat, and a typical organization is hit with a barrage of new threats every day.
However, while these attacks are “new” in the sense that they may use novel command-and-control (C2) infrastructure, or a slightly modified version of a common malware package, few are truly innovative. Standard security controls and processes should still catch them, so these threats don’t have a significant impact on real-world cyber risk.
The reason for this is simple. Most threat actors lack the skill to develop entirely new and innovative threat vectors. Rather than developing their own threats, they make minor alterations to existing attack tools. Skilled and innovative threat actors are out there — but they are a tiny proportion of the active threat actor pool.
When to Update Your Model
With all that said, there will be times when updating the estimates in your TCR model is essential. The easiest way to think about this is that you should update the model whenever a “relevant threat delta” (RTD) — something that changes your cyber risk landscape enough to make your current TCR model inaccurate — occurs.
RTDs are caused by:
- Threats that are completely new or sufficiently altered to bypass existing controls
- Changes to your business or technology infrastructure that introduce the possibility of being targeted by threats that aren’t considered by the current risk model
It’s vital that your team has a process in place to identify RTDs when they occur, and update your TCR model accordingly. Of course, no matter how strong your process, there is always a time gap between a new threat being discovered and an organization’s (or vendor’s) improvements to existing security controls.
While this can’t be avoided, rapidly updating your TCR model will ensure your organization is aware of the risk it faces. Organizations that don’t make rapid adjustments when an RTD occurs are much more likely to experience a higher-than-expected financial loss.
In a typical year, RTD events are infrequent. Unless there are specific RTDs that require an immediate update of your model, updating quarterly, bi-annually, or even annually should be sufficient.
How Threat Intelligence Informs Risk-Based Security
If RTDs are so important that they demand an update to your TCR model — which, let’s not forget, is the driving force behind your entire security program — several obvious questions arise:
- How can you identify RTDs quickly when they occur?
- How do you tell the difference between an RTD and a threat delta that is minor or irrelevant to your organization?
- How should you adjust your risk estimates when an RTD is identified?
- How can you identify the best ways to improve your security program or controls to minimize the increase in cyber risk caused by an RTD?
The answer to these questions is simple: threat intelligence — strategic threat intelligence, in particular.
Threat intelligence provides your security team with visibility of your threat landscape, including real-time information about the latest threats, adversaries, and tactics, techniques, and procedures (TTPs). When a genuine RTD occurs, threat intelligence will help your team identify it quickly — often before any major attack campaigns are launched.
This has two major benefits:
- By acting on RTDs before an attack occurs, you can drastically reduce the level of cyber risk your organization is exposed to.
- Comparing current TTPs against your organization’s existing security controls will help you determine which threats are relevant to your organization, how they could affect your risk profile, and which countermeasures are appropriate.
Keeping Your TCR Model Current
When you have a threat intelligence capability that reliably helps you identify RTDs, the steps for updating your TCR model become very simple:
- Use threat intelligence to identify relevant threat deltas (RTDs).
- Based on your analysis of each RTD, update the relevant probabilities and cost estimates within your model.
- Rerun your Monte Carlo simulations with the new probabilities and estimates.
- Based on the outcomes of the simulations, make decisions about the level of risk that is acceptable and — if necessary — identify appropriate changes to your security program and controls.
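The update loop above, steps two through four, can be exercised end to end with a small simulation. The following Python is an added example, not code from Recorded Future or from the TCR framework itself: it assumes each threat category carries an annual likelihood estimate and a minimum / most likely / maximum cost per event (modelled here with a triangular distribution), runs a Monte Carlo simulation over many simulated years, then applies a constructed RTD (a ransomware likelihood revised upward after intelligence shows a technique that bypasses current controls) and reruns the simulation so the two loss distributions can be compared. The category names and dollar figures are invented for illustration.

```python
"""Monte Carlo loss simulation for a TCR-style risk model (added example).

Each threat category carries two estimates: the annual probability that it
produces a loss event, and a cost range (minimum, most likely, maximum) per
event. Simulating many "years" turns those estimates into a distribution of
annual loss, which is what the model update steps rerun after an RTD.

The data structures and the triangular cost distribution are assumptions
made for this example, not the framework's own specification.
"""
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ThreatCategory:
    name: str
    annual_probability: float   # P(at least one loss event in a year)
    cost_min: float             # per-event cost estimates, in dollars
    cost_likely: float
    cost_max: float

    def __post_init__(self):
        # Reject estimates that cannot be sampled sensibly.
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if not self.cost_min <= self.cost_likely <= self.cost_max:
            raise ValueError(f"{self.name}: costs must satisfy min <= likely <= max")


def simulate_annual_loss(categories, years=20_000, seed=0):
    """Return one simulated total loss per simulated year (seeded, so repeatable)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for cat in categories:
            # Bernoulli trial: does this category produce a loss event this year?
            if rng.random() < cat.annual_probability:
                total += rng.triangular(cat.cost_min, cat.cost_max, cat.cost_likely)
        losses.append(total)
    return losses


def summarize(losses):
    """Expected annual loss, a 95th-percentile 'bad year', and P(any loss)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(0.95 * len(ordered)))
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p95_annual_loss": ordered[idx],
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def apply_rtd(categories, name, **new_estimates):
    """Return a new category list with one category's estimates revised after a
    relevant threat delta; the original list is left untouched for comparison."""
    if not any(c.name == name for c in categories):
        raise KeyError(name)
    # dataclasses.replace re-runs validation on the revised category.
    return [replace(c, **new_estimates) if c.name == name else c for c in categories]


# Constructed baseline model: invented categories and dollar estimates.
BASELINE = [
    ThreatCategory("ransomware", 0.10, 200_000, 800_000, 3_000_000),
    ThreatCategory("business_email_compromise", 0.25, 20_000, 90_000, 400_000),
    ThreatCategory("web_app_breach", 0.05, 100_000, 500_000, 2_500_000),
]


if __name__ == "__main__":
    before = summarize(simulate_annual_loss(BASELINE))
    # Constructed RTD: intelligence shows a ransomware technique that bypasses
    # the current control set, so only the likelihood estimate is revised.
    revised = apply_rtd(BASELINE, "ransomware", annual_probability=0.25)
    after = summarize(simulate_annual_loss(revised))
    for label, s in (("before RTD", before), ("after RTD", after)):
        print(f"{label:>10}: EAL ${s['expected_annual_loss']:,.0f}  "
              f"P95 ${s['p95_annual_loss']:,.0f}  P(loss) {s['prob_any_loss']:.2f}")
```

Running it prints the expected annual loss, the 95th-percentile year and the probability of any loss before and after the RTD; the gap between the two summaries is the quantity a risk owner weighs when deciding whether the new exposure is acceptable or whether a control change is warranted. Keeping `apply_rtd` non-destructive matters in practice: the baseline estimates stay in the model so the change can be reviewed and, if the threat intelligence is later revised, reverted.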
If you follow these steps consistently, your TCR model will continue to provide an accurate risk assessment of different cyber threats. More importantly, you’ll have the information you need to make genuine business decisions about how to structure and run your cybersecurity function.
Moving Toward Risk-Based Cybersecurity
Historically, cyber risk measurement has been sporadic for many organizations. However, with the right tools and processes, any organization can make more informed cybersecurity decisions.
In “The Risk Business: What CISOs Need to Know About Risk-Based Cybersecurity,” a new book for cybersecurity leaders, Recorded Future’s Levi Gundert draws from his extensive career in cybersecurity risk management across the public and private sectors to share:
- A detailed explanation of risk-based cybersecurity, and why it is critical for business profitability.
- How any organization can accurately estimate (and act on) real-world cyber risk.
- Why most frameworks used to assess cybersecurity aren’t risk-based, and what to use instead.
- How to use threat intelligence to more accurately calculate cyber risk and make better cybersecurity decisions.
- Why people are more important than technology for controlling cyber risk — and how to hire and keep the best talent for your threat intelligence roles.
Download your free copy of “The Risk Business” today.