Use of threat reports in information security risk assessments
In this article I would like to summarise how the run-of-the-mill, template-based risk assessments that organisations so often produce on the fly under compliance pressure can be replaced with assessments that add real value because they consider real threats. The article is not intended to describe risk management methodologies and processes in detail.
Risk assessment – objectives and template trap
PCI DSS, ISO/IEC 2700x, NIST SP 800-53, NIST CSF, NIS2, DORA, and I could go on. These information security standards and regulations differ in origin and scope, but they have one point in common: all of them take a risk-based approach and require an assessment of information security risks. Unfortunately, compliance often reduces to producing documents, and assessments prepared for that purpose alone rarely add value.
Best practices and standards require an information security risk assessment so that the organisation can identify and evaluate the risks it faces and then allocate scarce resources to the risks identified as priorities, protecting itself from their negative effects.
Nowadays there are many risk management standards and frameworks, so every organisation can find a suitable one and tailor it to its needs. The most widely used are ISO/IEC 27005, NIST SP 800-30, FAIR, CRAMM and CIS RAM.
Each of these standards and frameworks comes with its own threat and vulnerability lists, probability and impact scales, and risk level scales. This help can easily become a trap, because assessors tend to focus on these lists alone. Why is that a trap? The current version of ISO/IEC 27005, my preferred standard, was released in 2022; the previous version dates from 2018. Global cyber security trends can change a great deal in four years: just think of the rise of ransomware.
Threat reports and their benefits
Threat reports typically summarise global or regional cyber security trends on the basis of a predefined taxonomy and real incident data, and analyse their elements in detail. Two such reports are the ENISA Threat Landscape (ETL), published by ENISA, the European Union's cyber security agency, and the Data Breach Investigations Report (DBIR), published by Verizon, a US telecommunications company.
The ENISA ETL has been published since 2012 and, given its mandate, focuses primarily on European trends. The Verizon DBIR has been published since 2008 and its scope is global. A particularly useful feature of the DBIR is its breakdown by region (e.g. EMEA, North America) and by sector (e.g. financial, IT, healthcare). The ETL has followed suit over time, and ENISA now also publishes sector-specific landscapes covering, among others, critical infrastructure, transport and healthcare. In compiling the ETL, ENISA relies on its own cyber threat intelligence (CTI) capabilities, but it also uses and cites security researchers, blogs and media articles to support its statements. The DBIR uses the VERIS incident classification and is built on a very large sample of incidents contributed by Verizon's partners and gathered from public incident reports.
In the last couple of years both reports have been complemented by a mapping to the MITRE ATT&CK® framework of adversary tactics and techniques, as well as a mapping to security standards: the ETL maps to ISO/IEC 27001 and the DBIR maps to the relevant CIS Controls and their recommendations. On the defensive side this is a great help, because the reports do not only identify problems in the form of threats; they also give security professionals (high-level) recommendations for addressing them, so practitioners do not have to assemble these subjectively and spend a lot of time putting them together.
I have covered more theory than I intended, so let me turn to the examples. As I wrote at the beginning, it is not the purpose of this article to go into detail on risk management methodologies and processes; I will only highlight the steps in which threat reports can be leveraged.
In the ISO/IEC 27005 process, the identification of relevant threats is part of the Risk identification step. In the same step the assets, their vulnerabilities and the existing controls are identified too.
Among other interesting things, the Verizon DBIR reports the Actions used in incidents and breaches, the Vectors through which attacks arrived, and the Assets targeted. It also analyses the categories of threat actors and their motives. Key findings from the DBIR 2022, as they relate to risk identification:
Top Actions (which caused breaches):
- Use of stolen credentials
- Exploit vulnerabilities
- Privilege abuse
- Backdoor or C2
- Export data
Top Vectors (through which breaches were caused):
- Web application
- Desktop sharing software
- E-mail
- Unknown
- Download by malware
- Direct install
- LAN access
Top Assets (targeted in breaches):
- Server (Web application, Mail, Database)
- Person (Finance, employee)
- User device (Desktop, laptop, mobile phones)
- Media (Documents)
Threat Actors (share of breaches):
- ~80% External
- ~15% Internal
- ~4% Multiple
- ~1% Partner
Threat Actor Motives:
- ~90% Financial
- ~5% Espionage
- ~5% Other
The DBIR results show that, in the risk assessment, the evaluation of the controls applied to the listed assets and attack vectors, and of the recommended controls against the listed actions, deserves the highest priority. From the actor's perspective, organisations must treat external attackers as the primary concern, but they cannot forget the insider threat. The motives of the attackers will surprise no one, as financially driven cybercrime is still on the rise.
In the Risk analysis step of the ISO/IEC 27005 process, the assessor determines the impact of each risk and the probability of its occurrence. For risks associated with the threats that the DBIR lists as top threats, the likelihood of occurrence can be expected to be high.
Many people may think that the contents of the DBIR are already familiar to experts from their own experience or from other sources, or that they appear in some form in the threat and vulnerability lists of the standards referenced above. This may well be true, but one cannot ignore the fact that both the DBIR and the ETL provide access to extensively collected, cross-checked, reliable and usable data that a single expert could hardly produce from his or her own resources. For this reason I consider them rock-solid elements of a risk management methodology.
The main point I want to make is this: if we perform risk assessments only to comply with standards and legislation, or if we confine our assessments to templates and lists (proper organisation-specific control assessments are of course still essential), the result will be too static and template-driven, and it may not reflect real threats and global trends. Identified risks must of course be treated, but if the real risks are never identified and analysed, the consequences will be felt by our own organisation and by our customers.
The threat reports presented here are not time-consuming to study and analyse, and familiarity with them can reasonably be expected of security professionals in an evolving and changing industry.
Verizon DBIR: Link
ENISA ETL: Link