Threat Analysis

Threats, both threat actors and threat scenarios, are people, groups, and events exploiting weaknesses in an organization’s information systems, to carry out harmful acts. These acts target the confidentiality, integrity, and availability of digital assets. Figure 6-2 shows the three pillars of information or cybersecurity, sometimes referred to as the information security triad.

Cybersecurity attacks are targeted against one or more of the pillars shown in Figure 6-2. Attacks such as the Equifax breach target confidentiality of data. Data is viewed by unauthorized individuals, whether it remains at the entity or is removed. Attacks against data integrity result when a threat actor changes data without the data owners detecting these changes. Even when a breach is detected, these attacks are still problematic, because knowing what data changed is not always an easy task. Business operations are anchored in accurate data, so when integrity is compromised, business performance is impacted. Availability attacks include denial-of-service attacks designed to crash servers and other network devices. When networks are rendered unavailable, revenue and contractual obligations might be at risk. Ransomware is another type of availability attack. These are common and are reported in the news several times a year. These attempts succeed when attackers successfully exploit end users who inadvertently launch malware designed to encrypt databases and other important repositories. Attackers expect victim entities to pay ransom to get the data unlocked. If the ransom is not paid, attackers threaten to destroy the data. It is important to know that backups with integrity exist and are ready for restoration purposes; otherwise, target organizations have limited options.

The last example of availability threats is included in business continuity and disaster recovery plans. Events such as floods, earthquakes, and terrorist attacks cause disruptions in business operations and force recovery of IT operations to backup sites.

Threat actors and scenarios cause incidents ranging in classification from nuisance to detrimental. In severe cases, threats cause the loss of significant revenue over a period of years.

How Vulnerabilities Become Risks

Vulnerabilities represent weaknesses in information systems. Threat actors seek to uncover and exploit these in a successful attack. Weak passwords, default accounts with default passwords, and unpatched systems are examples of vulnerabilities commonly exploited. For a risk to be present, a threat and a vulnerability must exist. Vulnerabilities that no threat actor or scenario would exploit are not a cybersecurity risk. Take a Windows 2003 server as an example. Support for this operating system ended some time ago. If it were accessible via the Internet, a risk exists. Possibly a very significant risk, depending on the assets at risk. If it were accessible on the local area network (LAN), a risk exists, but possibly a less significant one, based on the likelihood of an exploit. If this server is stored in a locked closet, with data not deemed valuable to the entity, and is not on the network, then, despite all the unpatched flaws in the operating system, no risk exists. Many confuse vulnerability scans with identifying risks. These “tools” place high and critical ratings on vulnerabilities found during scans, but these should not be thought of as risk ratings. A list generated by a Tenable or Qualys scan does not represent a list of risks, rather, a list of issues with context regarding the exploitability of the finding. Threat and impact context is required to measure the cybersecurity risk. Figure 6-3 shows this relationship.

Once these relationships are identified and established, the seriousness of each risk is measured.

Measuring Risk Severity

Risk is measured using two parameters: likelihood the risk will be exploited and impact to the entity if exploited. Each has its own considerations for measurement.

Impact

Impact measures damage done to the entity if a vulnerability is successfully exploited. An exploit granting an attacker root access to a Linux system or a system administrator (SA) access to an SQL database are high-impact exploits. This access gives a threat actor the ability to do anything he or she chooses to the system and its data. Understanding impact is a function of several factors.

• The data the system processes

• The privileges exposed via the exploit

• Ability to detect the exploit or attacker’s movements afterward

• Proximity to mission-critical data

The first three are self-explanatory. If the exploit in question exists at a health system, systems processing patient information are high-impact environments. Administrator accounts are high impact if attackers get access to them. Another consideration related to impact is detection. If an attacker gains access, allowing him or her to run PowerShell commands, for example, and detection tools are not present to detect its use, a high-impact situation might exist. The last item—proximity to mission critical data—considers where in the Cyber Attack Life Cycle the exploit landed the attacker. Does the attacker need only to find one more weakness to breach the target data? These characteristics are considered when assessing impact. Impact is also measured many times using a one-to-five scale, with five indicating the highest impact. Figure 6-4 shows a heat map, an example using the one-to-five scale for likelihood and impact ratings.

Using the heat map, a risk with very high impact and very high likelihood is considered very high. Risks with very low ratings in both categories are considered very low. Every other combination of likelihood and impacts falls somewhere in between.

Review the Risk Assessment

Once the risk assessment is complete, the blueprint for planning and anticipating how a breach could occur is visually displayed. In Figure 6-5, an abbreviated example of a risk register produced during the assessment displays one high, medium, and low risk.

The high risk documented during the assessment states that employees are susceptible to phishing attacks. One way to reduce the risk level is to identify a cybersecurity control. To combat vulnerable end users being targeted by phishing attacks, a training and awareness control identified in the NIST CSF would be aligned to this risk. The amount of risk reduction, if any, depends on the maturity of the control process. Immature controls tend to operate ineffectively, and, therefore, fail to reduce the amount of risk. During incident response planning, the team would focus on preparing for attacks launched via e-mails directed at employees. Playbooks outlining necessary actions to combat phishing campaigns, malware, and ransomware attacks are key focus areas for practice sessions.

The medium risk illustrates vulnerabilities nation-states and cybercriminals can exploit in web applications. This one allows access to an entity’s environment. The incident response team should plan for successful attacks against web servers and understand the relevant playbooks to contain an attack of this type.

The low risk shows that the entity does an effective job maintaining an inventory of hardware and software assets. The incident response team does not have to spend as much time planning for responses due to lost assets.

These three examples illustrate how the incident response team can think through scenarios in which events, incidents, and breaches initiate: critical and high risks first, then moderate as necessary, and, finally, low risks. It is probable that low risks are not part of the scenario planning and that only certain moderate/medium risks, depending on overlap with critical and high risks, are, for example, the medium risk owing to misconfigured web applications being exploited. If a high risk existed because out-of-date code libraries were in use, the configuration risk might be redundant and not necessary for incident planning purposes. The items on the risk register must be evaluated individually but should be considered where common attack vectors are present.

Breaking Down the Life Cycle

The attack life cycle can be thought of as having three phases. The first begins with initial recon and ends once a foothold is established inside the targeted network. The second is an iterative process of escalating privileges, conducting internal reconnaissance, moving laterally, and maintaining persistence. The last phase is finishing the job.

How This Helps

Targeting End Users

Phishing attacks are used either to gain entry and establish a foothold for the attacker or to unleash ransomware. Beginning with the attack on Anthem, 2015 became a year of large breaches, owing to phishing attacks. These attacks targeted healthcare entities and captured many headlines. Anthem’s attack began with a well-crafted spear phishing attack aimed at an individual with elevated credentials. The e-mail setting off the chain of events led the target to a malicious domain.

Targeting Web Applications

The Equifax breach reminded everyone how important basic configuration management and security of web applications is to entities. Equifax faced intense criticism because its breach began when a vulnerability did not get patched.

OWASP Top Ten

The Open Web Application Security Project (OWASP)¹ was established to develop and maintain secure applications. Every other year, the group publishes a top-ten list of security risks related to web applications. Figure 6-7 shows the version published in 2017.

• A1: Injection: Common in SQL, NoSQL, and other platforms, this flaw allows for the execution of commands by these platforms causing data exposure to the attacker.

• A2: Broken Authentication: Insecure configurations of authentication mechanisms and session management lead to attackers capturing session tokens or passwords. Attackers can impersonate individuals using these credentials.

• A3: Sensitive Data Exposure: Web applications and APIs expose sensitive data when moving from web servers to the browser, if traveling in the clear.

• A4: XML External Entities: These attacks target XML-based web services by uploading or include hostile code in an XML document.

• A5: Broken Access Control: This issue occurs when entities do not configure authorizations for users correctly. Authenticated users who are not configured correctly allow users to interact with data not intended by the data owners.

• A6: Security Misconfiguration: There are many ways application misconfiguration can occur, making this a very common risk. The misconfigurations result from unchanged default settings to configuration changes not fully vetted for security issues.

• A7: Cross-Site Scripting (XSS): Missing validation checks allow user input to update or end up in web pages.

• A8: Insecure Deserialization: Often difficult to execute, because available exploits require customization, these attacks occur when attackers substitute malicious data and rebuild it into a malicious object.

• A9: Using Components with Known Vulnerabilities: Libraries, frameworks, and modules with vulnerabilities are easily exploited. Entities not consistently testing for and remediating these vulnerabilities leave themselves exposed to exploits available in the wild.

• A10: Insufficient Logging and Monitoring: If web applications are not monitored for exploitation of vulnerabilities, attackers can use these to establish a foothold and pivot to other parts of the network.

These risk items are not unusually sophisticated. Threat actors know how to find these issues and exploit them without too much effort. If not already completed, it is important for the entity to test web applications for the presence of these issues. If any exist, the incident response team must plan for and anticipate cybersecurity events related to these events. How is this accomplished? By focusing detective capabilities and resources on these risks, if remediation is not possible or the team believes recurrence is possible. Regarding response playbooks, these would focus on compromised credentials, data theft, malware/ransomware outbreaks, or denial of service, depending on the exploit.