Threat Intelligence
3/24/2017
11:00 AM

Prioritizing Threats: Why Most Companies Get It Wrong

To stay safer, focus on multiple-threat attack chains rather than on individual threats.

We've all seen them — you might even have one open right now: an Excel spreadsheet with reds, greens, and yellows that tell you where your risk is. You probably follow the simple convention of focusing on low-hanging fruit first and then drilling down as hard and as fast as you can on the critical and high items.

Sorry to say this, but you've been doing it wrong. You see, attackers are opportunistic and scrappy, yet we don't seem to work those variables into our sea of reds and yellows. I refer to this as the "single versus multivariable risk assessment problem." We have single rows with risk assigned and work them as if they are singular risks. Attackers, on the other hand, chain risks together. They leverage a low risk on a Web server and a low risk on a database server to get access to high-risk data. Two lows can equal a high? Yes, but your prioritization process doesn't think that way.

What can you do to get a more accurate prioritization list? Focus on multiple-threat attack chains rather than threats alone. Grab a conference room, some coffee, and the leaders of each of your IT areas (network, infrastructure, application) and draw a simple diagram of your network from a 30,000-foot view. Start pretending attacks are successful using the single items from your threat list. For example, assume the low-risk item in your spreadsheet mentioning a threat on your endpoints is exploited. What do attackers have access to in terms of other threats now that the threat has been exploited? For example, can they now exploit the medium-level threat on the file server because all users have birthright permissions that allow them to authenticate to the file server? OK, follow that threat. Now that the attacker is on the file server, what threats can they leverage now?  

As you do this a couple of times and start with various threat entry points, you will start to see patterns emerge — threats that seem to be in every attack chain. That is where you should be prioritizing your work.

Let's look at a real-world example from a client using the scenario above of the endpoint-threat starting point. What came out of the exercise was that the biggest threat repeated across all attack chains was the use of NTLMv1, an old authentication protocol for Microsoft Windows that is prone to many vulnerabilities, which attackers use to perform man-in-the-middle attacks and to brute-force passwords — yet this threat was a low-risk, low-impact item in the client's fancy Excel spreadsheet.

If you really want to provide even more accurate prioritization, at each step of the above process rate how easy the risk is to detect on a scale of 1 to 10 (with 10 being the hardest to detect), and rate its impact on the overall success of the attack on the same 1 to 10 scale. For example, if the medium-risk threat on the file server included access to the corporate intellectual property, and you have no ability to detect who accesses which files, this isn't easy to detect (10) and the severity is high (9 or maybe a 10). The larger the numbers you have, the more likely this attack chain is actually the high-risk attack chain. Putting numbers on each step helps the low-risk, high-impact threats bubble up a bit quicker.
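The exercise described above, as an added Python example (not from the article or its author): it walks every attack chain from each entry point, counts how often each threat recurs across chains, and ranks chains by their detection-difficulty and impact scores. The threat names, reachability edges and scores are constructed, and summing the scores per chain is an assumption; the article only says that larger numbers indicate the higher-risk chain.

```python
from collections import Counter

# Constructed workshop data (not the article's client). "rating" is the
# spreadsheet colour; detect (10 = hardest to detect) and impact are 1-10.
THREATS = {
    "endpoint-phish":   {"rating": "low",    "detect": 4,  "impact": 3},
    "vpn-weak-mfa":     {"rating": "medium", "detect": 5,  "impact": 4},
    "web-info-leak":    {"rating": "low",    "detect": 3,  "impact": 2},
    "ntlmv1-enabled":   {"rating": "low",    "detect": 8,  "impact": 6},
    "fileserver-perms": {"rating": "medium", "detect": 10, "impact": 9},
    "db-default-creds": {"rating": "low",    "detect": 7,  "impact": 9},
}
# "Now that this threat is exploited, which threats can be leveraged next?"
NEXT = {
    "endpoint-phish": ["ntlmv1-enabled"],
    "vpn-weak-mfa":   ["ntlmv1-enabled"],
    "web-info-leak":  ["db-default-creds", "ntlmv1-enabled"],
    "ntlmv1-enabled": ["fileserver-perms", "db-default-creds"],
}
ENTRY_POINTS = ["endpoint-phish", "vpn-weak-mfa", "web-info-leak"]

def attack_chains(start, path=()):
    """Yield every chain from `start` to a step with nothing further to reach."""
    path = path + (start,)
    onward = [t for t in NEXT.get(start, []) if t not in path]  # no loops
    if not onward:
        yield path
    for threat in onward:
        yield from attack_chains(threat, path)

def chain_score(chain):
    """Assumed scoring: sum detection difficulty and impact over every step."""
    return sum(THREATS[t]["detect"] + THREATS[t]["impact"] for t in chain)

def analyze():
    chains = [c for entry in ENTRY_POINTS for c in attack_chains(entry)]
    # Count each threat once per chain it appears in.
    recurrence = Counter(t for c in chains for t in set(c))
    ranked = sorted(chains, key=chain_score, reverse=True)
    return chains, recurrence, ranked

if __name__ == "__main__":
    chains, recurrence, ranked = analyze()
    for threat, n in recurrence.most_common():
        rating = THREATS[threat]["rating"]
        print(f"{threat:18} {rating:7} in {n}/{len(chains)} chains")
    for c in ranked[:3]:
        print(chain_score(c), " -> ".join(c))
```

With this sample data, the threat that recurs in the most chains is one the spreadsheet rates as low, which is the pattern the exercise is meant to surface.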

This process isn't hard. It isn't overly complicated. It doesn't need an actuary to provide a bunch of algorithms to calculate. But it works. It has an official name, failure effect mode analysis, and has some offshoot versions you may have heard of, such as Alex Hutton's RiskFish and the bowtie method. All approaches want you to focus on the process the attackers actually use and to calculate (or at least qualitatively evaluate) the intersection of multiple risks while taking into account your ability to prevent or detect such risks. So stop using those multicolored Excel spreadsheets and instead start documenting multivariable risks in order to better prioritize.


Michael A. Davis has been privileged to help shape and educate the global community on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of ...
Comments
Dr.T,
User Rank: Ninja
3/28/2017 | 8:50:05 PM
good point
"... What can you do to get a more accurate prioritization list? Focus on multiple-threat attack chains rather than threats alone ..."

This is a good point, and this should follow layered security measures being put in place.
Dr.T,
User Rank: Ninja
3/28/2017 | 8:48:10 PM
Good example
"... For example, if the medium-risk threat on the file server included access to the corporate intellectual property, and you have no ability to detect who accesses which files, this isn't easy to detect (10) and the severity is high (9 or maybe a 10). "

Makes sense, and a good example to explain and make the point. We actually use these steps.
Dr.T,
User Rank: Ninja
3/28/2017 | 8:45:47 PM
Re: Holistic data stewardship
"... The holistic viewpoint is much needed among cybersecurity analysts ..."

Good point and hard to achieve; security personnel are mainly working as fire extinguishers, so no time for them to come up with a holistic viewpoint.
Dr.T,
User Rank: Ninja
3/28/2017 | 8:43:42 PM
Re: Holistic data stewardship
"... by attackers going after singular threats at two completely different organizations (Amazon and Apple). ..."

That makes sense, it might be easier for attackers to focus on one thing than trying to achieve many things at once.
Dr.T,
User Rank: Ninja
3/28/2017 | 8:41:51 PM
Risk prioritization
Risk prioritization is difficult, and when it comes to security it is more difficult. Partially it is because we do not really know what the threats are.
Joe Stanganelli,
User Rank: Ninja
3/28/2017 | 7:39:19 PM
Holistic data stewardship
Indeed, this is how Wired reporter Mat Honan had his entire digital life compromised and taken away from him a few years back -- by attackers going after singular threats at two completely different organizations (Amazon and Apple). The holistic viewpoint is much needed among cybersecurity analysts -- and, for that matter, anyone who works on any aspect of data stewardship. Alas, few see it that way.