Using Threat Likelihood to Comprehend and Focus Risk: Taking OT Digital and Cyber Security Posture Assessment to the Next Level

20 Sep 2022

By Ben Reich, Chief Architect, OTORIO

Thus far, this blog series has focused on the components of risk related to organizational security posture. Vulnerability and impact, discussed in my previous posts, are features of the business assets that make up an organization’s digital presence. Posture is therefore a measure of the organization’s resilience, irrespective of external threats. The mathematical complement of posture is business vulnerability, which is calculated from an asset’s impact and its vulnerability (see the previous post). Thus if an asset has a posture score of 0.3, its business vulnerability is 1 - 0.3 = 0.7.

A measure of risk must take into account both internal posture and external threats. Even if an organization maintains a poor security posture and does not defend itself, if no one is interested in attacking it and exploiting its vulnerabilities, then there is no risk of damage.

The threat level to an organization is a quantitative measure based on analyzing all relevant events in the organization’s network. Threat analysis involves diagnosing all possible threats that stem from these events. Even a single event may constitute a threat, or be a sign of other potential ones.

In this post and the next one, I will explain how to calculate threat, and how to utilize it for ongoing risk analysis and digital posture assessments.

Risk and its relationship to threat

Quantifying risk involves arriving at a number that accurately represents the current threat level. This number is then multiplied by the business vulnerability discussed in previous posts. The product of these two factors is the organization’s risk level.

The reason for multiplying these two factors is to apply the theoretical rule that if either vulnerability or threat amounts to zero, then there is no risk. In practice, however, this never happens.

Threat likelihood

Estimating threat begins by maintaining a list of malicious attack scenarios that may materialize in an organization. Examples of such threats include a “ransomware attack” or an “SQL injection attempt”. Note that the likelihood of these attack scenarios does not depend on posture. Whereas the chance of a “successful ransomware attack” depends on the level of vulnerability, our interest lies in assessing the likelihood that an attack is actually happening rather than its chances of success. This separation of threat from posture is at the heart of successfully analyzing risk and providing a high level of explainability for different use cases.

The likelihood that a malicious attack scenario is happening or forthcoming is a predictive activity based on two types of information. The first type is cyber intelligence. This involves ongoing monitoring of threat intelligence advisory databases and corresponding updates to the likelihood of malicious threat scenarios.

For instance, an organization that depends on sector-based Information Sharing and Analysis Centers (ISACs) can analyze the feeds and map incoming advisory information to update the likelihood of malicious attack scenarios.

Another useful source of intelligence for potential attack scenarios is the MITRE ATT&CK® database. The list of techniques and sub-techniques that hackers use should be part of the list of scenarios maintained by every enterprise and updated on an ongoing basis.

More general strategies may also be helpful. Elevating the likelihood of attacks across different types of scenarios based on geopolitical considerations and situational analysis is the equivalent of raising alertness during times of trouble.

The second type of information that is used to estimate likelihood is situational. Continuous monitoring of events is essential to estimate the likelihood that malicious scenarios are unfolding in an organization. This type of monitoring is possible where the network is constantly being watched by a defensive cyber security team.  

Ongoing Use Case - Monitoring for Threat

In the ongoing use case, the enterprise is continuously monitored for malicious activity. As events start to pile up, it becomes much more difficult to examine them for patterns that indicate malicious scenarios.

One such example would be repeated attempts to rename an administrator account. According to MITRE, this may be an indication of the presence of the Whiskey delta-two malware in the network. To avoid pursuing false positives, an enterprise can assume that 10 attempts will trigger this scenario. This means that if 10 attempts are made within a certain period of time, the likelihood that a Whiskey delta-two malware attack has occurred is 100%. It follows that the likelihood of Whiskey delta-two after 6 attempts is calculated as 0.6, and after 8 attempts as 0.8.

This approach floats potential attacks to the top of an organization’s priorities list as they happen. Because this threat is a factor in the risk number of the specific asset impacted by these renaming attempts, the risk level of that asset will increase as the attack unfolds and the likelihood increases, making it possible to react in time.

The table below shows how this scenario unfolds in a network with 5 assets, assuming that renaming attempts are being run on Asset-3, and that all else remains constant. The numbers are calculated risk values for each asset.

Attempts on Asset #3   Asset-1   Asset-2   Asset-3   Asset-4   Asset-5
1                      0.3       0.55      0.4       0.7       0.72
2                      0.3       0.55      0.4       0.7       0.72
3                      0.3       0.55      0.4       0.7       0.72
4                      0.3       0.55      0.47      0.7       0.72
5                      0.3       0.55      0.54      0.7       0.72
6                      0.3       0.55      0.61      0.7       0.72
7                      0.3       0.55      0.68      0.7       0.72
8                      0.3       0.55      0.76      0.7       0.72
9                      0.3       0.55      0.83      0.7       0.72

Until attempt #4 is made, nothing changes in the risk picture. This static behavior represents a stage where the unfolding scenario contributes a risk level of under 0.4, meaning that it is not the highest risk on Asset-3. Attempt #4 creates a risk of 0.47 on Asset-3 making the unfolding scenario the highest risk on the asset. At this point Asset-3 is still only the 4th highest risk asset in the network. After 8 attempts this asset is the highest risk asset in the network making it top priority for investigation and mitigation. 

In this scenario it took 8 renaming attempts to make the Whiskey delta-two threat the most urgent one for the SOC team to focus on under a pure risk-based mitigation approach.
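The monitoring use case above, as an added example that is not part of the original post or OTORIO's product: rename events are counted per host, likelihood is attempts divided by the 10-attempt threshold, an asset's risk is the highest of its scenario risks, and assets are re-ranked after every event. The business-vulnerability values, baseline risks and log format are constructed for illustration and do not reproduce the table's exact figures.

```python
import re
from collections import Counter

# Constructed example, not OTORIO's code. Business vulnerability (1 - posture)
# per asset, and the risk that other, unrelated scenarios already contribute
# to each asset. The post's table values are not reproduced here.
BUSINESS_VULN = {"Asset-1": 0.5, "Asset-2": 0.7, "Asset-3": 0.95, "Asset-4": 0.8, "Asset-5": 0.9}
BASELINE_RISK = {"Asset-1": 0.3, "Asset-2": 0.55, "Asset-3": 0.4, "Asset-4": 0.7, "Asset-5": 0.72}

# Scenario rule from the post: this many rename attempts make the scenario 100% likely.
RENAME_THRESHOLD = 10
# Hypothetical log format for the event feed.
RENAME_RE = re.compile(r"host=(?P<host>\S+) .*event=rename_admin_account")

# Constructed event stream: one unrelated login, then nine rename attempts on Asset-3.
SAMPLE_LOG = ["2022-09-20T10:00:01 host=Asset-2 event=login_ok user=operator"] + [
    f"2022-09-20T10:0{i}:00 host=Asset-3 event=rename_admin_account status=denied"
    for i in range(9)
]

def likelihood(attempts, threshold=RENAME_THRESHOLD):
    """Threat likelihood as the post defines it: attempts/threshold, capped at 1."""
    return min(attempts / threshold, 1.0)

def asset_risk(asset, attempts):
    """Risk = threat likelihood x business vulnerability. An asset's risk is its
    highest scenario risk, so the baseline wins until the rename scenario overtakes it."""
    return max(BASELINE_RISK[asset], likelihood(attempts) * BUSINESS_VULN[asset])

def rank_assets(counts):
    """Assets ordered from highest to lowest risk, given rename attempts seen per asset."""
    risks = {a: asset_risk(a, counts.get(a, 0)) for a in BUSINESS_VULN}
    return sorted(risks.items(), key=lambda kv: kv[1], reverse=True)

def first_attempt_on_top(log_lines, asset):
    """Replay events in order; return the attempt number at which `asset` first
    becomes the highest-risk asset in the network, or None if it never does."""
    counts = Counter()
    for line in log_lines:
        m = RENAME_RE.search(line)
        if not m:
            continue  # unrelated event: does not feed this scenario
        counts[m["host"]] += 1
        if rank_assets(counts)[0][0] == asset:
            return counts[asset]
    return None

if __name__ == "__main__":
    print(first_attempt_on_top(SAMPLE_LOG, "Asset-3"))  # 8 with the values above
```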

Posture Assessment Use Case - Prevention of Attack

A periodic or one-time posture assessment does not involve ongoing threat monitoring. The network is scanned for asset inventory and vulnerabilities. Risk is calculated according to posture. However, the posture assessment model does not exclude threat analysis. A good posture assessment must take potential threats into account to prioritize mitigation. 

Once initial assessment data collection is complete, all network assets can be considered to be at an arbitrary threat level that is constant across the network. This threat picture can be enhanced using intelligence information as discussed above.

The next step is to simulate different threat scenarios on the system. In this manner, the assessor can answer questions such as:

  • Which assets will be most affected by a certain threat scenario?
  • How will a threat scenario affect my network risk level?
  • What are the most dangerous attack vectors for threats?
  • Which assets are vulnerable to a larger number of risk scenarios?
  • Which risk scenario is dangerous to assets with the highest business vulnerability?

Putting posture assessment in the context of potential threats helps to focus the assessor on the assets that are most vulnerable and the risk scenarios with the highest capacity to damage them.
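A what-if simulator for the posture assessment use case, as an added example that is not part of the original post or OTORIO's product: every asset starts at a constant threat level, one scenario at a time is simulated, and the functions answer the five questions listed above. The asset values, the three scenarios and the choice to take the network risk level as the risk of its worst asset are assumptions made for this illustration.

```python
# Constructed example, not OTORIO's code: a what-if simulator for the posture
# assessment use case. Business vulnerability is 1 - posture per asset.
BUSINESS_VULN = {"Asset-1": 0.5, "Asset-2": 0.7, "Asset-3": 0.95, "Asset-4": 0.8, "Asset-5": 0.9}
BASELINE_THREAT = 0.2  # arbitrary constant threat level after initial data collection

# Hypothetical scenarios: the assets each one can reach, and the likelihood the
# assessor assigns to it for the simulation (e.g. raised on an intelligence advisory).
SCENARIOS = {
    "ransomware": {"assets": {"Asset-1", "Asset-2", "Asset-3"}, "likelihood": 0.8},
    "sql_injection": {"assets": {"Asset-2", "Asset-5"}, "likelihood": 0.6},
    "admin_rename": {"assets": {"Asset-3", "Asset-4"}, "likelihood": 0.7},
}

def asset_risks(scenario=None):
    """Risk = threat likelihood x business vulnerability per asset. With a scenario
    simulated, each reachable asset takes the higher of baseline and scenario risk."""
    risks = {a: BASELINE_THREAT * bv for a, bv in BUSINESS_VULN.items()}
    if scenario:
        s = SCENARIOS[scenario]
        for a in s["assets"]:
            risks[a] = max(risks[a], s["likelihood"] * BUSINESS_VULN[a])
    return risks

def network_risk(scenario=None):
    """Assumption: the network risk level is the risk of its worst asset."""
    return max(asset_risks(scenario).values())

def most_affected(scenario):
    """Assets whose risk rises under the scenario, largest increase first."""
    base, sim = asset_risks(), asset_risks(scenario)
    deltas = {a: round(sim[a] - base[a], 3) for a in base if sim[a] > base[a]}
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)

def most_dangerous_scenario():
    """The scenario that pushes network risk highest."""
    return max(SCENARIOS, key=network_risk)

def scenario_exposure():
    """How many scenarios reach each asset."""
    return {a: sum(a in s["assets"] for s in SCENARIOS.values()) for a in BUSINESS_VULN}

def threats_to_most_vulnerable():
    """The asset with the highest business vulnerability and the scenarios that reach it."""
    top = max(BUSINESS_VULN, key=BUSINESS_VULN.get)
    return top, [n for n, s in SCENARIOS.items() if top in s["assets"]]
```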

Bottom Line

Maintaining a list of potential threats is important for posture assessment in addition to ongoing monitoring use cases. It is critical to successfully translate situational data into likelihood of threats in monitoring use cases to achieve accurate risk estimations and prioritize mitigations.

Having an identical risk model for ongoing monitoring as well as posture assessment enables an analyst to perform critical simulations to contextualize business vulnerability and create an effective mitigation plan.

In both scenarios, maintaining a list of malicious threat scenarios involves the following steps:

  • Use industry data-sharing hubs such as ISACs or MITRE to find relevant threats
  • Add customer-specific threats
  • Correlate situational events into threat scenarios 
  • Apply quantitative logic on correlations to update the likelihood of threat scenarios through the capture of real live data or by way of simulation.

As always, automating this process for quantifying threat likelihood is the only way to make sure that threat data is accurate and consistent at scale.