Recover
Assets and operations affected by a cybersecurity incident are restored
Tangible Assets
Are physical in nature
Most important CIS Security Controls
Hardware and software asset inventory
Event
Any observable occurrence involving computing assets
Adverse Event
Any event associated with a negative consequence
Computer Security/Cybersecurity Incident
Actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system
Breach
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information
Threat Event
An event or situation that has the potential for causing undesired consequences or impact
Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself
CVE Mission
Identify, Define, Catalog publicly disclosed cybersecurity vulnerabilities
CVE Record
One CVE Record for each vulnerability
NVD Purpose
U.S. government repository of vulnerability management data
Supplemental
Metrics (a CVSS v4.0 group) that do not modify the final score and are used as additional insight into the characteristics of a vulnerability
Known exploited vulnerabilities
Vulnerabilities with evidence of active exploitation in the wild (the entries that make up CISA's KEV catalog)
Common Weakness Enumeration (CWE)
A taxonomy for identifying the common sources of software flaws (e.g., buffer overflows, failure to check input data)
Risk Assessment
The process of identifying risks to organizational operations, organizational assets, individuals, other organizations, and the nation resulting from the operation of a system
Financially motivated actors
Cyber campaigns or groups directed by a criminal organization with the motivations of financial gain
Influence operations
Information campaigns communicated online or offline in a manipulative fashion to shift perceptions, behaviors, or decisions of the target audience to further a group's or nation's interests
Advanced Persistent Threat (APT)
Well-resourced and engage in sophisticated malicious cyber activity that is targeted and aimed at prolonged network/system intrusion
Ransomware as a Service (RaaS)
Ransomware is sold or leased to another organization
Affiliates
Has access to one or more ransomware families and conducts the attack
Adversary
A person or group that conducts or has the intent to conduct detrimental activities
CTI Purpose
Provides context for decision making; Helps SOC/IR teams move from reactive to proactive defense
Compromise
The reduction or eradication of trust of an endpoint, network, environment, identity, application, service, secret, or data due to intentional malicious activity
Indicator of compromise
Anomalous data or behavior suggesting a potential or observed compromise from a cybersecurity attack or intrusion
Campaign
Any grouping of intrusion activity conducted over a specific period of time with common targets and objectives
Atomic
The smallest unit: IP, email, hostname, etc
Behavioral
Patterns of adversary actions: tactics, techniques, procedures, actor preferences
Govern
The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored
Identify
The organization's current cybersecurity risks are understood
Protect
Safeguards to manage the organization's cybersecurity risks are used
Detect
Possible cybersecurity attacks and compromises are found and analyzed
Respond
Actions regarding a detected cybersecurity incident are taken
Asset
Anything that has value to an organization or enables it to achieve its business processes
Intangible Assets
Are not physical in nature and include mission and business processes, functions, digital information and data, firmware, software, and services
High Value Asset
Information or an information system that is so critical to the organization that the loss would have serious impact
Incident Response
The remediation or mitigation of violations of security policies and recommended practices
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event. Risk is a function of impact and likelihood (commonly expressed as Likelihood × Impact)
Risk Management
The program and supporting processes to manage risk
Impact
The effect on an organization's operations
Likelihood
A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.
Threat
Any circumstance or event with potential to adversely impact the organization
Threat Source/agent
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability
Threat Outcome
The effect a threat action upon a vulnerability has on the confidentiality, integrity, or availability of the organization's operations, assets, or individuals
Predisposing conditions
Properties of the organization, mission or business process, architecture, or information systems that contribute to the likelihood of a threat event
Vulnerability
A weakness in a system which an actor or event may intentionally exploit or accidentally trigger to access, modify, or disrupt the normal operations of the system, resulting in a security incident or a violation of the system's security policy
Common Vulnerabilities and Exposures (CVE)
Managed by MITRE Corporation
CVE Numbering Authorities (CNAs)
Organizations authorized to assign CVE IDs and publish CVE Records, e.g., CISA, MITRE, Adobe, Apache
National Vulnerability Database (NVD)
Managed by NIST
NVD Contents
Including: Security checklist references, Security related software flaws, Misconfigurations, Product names, and Impact metrics
Common Vulnerability Scoring System (CVSS)
Managed by FIRST (FIRST.org)
CVSS Purpose
Communicates the characteristics and severity of software vulnerabilities
Scored 0-10
A measure of severity, not of risk (it carries no information about the asset's value or exposure in a given environment)
CVSS's 4 metric groups
Base, Threat, Environmental, and Supplemental (CVSS v4.0)
Base
Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments
Environmental
Represents the characteristics of a vulnerability that are unique to the user's environment
Attack Vector
The CVSS base metric describing how the vulnerability is reached; its values are Network, Adjacent, Local, and Physical
Known Exploited Vulnerabilities Catalog (KEV)
Managed by CISA
Weaknesses
Poor coding practices, as exemplified by CWEs
Risk Response
Accepting, Avoiding, Mitigating, Sharing, or transferring risk to agency operations, agency assets, individuals, other organizations, or the nation
Risk Mitigation
Prioritizing, evaluating, and implementing the appropriate risk reducing controls/countermeasures recommended from the risk management process
Cyber Threat
Six tiers (I-VI) of increasing attacker sophistication, grouped into three classes
Tiers I-II
Exploits pre-existing known vulnerabilities
Tiers III-IV
Discovers unknown vulnerabilities
Tiers V-VI
Creates vulnerabilities using the full spectrum of capabilities (e.g., supply chain and hardware insertion)
Nation State Actors
Cyber operations acting on behalf or directed by a nation or state aligned program
Private sector offensive Actors (PSOAs)
Cyber activity led by commercial actors that are known legitimate legal entities
Groups in development
A temporary designation given to an unknown, emerging, or developing threat activity
APT Goals
Cyber espionage, including theft of intellectual property or state secrets, eCrime for financial gain, Hacktivism, Destruction
Stages of APT Attack
Infiltration, Escalation and lateral movement, Exfiltration
Nation State
A group of people who share the same language, history, and traditions and live in a specific area. They have their own government and are considered a sovereign state.
Gangs/Operators
Develops and maintains tools, sold to affiliates
Initial Access Brokers
Infect systems with malware or enroll them in a botnet and sell the resulting footholds as "loads"; the access is sold to affiliates
Attacker
A party, including an insider, who acts with malicious intent to compromise a system
Threat Actor (TA)
An individual or group posing a threat
MITRE ATT&CK Enterprise
14 tactics represent the 'why' of a technique
Cyber Threat Intelligence (CTI)
Cyber threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes
CTI Types
Strategic, Operational, Tactical
CIS Critical Security Controls
18 controls
Continuous monitoring
Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events
Intrusion
An adversary gains unauthorized access to an endpoint, network, environment, application, or service
Anomaly
Condition that deviates from expectations based on requirements specifications, design documents, user documents, or standards, or from someone's perceptions or experiences
Indicator of Attack (IOA)
Intent of an adversary's actions suggested by anomalous data or behaviors
IOC Types
Atomic, Computed, and Behavioral
Computed
Derived from data involved in an incident rather than observed directly, e.g., a file hash or a regular expression; behavioral IOCs are built by combining atomic and computed ones
Threat Hunting
The proactive search for undetected suspicious and malicious activity in an environment
Telemetry
Artifacts derived from security capabilities that provide visibility into security posture. Timestamps are conventionally recorded in ISO 8601 format: YYYY-MM-DDTHH:MM:SS.mmm[Z|±hh:mm]
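The three IOC types (Atomic, Computed, Behavioral, defined earlier in this set and again under "IOC Types") and the ISO 8601 telemetry convention come together when indicators are actually matched against logs. The script below is an added example, not part of this flashcard set: it matches atomic indicators (an IP and a domain), computed indicators (a SHA-256 and a URI regex), and one behavioral pattern (a process launched from a Downloads folder followed within five minutes by a connection to a known-bad address) against constructed key=value log lines. The log lines, indicator values, host names, and the "malicious" file bytes are all constructed for the example; 203.0.113.0/24 and the .example TLD are reserved documentation values. The timestamps deliberately mix "Z" and "-05:00" offsets, as two sensors often do, so the behavioral correlation only works after normalizing to UTC.

```python
"""Match atomic, computed and behavioral IOCs against constructed telemetry (ISO 8601 timestamps)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Constructed indicators: illustrative values only, not real threat intelligence ---
# Atomic: a single observable value that can be matched directly.
ATOMIC_IPS = {"203.0.113.45"}                 # RFC 5737 documentation range
ATOMIC_DOMAINS = {"update-check.example"}     # reserved example TLD

# Computed: derived from incident data. The "dropper" is a constructed byte string
# hashed here so the indicator is reproducible offline; the regex describes a beacon URI shape.
SAMPLE_FILE = b"MZ\x90\x00" + b"constructed dropper body, not real malware" * 8
COMPUTED_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()
COMPUTED_URI_RE = re.compile(r"^/api/v1/[0-9a-f]{32}/beacon$")

# Behavioral: a sequence of actions on one host within a time window.
BEHAVIOR_WINDOW = timedelta(minutes=5)
DOWNLOADS_RE = re.compile(r"\\Downloads\\", re.IGNORECASE)

# Constructed key=value log lines. Sensor A emits UTC ("Z"); sensor B emits local time at -05:00,
# so the raw strings do not sort into the true order of events.
LOGS = [
    f"ts=2024-03-05T09:15:02.120Z host=ws-17 event=process_start image=C:\\Users\\alice\\Downloads\\invoice.exe sha256={COMPUTED_SHA256}",
    "ts=2024-03-05T04:16:40.000-05:00 host=ws-17 event=net_connect dst=203.0.113.45 uri=/api/v1/0123456789abcdef0123456789abcdef/beacon",
    "ts=2024-03-05T09:20:11.000Z host=ws-22 event=dns_query qname=update-check.example",
    "ts=2024-03-05T09:25:00.000Z host=ws-22 event=process_start image=C:\\Windows\\System32\\notepad.exe sha256=" + "0" * 64,
    "ts=2024-03-05T04:40:00.000-05:00 host=ws-22 event=net_connect dst=203.0.113.45 uri=/",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(value: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SS.mmm[Z|±hh:mm]' and normalize to UTC.
    datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11, so map it to +00:00 first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset is ambiguous: {value}")
    return dt.astimezone(timezone.utc)


def parse_line(line: str) -> dict:
    """Turn one key=value log line into an event dict with a UTC datetime under 'ts'."""
    ev = dict(KV_RE.findall(line))
    ev["ts"] = parse_ts(ev["ts"])
    return ev


def match_atomic(ev: dict) -> list:
    hits = []
    if ev.get("dst") in ATOMIC_IPS:
        hits.append(("atomic", "ip", ev["dst"]))
    if ev.get("qname") in ATOMIC_DOMAINS:
        hits.append(("atomic", "domain", ev["qname"]))
    return hits


def match_computed(ev: dict) -> list:
    hits = []
    if ev.get("sha256") == COMPUTED_SHA256:
        hits.append(("computed", "sha256", ev["sha256"]))
    if "uri" in ev and COMPUTED_URI_RE.match(ev["uri"]):
        hits.append(("computed", "uri_regex", ev["uri"]))
    return hits


def match_behavioral(events: list) -> list:
    """Per host, in UTC order: process launched from Downloads -> connect to an atomic-IOC IP within the window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])  # correct only because every ts is already UTC
        for i, start in enumerate(evs):
            if start["event"] != "process_start" or not DOWNLOADS_RE.search(start.get("image", "")):
                continue
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > BEHAVIOR_WINDOW:
                    break
                if later["event"] == "net_connect" and later.get("dst") in ATOMIC_IPS:
                    hits.append(("behavioral", host, f"{start['image']} -> {later['dst']}"))
    return hits


def scan(lines: list) -> dict:
    """Run all three matchers and return the hits plus a per-type count."""
    events = [parse_line(line) for line in lines]
    hits = []
    for ev in events:
        hits.extend(match_atomic(ev))
        hits.extend(match_computed(ev))
    hits.extend(match_behavioral(events))
    counts = defaultdict(int)
    for h in hits:
        counts[h[0]] += 1
    return {"hits": hits, "counts": dict(counts)}


if __name__ == "__main__":
    for hit in scan(LOGS)["hits"]:
        print(hit)
```

Host ws-22 touches the same bad IP but produces only atomic hits, because no Downloads-launched process precedes the connection; host ws-17 produces the behavioral hit only once the -05:00 connection timestamp is converted to UTC and lands 98 seconds after the process start. Atomic and computed indicators are cheap for an adversary to change (a new IP, a recompiled binary), which is why the behavioral layer is the one worth investing in.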