risk assessment
identifies and prioritizes risks
threat
external force jeopardizing security
threat vectors
the specific methods that threats use to exploit a vulnerability
vulnerability
weakness in security controls
risks
the combination of a vulnerability and a corresponding threat
qualitative risk assessment
uses subjective ratings to evaluate risk impact and likelihood
quantitative risk assessment
uses objective numeric ratings to evaluate risk likelihood and impact
Asset Value (AV)
the dollar value of an asset
3 techniques: original cost, depreciated cost, and replacement cost
Exposure Factor (EF)
expected percentage of damage to an asset
Single-Loss Expectancy (SLE)
expected dollar loss if a risk occurs one time
SLE = asset value (AV) × exposure factor (EF)
Annualized Rate of Occurrence (ARO)
number of times a risk is expected to occur each year
Annualized Loss Expectancy (ALE)
expected dollar loss from a risk in any given year
Mean Time to Failure (MTTF)
average time a nonrepairable component will last
Mean Time between Failures (MTBF)
average time gap between failures of a repairable component
risk management/treatment
systematically analyzing potential responses to each risk and implementing strategies to control those risks appropriately
risk avoidance
changes the organization’s business practices
risk transference
shifts the impact of a risk to another organization
risk mitigation
reduces the likelihood or impact of the risk
control assessments
test control effectiveness
risk register
tracks risk information
threat intelligence
shares risk information
NIST risk management framework
categorize information system
select security controls
implement security controls
assess security controls
authorize information system
monitor security controls
ISO 31000 Risk Management
risk identification
risk analysis
risk evaluation
risk treatment
establishing the context
monitoring and review
threat intelligence
the set of activities that an organization undertakes to educate itself about changes in the cybersecurity threat landscape, and adapt security controls based upon that information
open source intelligence sources
security websites
vulnerability databases
news media
social media
dark web
info sharing centers
file repositories
code repositories
security researchers
threat sharing frameworks
The Cyber Observable eXpression (CybOX) framework provides a standardized schema for categorizing security observations. CybOX helps us understand what properties we can use to describe intrusion attempts, malicious software, and other observable security events when we're trying to explain them to other people.
The Structured Threat Information eXpression (STIX) is a standardized language used to communicate security information between systems and organizations. STIX takes the properties of the CybOX framework and gives us a language that we can use to describe those properties in a structured manner.
Trusted Automated eXchange of Indicator Information (TAXII) is a set of services that actually share security information between systems and organizations. TAXII provides a technical framework for exchanging messages that are written in the STIX language. STIX, TAXII and CybOX work together, and they're part of a community-driven effort facilitated by the US Department of Homeland Security.
OpenIOC is another threat-sharing framework.
ISACs
information sharing and analysis centers
Security orchestration, automation, and response (SOAR)
enhances SIEM capabilities
threat hunting
organized systematic approach to seeking out indicators of compromise on our networks using expertise and analytic techniques
indicators of compromise
unusual binary files
unexpected processes or resource consumption
deviations in network traffic
unexplained log entries
unapproved configuration changes