Threats

High-level explanation about threats.

Threat actors, advanced persistent threats (APTs), or serious threats, what does this all mean?

Threats are what could negatively affect your organisation.

This can range from an earthquake (source) that causes a power outage to your office building (event) to a malicious insider (source) who steals data (event). Using the photo above, the threat source would be the accumulated snow on the roof, with one possible threat event: the snow sliding down in one go, with the risk of hurting someone walking underneath at that very moment.

As suggested above, threats have two main components: threat sources and threat events. Let's break these down.

Threat Sources

Threat Sources are the entities that can carry out a threat. They can be a person, a group, or a natural phenomenon. When they are a person, they can also be called Threat Actors.

Threats can be classified into two main categories: intentional and unintentional.

  • Intentional threats are carried out deliberately by malicious actors, such as hackers or cybercriminals.

  • Unintentional threats are not deliberately carried out but can cause harm, such as a natural disaster or human error.

The NIST Guide for Conducting Risk Assessments gives good examples of threat sources. They have categorised threat sources into four categories.

  • Adversarial

    • Individual (outsider, insider)

    • Group (ad hoc, established)

    • Organisation (competitor, supplier, partner, customer)

    • Nation-state

  • Accidental

    • User

    • Privileged user/administrator

  • Structural

    • Information Technology (IT) equipment (e.g., server, storage, router)

    • Environmental controls (e.g., temperature/humidity controls, power supply)

    • Software (e.g., operating system, network, applications)

  • Environmental

    • Natural or man-made disaster (e.g., fire, flood, hurricane, earthquake, bombing)

    • Unusual natural events (e.g., sunspots)

Other references use different categories. That doesn't matter; the categorisation is simply a tool to get us thinking about possible threats.

Threat Events

Threat Events occur when a threat source takes advantage of a vulnerability to cause harm. This is where it gets more unwieldy, as a practically infinite number of events could happen. I would categorise them using the following tactics taken from the MITRE ATT&CK Framework.

  • Reconnaissance: gathering information to plan future adversary operations, e.g., information about the target organisation

  • Resource Development: establishing resources to support operations, e.g., setting up command and control infrastructure

  • Initial Access: trying to get into your network, e.g., spear phishing

  • Execution: trying to run malicious code, e.g., running a remote access tool

  • Persistence: trying to maintain their foothold, e.g., changing configurations

  • Privilege Escalation: trying to gain higher-level permissions, e.g., leveraging a vulnerability to elevate access

  • Defence Evasion: trying to avoid being detected, e.g., using trusted processes to hide malware

  • Credential Access: stealing account names and passwords, e.g., keylogging

  • Discovery: trying to figure out your environment, e.g., exploring what they can control

  • Lateral Movement: moving through your environment, e.g., using legitimate credentials to pivot through multiple systems

  • Collection: gathering data of interest to the adversary's goal, e.g., accessing data in cloud storage

  • Command and Control: communicating with compromised systems to control them, e.g., mimicking regular web traffic to communicate with a victim network

  • Exfiltration: stealing data, e.g., transferring data to a cloud account

  • Impact: manipulating, interrupting, or destroying systems and data, e.g., encrypting data with ransomware

Wrap Up

Combining threat sources and threat events helps develop possible threat scenarios that could create a risk. I typically like to do a whiteboard session with different parts of the organisation, as they all have different perspectives. The IT team will look at this from their services' perspective: what could happen to my servers, my cloud instance, and so on. The finance team will consider their processes and people, etc. This helps to build a broader picture.
