I have spent some time working in the threat intelligence industry, and through my own experience I became interested in looking at the threat from a different perspective. There are great professionals and researchers in this area of cyber security; however, the area lacks cohesion. A higher degree of cohesion, both within the field and with adjacent areas, would benefit the discipline. In any case, just because I prefer to raise my head and take a higher perspective does not mean others want to, or can, do the same. What follows in this post is the outcome of that preference.
This threat model is not mine: I have only added pieces here and there and made the connections I needed. I think it is a good starting point for representing the threat as it is today and linking it to the different organizational levels. The cyber threat does not impact technology alone, and it is important to understand its full extent because that understanding is the input to other activities, such as threat-oriented risk management.
You can save the image for full resolution.
The threat is defined by its threat level and class. I broke the view of the threat down according to the three levels of an organization, and this view maps directly onto the three levels of threat intelligence: strategic, operational and tactical.
Each team works at a different level within the organization. The most important level for the purpose of this post is the strategic one: it is embedded in the organizational level, connected to mission and systems, and it also supports cyber risk management at that level.
Most of the industry's focus today is on the tactical level, with MITRE ATT&CK as the main framework and probably the biggest cyber terrain modelling exercise we have ever seen. Many argue that this is the most important level and view of the threat today, but I differ completely: to succeed in protecting the organization against the cyber threat you need strong strategic, operational and tactical teams.
The operational level is now being disregarded in favor of MITRE ATT&CK, despite the mapping between ATT&CK TTPs and Kill Chain stages being nearly direct. The Kill Chain is not perfect, but it was developed at a time when we did not know as much as we know today about threat operations. The biggest challenge after the tactical level is to understand, and to convey to the business layer, that the two upper levels are as important as the tactical one, or more so. It is not enough to have good solutions, standards and controls. The operational level, and investment in people, matters as much as the tactical level if the organization is to be protected. In addition, new solutions and methodologies to counter the threat, such as cyber deception, will not succeed unless this level receives greater attention.
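As an added illustration of the point above (this is example code written for this edit, not part of the original post), the following rolls tactical observations (ATT&CK tactic names seen during an incident) up to operational Kill Chain stages. The tactic-to-stage mapping is my own assumption, not an official MITRE or Lockheed Martin mapping, and the incident data is constructed. It shows why the mapping is "nearly" but not entirely direct: the post-exploitation tactics that recur throughout an intrusion do not belong to a single stage, so they are flagged for analyst review rather than silently placed. It also reports stages between the first and last observed that produced no evidence, which is a useful prompt for checking telemetry gaps.

```python
"""Roll ATT&CK tactics observed in an incident up to Kill Chain stages.

Added example, not code from the original post. TACTIC_TO_STAGES is an
assumed mapping chosen for illustration; the sample incident is constructed.
"""

# Lockheed Martin Cyber Kill Chain stages, in order.
KILL_CHAIN = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Assumed mapping from ATT&CK Enterprise tactic names to Kill Chain stages,
# earliest plausible stage first. Most tactics map to exactly one stage; the
# ones that recur throughout an intrusion map to more than one and therefore
# cannot be placed from the tactic name alone.
TACTIC_TO_STAGES = {
    "Reconnaissance": ["Reconnaissance"],
    "Resource Development": ["Weaponization"],
    "Initial Access": ["Delivery"],
    "Execution": ["Exploitation"],
    "Persistence": ["Installation"],
    "Privilege Escalation": ["Installation"],
    "Defense Evasion": ["Installation"],
    "Command and Control": ["Command and Control"],
    "Credential Access": ["Installation", "Actions on Objectives"],
    "Discovery": ["Installation", "Actions on Objectives"],
    "Lateral Movement": ["Exploitation", "Actions on Objectives"],
    "Collection": ["Actions on Objectives"],
    "Exfiltration": ["Actions on Objectives"],
    "Impact": ["Actions on Objectives"],
}


def kill_chain_progress(observed_tactics):
    """Summarise how far an intrusion progressed along the Kill Chain.

    Returns a dict with:
      reached  - Kill Chain stages supported by evidence, in chain order
      furthest - the last stage reached (None if nothing observed)
      missing  - stages between the first and last reached that had no
                 evidence; candidates for a telemetry or detection gap
      review   - tactics whose stage is ambiguous; only their earliest
                 stage was counted, an analyst should confirm the rest
    Raises ValueError for a tactic name not in the assumed mapping.
    """
    reached = set()
    review = []
    for tactic in observed_tactics:
        try:
            stages = TACTIC_TO_STAGES[tactic]
        except KeyError:
            raise ValueError(f"unknown ATT&CK tactic: {tactic!r}") from None
        if len(stages) > 1:
            review.append(tactic)
        reached.add(stages[0])  # conservative: count the earliest stage only
    ordered = [s for s in KILL_CHAIN if s in reached]
    if not ordered:
        return {"reached": [], "furthest": None, "missing": [], "review": review}
    lo = KILL_CHAIN.index(ordered[0])
    hi = KILL_CHAIN.index(ordered[-1])
    missing = [s for s in KILL_CHAIN[lo:hi + 1] if s not in reached]
    return {"reached": ordered, "furthest": ordered[-1],
            "missing": missing, "review": review}


if __name__ == "__main__":
    # Constructed incident: phishing lure, payload run, beaconing, some
    # internal enumeration and data theft observed; nothing seen for the
    # installation stage directly.
    incident = ["Initial Access", "Execution", "Command and Control",
                "Discovery", "Exfiltration"]
    summary = kill_chain_progress(incident)
    print("Stages reached :", " -> ".join(summary["reached"]))
    print("Furthest stage :", summary["furthest"])
    print("No evidence for:", summary["missing"] or "none")
    print("Needs review   :", summary["review"] or "none")
```

The conservative choice (earliest stage for an ambiguous tactic) is deliberate: over-placing Discovery or Credential Access into Actions on Objectives would make an intrusion look further along than the evidence supports, which matters when this summary feeds the strategic view of impact discussed later in the post.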
Although it is not enough on its own, the tactical level seems to be the level on which there is consensus, and MITRE is playing a key role in maturing a framework derived from real threat operations. The framework has landed well in the private sector and is a key component of a nation-wide cyber defense strategy at the tactical level. Furthermore, it is available to the global community, and here we can see another effort to drive a safer nation through collaboration between government, the private sector and the community.
An interesting development has recently happened at the tactical level with the presentation of a new framework, AMITT (Adversarial Misinformation and Influence Tactics and Techniques). Its main objective is to capture the TTPs of misinformation campaigns launched by threat groups and hostile governments. We need to wait a little longer to see how the threat evolves, but this type of tradecraft and operation has significant implications and business impact at the strategic / organizational level.
I also added relationships between the levels, to show the interdependence between the three views of the threat, from the tactical to the strategic level.
There are also two interesting topics: threat sophistication and attribution. Threat attribution is complex to achieve, which is why it is better left to those who have the resources to do it correctly; however, it does no harm to understand some of its characteristics.
Sophistication is a useful threat attribute to understand. It is dependent on the environment: in some environments the threat will be sophisticated, in others much less so. The tactical and operational levels are a good place to gain an understanding of the threats you encounter and their technical sophistication; however, only the strategic view reflects that sophistication in terms of cyber effects and business impact.
I had to build this picture to finally reach the strategic level; which is the one I really needed to understand for my purpose.
At the strategic level the threat is identified by three attributes: capability, intent and targeting.
Each of these attributes is directly related to one of the following components of Cyber Risk Management:
- Capability relates to Architecture and Engineering
- Intent relates to Governance
- Targeting relates to Operations
Depending on the level of threat an organization faces, the road to cyber preparedness is different. Organizations facing conventional threats can orient their preparedness through a compliance-driven risk management practice, whereas organizations facing non-conventional or advanced threats have to adopt a threat-oriented risk management practice.
In the end, it is possible to establish a correlation between the threat level and the preparedness level through the threat class, which in turn provides an entry point into a risk framing methodology. That methodology is oriented towards the threat the organization faces and its strategic level of preparedness.
The model provides a complete view of the threat. It also supports the business at the organizational level in adopting a cyber risk management approach that factors in the threat, so that the three areas discussed above (Architecture & Engineering, Operations and Governance) can be modelled.
Ultimately this demonstrates the direct link between the threat level an organization faces, or expects to face, and its preparedness strategy. In an organization this will typically involve areas such as Strategic Threat Intelligence and Cyber Risk, among others.