Threat Susceptibility: From Risk Management To Active Defense

In our previous blog post in this series, Threat Susceptibility: Countermeasures and Risk Remediation Options, we continued our MITRE ATT&CK example and focused on identifying mitigations and security controls that were mapped to the TTPs the organization was susceptible to. In this post, we’ll discuss those mitigations and security controls in the context of Risk Management, Cybersecurity, Resiliency Engineering, Security Engineering, Security Operations, and Active Defense.

The NIST Risk Management Framework (RMF) has seven steps that provide a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. We’re using NIST in our examples for consistency. Managing organizational risk is paramount to effective information security and privacy programs and the NIST RMF approach to integrated risk management can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector. The security controls in the NIST RMF are really the core security people, processes, and technologies needed to manage risk.

1. Essential activities to prepare the organization to manage security and privacy risks

2. Security categorize the system and information processed, stored, and transmitted based on an impact analysis that considers Confidentiality, Integrity, and Availability.

3. Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s).
   

4. In NIST, this is normally where you select a security control baseline of Low, Moderate, or High or create a tailored security control baseline. Many commercial organizations will use the NIST Cyber Security Framework (CSF) and the mapped 800-53 security controls as a tailored security control baseline.

5. Implement the controls and document how controls are deployed

6. Assess to determine if the controls are in place, operating as intended, and producing the desired results

7. Senior official makes a risk-based decision to authorize the system (to operate)

8. Continuously monitor security control implementation and risks to the system

The first four steps of the RMF are aimed at producing the information that populates the System Security Plan (SSP). The last three steps of the RMF are aimed at the Security Assessment Plan that assesses threats, vulnerabilities, security controls, and risks. The Security Assessment Report captures the results of the security assessments and the Plan of Actions and Milestones captures all the gaps and issues that need to be addressed.

The NIST RMF uses NIST 800-53 security and privacy controls. The NIST CSF and the NIST Cyber Resiliency Engineering Framework found in NIST 800-160 vol 2 rev 1 also use the same NIST 800-53 security control catalog.

The organization’s risk management strategy is what enables the organization to select security controls. The same risk management strategy is also used in the NIST Cyber Resiliency Engineering Framework to select strategies that support the organization’s cyber resiliency goals and objectives. This in turn enables the organization to identify and select resiliency design principles and resiliency techniques that lead to resiliency implementation approaches using resiliency security controls.

NIST 800-160 vol 2 rev 1 contains a mapping of resiliency techniques and approaches to NIST 800-53 security controls and control enhancements that directly support resiliency. The same publication also contains a mapping of MITRE ATT&CK TTPs to resiliency mitigations. Mitigations are normally implemented by one or more courses of action in order to achieve the desired resiliency effect on the adversary’s behavior.

NIST 800-160 vol 2 rev 1 provides a resiliency effects vocabulary for stating claims or hypotheses about the effects of cyber mission assurance decisions on cyber adversary behavior. Cyber mission assurance decisions include choices of cyber defender actions, architectural decisions, and selections and uses of technologies to improve cyber security, resiliency, and defensibility (i.e., the ability to address ongoing adversary activities).

The resiliency effects vocabulary enables claims and hypotheses to be stated clearly, comparably across different assumed or real-world environments, and in a way that suggests evidence that might be sought but is independent of how the claims or hypotheses might be evaluated.

The resiliency effects vocabulary can be used with multiple modeling and analysis techniques, including Red Team analysis, game-theoretic modeling, attack tree and attack graph modeling, and analysis based on the cyber attack lifecycle (also referred to as cyber kill chain analysis or cyber campaign analysis).

The NIST resiliency effects vocabulary replaces the older DoD Information Operations effects vocabulary Lockheed Martin used in their Cyber Kill Chain paper Course of Action Matrix.

The results of the Cyber Threat Susceptibility Assessment and the specific TTP mappings to mitigations, security controls, and resiliency controls can be used to help identify and prioritize actions across Security Engineering and Security Operations.

Security Engineering

1. Identification of Resiliency Design Principles, Resiliency Techniques, and Implementation Approaches

2. Resiliency and Security Control Prioritizations

Security Operations

1. Attack Surface Mitigation Prioritization

2. Threat Detection and Mitigation Prioritizations

3. Identification of Incident Response Plans and Procedures for known Attack Path Scenarios

Active Defense is an area that focuses on threat-informed actions to build resilience to cyber threats. By understanding the specific TTPs that the organization is susceptible to, they can use this to tailor the organization’s threat intelligence requirements. They can use their knowledge of what TTPs they are susceptible to and where they are susceptible to determine if the threat intelligence is relevant to them or not.

Organizations can also use deception and adversary engagement opportunities in MITRE Engage mapped to the specific TTPs from their cyber threat susceptibility assessment results. If you can deflect an adversary’s activity to a deception environment then they’re not in your real environment.

By knowing the specific TTPs they are susceptible to they can look at specific deception and adversary engagement opportunities within the MTIRE Engage framework that can reduce the risk to the business by providing additional protections.

In the next blog post, we’ll look closer at resiliency goals and risk management strategies aligned to the resiliency goals and look at resiliency analysis using the threat susceptibility results to answer key motivational questions.