This year I facilitated a discussion – formally, a ‘Peer-to-Peer Session’ – at RSA focused on threat profiling. The concept of ‘threat profiling’ is usually new to infosec practitioners, who are typically used to ‘threat intelligence’, ‘risk management’, and similar terms. Threat profiling as a concept and practice refers to the identification, scoping, and classification of threat vectors facing the defended environment. As you might already suspect, this process is not a ‘one-size-fits-all’ endeavor, but rather is very unique to the individual organization based on their function, value to others, and network infrastructure.
To start the discussion, I asked the question, “What is a threat?” The subsequent interaction was good, but focused on the typical characterization of threats: specific entities, from script kiddies to APTs, that may impact your environment. In guiding the discussion, I sought to move the group beyond this ‘who’-centric definition of threats to a value-focused orientation. Specifically, in evaluating your threat environment, think what aspects of your organization are of value to a malicious entity, and what actions they need to take to realize that value. This spans the gamut of criminal actors seeking to lock systems for ransom to nation-state actors seeking intellectual property to steal – but will almost always be somewhat unique to each organization depending on their underlying business or operations. Primarily, I wanted to guide attendees to viewing the ‘threat environment’ not as a collection of interestingly described animals, numbered APTs, or criminal malware families, but instead as a manifestation of that which threatens organizational value.
Adopting this viewpoint opens up a number of new cognitive possibilities considering defensive planning and operations. Instead of sinking into a cognitive bias situation such as “the Russians don’t care about me,” defenders can transition to identifying threats to sources of value – and the means to achieve these adversary goals – irrespective of the entity responsible. Embracing this value-centric approach to threats liberates defenders to identify network resources, infrastructure, and nodes based on their relevance to either achieving adversary objectives, or ensuring continued provision of value to the organization. Specifically, this approach leads to the identification of ‘key network terrain’: those nodes either instrumental to or fundamentally based on enabling the organization to continue its primary function, or continued value production.
Finally addressing the title of this post, the identification of threats and profiling how they can impact your organization represents a combination of ‘art’ and ‘science’. The latter can be achieved rather simply through metrics such as cost and value centers within the organization, and determining relative probabilities of compromise based on exposure and underlying technology. The former gets trickier and where matters become very focused on the individual institution – for example, what value accrues to reputational risks should an entity be compromised? What loss is sustained when an organization loses control over the entity’s ‘crown jewels’ as a result of a network attack? While fuzzy, such determinations are necessary – and serve as an effective mechanism to focus and center network defense planning.
The next stage of discussion moved from identifying threats – with this value-based approach defined above – to planning defense. By identifying critical value nodes, either as ‘ends-in-themselves’ or ‘means-to-an-end’ items, network defenders can effectively prioritize scarce resources to address the organization’s fundamental needs. The example I used to illustrate this at a basic level compared individual workstations and domain controllers: we should expect and anticipate individual workstations to be compromised, and plan accordingly to efficiently remediate these devices with minimal loss in operational effectiveness and value. But vital infrastructure or value-creating nodes, such as a domain controller, cannot be easily remediated and represent at minimum a ‘mission kill’ for the organization as an adversary can leverage this access for significant further compromise of the targeted network. Therefore, defense should allocate assets and procedures in such a way where individual workstation ‘losses’ are acceptable and understood, while doing the best possible effort to ensure a domain controller compromise never occurs given the cost of such an event. In this fashion, an organization can position resources so that workstation compromises are triaged – while putting in the work to ensure that such an end-point compromise does not lead to subsequent activity resulting in a truly value-destructive action.
Essentially, organizations must move their defensive operations to focus on areas of strategic value – as illustrated by the action of threat profiling – to ensure manageable, effective security of the network. To paraphrase Frederick the Great – he who defends everything, defends nothing. From an information security perspective, allocating scarce resources indiscriminately across all network nodes and resources only serves to spread effort thinly and ineffectively across multiple items. Focusing instead on only those items critical to maintaining or producing continued organizational value ensures intelligent, sustainable allocation of resources – even if in so doing the security organization must accept some ‘losses’ for peripheral or less-valuable resources.
Once such strategic items are identified, defensive planners and operators must then determine whether or not the appropriate capabilities and visibility exists to achieve their goal of securing strategic resources. Identifying critical paths to strategic resources reveals those communication pathways and endpoints that require attention and monitoring – where gaps exist, action is required to ensure that defenders can adequately examine and respond to threats focusing on valuable aspects of the organization’s network. Essentially, this ‘gap analysis’ approach informed by threat activity focuses and centers questions of what security tools are required, what visibility is needed, and how to orchestrate a security program. Once all the prior steps in the process outlined above are complete, an organization is left with the critical paths, and critical nodes, necessary for an adversary to achieve their potential objectives – and thus a list of what activity, traffic, and behavior must be observed and monitored to ensure adequate defense.
Ultimately, the end-goal of the entire process of identifying sources of value, plausible threats to those value centers, and then orchestrating visibility and response around those critical pathways is to intelligently and efficiently allocate scarce resources to security problems. Defending all end-points equally is not only wasteful, but unnecessary as not all end-points or network nodes are of equal value. By focusing on what is of interest to adversaries and what is most important to the organization, network defense and monitoring can be effectively economized to fit the needs of the organization.
By adopting a value-based, strategic approach to network defense, organizations can improve response while ensuring critical assets receive necessary defensive coverage. Spreading resources indiscriminately only dilutes response and over-taxes operations resources and personnel. Developing a continuous threat (and risk) profiling posture ensures such activity is evolving and keeps pace not only with the threat environment, but also sources of value within the organization itself.
Instead of seeking a ‘one size fits all’ approach to threat detection, response, and modeling, organizations need to recognize and own the task of identifying what their threat environment looks like from the perspective of the organization. Taking this analytical approach, organizations can identify security needs, prioritize resource allocation, and ensure critical network nodes are covered. The approach is neither easy nor simple, but by embracing this technique organizations can ensure a more robust and effective security response molded to their specific needs.