Understanding the cyber risk equation, where Risk = (Threat x Vulnerabilities) x Impact, is crucial. This equation encapsulates the culmination of threats, vulnerabilities, likelihood, and impact. It’s a powerful process that can help you grasp how threat sources exploit vulnerabilities to gain access to an organization, whether for financial gain or to inflict harm. Mastering this understanding puts you in control, enabling you to implement proactive measures that mitigate negative impacts on the organization.
There are many other forms of risk, such as environmental risks like fire, hurricanes, avalanches, floods, and tornados. There are also forms of business risk, such as credit, reputational, financial, and market risks, or the risk of losing customers due to any of these.
You may be thinking at this point, yeah, yeah, I’ve read about all of that studying for my multitude of exams. Well, in simplest terms, the question is, what is the probability that something or someone will exploit a vulnerability through exploit code, a weakness in infrastructure, site location, application code, policy, or business action, and cause harm to the organization?
Although, in today’s environment, the CISO must consider all of these things, we’ll focus on cybersecurity risk.
Threat Sources
1. Individuals
This could be an outsider like a script kiddy, or an insider like someone who just got let go and wants to inflict harm on the organization by stealing intellectual property and releasing it to the public.
2. Groups
Organized crime syndicates are more frequently getting into the cybercrime game, ad-hoc groups meeting on Telegram or Discord.
3. Organizations
This could be a competitor looking to steal your secret sauce. A supplier with weak cybersecurity practices leading to a 3rd party breach, or a partner that gets breached and a down stream attack occurs.
4. Nation States
State funded organizations focused on espionage, Politically motivated or intellectual property theft.
China
APT41 (Winnti Group), APT10 (Stone Panda).
Russia
APT28 (Fancy Bear), APT29 (Cozy Bear), Sandworm team.
North Korea
Lazarus Group, APT37 (Reaper), Kimsuky.
Iran
APT33 (Elfin), APT34 (OilRig), or Muddy Water.
5. Accidental
A user permanently deleting important data or database records, a processing error returns incorrect values, or a backup gets corrupted.
6. Environmental
Temperature, humidity, or power supply failure can all destroy critical systems.
7. Natural or Man-Made Disasters
Fire, Flood, Tornado, Hurricane, Land Slide, Volcano.
Vulnerabilities
With the multitude of potential vulnerabilities that can exist in the average organization, the need for prioritization becomes paramount. No software, hardware, mobile device, or operating system is immune. While Microsoft, Adobe, Oracle, Cisco, and Apache were the primary vendors that suffered the most exposure due to vulnerabilities, we now have to include all versions of Linux and Apple in our vulnerability management program. The challenge lies in prioritizing these vulnerabilities, requiring focus and efficiency.
When prioritizing vulnerabilities, it’s crucial to consider environmental conditions. You may have a critical vulnerability with an exploit on a box isolated from the rest of the network with no critical data. Should that be a priority? No. This strategic and forward-thinking approach to vulnerability management can help you allocate resources effectively.
Key Considerations for Prioritization:
- Exploit Code Available
- Currently being Exploited in the Wild
- Zero-Days (Mitigating Controls)
- CVSS 7 or higher
If you’re a new CISO or vCISO, consider mapping your attack surface early on and remediating it based on criticality, considering the vulnerability categories above.
One consideration wasn’t discussed above, and many times, it’s not included in the equation regarding risk. Still, it is very prevalent when it comes to exposure and should be added to your risk register for mitigation, acceptance, transference, or ignore.
Predisposing Conditions:
- Lack of Security Awareness Training
- Outdated Software and Systems
- Insufficient Access Control
- Lack of Patch Management
- Inadequate Network Security
- Human Error
- Misconfigured Cloud Environment
- Inadequate Security Testing
- No Security Checks in DevOps
- Lack of tested Disaster Recover
- Lack of Business Continuity Planning
- Lack of Mobile Device Control
- No Incident Response Plan
- No Adequate Logging
- Lack of Proper Security Device Configuration
Likelihood
When we calculate risk, we must consider and calculate the likelihood of an attack. This may be a daunting task for most, but the key is to watch your adversary’s activity through threat intelligence feeds and cybersecurity news articles. I like to read the Verizon Data Breach Investigation Report (DBIR) to understand the threat landscape. It provides insights into patterns of target industries and the threat actor behaviors or Tactics, Techniques, and Procedures (TTP) used to infiltrate the target. Another great resource is the IBM-sponsored Ponemon Institute’s Cost of a Data Breach, which provides quantitative insights into the financial consequences resulting from breaches that occurred the prior year.
Impact
The impact on an organization following a breach can vary and be far-reaching, often lasting for years. Let’s identify a few, beginning with fines related to non-compliance. If you’re bound by GDPR, the fines that can be imposed are up to 4% of your annual revenue. PCI-DSS can impose monthly fines between $5,000 and $10,000 per month. The Department of Health and Human Services may impose fines between $25,000 and a maximum of $100,000 per year if the determination was made for willful neglect. There may be other fines incurred by the SEC or other governing bodies. The organization may be subject to legal fees or civil suits because of leaking personally identifiable information (PII).
Calling in a forensics team to investigate, identify, eradicate the threat, and help recover from the breach can be quite costly. For small businesses, the costs can range from $8,000 to $30,000, while larger organizations might incur costs between $10,000 and $100,000 or more.
Most organizations that are impacted by a data breach resulting in the exfiltration of PII are encouraged to provide credit monitoring services for a period of time, usually one year. Basic credit monitoring services typically range from $10 to $30 per month per individual, so if you consider a breach affecting 24,000 individuals, the cost of providing credit monitoring services could amount to $240,000.
Some of the long-term effects may be loss of market share or customers transitioning to a competitor and becoming loyal customers. Losing intellectual property or trade secrets to a competitor or a foreign country will also negatively impact the bottom line.
Conclusion
In the 2024 Cost of a Data Breach report, the average data breach cost was $4.88 million, up 10% from 2023.
No matter how you calculate risk, your job as a CISO is to ensure that the business remains operational and productive, but not only is that the most critical, from a tactical perspective, you must also maintain a positive influence on the business, plan strategically, reduce costs, and help to improve efficiency and ease of use.
If all of this appears overwhelming, start with your most critical, most exposed assets and data. Identify your crown jewels and start there, but always remember that your people are a big part of that equation.
You will never eliminate risk. The goal is to reduce risk to an acceptable level determined by your organization’s risk tolerance.
By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA
An Extra Tidbit for Consideration:
Common Tactics, Techniques & Procedures (TTPs)
Familiarize yourself with the MITRE ATT&CK Framework, which outlines adversary behaviors across phases like initial access, persistence, privilege escalation, and impact. Understanding these tactics can help bolster your defenses and better anticipate potential threats.
MITRE ATT&CK Framework
1. Initial Access
- Phishing: Sending fraudulent emails to trick recipients into revealing sensitive information or downloading malware.
- Spear Phishing: A targeted form of phishing aimed at specific individuals or organizations.
- Drive-by Downloads: Compromising websites to automatically download malware onto visitors’ devices.
- Exploiting Public-Facing Applications: Using vulnerabilities in web applications to gain access.
- Supply Chain Attacks: Compromising third-party vendors to infiltrate target networks.
2. Execution
- Command and Scripting Interpreter: Using scripts and command-line interfaces to execute malicious commands.
- PowerShell: Utilizing PowerShell scripts for malicious activities.
- Exploitation for Client Execution: Exploiting vulnerabilities to run arbitrary code on a victim’s machine.
- Scheduled Task/Job: Creating scheduled tasks to run malicious code.
3. Persistence
- Boot or Logon Auto-start Execution: Ensuring malware starts when the system boots or a user logs on.
- Hijacking Execution Flow: Redirecting legitimate code execution to malicious code.
- Valid Accounts: Using stolen credentials to maintain access.
- Web Shell: Installing web shells on compromised servers to maintain access.
4. Privilege Escalation
- Exploitation for Privilege Escalation: Exploiting vulnerabilities to gain higher-level permissions.
- Credential Dumping: Extracting credentials from operating system memory, registry, or files.
- Bypassing User Account Control (UAC): Evading Windows UAC to execute code with elevated privileges.
5. Defense Evasion
- Obfuscated Files or Information: Hiding the presence of malware through obfuscation.
- Code Signing: Using stolen or fraudulent certificates to sign malicious code.
- Disabling Security Tools: Disabling antivirus, endpoint detection, and other security measures.
- Fileless Malware: Running malicious code directly in memory to avoid detection.
6. Credential Access
- Keylogging: Capturing keystrokes to steal credentials.
- Brute Force: Repeatedly trying passwords to gain access.
- Credential Dumping: Extracting passwords and hashes from the system.
- Phishing for Credentials: Trick users into revealing their login information.
7. Discovery
- Network Service Scanning: Scanning for open ports and services on the network.
- System Network Configuration Discovery: Gathering information about network configurations and settings.
- System Information Discovery: Collecting information about the operating system and hardware.
- File and Directory Discovery: Locating files and directories on a compromised system.
8. Collection
- Data from Local System: Gathering sensitive information from the local machine.
- Data from Network Shared Drive: Collecting data from network shares.
- Input Capture: Capturing input from keyboards, screens, and other devices.
- Email Collection: Accessing email accounts to gather sensitive information.
9. Command and Control
- Commonly Used Port: Communicating over commonly used ports to blend in with normal traffic.
- Standard Application Layer Protocol: Using HTTP, HTTPS, DNS, and other protocols for command and control (C2) communication.
- Web Service: Using legitimate web services for C2.
- Custom C2 Protocol: Developing custom protocols for C2 to evade detection.
10. Exfiltration
- Automated Exfiltration: Using scripts and tools to automate data exfiltration.
- Exfiltration Over C2 Channel: Sending data over the same channel used for command and control.
- Exfiltration Over Alternative Protocol: Using non-standard protocols to exfiltrate data.
- Scheduled Transfer: Exfiltrating data at specific times to avoid detection.
11. Impact
- Data Destruction: Deleting or corrupting data to cause disruption.
- Data Encryption for Impact: Encrypting data to render it unusable (often seen in ransomware attacks).
- Service Stop: Stopping critical services to disrupt operations.
- Network Denial of Service: Overloading network resources to disrupt services.