Threat Analysis
Threat Analysis Theory: A threat is anything that can lead to the interruption, manipulation or destruction of any valuable service or asset in the firm's possession. Whether of "human" or "non-human" origin, the analysis must scrutinize each element that may give rise to a conceivable security risk. Cyber threat analysis is a process in which knowledge of the internal and external information vulnerabilities pertinent to a particular organization is matched against real-world cyber-attacks. With respect to cyber security, this threat-oriented approach to combating cyber-attacks represents a transition from reactive security to proactive security. The desired result of a threat assessment is a set of best practices for maximizing the protective instruments with respect to availability, confidentiality and integrity, without sacrificing usability and functionality.
Components of Threat Analysis as a Process:
Scope
The ability to understand what information we need in order to improve our understanding of the threat, and to set collection priorities.
Gathering
The ability to gather cyber threat information relating to cyber security threats and vulnerabilities from a range of sources.
Analyze
The ability to examine the information gathered and to make links between discrete pieces of information.
Act
The ability to make intelligence-driven decisions and act both tactically and strategically to prevent or respond to threats.
Scope The scope states what is included in the analysis and what is not. In terms of cyber security, the items under consideration are those that must be protected. They need to be identified in the first place, but the sensitivity level of what is being guarded should also be defined by the analysis drafters.
Data Collection Every respectable organization has some sort of policies and procedures. These need to be identified for compliance purposes. In reality, almost one-fourth of the defensive capabilities that corporations have in place fail to meet minimum security standards. In the opinion of Art Gilliland, a senior vice president of the security products unit of Hewlett-Packard, "the reason for that is that they were often pushing to meet a policy – check boxing for compliance." Amassing detailed information about real cyber incidents (e.g., URLs of malicious links, phishing email headers and content, and uncovered hostile Command and Control (C2) infrastructure such as domain names and IP addresses) is the first step. The focus should fall on targeted threats that exist in reality, and the scope settings need to filter out threats that are perceived as such but are not real, since these merely distract attention from other ongoing security matters. An IT analyst must have unrestricted access to data in order to transform it into intelligence. Sources of information include, for example, intrusion incidents, intrusion detection system logs, firewall logs, the reverse engineering of malware, open source Internet searches, honeypots, digital forensic analysis, etc. Of course, no single source can provide all of the information needed for a thorough threat analysis, and the analyst should combine multiple data sources seamlessly. Once all corporate policies and procedures are collected, they should be examined to show whether they match the compliance level of the organization. Consequently, logically processing vast amounts of data and thinking critically are qualities that make for good cyber analysis.
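The paragraph above stresses that no single source suffices and that indicators from phishing emails, C2 infrastructure lists and firewall logs have to be combined. The following Python script is an added example, not code from the paper or from Dawgen Global: it extracts indicators from a constructed phishing email and a constructed partner feed into one indicator set that remembers which source reported each value, then matches that set against constructed firewall log lines. The email, feed entries, log format and all addresses are assumptions made up for illustration.

```python
"""Consolidate indicators from several sources and match them against log lines.

Added example; not from the original paper. Every indicator value, log line and
feed entry below is constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from urllib.parse import urlparse

# Constructed: a phishing email as captured (headers, blank line, body).
PHISHING_EMAIL = """From: billing@invoice-update.example
Received: from mail.invoice-update.example ([203.0.113.45])
Subject: Invoice overdue

Please review at http://invoice-update.example/login
"""

# Constructed: an external feed of hostile C2 infrastructure (value, source).
C2_FEED = [
    ("c2.bad-actor.example", "partner feed"),
    ("198.51.100.7", "partner feed"),
]

# Constructed: firewall log lines in an assumed key=value format.
FIREWALL_LOG = """\
2024-03-01T10:02:11Z action=allow src=10.0.0.23 dst=203.0.113.45 dport=443
2024-03-01T10:05:42Z action=allow src=10.0.0.23 dst=192.0.2.10 dport=443
2024-03-01T10:07:03Z action=deny src=10.0.0.41 dst=198.51.100.7 dport=4444
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class IndicatorSet:
    """Indicators keyed by value; each value remembers the sources that reported it."""
    sources: dict = field(default_factory=dict)

    def add(self, value, source):
        self.sources.setdefault(value.lower(), set()).add(source)

    def __contains__(self, value):
        return value.lower() in self.sources


def indicators_from_email(raw, indicators):
    """Pull the sender domain, relaying IP and URL hosts out of a phishing email."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    if "@" in sender:
        indicators.add(sender.split("@", 1)[1], "phishing email")
    for ip in IPV4.findall(msg.get("Received", "")):
        indicators.add(ip, "phishing email")
    for url in re.findall(r"https?://\S+", msg.get_payload()):
        host = urlparse(url).hostname
        if host:
            indicators.add(host, "phishing email")


def indicators_from_feed(feed, indicators):
    """Load (value, source) pairs from an external feed."""
    for value, source in feed:
        indicators.add(value, source)


def build_indicators():
    """Merge every source into one indicator set."""
    ind = IndicatorSet()
    indicators_from_email(PHISHING_EMAIL, ind)
    indicators_from_feed(C2_FEED, ind)
    return ind


def match_firewall_log(log_text, indicators):
    """Return (timestamp, dst, sources) for each log line whose dst is a known indicator."""
    hits = []
    for line in log_text.splitlines():
        tokens = line.split()
        fields = dict(kv.split("=", 1) for kv in tokens[1:])
        dst = fields.get("dst", "")
        if dst in indicators:
            hits.append((tokens[0], dst, sorted(indicators.sources[dst.lower()])))
    return hits


if __name__ == "__main__":
    ind = build_indicators()
    for ts, dst, srcs in match_firewall_log(FIREWALL_LOG, ind):
        print(ts, dst, "reported by", ", ".join(srcs))
```

Keeping the reporting source attached to each indicator is what lets the analyst judge a hit: a destination seen in a phishing email and in a partner feed is stronger evidence than either alone, which is the "multiple data sources" point the paragraph makes.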
Threat/Vulnerability Analysis of Acceptable Risks Here we test what has been gathered to determine the current level of exposure and, above all, whether the current defenses are solid enough to neutralize information threats in terms of availability, confidentiality and integrity. This part should also include an evaluation of whether the existing procedures, policies and security measures are adequate. Vulnerability analysis also encompasses penetration testing, which seeks to obtain something the adversary would value, such as a classified document, code or password. An important remark: threat analysis is a continual process that should be reviewed periodically to ensure that all safeguards work properly. Threat/risk evaluations are to be an integral part of the organization's overall life cycle.
Mitigation & Anticipation When all previous steps are completed, a competent security analyst can use this corpus of threat data to group activity patterns of close similarity, attribute each pattern to specific threat actors, promptly implement mitigation measures, and anticipate the emergence of similar cyber-attacks in the future.
1 Methodology The threat metrics and models included in this part are intended to help characterize specific threats, thereby fulfilling the purpose of threat analysis.
2 Threat Metrics A decent threat measurement can facilitate analysis through an improved understanding of how trends and anomalies occur. It can also underscore the imminence of certain types of vulnerabilities and connect the missing dots between threats and potential consequences. In other words, a quality threat measurement can yield accurate results for risk management. Unfortunately, defining and applying threat measures of proper quality is a practice that lacks maturity and consistency. The notion "metric" denotes a unit of measure, while "measure" stands for a given hallmark of performance. If we measure some event in a consistent way, using a good metric that is unambiguous and clear, the analyst will most likely improve his ability to understand that event (a threat, in our case) and to control, affect and defend against it to a certain extent. And when the picture is less murky, decision-making based on correct interpretation will be much simpler. An example of a good quantitative portrayal in cyberspace would be the number of attacks per month. Measured over a long stretch of time, the count of cyber-attacks can reveal the adversary's capability and intent, allowing analysts in turn to calculate the risk properly and allocate the resources needed to cope with it.
3 Threat Models A stand-alone metric is oftentimes insufficient to encapsulate behavioral characteristics of complex systems/actors. A combination of metrics, the so-called “measurement framework”, might do the job.
4 The Generic Threat Matrix The generic threat matrix uses attributes of a threat that help the analyst characterize the type of threat based on its overall nature. This kind of characterization allows analysts to describe the threat's full spectrum without labelling it with preconceived notions. From another angle, we can say that "[t]he matrix is a framework or model for organizing a set of related metrics." The threat matrix is graduated into levels of magnitude, with each level corresponding to a different kind of threat.
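The Threat Metrics paragraph names attacks per month as a good quantitative metric, and the Threat Models paragraph notes that a single metric is rarely enough. The Python script below is an added example, not code from the paper: it derives the monthly count from a constructed incident list, then combines it with two further metrics (a trailing-window anomaly flag and a least-squares trend) into a small measurement framework. The incident dates, the three-month window and the mean plus two standard deviations threshold are all assumptions chosen for illustration; the paper prescribes none of them.

```python
"""Attacks per month as a threat metric, combined with an anomaly flag and a trend.

Added example, not from the paper. Incident dates are constructed; the window
length and the mean + 2 sigma threshold are assumed parameters for illustration.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed incident log: one ISO date per confirmed attack.
INCIDENT_DATES = """
2024-01-09 2024-01-22
2024-02-03 2024-02-14 2024-02-27
2024-03-11 2024-03-30
2024-04-02 2024-04-18 2024-04-25
2024-05-06 2024-05-21
2024-06-01 2024-06-04 2024-06-08 2024-06-12 2024-06-15 2024-06-19 2024-06-23 2024-06-28
""".split()


def attacks_per_month(dates):
    """Count incidents per calendar month; returns a sorted list of (YYYY-MM, count)."""
    counts = Counter(d[:7] for d in dates)
    return sorted(counts.items())


def flag_anomalies(series, window=3, sigma=2.0):
    """Flag months whose count exceeds mean + sigma * stdev of the previous `window` months.

    Returns (month, count, threshold) for each flagged month. The first `window`
    months have no history and are never flagged.
    """
    flagged = []
    for i in range(window, len(series)):
        prior = [c for _, c in series[i - window:i]]
        threshold = mean(prior) + sigma * pstdev(prior)
        month, count = series[i]
        if count > threshold:
            flagged.append((month, count, round(threshold, 2)))
    return flagged


def trend(series):
    """Least-squares slope of count against month index; positive means attacks are rising."""
    xs = range(len(series))
    ys = [c for _, c in series]
    xm, ym = mean(xs), mean(ys)
    num = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    den = sum((x - xm) ** 2 for x in xs)
    return num / den if den else 0.0


if __name__ == "__main__":
    series = attacks_per_month(INCIDENT_DATES)
    for month, count in series:
        print(month, count)
    print("trend (attacks per month per month):", round(trend(series), 2))
    for month, count, threshold in flag_anomalies(series):
        print("anomaly:", month, count, "above threshold", threshold)
```

Read together, the three outputs say more than any one of them: a steady monthly count with a positive slope points to growing adversary intent, while a single flagged month on a flat trend points to a burst worth investigating on its own.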
Practical Threat Analysis and Risk Assessment This part of the paper presents a practical threat analysis and risk assessment. Its purpose is to maximize protection of each of the three main pillars of security, namely confidentiality, integrity and availability, while preserving usability and functionality. Risk, for any organization or individual, is an interactive relationship between threat, asset and vulnerability. Different levels of risk can be represented as the product of impact and likelihood (probability).
Table 1: Example of a risk rating scale
Quantitative Measure | Qualitative Measure | Description
5 | High | A high level of risk can occur very often and can have a critical effect on the organization. Several measures will be needed to remedy a high risk.
4 | Medium High | A moderately high risk can occur and/or recur with high probability but may not persist for a long time. If it happens, it can have a significant or serious effect on the organization.
3 | Medium | A medium level risk is likely to occur in many circumstances, and if a medium level attack occurs, it can have moderate to severe effects on the organization.
2 | Low Medium | A low to medium risk is one where the organization would suffer a minor or moderate impact as a result of an attack. A low to medium risk may occur occasionally or may not occur at all, and can be easily corrected.
1 | Low | The risk is considered low when the probability of an attack against an entity is very low and the impact of the attack on the entity is negligible or minor. Low risks will never occur or occur very rarely, and can be easily corrected.
Figure 1: Represents a risk matrix that shows the different levels of risk.
Obviously, a vulnerability is a weakness of the system that can be exploited deliberately by an attacker or triggered inadvertently by someone within the organization. The probability of a vulnerability being exploited is primarily related to the intent of the attacker, his abilities, and the attacker's target. If a vulnerability is exploited, the impact on the organization can be expressed on a scale such as Negligible, Minor, Moderate, Important, Severe.
Table 2 below gives an example of a risk assessment architecture and explains several security vulnerabilities in the system that attackers could exploit to access customers' personal information. Each entry records the asset, threat, vulnerability, threat actor, threat vector, consequences, likelihood, impact and resulting risk.
Table 2: Example risk assessment

Asset: Customer personal details
Threat: Personal details can be easily viewed or manipulated.
Vulnerability: The database had no security policies in place, which made the sensitive data very accessible.
Threat actor: Hackers or a person within the organization (insider).
Threat vector: Access to the database via the web server or by SQL injection.
Consequences: All the personal information of employees, such as name, address and telephone number, can be viewed, used or even modified.
Likelihood: Possible (3/5)
Impact: Significant (4/5)
Risk: Medium High

Asset: Company website
Threat: The source code of the website can be modified by injecting malicious code that runs in the browser (cross-site scripting).
Vulnerability: Cross-site scripting is a kind of attack that can be performed on the website if security measures are not taken care of while developing the website.
Threat actor: Hackers or an insider.
Threat vector: Web pages.
Consequences: Malicious code can be injected into the web pages, which can give access to the web server and even to the database.
Likelihood: Very likely (5/5)
Impact: Severe (5/5)
Risk: High

Asset: Data controller's system
Threat: No intrusion detection system.
Vulnerability: A system with no proper security measures can be easily penetrated.
Threat actor: Hackers or an insider trying to get unauthorized access.
Threat vector: Backdoor created in the web server.
Consequences: Access to the data controller's system allows an attacker to execute privileged OS commands using a remote shell.
Likelihood: Very likely (5/5)
Impact: Severe (5/5)
Risk: High

Asset: Financial card details
Threat: Financial data stored incorrectly.
Vulnerability: Unencrypted card details stored in the database.
Threat actor: Hackers or an insider trying to get unauthorized access.
Threat vector: The source code of the website can be used to communicate directly with the database.
Consequences: The credit card details can be used to perform fraudulent transactions.
Likelihood: Very likely (5/5)
Impact: Severe (5/5)
Risk: High

Asset: Encryption key
Threat: The encryption key can be recovered by analysing the encryption algorithm.
Vulnerability: A simple encryption algorithm is used to form the encryption key.
Threat actor: Hackers or an insider.
Threat vector: Reverse engineering.
Consequences: If the private encryption key is compromised, all encrypted data is in a critical state and can be decrypted.
Likelihood: Possible (3/5)
Impact: Severe (5/5)
Risk: Medium High

Asset: CVV number
Threat: Storing CVV numbers in the database is a high risk.
Vulnerability: CVV numbers, if not encrypted, can be easily read by an attacker who interacts with the database.
Threat actor: Hackers or an insider.
Threat vector: The website source code can be used to query the database for CVV numbers.
Consequences: CVV numbers are a means of proving authentication in online transactions.
Likelihood: Very likely (5/5)
Impact: Severe (5/5)
Risk: High

Asset: X application server
Threat: Unpatched and out-of-date software and no intrusion detection system.
Vulnerability: Scripts can be uploaded to the server which, when executed, give remote administrative access to the server.
Threat actor: Hackers or an unauthorized insider.
Threat vector: Backdoors created on the server via a malicious script.
Consequences: Once administrative access to the server is obtained, it is possible to carry out various administrator activities and access the hosted web servers.
Likelihood: Likely (4/5)
Impact: Severe (5/5)
Risk: High

Asset: Database
Threat: Database injections and unmanaged data.
Vulnerability: Sensitive data in the database can be extremely vulnerable to SQL injection attacks and can be very inconsistent.
Threat actor: Hackers.
Threat vector: SQL injection.
Consequences: Sensitive data may be erased and/or stolen from the database and used fraudulently.
Likelihood: Likely (4/5)
Impact: Severe (5/5)
Risk: High
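The text states that risk is the product of impact and likelihood, Table 1 gives the five qualitative bands, Figure 1 is the matrix that maps a likelihood/impact pair to a band, and Table 2 applies it to eight assets. The Python script below is an added example, not the paper's own method: it scores a register on the two 1 to 5 scales, labels each score, and builds the 5x5 matrix. The band boundaries over the product (20 to 25 High, 12 to 19 Medium High, 9 to 11 Medium, 5 to 8 Low Medium, 1 to 4 Low) are an assumption chosen so that the four pairs that occur in Table 2 land on the labels Table 2 gives them; the paper does not state boundaries. The likelihood labels for levels 1 and 2 ("rare", "unlikely") are also assumed, since the page only uses Possible, Likely and Very likely.

```python
"""Risk = likelihood x impact on the 1-5 scales of Tables 1 and 2.

Added example, not from the paper. The band boundaries and the level 1-2
likelihood labels are assumptions chosen to reproduce Table 2's risk column.
"""

# Likelihood levels 3-5 are the ones Table 2 uses; "rare" and "unlikely" are assumed.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "very likely": 5}

# Impact scale from the prose (Negligible .. Severe); Table 2 says "Significant"
# where the prose says "Important", so both map to level 4.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3,
          "important": 4, "significant": 4, "severe": 5}

# Assumed bands over the product 1..25: (lower bound inclusive, Table 1 label).
RISK_BANDS = [(20, "High"), (12, "Medium High"), (9, "Medium"),
              (5, "Low Medium"), (1, "Low")]


def risk_score(likelihood, impact):
    """Product of the two levels, looked up case-insensitively by label."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_label(score):
    """Map a product score onto one of the five Table 1 bands."""
    for floor, label in RISK_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score {score} outside 1..25")


def assess(register):
    """Score (asset, likelihood, impact) rows; return them sorted by descending risk."""
    rows = []
    for asset, likelihood, impact in register:
        s = risk_score(likelihood, impact)
        rows.append((asset, likelihood, impact, s, risk_label(s)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def risk_matrix():
    """Figure 1 as a grid: rows are likelihood 5 down to 1, columns impact 1 to 5."""
    return [[risk_label(l * i) for i in range(1, 6)] for l in range(5, 0, -1)]


# Register taken from Table 2 (likelihood and impact as the table gives them).
TABLE_2 = [
    ("Customer personal details", "Possible", "Significant"),
    ("Company website", "Very likely", "Severe"),
    ("Data controller's system", "Very likely", "Severe"),
    ("Financial card details", "Very likely", "Severe"),
    ("Encryption key", "Possible", "Severe"),
    ("CVV number", "Very likely", "Severe"),
    ("X application server", "Likely", "Severe"),
    ("Database", "Likely", "Severe"),
]

if __name__ == "__main__":
    for asset, lk, im, score, label in assess(TABLE_2):
        print(f"{asset:28s} {lk:12s} {im:12s} {score:3d}  {label}")
    print()
    for l, row in zip(range(5, 0, -1), risk_matrix()):
        print(f"likelihood {l}: " + " | ".join(f"{c:12s}" for c in row))
```

Sorting the register by score gives the treatment order: with these inputs the four Very likely/Severe assets come first, then the two Likely/Severe ones, then the encryption key, then customer details. Whatever boundaries an organization adopts, they should be fixed before scoring starts so that the label cannot be adjusted to fit a desired outcome.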
Security Architecture
Figure 2: shows an example of security architecture for company during the time of the attack.
Security Recommendations The company should have put in place procedures and a robust security mechanism. It is essential that the employees of a company are trained and aware of the importance of data security within the organization. The attackers' knowledge of the application server software vulnerability, for which patches already existed, is indicative of the data controller's lack of knowledge regarding information security. Table 3 lists the security recommendations that could have prevented the attack.
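Several Table 2 entries share one vector: website source code that builds database queries from user input and so allows SQL injection. The Python snippet below is an added example, not code from the paper or the company: it puts the string-built query next to the parameterized one over a constructed in-memory SQLite table, so the difference a recommendation like "use parameter binding" makes can be seen directly. The schema, rows and email addresses are constructed for illustration.

```python
"""String-built versus parameterized query for the SQL injection vector in Table 2.

Added example, not the paper's or the company's code. The table, rows and
inputs are constructed; sqlite3 is used only because it ships with Python.
"""
import sqlite3


def setup():
    """Constructed customer table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers (email, name) VALUES (?, ?)", [
        ("alice@example.test", "Alice"),
        ("bob@example.test", "Bob"),
    ])
    return conn


def lookup_unsafe(conn, email):
    """The weakness Table 2 describes: input is spliced into the SQL text, so the
    input can change the structure of the query instead of acting as a value."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Parameter binding: the value travels separately from the SQL, so the same
    input is only ever compared as a literal email address."""
    sql = "SELECT name FROM customers WHERE email = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run both lookups with a benign address and with a constructed input that
    turns the unsafe WHERE clause into a tautology."""
    conn = setup()
    benign = "alice@example.test"
    tautology = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_tautology": lookup_unsafe(conn, tautology),
        "safe_benign": lookup_safe(conn, benign),
        "safe_tautology": lookup_safe(conn, tautology),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case:18s} -> {names}")
```

The unsafe version returns every customer for the tautology input, which is the data exposure Table 2 lists as the consequence; the parameterized version returns nothing for it, because no customer has that literal string as an email address. Binding parameters fixes the query layer; the encryption, patching and intrusion detection gaps in the other rows need their own controls.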
High level security diagram to prevent attacks
Motivation for the attack:
In 2016, cyberattacks caused $450 billion in damage to the global economy, and this number is expected to continue to increase in the coming years as more devices become connected. That is larger than well-known economies such as the United Arab Emirates (around $371 billion) or Norway (around $370 billion), so it is not surprising to see organizations allocating important resources and investing significant sums to strengthen their internal defenses and reduce the risk of threats. It is extremely important to understand why hackers hack and what the motives are behind these powerful cyberattacks. According to Radware, the reasons why hackers hack are:
Ransom (41%)
Insider threat (27%)
Political reasons (26%)
Competition (26%)
Cyberwar (24%)
Angry user (20%)
Motive unknown (11%)
In terms of numbers, ransom is one of the main objectives for around 41% of customers, while several other reasons (politics, competition and cyberwar) were evenly distributed. Verizon, in its 2017 report on data breaches, analyzes the motivations of hackers differently, using three broader categories: "Financial", "Espionage" and "Fun, Ideology". This is what cyberattacks look like over time: in practice, espionage appears to be on the rise. This matters, as more than 50% of hackers already come from organized crime groups and around 20% from state-affiliated actors. With espionage becoming a more widespread pattern over time, cyberattacks will continue to become more sophisticated, and specialized hacker teams will carry out an increasing share of attacks. Hackers attack for a multitude of different reasons. In addition, the actors and motivations behind hacking are gradually changing with time; nowadays, fewer cyberattacks have fixed motivations (fun, ideology, resentment). With more sophisticated, team-based attackers, it is not surprising that the cyber security sector is growing at an annual rate of around 9.5%. Usually, cyberattacks occur because criminals want your:
Detailed financial information of the company
Financial information of customers (e.g., credit card data)
Sensitive personal information
Email address information and login credentials of customers or staff
Customer database information
Customer list information
Information about the organization's IT infrastructure
IT services information (e.g., the ability to accept online payments)
Intellectual property information
Cyber-attacks against organizations are often motivated by financial gain. However, other motivations may include:
Making a social or political point (e.g., through activism)
Any type of spying (e.g., spying on competitors to gain an advantage)
Intellectual challenge (e.g., "white hat" hacking)
The essential point of this discussion is that cybersecurity threats do not always come from anonymous hackers or online crime groups. Vulnerabilities can also arise within your own business.
Types of cyber-attackers: insiders and outsiders Cyber-attackers generally fall into two categories: those who pose a risk from inside the organization and those who threaten your business from outside it.
Insiders
Anyone in-house with physical or remote access to the organization's assets who may expose it to cyber risk. For example:
Trusted employees who make mistakes by accident
Employees who neglect security policies and procedures
Discontented employees or former employees who want to hurt your business to please a competitor
Malicious insiders, who often have legitimate access to critical information and systems
Vendors, business partners, customers and contractors who have access to the organization's critical resources may also pose a risk.
Outsiders
External cyber security threats come from a variety of sources, including:
Well-organized criminals or criminal groups
Professional hackers, malicious or not
Amateur hackers, the so-called "script kiddies"
Whatever their source, cyber risks are best managed by understanding the range of motivations that may lead to attacks. It is also necessary to know where and how to report a cybercrime if one occurs in your organization.
Cyber criminals use highly targeted financial malware such as Carbanak, Dyre, Dridex, Rovnix and Shifu to steal funds directly from victims' bank accounts, or ransomware such as Cryptolocker and Tesla. Another for-profit attack is extortion by means of distributed denial of service (DDoS) attacks, which has been gaining popularity in recent years. Such attacks can also involve malware that targets point-of-sale systems. On the other hand, profit is not always the motive for cybercrime. For example, a private company that develops military technologies may be the target of industrial espionage. In this case, the attackers could be state-sponsored, or even for-profit criminal groups acting on behalf of a state or a corporation.
About Dawgen Global Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region. We are integrated as one regional firm and provide several professional services including: audit, accounting, tax, Information Technology, Risk, HR Solutions, Performance, M&A, corporate finance and other advisory services. Our Caribbean regional network covers Jamaica, Trinidad and Tobago, Bahamas, Bermuda, the Cayman Islands, the Eastern Caribbean (Barbados, Antigua, St Lucia, Grenada, and St Kitts & Nevis), the Netherlands Antilles (Bonaire, Curacao, and St Maarten), Aruba and the Turks and Caicos Islands. Our regional focus is to improve services to local, regional and international clients. Through our affiliation and membership in other global networks and associations, we offer a global perspective while maintaining our regional insight by seeking alternatives for you – we tap the power of both. Our multidisciplinary teams of professionals leverage a wealth of industry-tailored, practical approaches to help you discover opportunities for your business. Whether your organization is strong and healthy, under stress or facing difficult choices, we work with you to find financial, strategic and operational solutions that improve your liquidity, financial flexibility and stakeholder returns. We're here to help you build a sustainable business – in the short and long term. Contact Information: Regional Head Office: Dawgen Towers, 47-49 Trinidad Terrace, Kingston 5 | Jamaica Telephone: (876) 929-2518 | (876) 926-5210 | (876) 630-2011 | Fax: (876) 929-1300 Email: dawkins.brown@dawgen.com
Services External Audit Financial Reporting
International Tax Planning
Account Advisory
Sales Tax
Specialized Audits
Tax Planning
Tax
Audit
Risk
Governance ERM Internal Audit Compliance Technology Risk Fraud & Ethics
Advisory Performance
Transaction Services
Performance Advisory
Valuation Services
Revenue Enhancement
Restructuring & Insolvency
Operational Improvement
Forensic Services
Change Management
M&A Integration
www.dawgen.global info@dawgen.global Tel: 876-926 5210/876-6302011