How Black Lantern Security Approaches Threat Matrices and How We Are Improving Their Effectiveness within the Community
Why Our Customers Use Them
Threat matrices are an industry standard used to inform clients about the various adversarial attack scenarios they are at risk of encountering. These matrices contain various quantifiers including attacker capability, intent, etc. that are meant to give the client as much information as possible so that they might better allocate resources to prevent high impact incidents in the future. As part of our Risk Assessment offering, BLS provides a threat matrix that is based on the NIST standards detailed in their 800-30r1 publication. These recommendations are risk-based, prescriptive, and make the most efficient use of limited defensive resources.
For the purposes of conducting risk assessments and generating threat matrices, risk is derived from the likelihood and impact of one or more threat events. Impacts are typically described in terms of a loss of confidentiality, integrity, or availability (CIA) and can be readily mapped to material impacts on customers, employees, assets, physical infrastructure, and/or reputation.
Creating a Threat Matrix
A threat matrix event consists of multiple quantifiers. We present here a brief explanation of each quantifier followed by an attack scenario consisting of three events.
Capability, Intent, and Targeting
These three attributes are specific to the attacker. Attackers can be a nation state, skiddy, or something else entirely.
Relevance
Relevance describes how applicable an event is to the target organization. For example, if this is something they have already experienced and defended against in the past, then Relevance is “Confirmed”. Alternatively, it may signify that competitors within the same sector have experienced the event, in which case it is “Expected”.
Likelihood for Attack Initiation and Likelihood for Adverse Impact
The likelihood for attack initiation is a measure that is based on available evidence, experience and judgement. Attack initiation likelihood should consider attacker capability, intent, and targeting factors. As an example, the likelihood that an attacker will INITIATE a SQL injection attack against a public-facing web application might be high.
Adverse impact likelihood is also formulated based on attacker capability, intent, and targeting. However, it also considers the defensive posture of the organization. For example, even though an organization is likely to see SQL injection attacks against a public-facing web application, a robust vulnerability management program and a properly configured web application firewall can decrease the likelihood of adverse impacts.
The likelihood for attack initiation and the likelihood for adverse impact combine to form the “Overall Likelihood” value.
Vulnerability Severity and Pervasiveness of Predisposing Conditions
These factors, while separate, are given in the NIST template as a single derived value. BLS elected to keep them separate because they carry distinct meanings that would otherwise be lost. Vulnerability severity deals with issues discovered during an assessment that can be corrected through configuration changes or remediation, whereas predisposing conditions may be more difficult to mitigate or change. Calling these out separately allows a customer to focus their actions more effectively.
Vulnerability severity is assigned to any finding that the assessing body discovers over the course of the assessment. Findings include vulnerabilities within the organizational structure, a business process, and/or information systems. For example, the wire transfer process may lack a two-person integrity (TPI) check. Alternatively, a web form may not properly sanitize user input. BLSOPS mirrors the CVSS 3.0 scoring system when assigning a value.
The pervasiveness of a predisposing condition is derived by assigning a weight to an observed condition that contributes to an event taking place. A predisposing condition may be informational, technical, or operational/environmental in nature. The value is determined by how deeply intertwined the organization is with the observed condition. For example, a datacenter may be located on the Gulf Coast, which is predisposed to hurricanes in the summer and early fall.
Impact
The value for impact is formed by considering the depth to which the event affects the assessed organization. Depth ranges from multiple severe adverse effects to negligible effect.
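The quantifiers above are combined in two steps: initiation likelihood and adverse-impact likelihood give an overall likelihood, and overall likelihood together with impact gives the risk level. The following is an added example, not code from this post or from Enter_The_Matrix, that shows one way to carry out that combination. The two lookup tables are reproduced from the qualitative combination tables in NIST SP 800-30r1 (Appendix G, Table G-5 and Appendix I, Table I-2) as I recall them and should be checked against the publication; the CVSS 3.0 qualitative bands are the published ones; the events, their ratings, and the "roll a scenario up to its worst event" rule are constructed for illustration and are not BLS's method.

```python
"""Combine NIST SP 800-30r1 style qualitative ratings into overall likelihood and risk.

Added example; not code from the Black Lantern Security post or from Enter_The_Matrix.
The lookup tables reproduce SP 800-30r1 Tables G-5 and I-2 from memory (verify before
relying on them). Event data below is constructed from the examples in the post.
"""
from dataclasses import dataclass

# Ordinal scale used throughout SP 800-30r1 for qualitative values.
SCALE = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table G-5: overall likelihood from likelihood of initiation (rows) and
# likelihood that an initiated event results in adverse impact (columns, in SCALE order).
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Table I-2: level of risk from overall likelihood (rows) and level of impact (columns).
RISK = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def _check(value):
    """Reject ratings outside the five-point scale so a typo cannot silently skew a matrix."""
    if value not in SCALE:
        raise ValueError(f"{value!r} is not one of {SCALE}")
    return value


def overall_likelihood(initiation, adverse_impact):
    """Table G-5 lookup: initiation likelihood x adverse-impact likelihood."""
    return OVERALL_LIKELIHOOD[_check(initiation)][SCALE.index(_check(adverse_impact))]


def risk_level(likelihood, impact):
    """Table I-2 lookup: overall likelihood x level of impact."""
    return RISK[_check(likelihood)][SCALE.index(_check(impact))]


def cvss_severity(score):
    """Qualitative rating for a CVSS v3.0 base score (the post says BLS mirrors CVSS 3.0)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class ThreatEvent:
    name: str
    initiation: str      # likelihood of attack initiation (or occurrence, for non-adversarial events)
    adverse_impact: str  # likelihood an initiated event results in adverse impact
    impact: str          # level of impact

    def score(self):
        """Return (overall likelihood, risk) for this event."""
        ol = overall_likelihood(self.initiation, self.adverse_impact)
        return ol, risk_level(ol, self.impact)


def scenario_risk(events):
    """Roll a scenario up to its highest-risk event (a conservative rule chosen here, not NIST's)."""
    return max((ev.score()[1] for ev in events), key=SCALE.index)


# Constructed events reusing the examples given in the post. Ratings are illustrative only.
EVENTS = [
    ThreatEvent("SQL injection against public-facing web app (WAF and vuln mgmt in place)",
                initiation="High", adverse_impact="Low", impact="High"),
    ThreatEvent("Wire transfer without two-person integrity check",
                initiation="Moderate", adverse_impact="High", impact="Very High"),
    # Non-adversarial event; treated with the same tables here for simplicity.
    ThreatEvent("Hurricane affects Gulf Coast datacenter",
                initiation="Moderate", adverse_impact="Moderate", impact="High"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        ol, r = ev.score()
        print(f"{ev.name}: overall likelihood={ol}, risk={r}")
    print("Scenario risk:", scenario_risk(EVENTS))
```

The SQL injection event illustrates the point made above: a High initiation likelihood paired with a Low adverse-impact likelihood (because of the WAF and vulnerability management program) lands at Moderate overall likelihood and Moderate risk, while the wire-transfer event, initiated less often but far more likely to succeed and with a Very High impact, comes out at High risk.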
Phishing to Domain Admin Compromise
Example three-step attack scenario:
Where Threat Matrices Sometimes Fall Short
While threat matrices have been widely adopted within the security industry, they have not come without criticism. Most notably, the quantifier values used in a threat matrix are left up to the organization conducting the assessment. There is very little guidance on how to apply these values in a meaningful and consistent way. For example, Organization A and Organization B may both believe that they are most likely to be the target of an opportunistic attacker. However, Org A has decided that an opportunistic attacker has a Capability factor of 5 while Org B believes an opportunistic attacker has a Capability factor of 6. The disparity in data creates divides between the information provided by different organizations and lessens the community’s ability to give clients comparable and actionable information.
Taking this a step further, replace Organizations A and B with two different teams working within the same organization. Depending on the individual executing this stage of reporting, different interpretations may be applied. As a result, clients are provided inconsistent data year over year.
How BLS is Fixing Things
For the Organization
Enter_The_Matrix (ETM) v1.0 is being released to help organizations address these issues. To tackle inconsistencies in analyzing adversarial attack scenarios and their associated risk, ETM provides attacker event templates; one or more events make up a scenario. Attacker event templates also provide a long-term vehicle for tracking the quantifiers of each event in a scenario. As the threats to an organization evolve over time, the attacker event templates can be modified accordingly.
For the Community
In addition to providing a platform for the creation and management of attacker event templates, ETM allows for the export and import of JSON formatted event template sets. This gives the community the opportunity to collaborate and provide their template sets to the public. Through the public arena we can all come to a consensus on what threat actor quantifiers should be so that the industry can provide defenders with more accurate and actionable information.
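Sharing template sets as JSON makes the inconsistency problem described under “Where Threat Matrices Sometimes Fall Short” measurable: once several contributions for the same event are in hand, the community can compute a consensus value for each quantifier and see who deviates from it. The following is an added example, not Enter_The_Matrix code, showing that import-and-compare step. The template schema (a top-level `templates` list whose entries carry `name`, `attack_id`, and integer `capability`, `intent`, and `targeting` on an assumed 0-10 scale) is invented for illustration; ETM’s real export format may differ. The three “organizations” and their values are constructed to mirror the Org A / Org B example above.

```python
"""Import JSON-formatted attacker event template sets and compute quantifier consensus.

Added example; not Enter_The_Matrix code. The JSON schema and the 0-10 quantifier
scale are assumptions for illustration, and all template sets below are constructed.
"""
import json
import re
from statistics import median

# ATT&CK technique IDs look like T1566 or, for sub-techniques, T1566.001.
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
QUANTIFIERS = ("capability", "intent", "targeting")


def load_template_set(text, source):
    """Parse one exported template set (assumed schema) and validate the fields consensus depends on."""
    data = json.loads(text)
    templates = {}
    for t in data["templates"]:
        name = t.get("name", "<unnamed>")
        if not ATTACK_ID.match(str(t.get("attack_id", ""))):
            raise ValueError(f"{name!r} has a malformed ATT&CK ID {t.get('attack_id')!r}")
        for q in QUANTIFIERS:
            v = t.get(q)
            # type() rather than isinstance() so True/False are not accepted as 1/0.
            if type(v) is not int or not 0 <= v <= 10:
                raise ValueError(f"{name!r} {q}={v!r} is outside the assumed 0-10 scale")
        templates[name] = {"attack_id": t["attack_id"], **{q: t[q] for q in QUANTIFIERS}}
    return templates


def import_template_sets(raw_sets):
    """Load every contributed set; malformed contributions are reported, never silently merged."""
    loaded, errors = {}, []
    for source, text in raw_sets.items():
        try:
            loaded[source] = load_template_set(text, source)
        except (ValueError, KeyError, json.JSONDecodeError) as exc:
            errors.append(f"{source}: {exc}")
    return loaded, errors


def consensus(sets, tolerance=1):
    """Per event: median of each quantifier across contributors, plus contributors deviating by more than `tolerance`."""
    names = set().union(*(s.keys() for s in sets.values()))
    result = {}
    for name in sorted(names):
        contributions = {src: s[name] for src, s in sets.items() if name in s}
        entry = {"contributors": sorted(contributions)}
        for q in QUANTIFIERS:
            med = median(c[q] for c in contributions.values())
            entry[q] = med
            entry[f"{q}_outliers"] = sorted(
                src for src, c in contributions.items() if abs(c[q] - med) > tolerance
            )
        result[name] = entry
    return result


# Constructed template sets mirroring the Org A / Org B capability disagreement in the post.
TEMPLATE_SETS = {
    "Org A": json.dumps({"templates": [
        {"name": "Opportunistic phishing", "attack_id": "T1566", "capability": 5, "intent": 7, "targeting": 6},
        {"name": "Exploit public-facing application", "attack_id": "T1190", "capability": 6, "intent": 6, "targeting": 8},
    ]}),
    "Org B": json.dumps({"templates": [
        {"name": "Opportunistic phishing", "attack_id": "T1566", "capability": 6, "intent": 7, "targeting": 6},
        {"name": "Exploit public-facing application", "attack_id": "T1190", "capability": 6, "intent": 5, "targeting": 8},
    ]}),
    "Org C": json.dumps({"templates": [
        {"name": "Opportunistic phishing", "attack_id": "T1566", "capability": 9, "intent": 7, "targeting": 4},
    ]}),
}

# A constructed malformed contribution: the ATT&CK ID lacks its "T" prefix.
MALFORMED_SET = json.dumps({"templates": [
    {"name": "Opportunistic phishing", "attack_id": "1566", "capability": 5, "intent": 5, "targeting": 5},
]})

if __name__ == "__main__":
    sets, errors = import_template_sets({**TEMPLATE_SETS, "Org D": MALFORMED_SET})
    for err in errors:
        print("rejected:", err)
    for name, entry in consensus(sets).items():
        print(name, entry)
```

Rejecting a malformed set outright, rather than dropping the bad entry and merging the rest, keeps a contributor from unknowingly publishing a partial template set; the consensus report then shows the median as the community value and lists who sits more than one point away from it, which is the conversation-starter the post is after.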
Bells and Whistles
Having begun to address the most glaring issues, BLS decided to include some niceties too.
Included in each event configuration is the option to assign a MITRE ATT&CK ID to each event. The ATT&CK IDs are kept up to date as MITRE adds/removes/edits items from its database and include TTPs from the Enterprise, Mobile, and ICS collections. Users can get more information about the TTPs via helper icons that bring the user to the relevant online resource.
Attack Scenario Graphs
Once an attack scenario has been created, a directed threat graph can be generated automatically from the user inputs. Threat graphs provide a high-level illustration of what occurs in that particular scenario. The graphs use an icon set that conveys what is happening in each event, as well as color-coded edges illustrating the risk level associated with each event. Graphs can be easily exported for inclusion in presentations and reports.
When an assessment is complete, and you’ve created all the attack scenarios you’d like to convey to your client, you may generate one or more threat trees. Threat trees encompass and illustrate all of the possible attack paths for that assessment. ETM pulls the MITRE ATT&CK IDs from each of the attack scenarios and stitches them together to show all routes to potential compromise in a single viewgraph. These graphs are feature rich, allowing you to create custom categories, colors, fonts, node shapes, edge styles, and graph distribution.
ETM allows your organization to export the resulting threat matrices in two ways. The first option is a living spreadsheet (XLSX) that is meant to be used by the client blue team as they improve their security posture. Changing values within the spreadsheet automatically updates the calculated values (Overall Likelihood of Attack, Overall Risk) as well as the color coding. These spreadsheets follow the template suggested in the NIST 800-30r1 publication but have been modified to include the MITRE ATT&CK framework. The MITRE ATT&CK IDs present within the spreadsheet are hyperlinked to give the defender immediate access to detailed information about the TTP on the MITRE ATT&CK website. The second option is intended for those who like to hold reports in hand. The threat matrix is formatted in a tabular design and paginated in a way that is suitable for printing to paper or PDF.
Enter the Matrix, https://github.com/blacklanternsecurity/enter_the_matrix
MITRE ATT&CK, https://attack.mitre.org/
ATT&CK For ICS, https://collaborate.mitre.org/attackics/index.php/Overview
NIST 800-30r1, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf