Threat Management: Concepts and Examples

Threat Management helps organizations manage risks and comply with industry standards and regulations. It includes identifying threats, formulating strategies and developing mitigation measures. Various frameworks and standards are designed for managing an organization’s security posture. This article discusses threat management concepts and provides examples of their applications.

Zero-day

Zero-day vulnerabilities refer to software flaws unknown to the developers. For example, security researchers analyze the Chrome web browser for vulnerabilities. The results will be shared with Chrome developers if there are any findings. However, a zero-day vulnerability is one that has just been discovered and has not yet been patched.

Zero-day exploits refer to taking advantage of zero-day vulnerabilities for malicious reasons. A hacker may build an attack tool by exploiting a zero-day vulnerability. Metasploit is an example of where people can find vulnerabilities and attack methods in software.

Zero-day attacks mean leveraging a zero-day exploit to perform a cyber attack. When a hacker discovers a zero-day vulnerability and performs an attack using Metasploit, the act is seen as a zero-day attack.

Attack Vector and Surface

Attack Vector refers to an attacker’s pathway to breach a system. An attacker may first attempt to perform a phishing attack. Assuming an employee installed a piece of malware on the computer upon receiving malicious software provided by the attacker, a new attack surface becomes available for the attacker. The attacker can then access other endpoints which were not previously available. The entire attack path is referred to as the attack vector.

Examples of Attack Vectors include #1) Phishing, #2) Malware, #3) Man-in-the-middle Attacks and #4) Social Engineering.

Attack Surface means all the points of entry through which an attacker can try to breach a system. An attacker may look for wireless access points, workstations and employee login portals to gain unauthorized access to a system. Attack surface also refers to scenarios where there is a change in user privilege. For example, a login portal for a user to change to an administrator role can be a point of entry. It is included in an attack surface because attackers may seek methods to escalate the privilege by exploiting it.

Examples of Attack Surface include #1) User Account, #2) Web Application (Portals), #3) Mobile Devices, #4) Software Vulnerabilities and #5) Cloud Devices.

Threats

Threats in the cyber security context mean any potential attack that attempts to access data without authorization or cause disruption. There are four categories of threats: #1) Adversarial, #2) Accidental, #3) Structural and #4) Environmental.

For Adversarial threats, individuals attempt to exploit an organization’s cyber resources. Accidental threats are erroneous actions performed by employees in their day-to-day activities. Structural threats are related to the failure of IT infrastructure, such as the lack of storage space. Environmental threats are usually outside an organization’s control, as they can result from a natural disaster or power outage.

One of the most common formulas for calculating risk:

Risk = Threat * Vulnerability * Consequence/Impact

Threat: Occurrence of a harmful event (e.g., malicious hacking attempts)
Vulnerability: Weakness in a system (e.g., misconfigured firewall)

Cybersecurity Policy Documents

Good cybersecurity policy documents help protect the assets of an organization. Different accredited organizations provide templates for companies to follow when drafting a policy document. SANS is one organization that provides a range of security policy templates. A comprehensive security policy document typically includes the following characteristics.

Relevance: the document should accommodate the day-to-day business of an organization.

Inclusive: all relevant parties should be included when drafting the policy document.

Accessible: the policies shall be communicated to all relevant parties. The document should be easy-to-access and available to employees.

Endorsed: The management needs to support the policy, so that it can be implemented across the organization.

Enforceable: The policy shall have statutory status, which means it is in effect.

Adaptable: A good security policy shall adapt to the changing needs and trends to be effective.

There are exceptional cases where business processes may not be able to comply with cybersecurity policy documents. Therefore, policy exception processes should be created to provide a set of procedures to handle exception requests. Exception processes often include stages such as exception triggers, evaluation of consequences, and decision-making. Finally, the program shall be optimized by considering the possibility of adding common exception requests to policy documents.

Security Information & Event Management (SIEM)

SIEM helps organizations detect and respond to threats by collecting and analyzing data across different systems. Modern SIEM tools such as Splunk and Graylog offer various functionalities to facilitate event monitoring and response.

Common characteristics of next-gen SIEM software

Real-time monitoring: Events should be analyzed in real-time so that SOC analysts can quickly respond to security issues and alerts.

Incident response: Security analysts shall be able to set up pre-defined rules to manage potential breaches. For example, blocking a malicious IP when the threshold has been exceeded. Automating incident response helps minimize recovery time and cost.

User monitoring: Compliance reporting is a critical element in SIEM software. Organizations should monitor user behaviour and store audit trails to comply with regulations.

Advanced analytics: Analytical reports should be generated to help system administrators make sense of the data collected. As an example, dashboards shall be created to display events based on criticality.

Common Log Files in a Linux System

HTTP/web server request logs: /var/log/httpd, /var/log/apache, /var/log/nginx

Cron job logs: /var/log/cron, /var/log/syslog

Linux security event logs: /var/log/auth.log, /var/log/secure

Kernel event logs: /var/log/kern
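
The threshold rule described under incident response, applied to the security log listed above (an added example, not part of the original article): it counts failed SSH logins per source address inside a sliding window and reports the addresses that reach the threshold. The log lines are constructed, and the threshold, window and year defaults are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the sshd format found in /var/log/auth.log.
# Addresses come from the documentation ranges (RFC 5737).
SAMPLE_AUTH_LOG = """\
Mar 10 09:15:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 09:15:04 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Mar 10 09:15:09 web01 sshd[2104]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
Mar 10 09:15:11 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar 10 09:15:30 web01 sshd[2110]: Failed password for bob from 198.51.100.20 port 51600 ssh2
Mar 10 09:15:42 web01 sshd[2113]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar 10 09:40:00 web01 sshd[2200]: Failed password for bob from 198.51.100.20 port 51700 ssh2
Mar 10 10:05:00 web01 sshd[2300]: Failed password for bob from 198.51.100.20 port 51800 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def ips_over_threshold(log_text, threshold=3, window=timedelta(minutes=5), year=2024):
    """Return {ip: peak failure count inside any window} for IPs reaching threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one (assumption)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # shrink the window from the left until it spans at most `window`
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, count in ips_over_threshold(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failed logins within 5 minutes, candidate for blocking")
```

The second address also has three failures in the sample, but they are spread over 50 minutes, so a windowed rule does not flag it while a plain total would.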

STRIDE

There are six principles for the STRIDE framework, including Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

S: Spoofing – User authentication should be performed to access resources.

T: Tampering – Related to the data integrity of the CIA triad.

R: Repudiation – The initiator of a request should not be able to deny the action performed.

I: Information Disclosure – Corporate secrets shall be kept safe from a competitor or malicious actor. (i.e., Confidentiality)

D: Denial of Service – Attackers may try to perform a distributed denial of service (DDoS) attack to affect the availability of a service.

E: Elevation of Privileges – Attackers often find ways to escalate a user privilege to gain control of a system.

The Bell-LaPadula and Biba Model

The Bell-LaPadula Model recommends granting access on a strictly need-to-know basis. For example, a person authorized to read documents classified as “Confidential” may not read “Top Secret” documents. This is also known as the no-read-up principle, where a user with a lower security level should not be allowed to read documents assigned with a higher security level. On the other hand, a person with “Top Secret” access rights can read down to documents with “Confidential” access rights. However, they cannot write information to a lower security level, known as no-write-down (*-property). The Bell-LaPadula Model helps achieve Confidentiality.

The Biba Model is related to the segregation of duties. A subject is only given access to information necessary for his/her job, known as no-read-down. It enforces role-based access control. Besides, it also enforces no-write-up (*-property). The Biba Model helps achieve Integrity.
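
The four rules above written as access checks (an added example, not part of the original article). The level ordering, the two extra levels and the request trace are assumptions made for illustration; for Biba the same levels are read as integrity levels.

```python
from enum import IntEnum

class Level(IntEnum):
    # The article names Confidential and Top Secret; the other two levels and
    # the ordering are assumptions added for this example.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def blp_allows(subject, obj, action):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action: {action}")

def biba_allows(subject, obj, action):
    """Biba (integrity): no read down, no write up."""
    if action == "read":
        return subject <= obj
    if action == "write":
        return subject >= obj
    raise ValueError(f"unknown action: {action}")

def audit(trace, policy):
    """Return the requests in trace that the given policy denies, in order."""
    return [req for req in trace if not policy(req[1], req[3], req[2])]

# Constructed trace: (who, subject level, action, object level)
TRACE = [
    ("analyst", Level.CONFIDENTIAL, "read", Level.TOP_SECRET),    # read up
    ("analyst", Level.CONFIDENTIAL, "write", Level.TOP_SECRET),   # write up
    ("officer", Level.TOP_SECRET, "read", Level.CONFIDENTIAL),    # read down
    ("officer", Level.TOP_SECRET, "write", Level.CONFIDENTIAL),   # write down
    ("officer", Level.TOP_SECRET, "read", Level.TOP_SECRET),      # same level
]

if __name__ == "__main__":
    for name, policy in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        for who, s, action, o in audit(TRACE, policy):
            print(f"{name}: deny {who} ({s.name}) {action} {o.name}")
```

Each model denies exactly the two requests the other allows, and both allow same-level access.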

Computer Security Incident Response Team (CSIRT)

CSIRT is a term referring to the handling of security incidents. Different stages are described in CSIRT, which are summarized in the following table.

| # | Stage | Explanation | Examples |
|---|-------|-------------|----------|
| 1 | Preparation | Steps taken before an incident occurs | Conduct employee training |
| 2 | Identification / Detection | Analyze events to determine whether there is a security impact | Analyze system logs |
| 3 | Containment / Response | Interact with affected system(s) and perform damage controls | Isolate traffic |
| 4 | Eradication / Mitigation | Understand the cause of an incident | Perform a root cause analysis; Remove malware |
| 5 | Recovery | Restore a system to operational status | Bring the system online |
| 6 | Lessons Learned | Document what is learnt from the incident | Provide an incident report to the management |

Cyber Kill Chain

Cyber Kill Chain refers to a framework describing the steps of a cyber attack. It covers areas from the Reconnaissance stage to the Actions on Objectives stage (a.k.a. the exfiltration of data). The following table summarizes the 7 stages described in the Cyber Kill Chain framework.

| # | Stage | Explanation | Examples |
|---|-------|-------------|----------|
| 1 | Reconnaissance | Conduct research on a potential target | Collect email addresses of corporate employees; Perform nmap network scanning to identify a point of entry |
| 2 | Weaponization | Craft an attack method which exploits vulnerabilities of the target | Look for vulnerabilities in an old Apache web server. |
| 3 | Delivery | Deliver a malicious payload to the target system | Deliver malicious software through phishing emails and USB devices. |
| 4 | Exploitation | Gain entry to the system by utilizing the payload. Execute code remotely through a vulnerability in the victim’s system | Perform remote code execution by triggering a vulnerability in an Apache web server. |
| 5 | Installation | Install a backdoor to obtain persistent access to the victim’s system | Install a backdoor / a key logging tool on the victim’s computer. |
| 6 | Command and control | Escalate system privileges and establish a communication channel between the backdoor and an outside system. | Configure a cron job to run the backdoor with administrative privilege. Let it communicate with an outside server regularly. |
| 7 | Actions on objectives | Achieve the objectives of the attack. | Obtain confidential information on the victim’s computer. |

Threat Identifiers

There are different methods to identify cybersecurity threats. Industry-standard threat identifiers are summarized below.

| # | Abbreviation | Full Name | Example | Characteristics |
|---|--------------|-----------|---------|-----------------|
| 1 | CVE | Common Vulnerabilities and Exposures | CVE-YYYY-####; CVE-2021-26855 (Vulnerability in Microsoft Exchange Server) | One CVE should be addressed independently. Fixing one CVE should not require fixing another CVE; The vendor must have acknowledged the threat; The threat must be proven; Every product gets a CVE, even if a shared codebase is used between different vendors |
| 2 | NVD | National Vulnerability Database | An article published in the NVD stated a Cisco IOS vulnerability and how to remediate it | Maintained by NIST; Include CVSS; Provide remediation methods / recommendations |
| 3 | CWE | Common Weakness Enumeration | CWE-119: Improper Restriction of Operations… | Focus on software vulnerabilities |
| 4 | CAPEC | Common Attack Pattern Enumeration and Classification | CAPEC-163: XML injection | Maintained by MITRE; Focus on the Top 10 software vulnerabilities; Describes common attack patterns, insecure coding practices and their potential impacts; Provides recommendations on improving coding practices |
| 5 | ATT&CK | Adversarial, Tactics, Techniques and Common Knowledge | Stage 1: Execution (User Execution); Stage 3: Privilege Escalation (Create or Modify System Processes, Schedule Task/Job); Stage 9: Command and Control (Proxy, Remote Access Software) | Maintained by MITRE; Focus on Top 10 software vulnerabilities; Describes common attack patterns, insecure coding practices and their potential impacts; Provides recommendations on improving coding practices |
| 6 | CPE | Common Platform Enumeration | cpe:/o:microsoft:windows_vista::sp1 | Maintained by MITRE; Summarized in a matrix which involves 11 categories; Focus on tactics used by threat actors in cyber attacks; Primarily related to system and network threats |
| 7 | CCE | Common Configuration Enumeration | CCE-215: Weak Password Policy | Provide a standardized way to describe issues related to system configuration |
| 8 | CVSS | Common Vulnerability Scoring System | CVSS 9.1: CVE-2021-26855; Critical CVSS: 9-10; High CVSS: 7-8.9; Medium CVSS: 4-6.9; Low CVSS: 0.1-3.9 | CVSS prioritizes CVEs with a scoring system; Include three groups, namely Base Metric, Temporal, and Environmental. |

CVSS Scoring Components

Components of the CVSS scoring system include the following groups. They are used to calculate the final CVSS score.

| # | CVSS Metric Group | Description |
|---|-------------------|-------------|
| 1 | Base | Base Metric Group is used to calculate the initial score of CVSS. It can be subdivided into two categories: #1) Exploitability: Privilege Required, Attack Vector (Malware, Network Intrusion, Password Cracking, etc.); #2) Impact: How the vulnerability impacts Confidentiality, Integrity and Availability (CIA). |
| 2 | Temporal | The temporal metric group changes CVSS scores as additional information, patches and remediation strategies become available. |
| 3 | Environmental | Allow organizations to adjust the CVSS scores based on their existing corporate environment. Factors influencing environmental metrics also include CIA. |

Threat Modelling

Threat modelling identifies potential risks and assesses their impacts from the point of view of an organization. Through threat modelling, the management and security professionals can better understand the organization’s security posture and implement security controls for mitigating such threats.

| Area | Examples |
|------|----------|
| Frameworks | STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege); PASTA (Process for Attack Simulation and Threat Analysis) |
| Considerations | Adversary Capabilities (Study common resources used by threat actors); Attack Surface; Attack Vector |

Threat Hunting

Threat hunting actively searches for threats within an organization which may otherwise go unnoticed by conventional security devices. The threat-hunting processes typically involve establishing a hypothesis and profiling threat actors.

| Process | Examples |
|---------|----------|
| Establish a hypothesis | Think about the systems which an attacker most likely targets; Look at the most valuable assets of an organization. |
| Profile threat actors | Think about how an attacker will likely perform an attack (attack vectors); Guess the objectives of threat actors. |

Threat Intelligence

Threat Intelligence refers to the practice of collecting and analyzing data. Threat Intelligence tools can identify and manage cyber threats. They can be divided into four categories.

| # | Threat Intelligence Category | Examples |
|---|------------------------------|----------|
| 1 | Strategic Intel | Budget review for planning future IT equipment purchases; Annual risk assessment carried out by external auditors for management review |
| 2 | Technical Intel | CIS Hardening, Configuration Guidelines for best practices |
| 3 | Tactical Intel | SIEM (Splunk, Graylog) for real-time event monitoring |
| 4 | Operational Intel | Business Intelligence Software (SAP, Workday) for anomaly detection |

Reconnaissance

Reconnaissance refers to the techniques employed by attackers to gather information about their attack targets. Reconnaissance methods can be divided into Active and Passive categories.

| # | Category | Examples |
|---|----------|----------|
| 1 | Active Reconnaissance | Port Scanning; Vulnerability Scanning |
| 2 | Passive Reconnaissance | Social Engineering; Using OSINT to craft an attack (weaponization) |

PowerShell and SCHTASKS Commands

PowerShell commands are commonly used by attackers to deliver payloads to Windows-based operating systems and perform fileless attacks by executing malicious code in memory. Commands like SCHTASKS (Schedule Tasks) can be used by an attacker in a PowerShell attack to schedule automated task execution based on criteria such as time and conditions, making an attack more sophisticated and repeatable.

SCHTASKS

| # | Command | Explanation |
|---|---------|-------------|
| 1 | Set-MpPreference | Perform configuration on Windows Defender |
| 2 | exec bypass | Bypass the default security policy set by PowerShell. Execute an unsafe command. |
| 3 | RU | /RU means “run as”. /RU “SYSTEM” means run the command as a System user. |
| 4 | SCHTASKS /CREATE | /CREATE means create a new scheduled task |
| 5 | SCHTASKS /TN | /TN stands for taskname. Specify the name for the scheduled task. Example: /TN Scheduled-Task-1 |
| 6 | SCHTASKS /TR | /TR stands for the filepath. Specify the task path for retrieving the information. Example: /TR C:\Windows\System32\notepad.exe |
| 7 | SCHTASKS /SC | /SC stands for schedule. There are multiple attributes related to /SC. They can be: /SC MINUTE, /SC HOURLY, /SC DAILY, /SC WEEKLY, /SC ONCE, /SC ONSTART, /SC ONLOGON, /SC ONIDLE, /SC MONTHLY 1-12, and /SC ONEVENT, meaning to run the task when an event happens. An event can be a Windows Event Log event. |
| 8 | SCHTASKS /MO | /MO stands for modifier. Example: /MO *[System/EventID=101] means that a task made with SCHTASKS will be triggered whenever a System Event with EventID 101 is generated in Windows Event Log. |
| 9 | SCHTASKS /EC | /EC specifies the channel of events in Windows Event Log for triggering a task set with the /SC ONEVENT parameter. Example: /EC System /MO *[System/EventID=101] only looks at the System Channel within Windows Event Log. |
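
For defenders, the switches in the table are useful as review criteria for process command lines. The following added example (not part of the original article) parses SCHTASKS /CREATE command lines and lists the reasons a task deserves analyst review; the sample command lines, task names, file paths and the choice of watched triggers are constructed assumptions.

```python
import re

# Switches from the table above that are followed by a value.
VALUE_SWITCHES = {"/RU", "/TN", "/TR", "/SC", "/MO", "/EC"}
# Which triggers are worth a second look is a tuning choice made for this example.
WATCHED_TRIGGERS = {"ONEVENT", "ONSTART", "ONLOGON"}

def parse_schtasks(cmdline):
    """Return {switch: value} for a SCHTASKS /CREATE command line, else None."""
    # Keep double-quoted arguments together, then drop the quotes.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or not re.search(r"(^|\\)schtasks(\.exe)?$", tokens[0], re.I):
        return None
    upper = [t.upper() for t in tokens]
    if "/CREATE" not in upper:
        return None
    return {sw: tokens[i + 1] for i, sw in enumerate(upper[:-1]) if sw in VALUE_SWITCHES}

def review(cmdline):
    """List the reasons a scheduled-task creation deserves analyst review."""
    opts = parse_schtasks(cmdline)
    if opts is None:
        return []
    reasons = []
    if opts.get("/RU", "").upper() == "SYSTEM":
        reasons.append("runs as SYSTEM")
    trigger = opts.get("/SC", "").upper()
    if trigger in WATCHED_TRIGGERS:
        reasons.append(f"trigger {trigger}")
    action = opts.get("/TR", "")
    # PowerShell accepts abbreviated parameter names such as -ep, -ex and -exec.
    if re.search(r"-(ep|ex\w*)\s+bypass", action, re.I):
        reasons.append("PowerShell execution policy bypass")
    if "set-mppreference" in action.lower():
        reasons.append("changes Windows Defender settings")
    return reasons

# Constructed command lines, as they might appear in process-creation logs.
SAMPLES = [
    r'schtasks /CREATE /TN Scheduled-Task-1 /TR C:\Windows\System32\notepad.exe /SC DAILY',
    r'schtasks.exe /create /tn Updater /tr "powershell.exe -exec bypass -File C:\Temp\job.ps1" '
    r'/sc onevent /ec System /mo *[System/EventID=101] /ru "SYSTEM"',
    r'C:\Windows\System32\schtasks.exe /CREATE /TN Tweak /TR "powershell Set-MpPreference" /SC ONLOGON',
    r'notepad.exe C:\notes.txt',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(review(cmd) or "no findings", "<-", cmd)
```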

Configure Active Directory

| Objective | PowerShell Command |
|-----------|--------------------|
| Configure AD Password for a user | Set-ADAccountPassword -Reset -newPassword |
| Force a user to change their password at logon | Set-ADUser -ChangePasswordAtLogon |

Types of Cybersecurity Frameworks

Cybersecurity frameworks can be separated into different functions, including Control, Program and Risk.

| Frameworks | Function | Examples |
|------------|----------|----------|
| Control | Provides a structured and detailed approach for implementing and managing security controls. (e.g. procedures and guidelines) | CIS; PCI-DSS; ISO 27002 (Cybersecurity Control Implementation); NIST 800-53 (Security and Privacy requirements of Federal Information Systems and Organizations) |
| Program | Guides overall security management. | ISO 27001 (Standard for ISMS – Information Security Management Systems); ISO 27701 (Privacy Management Standards) |
| Risk | Defines processes regarding risk assessment and management. | ISO 27005 (Information Security Risk Management); NIST Risk Management Framework; CVSS |

Cyber Security Audits and Assessments

Cybersecurity audits and assessments both involve checking the security posture of an organization. A cybersecurity assessment performs a high-level analysis to determine the effectiveness of controls. It involves the evaluation of the maturity of an organization. On the other hand, cybersecurity audits are point-in-time evaluations which verify that controls are implemented according to the organization’s policies and procedures.

| Area of Focus | Cybersecurity Assessment | Cybersecurity Audit |
|---------------|--------------------------|---------------------|
| Assessment Method | High-level | Detailed and Specific |
| Occurrence | On-going / point-in-time | Point-in-time (Usually performed periodically or annually) |
| Examples | Vulnerability Scanning, Penetration Testing, Gap analysis, Roadmap, Scorecards | Verify controls in place against policies and standards |
| Frameworks | Capability Maturity Model Index (CMMI): Lv 1: Initial (no formal process); Lv 2: Managed (some basic processes like monitoring and configuration management); Lv 3: Defined (processes used consistently across the firm); Lv 4: Quantitative (quantitative data is used for performance measurement and management); Lv 5: Optimized (continuous improvement) | ISO, HIPAA, PCI-DSS |