Threat Management helps organizations manage risks and comply with industrial standards and regulations. It includes identifying threats, formulating strategies and developing mitigation measures. Various frameworks and standards are designed for managing an organization’s security posture. This article discusses threat management concepts and provides examples of their applications.
- Zero-Day
- Attack Vector and Surface
- Threats
- Policy Documents
- Security Information & Event Management (SIEM)
- STRIDE
- The Bell-La Padula and Biba Model
- CSIRT
- Cyber Kill Chain
- Threat Identifiers
- CVSS
- Threat Modelling
- Threat Hunting
- Threat Intelligence
- Reconnaissance Methods
- PowerShell commands
- Types of Cybersecurity Frameworks
- Cyber Security Audits and Assessments
Zero-day
Zero-day vulnerabilities refer to software flaws unknown to the developers. For example, security researchers analyze the Chrome web browser for vulnerability. The result will be shared with Chrome developers if there are any findings. However, zero-day vulnerability means that the vulnerability has just been discovered and has not yet been patched.
Zero-day exploits refer to taking advantage of zero-day vulnerabilities for malicious reasons. A hacker may build an attack tool by exploiting a zero-day vulnerability. Metasploit is an example of where people can find vulnerabilities and attack methods in software.
Zero-day attacks mean leveraging a zero-day exploit to perform a cyber attack. When a hacker discovers a zero-day vulnerability and performs an attack using Metasploit, the act is seen as a zero-day attack.
Attack Vector and Surface
Attack Vector refers to an attacker’s pathway to breach a system. An attacker may first attempt to perform a phishing attack. Assuming an employee installed a piece of malware on the computer upon receiving malicious software provided by the attacker, a new attack surface becomes available for the attacker. The attacker can then access other endpoints which are not previously available. The entire attack path refers to the attack vector.
Examples of Attack Vectors include #1) Phishing, #2) Malware, #3) Man-in-the-middle Attacks and #4) Social Engineering.
Attack Surface means all the points of entry an attacker can try to breach. An attacker may look for wireless access points, workstations and employee login portals to unauthorizedly access a system. Attack surface also refers to scenarios where there is a change in user privilege. For example, a login portal for a user to change to an administrator role can be a point of entry. It is included in an attack surface because attackers may seek methods to escalate the privilege by exploiting it.
Examples of Attack Surface include #1) User Account, #2) Web Application (Portals), #3) Mobile Devices, #4) Software Vulnerabilities and #5) Cloud Devices.
Threats
Threats in the cyber security context mean any potential attack that attempts to access data unauthorizedly or cause disruption. There are four categories of threats: #1) Adversarial, #2) Accidental, #3) Structural and #4) Environmental.
For Adversarial threats, individuals attempt to exploit an organization’s cyber resources. Accidental Threats mean the erroneous action performed by an employee’s day-to-day activities. Structural Threats are related to the failure of IT infrastructure, such as the lack of storage space. As for Environmental Threats, they are usually out of control by an organization as they can result from a natural disaster or power outage.
One of the most common formulas for calculating risk:
Risk = Threat * Vulnerability * Consequence/Impact
Threat: Occurrence of a harmful event (e.g., malicious hacking attempts)
Vulnerability: Weakness in a system (e.g., misconfigured firewall)
Cybersecurity Policy Documents
Good cybersecurity policy documents help protect the assets of an organization. Different accredited organizations provide templates for companies to follow when drafting a policy document. SANS is one organization that provides a range of security policy templates. A comprehensive security policy document typically includes the following characteristics.
Relevance: the document should accommodate the day-to-day business of an organization.
Inclusive: all relevant parties should be included when drafting the policy document.
Accessible: the policies shall be communicated to all relevant parties. The document should be easy-to-access and available to employees.
Endorsed: The management needs to support the policy, so that it can be implemented across the organization.
Enforceable: The policy shall have statutory status, which means it is in effect.
Adaptable: A good security policy shall adapt to the changing needs and trends to be effective.
There are exception cases where business processes may not be able to comply with Cybersecurity policy documents. Therefore, policy exception processes should be created to provide a set of procedures to handle exception requests. Exception processes often include stages such as exception triggers, evaluation of consequences, and decision-making. At last, the program shall be optimized by considering the possibility of adding common exception requests to policy documents.
Security Information & Event Management (SIEM)
SIEM helps organizations detect and respond to threats by collecting and analyzing data across different systems. Modern SIEM such as Splunk and Graylog offers various functionalities to facilitate event monitoring and response.
Common characteristics of next-gen SIEM software
Real-time monitoring: Events should be analyzed in real-time so that SOC analysts can quickly respond to security issues and alerts.
Incident response: Security analysts shall be able to set up pre-defined rules to manage potential breaches. For example, blocking a malicious IP when the threshold has been exceeded. Automating incidence response helps minimize recovery time and cost.
User monitoring: Compliance reporting is a critical element in SIEM software. Organizations should monitor user behaviour and store audit trails to comply with regulations.
Advanced analytics: Analytical reports should be generated to help system administrators make sense of the data collected. As an example, dashboards shall be created to display events based on criticality.
Common Log Files in a Linux System
HTTP/web server request logs: /var/log/httpd, /var/log/apache, /var/log/nginx
Corn jobs logs: /var/log/cron, /var/log/syslog
Linux security event logs: /var/log/auth.log, /var/log/secure
Kernel event logs: /var/log/kern
STRIDE
There are six principles for the STRIDE framework, including Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
S: Spoofing – User authentication should be performed to access resources.
T: Tampering – Related to the data integrity of the CIA triad.
R: Repudiation – The initiator of a request should not be able to deny the action performed.
I: Information Disclosure – Corporate secrets shall be kept safe from a competitor or malicious actor. (i.e., Confidentiality)
D: Denial of Service – Attackers may try to perform a distributed denial of service (DDoS) attack to affect the availability of a service.
E: Elevation of Privileges – Attackers often find ways to escalate a user privilege to gain control of a system.
The Bell-La Padula and Biba Model
The Bell-La Padula Model recommends granting access on a strictly need-to-know basis. For example, a person authorized to read documents classified as “Confidential” may not read “Top Secret” documents. This is also known as the no-read-up principle, where a user with a lower security level should not be allowed to read documents assigned with a higher security level. On the other hand, a person with “Top Secret” access rights can read down to documents with “Confidential” access rights. However, they cannot write information to a lower security level, known as no-write-down (*-property). The Bell-La Padula Model helps achieve Confidentiality.
The Biba Model is related to the segregation of duties. A subject is only given access to information necessary for his/her job, known as no-read-down. It enforces role-based access control. Besides, it also enforces no-write-up (*-property). The Biba Model helps achieve Integrity.
Computer Security Incident Response Team (CSIRT)
CSIRT is a term referring to the handling of security incidents. Different stages are described in CSIRT, which are summarized in the following table.
| # | Stage | Explaination | Examples |
| 1 | Preparation | Steps taken before an incident occurs | Conduct employee training |
| 2 | Identification / Detection | Analyze events to determine whether there is a security impact | Analyze system logs |
| 3 | Containment / Response | Interact with affected system(s) and perform damage controls | Isolate traffic |
| 4 | Eradiction / Mitigation | Understand the cause of an incident | Perform a root cause analysis Remove malware |
| 5 | Recovery | Restore a system to operational status | Bring the system online |
| 6 | Lessons Learned | Document what is learnt from the incident | Provide an incident report to the management |
Cyber Kill Chain
Cyber Kill Chain refers to a framework describing the steps of a cyber attack. It covers areas from the Reconnaissance stage to the Actions on Objectives stage (a.k.a. the exfiltration of data). The following table summarizes the 7 stages described in the Cyber Kill Chain framework.
| # | Stage | Explanation | Examples |
| 1 | Reconnaissance | Conduct research on a potential target | Collect email addresses of corporate employees Perform nmap network scanning to identify a point of entry |
| 2 | Weaponization | Craft an attack method which exploits vulnerabilities of the target | Look for vulnerabilities in an old Apache web server. |
| 3 | Delivery | Deliver a malicious payload to the target system | Deliver malicious software through phishing emails and USB devices. |
| 4 | Exploitation | Gain entry to the system by utilizing the payload. Execute code remotely through a vulnerability in the victim’s system | Perform remote code execution by triggering a vulnerability in an Apache web server. |
| 5 | Installation | Install a backdoor to obtain persistent access to the victim’s system | Install a backdoor / a key logging tool on the victim’s computer. |
| 6 | Command and control | Escalate system privileges and establish a communication channel between the backdoor and an outside system. | Configure a cron job to run the backdoor with administrative privilege. Let it communicate with an outside server regularly. |
| 7 | Actions on objectives | Achieve the objectives of the attack. | Obtain confidential information on the victim’s computer. |
Threats Identifiers
There are different methods to identify Cybersecurity threats. Industrial standards of threat identifiers are summarized below.
| # | Abbreviation | Full Name | Example | Characteristics |
| 1 | CVE | Common Vulnerabilities and Exposures | CVE-YYYY-#### CVE-2021-26855 Vulnerability in Microsoft Exchange Server | One CVE should be addressed independently. Fixing one CVE should not require fixing another CVE. The vendor must have acknowledged the threat The threat must be proven Every product gets a CVE, even if a shared codebase is used between different vendors |
| 2 | NVD | National Vulnerability Database | An article published in the NVD stated a Cisco iOS vulnerability and how to remediate it | Maintained by NIST Include CVSS Provide remediation methods / recommendations |
| 3 | CWE | Common Weakness Enumeration | CWE-119: Improper Restriction of Operations… | Focus on software vulnerabilities |
| 4 | CAPEC | Common Attack Pattern Enumeration and Classification | CAPEC-163: XML injection | Maintained by MITRE Focus on the Top 10 software vulnerabilities. Describes common attack patterns, insecure coding practices and their potential impacts Provides recommendations on improving coding practices |
| 5 | ATT&CK | Adversarial, Tactics, Techniques and Common Knowledge | Stage 1: Execution User Execution Stage 3: Privilege Escalation Create or Modify System Processes, Schedule Task/Job Stage 9: Command and Control Proxy, Remote Access Software | Maintained by MITRE Focus on Top 10 software vulnerabilities. Describes common attack patterns, insecure coding practices and their potential impacts Provides recommendations on improving coding practices |
| 6 | CPE | Common Platform Enumeration | cpe:/o:microsoft:windows_vista::sp1 | Maintained by MITRE Summarized in a matrix which involves 11 categories Focus on tactics used by threat actors in cyber attacks. Primarily related to system and network threats |
| 7 | CCE | Common Configuration Enumeration | CCE-215: Weak Password Policy | Provide a standardized way to describe issues related to system configuration |
| 8 | CVSS | Common Vulnerability Scoring System | CVSS 9.1: CVE-2021-26855 Critical CVSS: 9-10 High CVSS: 7-8.9 Medium CVSS: 4-6.9 Low CVSS: 0.1-3.9 | CVSS prioritizes CVEs with a scoring system Include three groups, namely Base Metric, Temporal, and Environmental. |
CVSS Scoring Components
Components of the CVSS scoring system include the following groups. They are used to calculate the final CVSS score.
| # | CVSS Metric Group | Description |
| 1 | Base | Base Metric Group is used to calculate the initial score of CVSS. It can be subdivided into two categories: #1) Exploitability Privilege Required, Attack Vector (Malware, Network Intrusion, Password Cracking, etc.) #2) Impact How the vulnerability impacts Confidentiality, Integrity and Availability (CIA). |
| 2 | Temporal | The temporal metric group changes CVSS scores as additional information, patches and remediation strategies become available. |
| 3 | Environmental | Allow organizations to adjust the CVSS scores based on their existing corporate environment. Factors influencing environmental metrics also include CIA. |
Threat Modelling
Threat modelling identifies potential risks and assesses their impacts from the point of view of an organization. Through threat modelling, the management and security professionals can better understand the organization’s security posture and implement security controls for mitigating such threats.
| Area | Examples |
| Frameworks | – STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege) – PASTA (Process for Attack Simulation and Threat Analysis) |
| Considerations | – Adversary Capabilities (Study common resources used by threat actors) – Attack Surface – Attack Vector |
Threat Hunting
Threat hunting actively searches for threats within an organization which may otherwise go unnoticed by conventional security devices. The threat-hunting processes typically involve establishing a hypothesis and profiling threat actors.
| Process | Examples |
| Establish a hypothesis | Think about the systems which an attacker most likely targets. Look at the most valuable assets of an organization. |
| Profile threat actors | Think about how an attacker will likely perform an attack (attack vectors). Guess the objectives of threat actors. |
Threat Intelligence
Threat Intelligence refers to the practice of collecting and analyzing data. Threat Intelligence tools can identify and manage cyber threats. They can be divided into four categories.
| # | Threat Intelligence Category | Examples |
| 1 | Strategic Intel | Budget review for planning future IT equipment purchases Annual risk assessment carried out by external auditors for management review |
| 2 | Technical Intel | CIS Hardening, Configuration Guidelines for best practices |
| 3 | Tactical Intel | SIEM (Splunk, Graylog) for real-time event monitoring |
| 4 | Operational Intel | Business Intelligence Software (SAP, Workday) for anomaly detection |
Reconnaissance
Reconnaissance are technique employed by attackers to gather information about their attack targets. Reconnaissance methods can be divided into Active and Passive categories.
| # | Category | Examples |
| 1 | Active Reconnaissance | Port Scanning Vulnerability Scanning |
| 2 | Passive Reconnaissance | Social Engineering Using OSINT to craft an attack (weaponization) |
PowerShell and SCHTASK Commands
PowerShell commands are commonly used by attackers to deliver payload to Windows-based operating systems and perform fileless attacks by executing malicious code in memory. Commands like SCHTASKS (Schedule Tasks) can be used by an attacker in a PowerShell attack to schedule for automated task execution based on criteria such as time and conditions, making an attack become sophisticated and repeatable.
SCHTASK
| # | Command | Explanation |
| 1 | Set-MpPreference | Perform configuration on Windows Defender |
| 2 | exec bypass | Bypass the default security policy set by PowerShell. Execute an unsafe command. |
| 3 | RU | /RU means “run as” /RU “SYSTEM”, meaning run the command as a System user. |
| 4 | SCHTASKS /CREATE | /CREATE means create a new scheduled task |
| 5 | SCHTASKS /TN | /TN stands for taskname. Specify the name for the scheduled task. /TN Scheduled-Task-1 |
| 6 | SCHTASKS /TR | /TR stands for the filepath. Specify the task path for retrieving the information. /TR C:\Windows\System32\notepad.exe |
| 7 | SCHTASKS /SC | /SC stands for schedule. There are multiple attributes related to /SC. They can be: /SC MINUTE /SC HOURLY /SC DAILY /SC WEEKLY /SC ONCE /SC ONSTART /SC ONLOGON /SC ONIDLE /SC MONTHLY 1-12 /SC ONEVENT, meaning to run the task when an event happen. An event can be a Window Event log event. |
| 8 | SCHTASKS /MO | /MO stands for modifier /MO *[System/EventID=101] It means that a task made with SCHTASKS will be triggered whenever a System Event with EventID 101 is generated in Windows Event Log. |
| 9 | SCHTASKS /EC | /EC specifies the channel of events in Windows Event Log for triggering an task set with /SC ONEVENT parameter. /EC System /MO *[System/EventID=101] Only look at the System Channel within Windows Event Log. |
Configure Active Directory
| Objective | PowerShell Command |
| Configure AD Password for a user | Set-ADAccountPassword -Reset -newPassword |
| Force a user to change their password at logon | Set-ADUser -ChangePasswordAtLogon |
Types of Cybersecurity Frameworks
Cybersecurity frameworks can be separated into different functions, including Control, Program and Risk.
| Frameworks | Function | Examples |
| Control | Provides a structured and detailed approach for implementing and managing security controls. (e.g. procedures and guidelines) | CIS PCI-DSS ISO 27002 (Cybersecurity Control Implementation) NIST 800-53 (Security and Privacy requirements of Federal Information Systems and Organizations) |
| Program | Guides overall security management. | ISO 27001 (Standard for ISMS – Information Security Management Systems) ISO 27701 (Privacy Management Standards) |
| Risk | Defines processes regarding risk assessment and management. | ISO 27005 (Information Security Risk Management) NIST Risk Management Framework CVSS |
Cyber Security Audits and Assessments
Cybersecurity audits and assessments both involve checking the security posture of an organization. Cybersecurity assessment perform a high-level analysis to determine the effectiveness of controls. It involves the evaluation of the maturity of an organization. On the other hand, cybersecurity audits are point-in-time evaluations which verify that controls are implemented according to the organization’s policies and procedures.
| Area of Focus | Cybersecurity Assessment | Cybersecurity Audit |
| Assessment Method | High-level | Detailed and Specific |
| Occurrence | On-going / point-in-time | Point-in-time (Usually performed periodically or annually) |
| Examples | Vulnerability Scanning, Penetration Testing, Gap analysis, Roadmap, Scorecards | Verify controls in place against policies and standards |
| Frameworks | Capability Maturity Model Index (CMMI): Lv 1: Initial (no formal process) Lv 2: Managed (some basic processes like monitoring and configuration management) Lv 3: Defined (processes used consistently across the firm) Lv 4: Quantitative (quantitative data is used for performance measurement and management) Lv 5: Optimized (continuous improvement) | ISO, HIPPA, PCI-DSS |