Threat Matrices

How BLS approaches Threat Matrices and how we’re improving their effectiveness within the community

Why our Customers use them

Threat matrices are an industry standard used to inform clients about the various adversarial attack scenarios they are at risk of encountering. These matrices contain various quantifiers including attacker capability, intent, etc. that are meant to give the client as much information as possible so that they might better allocate resources to prevent high impact incidents in the future. As part of our Risk Assessment offering, BLS provides a threat matrix that is based on the NIST standards detailed in their 800-30r1 publication. These recommendations are risk-based, prescriptive, and make the most efficient use of limited defensive resources.

Defining risk

For the purposes of conducting risk assessments and generating threat matrices, risk is derived from the likelihood and impact of one or more threat events. Impacts are typically described in terms of a loss of confidentiality, integrity, or availability (CIA) and can be easily mapped to material impacts to customers, employees, assets, physical infrastructure, and/or reputation.

Creating a threat matrix

A threat matrix event consists of multiple quantifiers. We present here a brief explanation of each quantifier followed by an attack scenario consisting of three events.

Capability, intent, and targeting

These three attributes are specific to the attacker. Attackers can be a nation state, skiddy, or something else entirely.

Relevance

Relevance describes how applicable an event is for the target organization. For example, if this is something they have already experienced and defended against in the past, then Relevance is “Confirmed”. Alternatively, if competitors within the same sector have experienced the event, Relevance is “Expected”.

Likelihood for attack initiation and likelihood for adverse impact

The likelihood for attack initiation is a measure that is based on available evidence, experience and judgement. Attack initiation likelihood should consider attacker capability, intent, and targeting factors. As an example, the likelihood that an attacker will INITIATE a SQL injection attack against a public-facing web application might be high.

Adverse impact likelihood is also formulated based on attacker capability, intent, and targeting. However, it also considers the defensive posture of the organization. For example, even though an organization is likely to see SQL injection attacks against a public-facing web application, a robust vulnerability management program and a properly configured web application firewall can decrease the likelihood of adverse impacts.

The likelihood for attack initiation and the likelihood for adverse impact combine to form the value reported as “Overall Likelihood”.

Vulnerability severity and pervasiveness of predisposing conditions

These factors, while separate, are originally given in the NIST template as one derived value. BLS elected to keep these values separate because each has its own meaning, which may be lost when they are combined. Vulnerability severity deals with issues discovered during an assessment that can be corrected through configuration changes or remediation, whereas predisposing conditions may be more difficult to mitigate or change. Calling these out separately allows a customer to focus their actions more effectively.

Vulnerability severity is assigned to any finding that the assessing body discovers over the course of the assessment. Findings include vulnerabilities within the organizational structure, a business process, and/or information systems. For example, the wire transfer process may lack a two-person integrity (TPI) check. Alternatively, a web form may not properly sanitize user input. BLSOPS mirrors the CVSS 3.0 scoring system when assigning a value.

The pervasiveness of a predisposing condition is derived by assigning a weight to an observed condition that contributes to an event taking place. A predisposing condition may be something information related, technical, or operational/environmental. The value is determined by how deeply intertwined the organization is with the observed condition. For example, a datacenter may be located on the Gulf Coast, which is predisposed to hurricanes in the summer and early fall.

Impact

The value for impact is formed by considering the depth to which the event affects the assessed organization. Depth ranges from multiple severe adverse effects to negligible effect.

Phishing to Domain Admin compromise

Example three step attack scenario:

Event 1 - Opportunistic attacker sends malicious Word document to target email accounts

| Factor | Value |
| --- | --- |
| Capability | 4 |
| Intent | 8 |
| Targeting | 2 |
| Relevance | Confirmed |
| Likelihood for Attack Initiation | 8 |
| Severity and Predisposition | 3 |
| Likelihood for Adverse Impact | 3 |
| Overall Likelihood | Moderate |
| Impact | 3 |
| Overall Risk | Low |

Event 2 - Employee reads opportunistic attacker sent email and opens malicious Word document

| Factor | Value |
| --- | --- |
| Capability | 4 |
| Intent | 8 |
| Targeting | 2 |
| Relevance | Confirmed |
| Likelihood for Attack Initiation | 5 |
| Severity and Predisposition | 4 |
| Likelihood for Adverse Impact | 7 |
| Overall Likelihood | Moderate |
| Impact | 6 |
| Overall Risk | Moderate |

Event 3 - Opportunistic attacker receives reverse shell and discovers employee used Domain Admin account to open Word document

| Factor | Value |
| --- | --- |
| Capability | 4 |
| Intent | 8 |
| Targeting | 2 |
| Relevance | Confirmed |
| Likelihood for Attack Initiation | 3 |
| Severity and Predisposition | 8 |
| Likelihood for Adverse Impact | 9 |
| Overall Likelihood | Moderate |
| Impact | 10 |
| Overall Risk | High |
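
The Overall Likelihood and Overall Risk values of the three events above can be recomputed from their scores. The following is an added example, not code from ETM or BLSOPS: it applies the overall-likelihood and level-of-risk lookup tables of NIST 800-30r1 (Tables G-5 and I-2) and assumes an even 0-10 binning (0-1 Very Low, 2-3 Low, 4-6 Moderate, 7-8 High, 9-10 Very High), which reproduces the values shown but is not ETM's documented mapping. The function names are hypothetical.

```python
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# NIST SP 800-30r1 Table G-5. Row = likelihood of attack initiation,
# column = likelihood of adverse impact, both indexed Very Low..Very High.
OVERALL_LIKELIHOOD = [
    [0, 0, 1, 1, 1],
    [0, 1, 1, 2, 2],
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 4],
    [1, 2, 3, 4, 4],
]
# NIST SP 800-30r1 Table I-2. Row = overall likelihood, column = impact.
RISK = [
    [0, 0, 0, 1, 1],
    [0, 1, 1, 1, 2],
    [0, 1, 2, 2, 3],
    [0, 1, 2, 3, 4],
    [0, 1, 2, 3, 4],
]

def bin_score(score):
    """Map a 0-10 score to a level index (ASSUMED even binning, see lead-in)."""
    if not 0 <= score <= 10:
        raise ValueError(f"score out of range 0-10: {score}")
    for idx, upper in enumerate((1, 3, 6, 8, 10)):
        if score <= upper:
            return idx

def assess(initiation, adverse, impact):
    """Return (Overall Likelihood, Overall Risk) labels for one event."""
    likelihood = OVERALL_LIKELIHOOD[bin_score(initiation)][bin_score(adverse)]
    risk = RISK[likelihood][bin_score(impact)]
    return LEVELS[likelihood], LEVELS[risk]

# (initiation, adverse impact, impact) copied from the three event tables.
EVENTS = {
    "Event 1": (8, 3, 3),
    "Event 2": (5, 7, 6),
    "Event 3": (3, 9, 10),
}

def assess_scenario(events=EVENTS):
    return {name: assess(*scores) for name, scores in events.items()}

if __name__ == "__main__":
    for name, (likelihood, risk) in assess_scenario().items():
        print(f"{name}: overall likelihood={likelihood}, overall risk={risk}")
```

Re-running `assess` with a lower adverse-impact score shows how a change in defensive posture moves an event's risk level, for example Event 3 with its adverse-impact likelihood reduced from 9 to 3.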

Where Threat Matrices sometimes fall short

While threat matrices have been widely adopted within the security industry, their adoption has not come without criticism. Most notably, the quantifier values involved in the threat matrices are left up to the organization conducting the assessment. There is very little guidance on how to apply these values in a meaningful and consistent way. For example, Organization A and Organization B may believe that they are most likely to be the target of an opportunistic attacker. However, Org A has decided that an opportunistic attacker has a Capability factor of 5 while Org B believes an opportunistic attacker has a Capability factor of 6. The disparity in data creates divides between information provided by organizations and lessens the community’s ability to provide clients comparable and actionable information.

Taking this a step further, replace organization A and B with two different teams working within the same organization. Depending on the individual executing this stage of reporting, you may have different interpretations implemented. As a result, clients are provided inconsistent data year over year.

How is BLSOPS fixing things

For the organization

Enter_The_Matrix (ETM) v1.0 is being released to help organizations address these issues. To tackle inconsistencies in analyzing adversarial attack scenarios and the associated risk, ETM provides attacker event templates; one or more events provide a scenario. Attacker event templates also provide a long-term vehicle for tracking the quantifiers for each event in a scenario. As the threats to an organization evolve over time, the attacker event templates can be modified accordingly.

For the community

In addition to providing a platform for the creation and management of attacker event templates, ETM allows for the export and import of JSON formatted event template sets. This gives the community the opportunity to collaborate and provide their template sets to the public. Through the public arena we can all come to a consensus on what threat actor quantifiers should be so that the industry can provide defenders with more accurate and actionable information.

Bells and whistles

Since BLSOPS has begun to address the most glaring issues, it was decided to include some niceties too.

MITRE ATT&CK

Included in each event configuration is the option to assign a MITRE ATT&CK ID to each event. The ATT&CK IDs are kept up to date as MITRE adds/removes/edits items from its database and include TTPs from the Enterprise, Mobile, and ICS collections. Users can get more information about the TTPs via helper icons that bring the user to the relevant online resource.

Attack Scenario Graphs

Once an attack scenario has been created, a directed threat graph can be created automatically based on the user inputs. Threat graphs provide a high level illustration for what went on for that particular scenario. The graphs utilize an iconset that conveys what is occurring for each event, as well as color coded edges illustrating the risk level associated with each event. Graphs can be easily exported for inclusion in presentations and reports.

Threat Trees

When an assessment is complete, and you’ve created all the attack scenarios you’d like to convey to your client, you may generate one or more threat trees. Threat trees encompass and illustrate all of the possible attack paths for that assessment. ETM pulls the MITRE ATT&CK IDs from each of the attack scenarios and stitches them together to show all routes to potential compromise in a single viewgraph. These graphs are feature rich, allowing you to create custom categories, colors, fonts, node shapes, edge styles, and graph distribution.

Exporting Reports

ETM allows your organization to export the resulting threat matrices in two ways. The first option is a living spreadsheet (XLSX) that is meant to be used by the client blue team as they improve their security posture. Changing values within the spreadsheet will automatically update the calculated values (Overall Likelihood of Attack, Overall Risk) as well as color coding. These spreadsheets follow the template suggested within the NIST 800-30r1 publication but have been modified to include the MITRE ATT&CK framework. The MITRE ATT&CK IDs present within the spreadsheet are hyperlinked to give the defender immediate access to detailed information about the TTP from the MITRE ATT&CK website. The second option is purposed for those who like to hold reports in hand. The threat matrix is formatted to fit a tabular design and is paginated in a way that is suitable for printing to paper or PDF.

References

Enter_The_Matrix
MITRE ATT&CK
ATT&CK For ICS
NIST 800-30r1

