Chris Cronin introduces the concept of threat forecasting, emphasizing the use of open source data for risk assessments. The presentation outlines the importance of likelihood estimations and the impacts of threats on business objectives, particularly in sectors like healthcare and banking. He discusses the HIT Index and the predictability of cybersecurity threats, highlighting that while accurate predictions are less critical, understanding potential threats is essential. The talk also covers the significance of aligning threat data with business operations and the necessity of conducting thorough risk assessments. Ultimately, the session encourages attendees to engage in further discussions about improving cybersecurity practices.


TRANSCRIPT

Hi. I’m Chris Cronin with HALOCK Security Labs. Today, I’m gonna be talking to you about threat forecasting, the ability to take open source data and use it in your risk assessments to figure out likelihood.

We’re gonna be talking about this topic today over three subjects. One is showing you that threat forecasting is actually possible. When you see that, then the world shall become known to you. You’ll see something about the way people behave.

But then we’re gonna take your newfound skill and help you use that for your likelihood estimations in your risk assessments.

Now, HALOCK is probably best known for Duty of Care Risk Analysis (DoCRA). This is the ability to make sure that your risk assessments are looking at the impact to others and the impact to yourself, to make sure that there’s balance between the burden of your controls and the risks to others that the controls are there to prevent.

We often display this by focusing a lot on impacts, making sure that people are thinking through the impacts to their objectives, say profitability, or their mission, say the benefit that their users or community gets from their services, or the impact to others, the requirement to keep people safe during incidents.

And then there’s this likelihood component too that we don’t really talk about a whole lot because we’re focusing so much on making sure that impacts are well thought through, whether qualitatively or quantitatively. You can use DoCRA in either way. But people ask, what about likelihood? How does HALOCK figure out how common something might be and how that should be figured into your risk assessments?

Well, we’re going to be spending a lot of time in this format. This is something called the HIT Index. It’s HALOCK’s view into the Veris Community Database (VCDB). Now the Veris Community Database is the publicly reported portion of records that you see in Verizon’s Data Breach Investigations Report (DBIR).

The way you’ll read this HIT (HALOCK Industry Threat) Index during our presentation is that the commonality of threats inside reported incidents is gonna be represented by the size of the boxes.

So personnel error in the top left is the most commonly seen cause of incidents in these publicly reported incidents. And the least common, on the bottom right, is a box that’s so small we can’t fit the whole title in. That’s malfunction.

So we’re going to spend a lot of time in this model, this HIT Index model, to talk about foreseeability.

What we hear from a lot of people is that, hey, you can’t predict cybersecurity threats because there’s so much innovation in cybersecurity attacks.

Well, there is, but let’s start by saying this. We don’t actually want to predict. We’re not going for accuracy. And you’ll see there’s a good reason for that.

What we want to do is forecast. We want to estimate the things that could go wrong so we can prepare. That’s what due care is. We thought through what could have happened and we prepared.

And besides, cybersecurity does innovate, but not by much year over year. So we’ve got this sort of a fake analytic tool here, the Innovator Guestimator.

HALOCK does a lot of incident response as well. And what we see is what the data shows us. Year over year, we have the same things happening over and over again. There is innovation, but it’s in a small minority of the actual breaches that we see reported.

Let’s talk about why we’re not going for accuracy in our predictions.

Here’s the outcome of an accurate prediction.

We were breached this year and lost a million records, just as we predicted. Look how accurate we are. That’s not what we’re going for. We want the idea of a forecast.

We saw that Tmax was prone to errors, so we removed their access to the crown jewels. Their eventual error released much less data than we originally estimated.

When we’re forecasting, we’re thinking through what could go wrong, and we adjust our behavior to match that foreseeability.

But that’s a portion of what we’re going for. Risk is about likelihood and impact. So if we see that something could go wrong, we can adjust by reducing the likelihood of effective threats by changing something about our defenses, or we take systems, data and people out of harm’s way knowing that the thing is going to happen anyway.

We’re going to go through these five steps today as we talk about how we develop a forecast. We want to know how our business operates. Our business is going to operate differently than just about everybody else. But we want to know how our threat landscape is revealed by how we do our business. And then we’re going to get threat data. We’re going to align threat data with our threat landscape, and then we’re going to organize the data to see where threats have been. So that’s a clue as to how we’re going to forecast, but let’s take a look at this first step first.

How our business operates, knowing how that works. So let’s take a few examples here.

These are not actual stats, but it’s a picture of what a business looks like in terms of where the business is conducted and how much of a business’s assets go into certain buckets. So let’s look at hospitals.

Hospital physical is very big. We have to show up to a hospital to see the doctors, the nurses, etcetera.

Systems, they have abundant systems that make sure that our records are doing well, helps with decisions, helps with research, certainly helps with billing. And then personnel, there’s more personnel than physical locations. We see our nurses and our doctors and we see people who intake, and then there are technicians and lab techs and pharmacy, and there are all sorts of people who do other things in hospitals. So there’s a lot of people handling a lot of personal information on a one on one basis. Right?

Let’s take a look at banking. Banking is tremendously physical. There are bank branches everywhere, where people go and handle and exchange personal information and cash and all sorts of stuff. They have abundant systems.

This isn’t about the density of the data or the number of transactions. It’s really a question about where we are doing our business. And of course, personnel are significantly big. Many people are handling a lot of personal information in banks.

In information services, it looks much different. Physical is important, but as a weight of where and how many assets we have that are doing interesting things and have interesting data, systems are chief there. Right?

Personnel, also significant because they’ve got to run these systems. But systems in information services are definitely the major factor in where assets are. Retail: physical, systems, and personnel, especially for brick and mortar businesses.

So, okay, that’s where businesses are. So what’s the big deal? Well, what’s the data showing? The data shows us that our threat landscape is where we conduct business. So the pictures that we just showed you are not just where assets are, but where breaches happen.

So now let’s understand where we do our business in terms of what our threat landscape is.

We’re gonna go back to the Veris Community Database. Again, this is generic. So it’s all data in the Veris Community Database for all industries. But again, personnel error and then personnel misuse and hacking systems are the chief common threats that go into an attack like this.

And then we have technical things like malware, and then we get physical. Right? So that’s a picture of really how we’re going to be looking at this stuff. Let’s go back to hospitals.

What did we say? Physical is very big. You have to go to a hospital to get the treatments there. Systems are abundant and then a lot of personnel.

More personnel than physical. What does the HIT Index from the Veris Community Database tell us?

Personnel misuse and personnel error, and then if you go down to the bottom row, in the middle you see social engineering. Those things combine to create personnel issues. Personnel misuse is people on purpose doing something wrong, often to get their job done, but they’re on purpose doing something wrong. Personnel error is a mistake that someone made. And then social engineering, well, we know what that is. But we talk about those differently because we would do different things in order to prevent those things. And only then do we get to physical asset loss, which is abundant, and then physical facility toward the top right, and then hacking systems and malware and hacking web applications.

So you see that where we do business in hospitals has a lot to do with where the threats are. Let’s take a look at the threat landscape for banking.

Remember, we said banking was prominently physical, and then personnel, and then systems. Very abundant, right?

What do the threats say? Physical facility, the top left, physical asset loss, bottom in the next column, and then point of sale, POS is skimmers, very prominent. And then after that, we get to personnel misuse, and then toward the top right personnel error. You combine those boxes and you get a significant part of the real estate of the HIT Index of what’s in the Veris Community Database. Well, why is that? Well, take a look at what’s going on in these physical facility boxes. It’s tampering, disabled control, surveillance, victim and facility.

What’s happening there?

It’s manipulating ATMs.

Now again, this isn’t the number of records that get abused, it’s the commonality of the attack, skimmers and point of sale. So banks have a strong physical presence in their threat landscape because they’ve got such a strong prominence in vulnerable physical environments. If you’re a bank, or you’re a credit union, go to the FFIEC CAT, this tool that’s commonly used to look at the security controls in your organization, and you’re going to see that ATM attacks, physical security attacks, ATM attacks aren’t even in that survey. You have to go to your threat information to figure out what’s actually happening.

So for information services, systems very, very prominent. Some physical, of course, personnel to run the systems. But in information services, systems are clearly the lead issue. And sure enough, that’s where the threats happen. Hacking systems, hacking web, malware, on the top right. These things combine to create the majority of the real estate in the HIT index. Only then do you get the personnel error, social engineering, personnel misuse.

So what we see happening is again, the threats are happening where the business happens. So if you look in the Veris Community Database, and we’ve got HIT Indexes for each of these, you see that this is happening over and over again for just about every industry. If you want to see what your HIT Index looks like, come by and talk to us at the booth. We’re here, so we’re happy to show you what’s happening in your industry too. Let’s test the hypothesis. Did we rig this? Well, let’s see what we learned.

Here’s a HIT Index. I’m not telling you what industry it’s for. But let’s see what’s going on as threats.

Personnel error and personnel misuse are clearly big here. Hacking systems follows, and then we see physical asset loss, right? And then we get into another hacking deal. Social engineering is big. And at the very bottom right, we see skimmers.

So what we see here is a lot of people handling a lot of sensitive information. Right? Take a look at misdelivery under personnel error. Misdelivery is on the top right of that block.

So there’s a lot of moving around of data, distributing data in which a person can make an accident. Right? The bottom right is skimmers, so not a lot of in-person transactions, as we mentioned. So what kind of business is this?

Is this, let’s say, a fast food chain?

Would it look like that? Would it be a manufacturer? Would it look like manufacturing? Or would it look like a financial advisory?

Think about what you learned. Well, it’s for financial advisors. There’s a lot of one on one contact with customers, most employees are handling personal information, there’s lots of delivery and distribution of personal information, and there are rare on-site transactions.

So again, our business is where our threats are. Past is prologue.

If we look at what’s been happening, then we can get a good sense of what’s going to happen in the future. Why is this? Well because business changes slowly enough that we can forecast threat landscapes by watching what’s been happening.

Our technical infrastructure, for the most part, doesn’t change. Some things have changed this year because of COVID. We’ll talk about that in a moment. Go to market methods, pretty much the same.

Customer interaction vectors: it was in person, now it’s over video conferencing. Business processes generally don’t change. Reporting structures stay the same. Governance stays the same.

So as long as these things are staying the same, we can use the past as prologue. Again, we’ll talk about how to use your risk analysis to deal with changes like COVID.

Let’s now get threat data. Where are we gonna get it from? Well, the data we’re talking about here is what’s in the Veris Community Database. This is a big database.

You can do some good analysis in here. About nine thousand reported incidents. About two thousand five hundred characterizations of incidents. We’ll talk about what some of those look like in a bit.

It’s sponsored by Verizon. The data here is part of what they put into their database, their Data Breach Investigations Report.

It’s fed now by a large community, so they’re always adding records and details to existing records to get a finer and finer picture of what’s been happening.

There are other sources of past threats. If you’re looking for technical threats, the kinds of things that are good for tactical prep and response, on the wire attacks, MISP, OpenCTI, CVE, commercial vendors are doing this kind of stuff. They’re taking a lot of things that are happening on the wire, so you can look at things that are going on as far as technical attacks that may ebb and flow during the course of several days. If you’re looking for all reported threats, things that are also physical and have to do with personnel, this is good for your forecasting and planning.

So for your risk assessments, the Veris Community Database we talked about. The Privacy Rights Clearinghouse has almost the same number of records, about nine thousand attack records, but much less data to parse, but still very useful for some. And then your ISACs, your Information Sharing and Analysis Centers. You may have an ISAC for your industry. You should look that up and see; there’s a lot of really good information sharing going on there.

So we got our public data. Now we have to align the threat data to our threat landscape.

How are we going to do that? Well, let’s first see what’s going on in the Veris Community Database. There are a lot of kinds of data that characterize threats. There are basic facts, the who, what, when, where. There are exploited assets, this is partial, this is being developed more over time. So what systems were in the attack?

Data classifications, was this personnel error? Was this personal data?

Was this cardholder data?

Third party roles, were there third parties involved in this? Industries and sub industries, threat actions, threat vectors, the size of the breach, financial impacts.

To build the HIT Index, we look at industries and sub industries, threat actions and threat vectors. Why? Well, we want to know how these threats relate to how our business functions, because again, our threat landscape matches how we do business. But we also want to look at threat actions and threat vectors because these are things that we can manage, right?

We can put in controls that address these threat actions and threat vectors. We haven’t found patterns in the size of the breach or the financial impacts yet. We don’t see any compelling data there to help us figure out a pattern that we would actually put into the analysis just yet. Maybe one day; we’re not anticipating that.

What’s the fifth step in how we forecast? We’re going to organize our data to see where the threats have been.

That’s a part of the forecast, right? Going back now to the picture of healthcare, where have the threats been in healthcare?

Well, personnel misuse, personnel errors, some misdelivery, this kind of thing. Physical asset loss, people just losing media. There’s a tremendously large block there. We have to pay significant attention to that when we’re doing our risk assessments in a clinical health care hospital environment.

Physical facilities and hacking systems all are important, but what we wanna be sure of is that when we’re thinking about this concept of past as prologue, it’s true that what we know has been happening is going to feed our estimation of what’s going on in the future, but it’s only part of the risk question.

But what we do know is cyber threats change often, but generally within the same threat landscape.

Business changes slowly enough to forecast threat landscapes.

We want you to be in a position to say, I thought these threats were foreseeable because they are frequently reported as threats in organizations like mine.

Or I thought these threats were unlikely because they are so rarely reported as threats in organizations like mine.

And now this is how you get to know how the world is.

You see that we can tell something about what our future behavior is going to look like because of what our past behavior has looked like.

This is a really important moment because it removes the mystery of what likelihood scoring is. It’s actually having enough data and aligning that data to who we are and what we do to think about what could be happening in the future. So what about COVID-19?

Well, that’s where our risk assessments come in. Let’s take a look at what those are. We’re going to talk about how to use threat forecasting and risk assessments next. Now first, let’s talk about what risk assessments are, and come to agreement.

Risk assessments are estimations of likelihood and impact of bad events. How likely is it that bad things will happen, and what’s the harm when they do happen?

They can be qualitative or quantitative. You can use plain language to describe it, or probability and percentages of harm. Here’s what risk assessments are not. They’re not audits. They’re not gap assessments.

They’re not scans. These are important, but these are not risk assessments. If someone says, here’s your vulnerabilities when you ask for the risk assessment, they don’t know what a risk assessment is. They’re definitely not maturity assessments.

Oh, you rate two point one out of five, you should get to three, that’s where your peers are, is not a risk assessment. But let’s take a look at maturity assessments for a moment, because we’re going to find them to be useful in a way.

Maturity scores are basically the idea that the lower the score, the weaker your control. And if there is a scale of one to five, we’re saying one is ad hoc, not implemented, two is documented or inconsistent, three is implemented consistently.

A lot of consultants tell their clients get to this, get to three, that’s where your peers are. It’s a terrible idea, because when you get to four, test it and correct it, that’s what regulations are telling you to do. So if your consultant is telling you to get to three, implemented consistently, they’re telling you don’t shoot for four.

Don’t actually comply with regulations.

That’s not a good idea. And by the time you get to five, be innovative or address root causes for continual improvement, that’s when you get to a level like ISO 27001. Right? Some of those areas you’re going to want to get better at than others.

Duty of Care Risk Analysis (DoCRA) as a reminder, is looking at both the impact and the likelihood. That’s how you get to know what to do. You can have a high likelihood of something with low impact. Just because it has a high likelihood doesn’t mean that’s what you prioritize. It has to be that combination of likelihood and impact that you care about, but impact to you and to others. You have to make sure everyone’s been taken care of. This is where law is going.

Take a look at some recent decisions coming out from states. This is one from the state of Pennsylvania, when they found that Orbitz had not appropriately safeguarded the Expedia assets that they acquired in a merger. And the instructions from the state of Pennsylvania are that we conduct risk assessments to look at the potential harm to ourselves and others, and to use controls where the burden is not greater than the value that we provide to our clients, our customers, our guests, but making sure that everybody’s taken care of. The concept of Duty of Care Risk Analysis that we’re starting to see come up in these regulatory and litigation issues is neither your conduct nor your controls may create a likelihood of harm to yourself or others that’s large enough to require correction.

That’s pretty interesting. The idea is that if you saw a risk on the left without a safeguard, where your objectives for profitability were fine, your mission to serve others was fine, but you had an obligations risk that was above acceptability, you need to put a safeguard in place where they’re all okay. You’re not allowed this scenario, where you’ve taken care of that obligations risk on the right, but your objectives or mission risk have been put into an unacceptable risk. You’re not supposed to sacrifice one for the other. That’s not reasonable. And that’s in regulation. And that’s how you deal with litigation.

So now let’s talk about how this foreseeability goes into this. We showed you this HIT Index, but there’s actual math that goes behind it. All we’re doing is taking values from the Veris Community Database. So each of these threat clusters, these big blocks, are associated with a chunk of data where the percentages of these threats occur in reported breaches.

Again, this is all cases. This isn’t broken down in this one example.

Now what if we can figure out likelihood by subtracting the forecast, I’m sorry, subtracting the control strength from the forecast? In other words, we’re mitigating the commonality of a breach in our environment because of the strength of our controls. There are a couple of ways we can think of to do this, and we’ll show you how this comes into play with a COVID type scenario.

We can mitigate the forecast by our control strength if we do something like this. Now this is conceptual. This isn’t the actual math that we use.

But if you have, let’s say, your threat cluster of personnel error coming into about fifty eight percent in your industry causing reported breaches, then the greater your maturity score is, the lower you would expect that probability to be. Again, this is conceptual. This isn’t the actual math, but this gives you an idea of what we’re going for. So let’s say in a COVID type situation, someone says, I’ve always been worried about personnel error, so I had these controls that had a maturity score of four, I was testing them, I made sure that they were working, so I was correcting them if they came out bad.

But if we’re going to make this change, having people work from home, my controls for personnel error are now only a score of two. They’re only implemented in some places. So now my probability of personnel error goes up. So you should see how this starts to work.

You can mitigate the forecast by the strength of controls, but when something comes up that you’re now moving your environment, your workers, how you do business, you can very quickly say, today, before I expect the data to change en masse, I’m going to look at how it affects me.

If the maturity of my score has gone down because I changed something and didn’t put controls in place, now the likelihood goes up, because I’m mitigating the forecast less. There are a number of ways to do this. If you, and this is again conceptual, take the quintiles of percentages of threats, and compare them to the maturity, you might have a regular likelihood score. This way you can use, say, a bell curve that accents to a greater tolerance or less risk tolerance to come up with a likelihood score.

If you’d like to know how to do that, just come by and talk to us in the booth. We’ll tell you about the methods for doing that. So the big lesson here is that your threat landscape is where your business is conducted, and the data shows it, the data proves it. The question then is, how do you make sure that you’ve taken this information and made it useful for you?

Well, this is where the risk assessment comes in. You’re going to take the likelihood score, and you’re going to think about the impact scores, the impacts to you and to others, and put it into a system like DoCRA or CIS RAM, which is the Center for Internet Security’s risk assessment method, that can show you how to actually take this data and plug it in. So if you have any questions about this, come by the booth. We’d love to talk to you about how to implement it, and to actually show you pictures of what your HIT Index might look like in your industry.

It’s been a pleasure talking to you today, and we look forward to talking to you later on today at the booth.
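Added illustration, not part of the talk or HALOCK's own code: the sketch below walks the five forecasting steps the speaker describes (HIT Index box sizes from incident records, a forecast score per threat cluster, likelihood as forecast mitigated by control maturity, and the DoCRA three-criterion acceptability check) using the COVID work-from-home example from the talk. The incident records are constructed samples shaped loosely like VERIS fields, the 1-to-5 banding of cluster shares is a simplification of the "quintiles" idea the speaker mentions, and `likelihood = forecast minus control strength` is the conceptual formula from the talk, not the method HALOCK actually uses. Impact ratings and the acceptable-risk threshold are invented for the example.

```python
"""Added, conceptual illustration of the talk's forecasting steps.

Not HALOCK's code or math: the records are constructed samples shaped loosely
like VERIS fields, the 1..5 banding is a simplification of the "quintiles"
idea, and likelihood = forecast minus control strength is the conceptual
formula the speaker describes, not the method HALOCK uses.
"""
from collections import Counter

# Constructed sample incidents: (industry, threat action cluster, variety).
SAMPLE_VCDB = [
    ("healthcare", "personnel error", "misdelivery"),
    ("healthcare", "personnel error", "misdelivery"),
    ("healthcare", "personnel error", "publishing error"),
    ("healthcare", "personnel error", "loss"),
    ("healthcare", "personnel misuse", "privilege abuse"),
    ("healthcare", "personnel misuse", "privilege abuse"),
    ("healthcare", "personnel misuse", "data mishandling"),
    ("healthcare", "physical asset loss", "theft"),
    ("healthcare", "physical asset loss", "theft"),
    ("healthcare", "hacking systems", "use of stolen credentials"),
    ("healthcare", "malware", "ransomware"),
    ("healthcare", "social engineering", "phishing"),
    ("banking", "physical facility", "tampering"),
    ("banking", "physical facility", "tampering"),
    ("banking", "point of sale", "skimmer"),
    ("banking", "point of sale", "skimmer"),
    ("banking", "personnel misuse", "privilege abuse"),
    ("banking", "hacking systems", "brute force"),
]

# The 1..5 maturity scale as the speaker describes it.
MATURITY_LEVELS = {
    1: "ad hoc / not implemented",
    2: "documented or inconsistent",
    3: "implemented consistently",
    4: "tested and corrected",
    5: "continual improvement",
}

def hit_counts(records, industry):
    """Reported incidents per threat action cluster for one industry."""
    return Counter(action for ind, action, _ in records if ind == industry)

def hit_index(records, industry):
    """Share of each cluster, largest first: the box sizes of the HIT Index treemap."""
    counts = hit_counts(records, industry)
    total = sum(counts.values())
    shares = {action: n / total for action, n in counts.items()}
    return dict(sorted(shares.items(), key=lambda kv: kv[1], reverse=True))

def forecast_score(counts, action):
    """Band a cluster into 1..5 relative to the most common cluster (0 if unreported)."""
    if not counts:
        return 0
    top = max(counts.values())
    return (5 * counts.get(action, 0) + top - 1) // top  # integer ceiling

def likelihood(forecast, maturity):
    """Conceptual: each maturity level above 'ad hoc' takes one point off the forecast."""
    if maturity not in MATURITY_LEVELS:
        raise ValueError("maturity must be 1..5")
    return max(1, forecast - (maturity - 1))

def docra_risks(like, impacts):
    """Likelihood x impact for each DoCRA criterion (objectives, mission, obligations)."""
    return {criterion: like * impact for criterion, impact in impacts.items()}

def acceptable(risks, threshold):
    """Reasonable only when every criterion is at or under the acceptable level."""
    return all(risk <= threshold for risk in risks.values())

def work_from_home_scenario(records, industry="healthcare", action="personnel error"):
    """The COVID example: same forecast, control maturity for the cluster drops 4 -> 2."""
    counts = hit_counts(records, industry)
    fc = forecast_score(counts, action)
    impacts = {"objectives": 3, "mission": 2, "obligations": 4}  # constructed 1..5 ratings
    threshold = 9                                                 # constructed acceptable level
    before = docra_risks(likelihood(fc, 4), impacts)
    after = docra_risks(likelihood(fc, 2), impacts)
    return {"forecast": fc, "before": before, "after": after,
            "before_ok": acceptable(before, threshold),
            "after_ok": acceptable(after, threshold)}

if __name__ == "__main__":
    for industry in ("healthcare", "banking"):
        shares = hit_index(SAMPLE_VCDB, industry)
        print(industry, {a: f"{s:.0%}" for a, s in shares.items()})
    print(work_from_home_scenario(SAMPLE_VCDB))
```

Running it shows the talk's point in numbers: personnel error is the largest healthcare box, so its forecast score is the top band; with maturity 4 ("tested and corrected") the likelihood is low enough that all three DoCRA criteria stay acceptable, and when the work-from-home change drops maturity to 2 the same forecast produces risks above the threshold on every criterion, before any new breach data has arrived. A safeguard that pushed objectives or mission risk above the threshold while fixing obligations would also fail `acceptable`, which is the "don't sacrifice one for the other" rule from the talk.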