Preparedness is defined as being in a state of readiness (Webster, 2022). This can take many different forms, but when it comes to cybersecurity a big part of it is knowing what threats lie in wait within the cyber landscape. It is difficult to prepare against threats or vulnerabilities you do not know exist. Being able to conduct proper research and make decisions based on high-integrity intelligence is crucial. The IEC 62443-4-1 standard requires a process called threat modeling to achieve this purpose, and the effectiveness of the threat model depends heavily on the intelligence that feeds it. Typically, this has meant that threat modeling is an activity requiring significant experience and knowledge of a wide range of cyber-attacks. Such experience is in high demand and can often be difficult to find. However, much of this expert knowledge has been captured and can be found on the Internet. Incorporating this knowledge into your threat models will greatly increase the quality and value of those models.
There are many resources available for gathering this expert knowledge. Some explicitly list current threats and vulnerabilities that have been discovered. Others provide best practices from which potential issues can be inferred when those practices are not properly employed. For instance, failing to implement proper input validation can lead to a SQL injection attack. Below are some resources that are helpful in identifying the latest threats and vulnerabilities. While this list is certainly not exhaustive, it might provide a starting point as we delve into the rabbit hole of cyberspace.
- MITRE ATT&CK: "Mitre ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations" (Mitre, 2021). This information is extremely useful in the development of threat models, as it provides an understanding of the methodologies used to attack a particular asset. ATT&CK also provides a breakdown of the actions that may be encountered during the different stages of an attack. For instance, during the reconnaissance stage, a bad actor may actively scan networks, gather victim information, and phish for information. (https://attack.mitre.org)
- Common Attack Pattern Enumeration and Classification: The Common Attack Pattern Enumeration and Classification (CAPEC) website is a platform hosted by MITRE and used by the cybersecurity community to better understand how a bad actor operates, by cataloguing common mechanisms of attack and the domains in which actors attack a system. With this knowledge in hand, security professionals can gain a better understanding of the vulnerabilities being targeted and can better secure them (CAPEC, 2021). (https://capec.mitre.org)
- Common Weakness Enumeration: The Common Weakness Enumeration (CWE) is another resource hosted by MITRE that can be used by the community. It highlights the software and hardware weaknesses known throughout the information technology (IT) industry. These weaknesses are often exploited to gain unauthorized access to data and operations. The use of CWE provides a baseline for weakness identification, mitigation, and prevention efforts (CWE, 2021). (https://cwe.mitre.org)
- Open Web Application Security Project: The Open Web Application Security Project (OWASP) is a nonprofit foundation focused on improving the security implemented in software projects, specifically web-based applications. The website provides several projects supported by the OWASP Foundation, including the Top 10 Web Application Security Risks, Dependency-Track, and the Mobile Security Testing Guide, to name a few (OWASP, 2022). (https://owasp.org)
- DHS CISA Automated Indicator Sharing: The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Automated Indicator Sharing (AIS) program enables real-time exchange of cyber threat indicators and defensive measures to help reduce susceptibility to cyber-attacks (DHS-CISA, n.d.). Information is shared in a machine-readable format to promote automation and ease of sharing and use. The AIS community encourages participants to share cyber threat indicators and defensive measures so that the most current information is disseminated and acted upon (DHS-CISA, n.d.). (https://www.cisa.gov/ais)
- FBI InfraGard: FBI InfraGard is a collaboration between the public and private sectors whose mission is to protect critical infrastructure through education, information sharing, networking, and workshops on emerging technologies and threats. Members include business executives, entrepreneurs, lawyers, military and government officials, state and local law enforcement, academia, and IT and cybersecurity professionals. Membership is not guaranteed, as there is a vetting process members must complete that can take up to three months (InfraGard, n.d.). (https://www.infragard.org)
- State Government Sponsored Resources: Other useful resources are the cyber-specific centers sponsored by state governments throughout the country. For example, the Pennsylvania Information Sharing and Analysis Center (PA-ISAC) was established to address cybersecurity readiness and critical infrastructure coordination within the Commonwealth (PA-ISAC, 2022). In parallel, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) provides a one-stop shop for cybersecurity information sharing, threat intelligence, and incident reporting (NJCCIC, 2022).
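The introduction above uses missing input validation leading to SQL injection as an illustration of a best-practice failure, and the CWE catalogue listed above records that weakness as CWE-89. The following Python snippet is an added example, not code from the original article or from any of the resources it names; it builds an in-memory SQLite table of constructed sample users and shows a lookup that splices user input into the query text beside the hardened form, which binds the input as a parameter and additionally applies an allow-list check. The function names and sample data are assumptions for the example.

```python
import sqlite3


def make_db():
    """Create a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern (CWE-89): the caller's string becomes part of the SQL.

    A value containing a quote character changes the query's structure, so a
    lookup for one user can be turned into a query that returns every row.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: parameter binding keeps the input as data only.

    The SQL text is fixed; the driver passes the value separately, so quote
    characters in the input are matched literally rather than parsed as SQL.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username):
    """Allow-list input validation as a second layer of defence.

    Usernames in this hypothetical system are 1 to 32 alphanumeric characters;
    anything else is rejected before it reaches the database at all.
    """
    return 1 <= len(username) <= 32 and username.isalnum()


def lookup(conn, username):
    """Apply validation first, then the parameterised query."""
    if not is_valid_username(username):
        return []
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input that exercises the weak pattern
    print("unsafe:", lookup_unsafe(db, hostile))   # returns all three rows
    print("safe:  ", lookup_safe(db, hostile))     # returns no rows
    print("lookup:", lookup(db, "alice"))          # [('alice', 'admin')]
```

The contrast is the point a threat model built on CWE data should capture: the weak variant is not a bug in SQLite but a design choice in the application, and it is the design choice (string building versus parameter binding) that the mitigation targets. Validation alone is not sufficient, since legitimate data in other fields (free text, names with apostrophes) cannot be restricted to alphanumerics, which is why binding is the primary control and validation the supporting one.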
Threat models are only as good as the intelligence on which they are built. By relying on poor information, important threats may be missed. Incorporating sound and current information into the risk management process mitigates the possibility of overlooking or de-emphasizing a threat or vulnerability that is likely to be exploited.
The threat landscape of cyberspace is continually changing. Because of this fluid environment, it is important to understand that preparedness and threat modeling are not static, one-and-done tasks. They are dynamic and can change on a daily basis, just as the cyber landscape does. Being able to maintain a steady source of reliable intelligence is crucial when trying to discern whether a threat or vulnerability is of concern. While reviewing threats in real time and taking immediate action is ideal, this is not always possible. Periodic and frequent review is needed to reduce the possibility of a threat going unnoticed. It is also important that cybersecurity professionals know their systems and the components they are operating, so that they can determine whether a given threat affects them. Overall, being able to gather current information from reliable sources, knowing the components in play, being able to act in a timely manner, and building strong, reliable threat models can reduce the likelihood of attacks succeeding.
CAPEC. (2021). Common Attack Pattern Enumeration and Classification. Retrieved on February 6, 2022 from https://capec.mitre.org
CWE. (2021). Common Weakness Enumeration. Retrieved on February 7, 2022 from https://cwe.mitre.org
DHS-CISA. (n.d.). Automated Indicator Sharing. Retrieved on February 7, 2022 from https://www.cisa.gov/ais
InfraGard. (n.d.). InfraGard. Retrieved on February 8, 2022 from https://www.infragard.org
Mitre. (2021). MITRE ATT&CK. Retrieved on February 8, 2022 from https://attack.mitre.org
NJCCIC. (2022). New Jersey Cybersecurity and Communications Integration Cell. Retrieved on February 8, 2022 from https://www.cyber.nj.gov/
OWASP. (2022). Open Web Application Security Project. Retrieved on February 6, 2022 from https://owasp.org
PA-ISAC. (2022). PA Information Sharing and Analysis Center. Retrieved on February 8, 2022 from https://www.oa.pa.gov/Programs/Information%20Technology/cybersecurity/localgov/Pages/PA-ISAC.aspx
Webster. (n.d.). Preparedness. Retrieved on February 7, 2022 from https://www.merriam-webster.com/dictionary/preparedness