Operationalizing CISA Alerts with Threat Models for Effective Cybersecurity
In this blog we show how to take a threat advisory from the Cybersecurity and Infrastructure Security Agency (CISA) that lists actively exploited CVEs and operationalize it within an organizational threat model, so that the alerts and the guidance that accompanies them become contextually relevant to that model.
The recently published joint Cybersecurity Advisory (CSA) covers the top vulnerabilities and exposures exploited by Chinese state-sponsored threat actors, who continue to actively target US and allied organizations, including software and hardware companies, to steal intellectual property and gain access to sensitive networks. The advisory reflects the geopolitical and economic factors that often shape threat trends, and those factors must be taken into account when developing an organizational threat model.
An organizational threat model whose threat libraries contain threat assertions unique to the organization is the best place to work out how relevant an advisory is to the company's attack surface, business operations, people, processes, and vendor relationships. In short: context and risk relevance. The CISA advisory should therefore be fed into a process that examines whether it is contextually relevant to the organization. That said, contextual relevance should not discount generic threats, which still belong in any threat model. As a brief tangent, consider the following examples of universal threats that affect any organization:
– Cryptojacking an organization (making money by squatting on its infrastructure);
– Establishing persistence in an organization (to sell that persistence to other interested threat actors);
– Distributing malware (on target infrastructure).
Organizational threat models account for both unique and universal threats, and both benefit from threat advisories like the one above. Advisories can be ingested into any organizational threat model and provide substantive evidence for attack patterns that may prove effective against an attack surface. The CISA advisory identifies affected technology components that are vulnerable; each such vulnerability has to be associated with the attacks that support the threat motive behind each threat assertion in the model. Bear in mind that some threat campaigns are designed and launched with less targeted goals, resulting in more opportunistic compromises, so these advisories are also useful evidence for the universal or generic threats that belong in any threat model.
The advisory really introduces two things: vulnerabilities, and the threat campaigns that exploit them. Both need to be distilled separately in order to reconcile the advisory's vulnerabilities with the threat assertions developed within the threat model. While threat modeling, it is important to distinguish vulnerabilities that support the organization's own threat assertions from vulnerabilities that merely facilitate opportunistic attack patterns behind generic, industry-agnostic threats and motives.
The key takeaways here are the following:
Organizational threat models put everything into context.
These threat advisories map to Stage 4 of PASTA (threat analysis) and reconcile to the generic threat assertions in the custom threat library within the model.
Attack surface management activities (Stage 2 of PASTA, technical scope) now become correlated to these types of advisories.
These advisories really come to life in Stage 5 of PASTA (vulnerability analysis), where they are correlated to the threats that were born in Stage 4.
Checking whether one is affected by these and other advisories as they arrive is too knee-jerk and ad hoc. A more organized, contextual approach is to funnel that work into a risk-centric organizational threat model.
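The reconciliation described above (advisory entries filtered against the attack surface from Stage 2, then linked to the threat assertions from Stage 4 via the weakness class each CVE exploits) can be expressed as a small correlation routine. The following is an added example, not code from this post or from VerSprite; the CVE identifiers, vendors, products, versions and threat assertions are all constructed placeholders, not entries from the CISA advisory, and the priority rule is an illustrative assumption rather than PASTA's risk scoring.

```python
"""Reconcile a CISA-style advisory with an asset inventory and a PASTA threat library.

All data below is constructed for illustration: the CVE identifiers, vendors,
products and threat assertions are placeholders, not entries from any real advisory.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AdvisoryEntry:
    """One row of an advisory: a CVE, the product it affects and the weakness class."""
    cve: str
    vendor: str
    product: str
    fixed_in: str   # first version that is not affected
    cwe: str        # weakness class used to link the CVE to threat assertions


@dataclass(frozen=True)
class Asset:
    """One component of the attack surface (PASTA Stage 2: technical scope)."""
    name: str
    vendor: str
    product: str
    version: str
    exposure: str   # "internet" or "internal"


@dataclass(frozen=True)
class ThreatAssertion:
    """One entry of the threat library (PASTA Stage 4: threat analysis)."""
    id: str
    motive: str
    scope: str                   # "contextual" (specific to this org) or "universal"
    weakness_classes: frozenset  # CWE ids whose exploitation would serve this motive


# Constructed sample data (placeholders, not taken from the CISA advisory).
ADVISORY = [
    AdvisoryEntry("CVE-2099-0001", "ExampleCorp", "EdgeVPN", "9.1.0", "CWE-22"),
    AdvisoryEntry("CVE-2099-0002", "ExampleCorp", "TeamWiki", "7.4.2", "CWE-94"),
    AdvisoryEntry("CVE-2099-0003", "OtherVendor", "MailGateway", "3.0.0", "CWE-287"),
]
INVENTORY = [
    Asset("vpn-gw-01", "ExampleCorp", "EdgeVPN", "9.0.3", "internet"),
    Asset("wiki-int", "ExampleCorp", "TeamWiki", "7.5.0", "internal"),   # already patched
    Asset("build-01", "ExampleCorp", "TeamWiki", "7.2.1", "internal"),
]
THREAT_LIBRARY = [
    ThreatAssertion("T-01", "State-sponsored actor steals IP via a VPN foothold",
                    "contextual", frozenset({"CWE-22", "CWE-287"})),
    ThreatAssertion("T-02", "Cryptojacking of build and compute infrastructure",
                    "universal", frozenset({"CWE-94", "CWE-502"})),
    ThreatAssertion("T-03", "Establish persistence for resale to other actors",
                    "universal", frozenset({"CWE-22", "CWE-94", "CWE-287"})),
]


def version_tuple(version: str) -> tuple[int, ...]:
    """Turn '9.0.3' into (9, 0, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, entry: AdvisoryEntry) -> bool:
    """An asset is affected if it runs the named product at a version below the fix."""
    return (asset.vendor.lower() == entry.vendor.lower()
            and asset.product.lower() == entry.product.lower()
            and version_tuple(asset.version) < version_tuple(entry.fixed_in))


def supporting_threats(entry: AdvisoryEntry, library: list[ThreatAssertion]) -> list[ThreatAssertion]:
    """Threat assertions whose motive the CVE's weakness class could serve (Stage 5 back to Stage 4)."""
    return [t for t in library if entry.cwe in t.weakness_classes]


def priority(asset: Asset, threats: list[ThreatAssertion]) -> str:
    """Illustrative ranking (an assumption, not PASTA's risk scoring):
    contextual threats on internet-facing assets first."""
    contextual = any(t.scope == "contextual" for t in threats)
    exposed = asset.exposure == "internet"
    if contextual and exposed:
        return "high"
    if contextual or exposed:
        return "medium"
    return "low"


def reconcile(advisory, inventory, library) -> list[dict]:
    """Keep only advisory entries that touch the attack surface and link them to threats."""
    rows = []
    for entry in advisory:
        threats = supporting_threats(entry, library)
        for asset in inventory:
            if not is_affected(asset, entry):
                continue  # not in scope: no asset runs a vulnerable version
            rows.append({
                "cve": entry.cve,
                "asset": asset.name,
                "exposure": asset.exposure,
                "threats": [t.id for t in threats],
                "priority": priority(asset, threats),
            })
    return rows


def out_of_scope(advisory, inventory) -> list[str]:
    """CVEs from the advisory that match nothing in the inventory: noted, not actioned."""
    return [e.cve for e in advisory if not any(is_affected(a, e) for a in inventory)]


if __name__ == "__main__":
    for row in reconcile(ADVISORY, INVENTORY, THREAT_LIBRARY):
        print(row)
    print("not in attack surface:", out_of_scope(ADVISORY, INVENTORY))
```

With the constructed data, the VPN gateway's CVE lands as "high" because it is internet-facing and feeds a contextual threat assertion, the unpatched build server's CVE supports only universal threats (cryptojacking, persistence-for-resale) and ranks "low", and the third CVE matches nothing in the inventory and is recorded as out of scope rather than chased. Replacing the placeholder inventory with a real asset register and the placeholder library with the organization's own Stage 4 assertions is what turns the advisory into a contextual input rather than an ad hoc fire drill.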
VerSprite applies its PASTA (Process for Attack Simulation and Threat Analysis) methodology to take a risk-based approach to threat modeling. The methodology integrates business impact, inherent application risk, trust boundaries among application components, correlated threats, and the attack patterns that exploit the weaknesses identified during the threat modeling exercise.