In this blog, we’ll exemplify how to leverage a threat advisory, revealing CVE alerts from Cybersecurity and Infrastructure Security Agency (CISA) and see how such alerts could be operationalized into an organizational threat model so that such alerts and helpful advisories can get contextually made relevant to an organizational threat model.
The recently published joint Cybersecurity Advisory (CSA) is focused around the top vulnerabilities and exposures exploited by Chinese state-sponsored threat actors, who continue to actively target US and allied organizations, software and hardware companies, stealing intellectual property and gaining access to sensitive networks. This advisory reflects geopolitical and economic factors that often shape threat trends and must be taken into consideration when developing an organizational threat model.
An organizational threat model with relevant threat libraries containing unique threat assertions are always best when unraveling how relevant they may be to the attack surface, business operations, people, processes, and vendor relationships of a company. In short – context and risk relevance. These are ideal and the CSA advisory should be funneled into a process that examines whether such an advisory is contextually relevant to the organization. This examines contextually relevant threats. As an aside, this should not, however, discount generic threats that should still be considered as part of any threat model. To further this brief tangential point, consider the following examples of universal threats that affect any organization:
– Cryptojacking an organization (making money by squatting on their infrastructure);
– Establishing persistence in an organization (to sell that persistence to other interested threat actors);
– Distributing malware (on target infrastructure);
Organizational threat models account for both unique and universal threats and both benefit from threat advisories (like the one shown above). Advisories can be ingested into any organizational threat model and provide substantive evidence to attack patterns that may prove effective against an attack surface. In the CISA advisory, we see affected technology components that are identified as being vulnerable. This vulnerability has to be associated with attacks that support a threat motive for each threat assertion in the threat model. Important to know is that there are threat campaigns that are designed and launched with less targeted goals, resulting in more opportunistic hacks – these advisories, therefore, are good for universal or generic threats that may be a part of any threat model.
The advisory shown is really introducing two things – vulnerabilities being exploited as part of threat campaigns. All this information is important to distill uniquely in order to reconcile vulnerabilities from these advisories to threat assertions developed within the threat model. Important to differentiate vulnerability threat assertions from vulnerabilities that facilitate opportunistic attack patterns that support these and other generic, industry-agnostic threat patterns and threat motives while doing organizational threat modeling.
Sharing the status quo on these and other advisories is to knee-jerk and ad hoc to see if one is affected. However, a more organized contextual approach is to funnel these activities into a risk-centric organizational threat model.
VerSprite leverages our PASTA (Process for Attack Simulation and Threat Analysis) methodology to apply a risk-based approach to threat modeling. This methodology integrates business impact, inherent application risk, trust boundaries among application components, correlated threats, and attack patterns that exploit identified weaknesses from the threat modeling exercises.