Hello and welcome to the next module: Cyber Threat Intelligence Perceptions.
In this module we're going to cover the different concepts of threat,
what kinds of analysis you might be interested in,
and a little bit more about indicators of compromise.
The perception of cyber threat intelligence is important, right, because this
is how threat information and risk information is made available
to an organization, or to the organization's leadership.
Risk-based decision making is a large part of
keeping an organization healthy from a cyber security perspective.
So, to begin with, let's think about defining threats.
You can say that a threat is an agent or entity that exploits a vulnerability. That's a pretty common definition.
We can also think about a threat really standing on its own,
because there may not always be an associated vulnerability.
A risk analysis model
that's been used for quite a long time is the idea of a
threat and vulnerability pairing, or risk register.
What this allows you to do is to consider threats and vulnerabilities in isolation as well as together.
For instance, you might discover that there's a threat
through some of your monitoring, or through some of your threat feeds that come from vendors or from open sources,
and the threat may be serious,
but it may not be relevant.
A real simple example might be something like: you're looking at some of your favorite websites and you see, oh, there's a
Your organization may not be using any Apple products.
Maybe you're completely standardized on Microsoft,
like Microsoft Windows.
In that case, the threat is still important.
But it's probably not going to be relevant to your organization because
that would be vulnerable to this threat.
On the other hand, sometimes you might discover you have a vulnerability or some kind of weakness.
The idea there would be that you should also understand what the associated threat is that might take advantage of this weakness.
There may not always be a threat that's known at the time the vulnerability is discovered. So
it's an important part of risk analysis
to always think about threats and vulnerabilities being paired together.
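The threat and vulnerability pairing described above, written out as a small risk register. This is an added example, not code from the lecture or the course; the platform names, asset names, feed sources and the placeholder vulnerability ids are all constructed. It keeps three views: threats paired with a vulnerability on an asset we own, threats with no matching vulnerability (still judged for relevance against the asset inventory, which is the Apple-versus-Windows point), and vulnerabilities with no known threat yet, which stay on the register to be revisited.

```python
"""Threat/vulnerability pairing in a small risk register (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    platforms: frozenset  # platforms the report says the threat acts against
    severity: int         # 1 (low) .. 5 (critical), as rated by the feed
    source: str           # where the report came from (vendor feed, open source)


@dataclass(frozen=True)
class Vulnerability:
    ident: str            # tracking id; the sample uses placeholders, not real CVE numbers
    platform: str
    asset: str


@dataclass
class RiskRegister:
    owned_platforms: frozenset  # the organization's asset inventory, by platform
    threats: list = field(default_factory=list)
    vulnerabilities: list = field(default_factory=list)

    def pairs(self):
        """Threats paired with a vulnerability they can exploit on an asset we own."""
        return [(t, v) for t in self.threats for v in self.vulnerabilities
                if v.platform in t.platforms]

    def unpaired_threats(self):
        """Threats with no matching vulnerability, tagged with whether they are even
        relevant to the platforms we run (a serious macOS threat is not, if we only
        run Windows and Linux)."""
        paired = {t for t, _ in self.pairs()}
        return [(t, bool(t.platforms & self.owned_platforms))
                for t in self.threats if t not in paired]

    def unpaired_vulnerabilities(self):
        """Weaknesses with no known threat yet; they stay on the register."""
        paired = {v for _, v in self.pairs()}
        return [v for v in self.vulnerabilities if v not in paired]


def build_sample_register():
    """Constructed sample data: an organization standardized on Windows and Linux."""
    reg = RiskRegister(owned_platforms=frozenset({"windows", "linux"}))
    reg.threats += [
        Threat("macos-infostealer", frozenset({"macos", "ios"}), 4, "vendor-feed"),
        Threat("smb-worm", frozenset({"windows"}), 5, "vendor-feed"),
    ]
    reg.vulnerabilities += [
        Vulnerability("VULN-PLACEHOLDER-1", "windows", "file-server-01"),
        Vulnerability("VULN-PLACEHOLDER-2", "linux", "build-agent-03"),
    ]
    return reg


def relevance_report(reg):
    """Summarize the register the way an analyst would read it."""
    return {
        "paired": [(t.name, v.ident, v.asset) for t, v in reg.pairs()],
        "threat_only": [(t.name, relevant) for t, relevant in reg.unpaired_threats()],
        "vuln_only": [v.ident for v in reg.unpaired_vulnerabilities()],
    }


if __name__ == "__main__":
    for section, rows in relevance_report(build_sample_register()).items():
        print(section, rows)
```

The relevance flag on the unpaired threat is the point: the macOS item is rated severity 4 by its feed, but with no macOS assets in inventory it is serious without being relevant, while the Linux vulnerability stays listed even though no threat is known for it yet.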
We also need to think about what a good definition of risk is.
We know that there is positive risk and negative risk.
Sometimes people have a strange reaction when they see the term positive risk.
But what positive risk really means is that it's a risk worth taking.
A good example might be an organization that decides
that they'd like to buy one of their smaller competitors.
So the larger company
wants to get access to the smaller company's product, or their technology, or their
customer base, for instance.
And there is risk involved,
because there's a financial outlay to buy that smaller company,
which means that money cannot be used for other purposes,
including maintaining or enhancing
a cyber security program.
Other risks in this kind of scenario might be that the smaller company
has some internal problems, maybe with management, or
hasn't properly vetted their employees. There might be some risks
associated with the personnel themselves.
Or maybe there are hidden problems with their technology, and so on.
So those risks are all quite obvious.
But this could still be considered a positive risk, because when the larger company successfully purchases the smaller company and they integrate with each other,
the larger company would be expected to make more profit, grow their customer base, and so on.
There are other types of positive risk; that's an easy one to get your mind around.
Negative risk is a little bit more straightforward, right?
It implies that taking this action, or even not taking some action,
is expected to have negative consequences: it's expected to reduce security, for instance, or cost more money.
There are different ways of looking at that.
Another way to
summarize the idea of risk is to think about
what we can gain or what we can lose by taking this action,
or, conversely, what we could gain or lose by not taking an action.
Sometimes the risk response is to do nothing,
and that's appropriate in those situations where there may not be any
action that's affordable or realistic.
So it's good to have a multi-sided view of what risk really means,
to understand its different types and contexts.
We can also think about
the risk responses themselves.
Accepting risk, for instance:
there are several scenarios where you might accept risk.
One might be that the cost of the remediation,
the cost of the countermeasure,
exceeds the value of the asset.
In that case, accepting risk is the usual response.
An organization might also accept risk
if there is no possible remediation.
The threat might exist. To use an extreme example, let's say there's a threat of
a large meteor hitting your warehouse, your building, your physical infrastructure.
Sure, there is a threat that that could happen at some point. Meteors do hit.
But what possible remediation is practical? To bury your organization underneath
hundreds of yards of topsoil,
or rather hundreds of feet underground?
That may not be realistic, so in that case you accept the risk, because
the threat is so remote
that it's probably better overall to just hope for the best.
A third reason for accepting risk would be when the risk is measured and it's determined that it's within the acceptable level.
Sometimes this is referred to as a risk appetite,
because an organization can decide to engage in risky behavior,
positive risk, of course,
or even negative risk, in fact,
and the appetite for risk
is usually defined by your top-level leadership.
Their philosophy of management, the governance model, and so on
would indicate how large the risk appetite really is.
And for organizations that are run very conservatively, the risk appetite would be expected to be smaller.
So what are the other options for risk?
We could think about
ignoring a risk, which I've already touched on a little bit.
We could also think about
trying to transfer a risk.
And there are two ways to transfer risk.
The first one, and the one that's widely used, is to buy insurance.
This is simple to understand: you buy comprehensive coverage for your automobile, you buy homeowner's insurance, life insurance;
these are ways to transfer some risk to another party.
Another method for transferring risk, or for sharing risk, is to use a third party.
For instance, an organization might decide that they do not have the
expertise to handle certain types of cyber security operations, like incident response,
or they don't have the expertise to do things like pen testing.
They might hire a third party to do this for them,
thereby transferring some of the risk to the other organization.
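The risk responses just described (accept, transfer, mitigate, with the three reasons given for accepting) as a decision function over a constructed portfolio. This is an added example, not part of the lecture; the loss figures, likelihoods, countermeasure costs and the risk appetite are all made-up numbers, and the simple annual loss expectancy (asset value times yearly likelihood) is the measure it uses for "within the acceptable level".

```python
"""Choosing a risk response: accept, transfer or mitigate (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RiskItem:
    name: str
    asset_value: float                     # what is lost if the threat materializes
    likelihood: float                      # estimated probability per year (0..1)
    countermeasure_cost: Optional[float]   # None: no practical remediation exists
    transfer_cost: Optional[float] = None  # None: no insurance or third party available


def annual_loss_expectancy(item: RiskItem) -> float:
    """Expected yearly loss: the figure compared against the risk appetite."""
    return item.asset_value * item.likelihood


def choose_response(item: RiskItem, risk_appetite: float) -> Tuple[str, str]:
    """Return (response, reason), following the order of reasons in the lecture:
    no remediation, within appetite, countermeasure dearer than the asset,
    then transfer if cheaper than fixing it ourselves, else mitigate."""
    ale = annual_loss_expectancy(item)
    if item.countermeasure_cost is None:
        if item.transfer_cost is not None and item.transfer_cost < ale:
            return ("transfer", "no remediation, but the loss can be insured or shared")
        return ("accept", "no practical remediation exists")
    if ale <= risk_appetite:
        return ("accept", "expected loss is within the risk appetite")
    if item.countermeasure_cost > item.asset_value:
        if item.transfer_cost is not None and item.transfer_cost < item.asset_value:
            return ("transfer", "countermeasure exceeds asset value; transfer is cheaper")
        return ("accept", "countermeasure costs more than the asset is worth")
    if item.transfer_cost is not None and item.transfer_cost < item.countermeasure_cost:
        return ("transfer", "insurance or a third party is cheaper than fixing it in-house")
    return ("mitigate", "countermeasure is affordable relative to the expected loss")


def sample_portfolio() -> List[RiskItem]:
    """Constructed figures only; they are not estimates for any real organization."""
    return [
        RiskItem("meteor-strike", 5_000_000, 1e-7, countermeasure_cost=None),
        RiskItem("legacy-printer", 500, 0.2, countermeasure_cost=2_000),
        RiskItem("file-server-ransomware", 2_000_000, 0.1,
                 countermeasure_cost=40_000, transfer_cost=60_000),
        RiskItem("incident-response", 1_000_000, 0.05,
                 countermeasure_cost=300_000, transfer_cost=80_000),  # in-house team vs retainer
        RiskItem("test-lab-outage", 20_000, 0.001, countermeasure_cost=5_000),
    ]


def response_plan(risk_appetite: float) -> Dict[str, Tuple[str, str]]:
    """Map each item to its chosen response for a given appetite (in money per year)."""
    return {item.name: choose_response(item, risk_appetite) for item in sample_portfolio()}


if __name__ == "__main__":
    for name, (response, reason) in response_plan(risk_appetite=50.0).items():
        print(f"{name:24s} {response:9s} {reason}")
```

Changing the appetite is the governance lever the lecture mentions: a conservative leadership sets it low and more items fall through to mitigate or transfer, a larger appetite accepts more.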
Other things to think about would be trying to put cyber threat intelligence into the bigger picture.
What is its real purpose in your organization? And how should it be utilized
in order to get the most benefit from that investment?
Because, inevitably, setting up a cyber threat intelligence
function within your organization is going to cost money.
There'll be staffing to consider: hiring
people with the appropriate training and credentials, and so on.
Sending people to training is
something that would be considered, because you may not
have the expertise at the level where it's required. Some people need
additional training to get up to the next higher level of expertise.
In addition, there might be hardware and software required, or additional services that the organization decides to engage in.
These all cost money,
and there's some risk associated with
expanding the financial aspect of the program.
However, the benefits are pretty obvious. If you've got dedicated analysts that are actively monitoring security controls, actively performing monitoring of your systems and networks,
then they can look for threats on a more regular basis. Ideally, you want as much of this activity to be automated as possible, using SIEM devices, for instance, or the IDS and IPS that we talked about in an earlier module.
These are great solutions to take the burden off of humans,
because humans are better at making decisions
when you've got different kinds of information that need to be considered and thought through.
What we're not so good at is doing repetitive
tasks that require very
high levels of focus.
You can do that for a short period of time, but as we all know, it's very easy to get burned out
doing repetitive tasks that require intense concentration,
and it's too easy to start making mistakes. So we want to automate as much as possible.
So beyond the idea of identifying threats
and making their presence known to analysts, in
your SOC or your NOC, for instance,
incident response must play a vital role here,
because it's only going half the distance if you just
discover a threat and send out an alert.
Someone needs to look at that information and make a decision: is this
a threat that's worth investigating further?
Is it relevant? Is it credible?
What should our incident response team do?
You don't want to invoke the incident response function more often than it's actually needed.
As I mentioned in an earlier discussion, there is that danger of being a little bit oversensitive to certain kinds of threats,
and crying wolf a little bit too often can have negative consequences.
So there needs to be a balance,
and some kind of determination to say, OK, we've got certain criteria that have been met.
Now this constitutes a threat where incident response functions must be invoked.
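The triage decision at the end of the module, written as a rule that only invokes incident response when a fixed set of criteria is met, so that an alert that is merely loud does not cry wolf. This is an added example and not the course's own material; the asset inventory, the source reliability scores, the thresholds and the sample alerts are constructed. The four criteria are the ones the lecture names or implies: relevant to platforms we actually run, from a credible source, severe enough, and actually observed in our own telemetry rather than only reported by a feed.

```python
"""Criteria-based decision on when to invoke incident response (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OWNED_PLATFORMS = {"windows", "linux"}  # constructed asset inventory
SOURCE_RELIABILITY = {                   # constructed trust scores for report sources
    "vendor-feed": 0.9,
    "osint-blog": 0.6,
    "anonymous-paste": 0.2,
}


@dataclass
class Alert:
    alert_id: str
    platform: str
    source: str
    severity: int            # 1..5 as rated by the feed
    matched_telemetry: bool  # an indicator from the report matched our own logs


def triage(alert: Alert, min_severity: int = 3,
           min_reliability: float = 0.5) -> Tuple[str, List[str]]:
    """Return (decision, failed_criteria). Incident response is invoked only when
    every criterion holds; relevant-but-unconfirmed alerts go to an analyst, and
    alerts about platforms we do not own are logged for awareness only."""
    checks = {
        "relevant": alert.platform in OWNED_PLATFORMS,
        "credible": SOURCE_RELIABILITY.get(alert.source, 0.0) >= min_reliability,
        "severe": alert.severity >= min_severity,
        "observed": alert.matched_telemetry,
    }
    failed = [name for name, ok in checks.items() if not ok]
    if not checks["relevant"]:
        return ("log_only", failed)
    if not failed:
        return ("invoke_ir", failed)
    return ("analyst_review", failed)


def sample_alerts() -> List[Alert]:
    """Constructed alerts covering each way the decision can go."""
    return [
        Alert("A-1", "macos", "vendor-feed", 5, True),      # serious but not relevant
        Alert("A-2", "windows", "anonymous-paste", 5, True),  # relevant, not credible
        Alert("A-3", "windows", "vendor-feed", 4, True),    # all criteria met
        Alert("A-4", "linux", "osint-blog", 4, False),      # nothing seen in our logs
        Alert("A-5", "windows", "vendor-feed", 2, True),    # below the severity bar
    ]


def triage_all() -> Dict[str, Tuple[str, List[str]]]:
    return {a.alert_id: triage(a) for a in sample_alerts()}


if __name__ == "__main__":
    for alert_id, (decision, failed) in triage_all().items():
        print(alert_id, decision, "failed:", failed or "none")
```

Only A-3 reaches incident response; the other four are not discarded, they are routed to a cheaper path (an analyst's review or a log entry) that costs far less than standing up the response team.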