Lesson 2.3. Risk Assessments and Commercial Threat Intelligence
For this lesson, the objectives are: one, understand what an organization's risk appetite is and how IT security fits into the overall risk picture; two, discuss the risk assessment process, the frameworks available for conducting risk assessments, and why they are important; three, identify the benefits of threat intelligence and how IR teams can leverage threat intelligence throughout the IR lifecycle.

I've mentioned risk several times already through this presentation, and I really can't stress enough how important it is to have risk management, enterprise risk management, and IT and cybersecurity as part of those discussions.
You do not want to be hanging yourself out there or walking a tightrope, as this image shows, because the risk management decision is not an IT or cybersecurity decision to make. It belongs to the business executives, or the mission executives, or the commander of an organization, depending on where you're coming from.
But if you make these risk decisions in a silo and no one knows the decisions that you've made as a cybersecurity leader, that can have negative consequences for your career and certainly for the organization. So you want to make sure, through the risk register process that I have already introduced you to and through how you communicate with executives, that these issues and risks are being elevated as appropriate. Now, certainly you don't elevate every risk, because some of the risks are easily mitigated or they don't have to go up to the very top, but there are certainly those large risks. And that's why we use a framework of what's the likelihood and the impact of these risks actually happening, to help you define what should go up to executives and what should stay at the local level.
So we'll talk about understanding risk and risk appetite. You don't want to be the people shown in this picture: "Do not proceed beyond this point," and you can see a bunch of people out there. There are clearly some risks that should not be held close within the security organization, and you also need to understand where that line is of "you cannot proceed beyond this without involving some other people." And that's why sitting down with leaders and asking them flat out, "What's the risk appetite of this organization? How do you feel about cybersecurity risk? How much are you willing to let me accept on your behalf, versus what should I be bringing up to senior leadership?" Those are the kinds of questions that should be asked within an organization.
The CSIRT should also be involved in patch management and vulnerability management, because that helps you understand what the risk is like for an organization. If IT is horrible at getting patches out and there are multiple vulnerabilities that are getting shown on vulnerability scans, and especially if you layer on top of that the high value asset and criticality information that we've talked through and the exploitability of those vulnerabilities (so what's their CVSS score, and how are they looking to the organization?), that's really important. Because if you know as a CSIRT that these resources over here are highly vulnerable, they're not patched, and there are exploits available for the vulnerabilities, then you may change your response criteria, your timelines, and your monitoring and controlling of those systems to account for these vulnerabilities. So the CSIRT really needs to be in the loop and have access to the patch management and vulnerability management processes.
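The likelihood-and-impact framework for deciding what goes up to executives, combined with the scan context the CSIRT gets from patch and vulnerability management, as an added example (not code from the lecture); the 1-5 scales, the appetite threshold of 12, the day counts and the sample register are all constructed assumptions:

```python
# Added example (not from the lecture): a small risk-register model.
# Likelihood and impact are 1-5 scales; "appetite" is the score above which
# a risk must leave the local level (an answer you get from executives).
# Scan context (CVSS, public exploit, high value asset, patch state) raises
# likelihood and tightens the CSIRT timeline. All values are assumptions.
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    cvss: float = 0.0         # highest CVSS base score among open findings
    exploit_public: bool = False
    high_value_asset: bool = False
    patched: bool = True

def adjusted_likelihood(r: Risk) -> int:
    """Raise likelihood when scans show unpatched, exploitable flaws."""
    score = r.likelihood
    if not r.patched and r.cvss >= 7.0:
        score += 1
    if r.exploit_public:
        score += 1
    return min(score, 5)

def risk_score(r: Risk) -> int:
    return adjusted_likelihood(r) * r.impact

def escalation_level(r: Risk, appetite: int) -> str:
    """Decide whether the risk stays local or goes up to executives."""
    s = risk_score(r)
    if s > appetite or (r.high_value_asset and r.exploit_public):
        return "executive"
    if s >= appetite // 2:
        return "it-leadership"
    return "local"

def remediation_days(r: Risk) -> int:
    """CSIRT response timeline, tightened by exploitability and HVA status."""
    days = 30 if r.cvss < 7.0 else 14
    if r.exploit_public:
        days = min(days, 7)
    if r.high_value_asset:
        days = min(days, 3)
    return days

# Constructed sample register; appetite 12 is an assumed executive answer.
REGISTER = [Risk("unpatched web server", 3, 4, cvss=9.8, exploit_public=True,
                 high_value_asset=True, patched=False),
            Risk("legacy printer firmware", 2, 2, cvss=5.3)]
TRIAGE = {r.name: (risk_score(r), escalation_level(r, 12), remediation_days(r))
          for r in REGISTER}
```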
When we talk about risk assessments, there are a lot of different ways you can go about doing a risk assessment, but every organization needs to have a risk assessment, and these risk assessments need to be updated at least once a year, because threats change, vulnerabilities change, and the organization's target status may change. And that's why having a risk assessment done and updated is so important. So if you have a risk assessment, the CSIRT should be familiar with the document. When I worked in the Department of Energy's program, we had a counterintelligence organization that would go out and give us a risk assessment. We would do our own IT risk assessment, but it was really nice to see from counterintelligence how they perceived us as a risk: who were the people that were after us, what were the tactics and techniques that they were using to get into organizations, and how they felt about our risk posture. But then we would do our own IT one. You may have internal audit organizations that are doing risk assessments as well, or that ERM group may be doing a risk assessment, but it might not include IT and cybersecurity as part of that.
There are two examples I wanted to highlight here, and they are hyperlinked within the slide deck. One is the NIST Cybersecurity Framework, or CSF. NIST also has the Risk Management Framework, or RMF. RMF is dedicated and really designed for federal agencies. The CSF is also being used by federal agencies, but it was originally developed for private organizations and those that are trying to have some standardized way to measure cybersecurity risk and implement security controls. And then NIST 800-30 is a whole document that shows exactly how to do risk assessments.
Threat intelligence can help you as an incident response team understand something very fundamental. As you see on the slide, you see the threat landscape. This is all the things that are out there that you may or may not need to be worried about: the vulnerabilities, the threats, the exploits, just the whole landscape that's out there. And then you have your organization: all the systems, data, applications, and people. And then in the very middle is what threat intel helps you focus on. Really, what that is, is how the threat landscape and your organization intersect. That is what you need to be concerned with as an incident responder, because that's where the risk really lies, and threat intel helps clarify that for you. Another way it helps is that it gives you information based on evidence. It also provides you actionable advice, and it can influence your response based on whether or not you're even susceptible to something, or what the success rate has been for certain attacks based on the threat intelligence information.
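The intersection from the slide, worked through as an added example (not code from the lecture): a constructed intel feed is filtered down to the items the organization is actually susceptible to, then ordered by the feed's evidence on in-the-wild exploitation and success rate. The feed fields, product names and versions are all constructed assumptions, not any vendor's format.

```python
# Added example (not from the lecture): intersecting a threat intel feed
# with an asset inventory so the IR team only sees what can affect it.
# Feed entries, inventory and field names are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class IntelItem:
    threat: str                    # reported campaign or exploit
    product: str                   # affected software, lower-case key
    max_version: str               # highest vulnerable version, "x.y.z"
    exploited_in_wild: bool        # evidence of active use
    reported_success_rate: float   # 0..1, from the feed's evidence

def version_tuple(v: str) -> tuple:
    """'10.1.3' -> (10, 1, 3) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def susceptible(item: IntelItem, inventory: dict) -> bool:
    """True when the org runs the product at a version in the affected range."""
    running = inventory.get(item.product)
    if running is None:
        return False
    return version_tuple(running) <= version_tuple(item.max_version)

def prioritize(feed, inventory):
    """Keep only items that intersect the org, most actionable first."""
    hits = [i for i in feed if susceptible(i, inventory)]
    return sorted(hits, reverse=True,
                  key=lambda i: (i.exploited_in_wild, i.reported_success_rate))

# Constructed sample: what the org actually runs (product -> version).
INVENTORY = {"webapp-fw": "4.2.1", "mail-gw": "2.9.0", "vpn-appliance": "10.1.3"}
# Constructed sample feed: some items do not touch this org at all.
FEED = [
    IntelItem("campaign A, mail gateway RCE", "mail-gw", "2.9.5", True, 0.6),
    IntelItem("campaign B, old webapp framework", "webapp-fw", "3.9.9", True, 0.8),
    IntelItem("campaign C, VPN credential theft", "vpn-appliance", "10.2.0", False, 0.3),
    IntelItem("campaign D, unrelated ERP bug", "erp-suite", "7.0.0", True, 0.9),
]
```

Campaigns B and D are noise for this organization (patched past the affected range, or not running the product at all) and drop out before anyone on the IR team reads them.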
When you look through examples of threat intelligence, there are a lot. There are a lot of organizations and companies that will sell you threat intel. Some of them are better than others, but there are also some feeds that you can get for free. So if you don't have much of a budget for this and you just want to see how it might help your organization, look at some of these links that I have here on where you can get threat intel information, and just check it out. See if this information might be helpful to you and your organization.
Okay, a quiz question for us on this. How does threat intelligence help a security organization? A. It identifies all of the vulnerabilities within the environment. B. The intelligence assists with focusing on only what impacts the organization. C. It provides a contract for 24 by 7 intel analysts to provide assistance during an incident. All right, the answer here is B. The intelligence, if you remember that slide I have with the crossover, really assists with focusing on what is most impactful to the organization, and it cuts out all the other noise. It helps you really focus on what you need to be looking at.
Another question here. What does the NIST CSF provide organizations with? A. A framework that can be customized to define an organization's as-is and to-be implementation of security controls and best practices. B. Guidelines on how to remediate vulnerabilities. C. Compliance with the federal law that requires its implementation. The answer to this is A. It does provide you a framework to look at the maturity of the organization. It has different tiers, and we'll talk through this a little bit more in depth as we go. But it also gives you the ability to measure your as-is and then your to-be state for cybersecurity, and it helps you identify the gaps and build a roadmap on how you can overcome those gaps and get to the maturity level that you feel is appropriate for your organization.
Just one summary here. We've talked about what an organization's risk appetite is and how IT and security fit into that; the benefits of how threat intelligence can help IR teams focus and leverage that intelligence; and also the risk assessment process, a couple of frameworks that are available, and why it is important to have a risk assessment completed for your organization.