In addition to my threat intelligence work, I am also updating an older GTP/Burton paper on threat assessment (see “Threat Assessment in Dangerous Times” [GTP access required])
WTH is “threat assessment”, apart from a subject that hardly anybody seems to care about? Is it part of risk assessment? Is it one of the threat intelligence use cases? Is it something that only 1%-ers do?
We can decompose it into reviewing the details about the threats (such as via threat actor profiles and other threat intelligence, strategic and tactical) and then assessing the relevance of the threat to our organization.
It may go like this:
- Identify broad types of threats to include in the threat assessment (it may well start from the list of all possible threats)
- Gather information about threats – their history, background, backing, time frames for action, capabilities, and intents [capabilities + intents tuple being the core of it!]; this applies to classes of threats, specific threats and occasionally specific threat actors
- Analyze those threats in terms of their interaction with company assets, personnel, locations, technologies, and systems.
Let’s try this process to see how it may be done (the example below is inspired by Austin Powers and of course this video):
| Threat | Threat Actor Profile | Relevance to Our Organization |
|---|---|---|
| Sharks with fricking lasers | Adversary level: advanced; Intent: world domination; Capabilities: biting, lasing, raising killer waves, causing terror; ObservedTTPs: laser beam in the eye, phishing, exfiltration via pool drain; AssociatedActors: sharks with freeze rays | Were seen in the corporate pool; Attacked a similar organization; Are known to be interested in our technology for underwater teleportation |
BTW, does anybody have a full STIX threat actor profile for a shark with a fricking laser? The table above only serves as a poor man’s threat profile and threat assessment documentation. Still, given the above threat assessment, we absolutely must include “sharks with fricking lasers” in our organization’s risk assessment!
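As an added illustration (not code from the original post), here is what the three-step process above looks like when the "poor man's" table is turned into machine-readable data: step 2 as a STIX 2.1-style threat actor profile for the joke adversary, and step 3 as a small relevance assessment that scores intent, capability and observed activity against our own organization separately. STIX property names and vocabularies (`threat_actor_types`, `sophistication`, `goals`, `primary_motivation`, `relationship_type`) are the real 2.1 ones; the `x_capabilities` custom property, the `ORG` profile, the `EVIDENCE` records and the scoring weights are assumptions constructed for this example.

```python
"""Added example: STIX 2.1-style threat actor profile plus a toy relevance
assessment. Objects are plain dicts using STIX 2.1 property names; the
organisation profile, evidence records and weights are made up for this example."""
import json
import re
import uuid

TIMESTAMP = "2014-01-01T00:00:00.000Z"          # fixed, constructed timestamp
STIX_ID = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f-]{36}$")


def stix_id(obj_type):
    """STIX 2.1 identifiers have the form '<type>--<uuid4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_object(obj_type, **props):
    """Common STIX object skeleton: type, spec_version, id, created, modified."""
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": TIMESTAMP, "modified": TIMESTAMP, **props}


def build_profile():
    """Step 2: gather what we know about the threat into a STIX bundle."""
    actor = stix_object("threat-actor",
                        name="Sharks with fricking lasers",
                        threat_actor_types=["terrorist"],   # STIX open vocabulary
                        sophistication="advanced",          # 'Adversary level: advanced'
                        goals=["world domination"],         # the intent half of the tuple
                        primary_motivation="dominance",
                        x_capabilities=["biting", "lasing", "raising killer waves",
                                        "causing terror"])  # custom x_ property (assumed)
    ttps = [stix_object("attack-pattern", name=n) for n in
            ("laser beam in the eye", "phishing", "exfiltration via pool drain")]
    associated = stix_object("threat-actor", name="sharks with freeze rays",
                             threat_actor_types=["unknown"])
    rels = [stix_object("relationship", relationship_type="uses",
                        source_ref=actor["id"], target_ref=t["id"]) for t in ttps]
    rels.append(stix_object("relationship", relationship_type="related-to",
                            source_ref=actor["id"], target_ref=associated["id"]))
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [actor, associated, *ttps, *rels]}


def validate_bundle(bundle):
    """Structural check: ids are well formed and match their object type, and
    every relationship points at an object that is actually in the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not STIX_ID.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            return False
        if o["type"] == "relationship" and not {o["source_ref"], o["target_ref"]} <= ids:
            return False
    return True


# Assumed profile of our own organisation: what we own and which TTPs could work on us.
ORG = {"technologies": {"underwater teleportation", "corporate pool"},
       "exposed_ttps": {"phishing", "exfiltration via pool drain"}}

# Constructed evidence records, one per line of the table's relevance column.
EVIDENCE = [{"kind": "sighting", "where": "corporate pool"},
            {"kind": "peer_attacked", "peer": "similar organisation"},
            {"kind": "stated_interest", "target": "underwater teleportation"}]


def assess_relevance(bundle, actor_name, org=ORG, evidence=EVIDENCE):
    """Step 3: score intent, capability and activity against our organisation.
    Weights are arbitrary; the design point is that intent and capability are
    scored separately, so a capable actor with no interest in us scores low."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    actor = next(o for o in bundle["objects"]
                 if o["type"] == "threat-actor" and o["name"] == actor_name)
    used = {by_id[r["target_ref"]]["name"] for r in bundle["objects"]
            if r["type"] == "relationship" and r["relationship_type"] == "uses"
            and r["source_ref"] == actor["id"]}
    score, reasons = 0, []
    interests = {e["target"] for e in evidence if e["kind"] == "stated_interest"}
    if interests & org["technologies"]:
        score += 3
        reasons.append(f"intent: interested in {sorted(interests & org['technologies'])}")
    applicable = used & org["exposed_ttps"]
    if applicable:
        score += 2
        reasons.append(f"capability: applicable observed TTPs {sorted(applicable)}")
    if any(e["kind"] == "sighting" for e in evidence):
        score += 3
        reasons.append("activity: seen in our environment")
    if any(e["kind"] == "peer_attacked" for e in evidence):
        score += 2
        reasons.append("activity: attacked a similar organisation")
    rating = ("include in risk assessment" if score >= 5
              else "monitor" if score >= 2 else "out of scope")
    return {"actor": actor["name"], "sophistication": actor.get("sophistication"),
            "score": score, "rating": rating, "reasons": reasons}


if __name__ == "__main__":
    bundle = build_profile()
    print("bundle valid:", validate_bundle(bundle))
    print(json.dumps(assess_relevance(bundle, "Sharks with fricking lasers"), indent=2))
```

The associated "sharks with freeze rays" actor has no `uses` relationships and no evidence, so the same function rates it "out of scope": the point of keeping the capabilities + intents tuple explicit is that relevance comes from the overlap between the actor's profile and our own assets and exposures, not from how scary the profile reads on its own.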
Posts related to this research project:
- On Threat Intelligence Management Platforms
- How to Use Threat Intelligence with Your SIEM? (a very useful read!)
- On Internally-sourced Threat Intelligence
- Delving into Threat Actor Profiles
- On Threat Intelligence Sources
- How to Make Better Threat Intelligence Out of Threat Intelligence Data?
- On Threat Intelligence Use Cases
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Consumption of Shared Security Data
- From IPs to TTPs
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
2 Comments
Do you include the IRAM methodology in your threat assessment paper(s)?
@ronald As a matter of fact, I do. IRAM does get an honorable mention in the paper.