How Regular Risk Assessment Prevents and Stabilizes Threats

Data breaches, foreign hackers and corporate espionage: today, it seems that phrases like these are on the tip of every tongue, and not without good reason. As digital literacy, Internet access and affordable technology spread worldwide, the knowledge and skill of attackers grow with them. Organizations both public and private are right to be concerned about these risks.

At the same time, “risk” is a broad domain, and while it might seem that we are facing more risks today than ever before, it remains true that the greatest risks to an organization originate from the inside. From mundane eventualities like power surges, to human error or malicious sabotage, every vulnerability within an organization contributes to its overall risk.

While individually a single risk may not amount to much, collectively risks represent a danger that can seriously obstruct – if not destroy – an organization and its mission. But with so many to worry about, how can they be anticipated and successfully prevented?

How to Define Risk

“Risk” is a measure of the likelihood that a vulnerability in a system or asset will be exploited, leading to adverse effects, combined with the probable impact of those effects. Impact may be measured in financial loss, operational disruption or harm to people.

The existence of vulnerabilities in any given system or asset can be taken for granted. All technology is flawed in some way, or risk would not exist. While most vulnerabilities are benign, obscure or inert, some are always serious enough to be targeted by threats.

Today, companies face many threats from the outside, including attackers, malware, foreign governments and APT groups. But they face many more from the inside: malicious employees, outdated and unsupported equipment, human error, insecure code and mishandling of data.

Fortunately, there are many methods to prevent threats from succeeding, and respond when they do. But organizations focused on prevention or remediation cannot skip the discovery process. Before risks can be dealt with, they must first be identified, measured and assessed.

The Role of Risk Assessment

A risk assessment is the controlled, systematic identification and documentation of existing risks, their likelihood of occurrence and their probable impact. A professional risk assessment follows a documented methodology to ensure that nothing is overlooked and that remediation is prioritized according to severity.

The purpose of a risk assessment is not merely to prevent risks from occurring, but also to establish a suitable response that will mitigate damages if they do occur. Risk assessments therefore inform organizational policies, providing an objective, quantifiable basis for regulation and best practice.

IT infrastructure and assets change with time as old equipment is discarded, new equipment is acquired, and configuration changes are made on a regular basis. Moreover, the availability of knowledgeable and skilled personnel may change with new hires, transfers or retirement.

For these reasons and many others, risk assessment should be repeated on a regular basis as part of an organization’s overall security and auditing cycle. What held true yesterday will not necessarily hold true tomorrow.

The NIST Framework

The National Institute of Standards and Technology (NIST) publishes the Risk Management Framework (SP 800-37) for federal agencies, partners and contractors, maintains the Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework), and describes how to perform the assessment itself in SP 800-30, Guide for Conducting Risk Assessments.

NIST’s guidelines for conducting a risk assessment (SP 800-30) establish six broad steps:

  1. Identify Threat Sources
  2. Identify Threat Events
  3. Identify Vulnerabilities
  4. Determine the Likelihood of Exploitation
  5. Determine the Probable Impact
  6. Calculate Risk as a Combination of Likelihood and Impact
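The six steps above, worked through over a small risk register, as an added example (this is not Securicon's code or a NIST artifact). Every threat source, event, vulnerability and rating in it is constructed for illustration, and the 5x5 RISK_MATRIX is an assumed qualitative scale in the shape of the likelihood/impact table in SP 800-30 Rev. 1 Appendix I; an organization should substitute the scale it has actually adopted. The `reassess` function shows why the assessment is repeated: a control change alters likelihood, and the register must be re-rated and re-prioritized.

```python
"""Walk the six SP 800-30 steps over a small, constructed risk register.

Added example; not Securicon's code. All entries and ratings are invented.
RISK_MATRIX is an assumed 5x5 qualitative scale modelled on the shape of
SP 800-30 Rev. 1 Appendix I; substitute your organization's adopted scale.
"""
from dataclasses import dataclass
from typing import List

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Row = likelihood rating, column = impact rating (indexed via LEVELS), value = risk.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass
class RiskEntry:
    threat_source: str  # step 1: who or what initiates the event
    threat_event: str   # step 2: what the source does
    vulnerability: str  # step 3: the weakness the event exploits
    likelihood: str     # step 4: rating from LEVELS
    impact: str         # step 5: rating from LEVELS
    risk: str = ""      # step 6: filled in by assess()


def combine(likelihood: str, impact: str) -> str:
    """Step 6: risk as a combination of likelihood and impact."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown rating: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def assess(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Rate every entry and return the register most severe first, so that
    remediation is prioritized by severity (ties keep register order)."""
    for entry in entries:
        entry.risk = combine(entry.likelihood, entry.impact)
    return sorted(entries, key=lambda e: LEVELS.index(e.risk), reverse=True)


def reassess(entries: List[RiskEntry], vulnerability: str,
             new_likelihood: str) -> List[RiskEntry]:
    """Periodic reassessment: a control change (patch, new equipment, staff
    turnover) changes likelihood, so the affected entries are re-rated."""
    for entry in entries:
        if entry.vulnerability == vulnerability:
            entry.likelihood = new_likelihood
    return assess(entries)


def example_register() -> List[RiskEntry]:
    """Constructed register mixing outside and inside threat sources."""
    return [
        RiskEntry("External attacker", "Exploits internet-facing VPN appliance",
                  "VPN appliance running unpatched firmware", "High", "High"),
        RiskEntry("Disgruntled administrator", "Deletes backup volumes",
                  "Shared admin account without MFA", "Low", "Very High"),
        RiskEntry("Environment", "Power surge destroys control-room HMI",
                  "No surge protection or UPS in control room", "Moderate", "Moderate"),
        RiskEntry("Staff error", "Firewall rule change exposes historian to IT",
                  "No peer review of firewall changes", "Moderate", "High"),
        RiskEntry("Commodity malware", "Ransomware delivered by phishing",
                  "Office macros enabled for all users", "High", "Very High"),
    ]


if __name__ == "__main__":
    for entry in assess(example_register()):
        print(f"{entry.risk:9s}  {entry.threat_source:26s}  {entry.threat_event}")
```

Running the block prints the register with the ransomware entry first and the unpatched VPN second; calling `reassess(register, "VPN appliance running unpatched firmware", "Low")` after the appliance is patched drops that entry from High to Low, which is exactly the movement a repeated assessment is meant to capture.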

Other standards bodies follow NIST’s framework closely in their own publications, making it a de facto industry standard for conducting regular, thorough risk assessments as part of an overall risk management program.

Simplified, Productive Assessments

Risk is inevitable. It is a consequence of using technology and systems built by people in a world populated by people, some of them good, some bad, and none perfect. But being caught off guard is not inevitable. And when a breach, attack or system failure hits, those who are prepared will suffer the least and recover fastest.

Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our Risk Assessment framework.

Threat Prevention with the MITRE ATT&CK Matrix

At Securicon, we take an OT-centered approach to working with asset owners. With the aid of the MITRE ATT&CK Framework (ATT&CK), we design tailor-made scenarios to test OT defenses and detection. By cataloguing the tactics and techniques adversaries use to gain access to a network, maintain persistence and exfiltrate data, ATT&CK is a tool that can assist asset owners in building a cybersecurity program for industrial control systems (ICS).

Why Should Asset Owners Care?

Today, asset owners have begun to monitor information technology (IT) and operational technology (OT) events from a single security operations center (SOC). This allows them to receive security alerts from the enterprise level of the Purdue Model down to the process control layer in one location. With so much information arriving, the ATT&CK Matrix helps us identify what asset owners should be watching for in their environments.

Our Approach

Overview

At Securicon, we approach the ATT&CK framework as a punch list of events that asset owners should monitor carefully. Our ICS threat simulation team (the Threat Prevention Team) uses these techniques to test the asset owner’s defensive analysts (the Blue Team). Through these exercises, we are able to identify the respective strengths and weaknesses of their security program. In the following sections, we outline the steps of a typical adversarial simulation.

Scoping & Initial Engagement

Securicon and trusted individuals working for the asset owner monitor the Threat Prevention Team’s activities to determine mission success. We start by developing scenarios of initial access for the asset owner to approve; a common arrangement includes a combination of vulnerability exploitation and social engineering used to gain unauthorized network access.

During the scoping process, asset owners are given the opportunity to select techniques from the ATT&CK framework for Securicon’s Threat Prevention Team to simulate. Otherwise, the Threat Prevention Team acts on its own discretion and expertise to accomplish the simulation’s objective.

During the Engagement

Once scoping is complete and initial access has been achieved, the Blue Team receives regular updates allowing them to observe simulation progress. Securicon uses numerous methods to move laterally through the asset owner’s network until we reach the OT layer. Using internal reconnaissance, exploitation and post-exploitation techniques, the Threat Prevention Team continues until its mission is completed.

Post-Engagement

After the mission is complete, the Threat Prevention Team compiles their findings into a report for the asset owner’s trusted individuals. Additionally, asset owners will often request a presentation for their executive team. Using the ATT&CK Framework for reference, the Threat Prevention Team will explain their progression through the asset owner’s network with maps and other visual aids.
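The scoping, engagement and reporting steps above come together in a per-technique scorecard: which scoped ATT&CK techniques the Blue Team detected, how long detection took, and which ones went unnoticed. The following is an added example and not Securicon's tooling. The technique IDs are from ATT&CK Enterprise; the tactic named for each is the one exercised in this constructed scenario, and the red-team activity log, the alert lines and their `technique=`/`host=` tag format are all constructed for the example.

```python
"""ATT&CK-keyed scorecard for a threat simulation: which scoped techniques the
Blue Team detected, how fast, and where the gaps are.

Added example, not Securicon's own tooling. Technique IDs are ATT&CK
Enterprise; the tactic listed per technique is the one exercised in this
constructed scenario. RED_LOG, BLUE_ALERTS and the alert line format are
constructed for the example.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Techniques agreed during scoping: id -> (tactic exercised, technique name).
SCOPE = {
    "T1566": ("Initial Access", "Phishing"),
    "T1003": ("Credential Access", "OS Credential Dumping"),
    "T1021": ("Lateral Movement", "Remote Services"),
    "T1078": ("Persistence", "Valid Accounts"),
    "T1053": ("Persistence", "Scheduled Task/Job"),
    "T1041": ("Exfiltration", "Exfiltration Over C2 Channel"),
}

# Threat Prevention Team activity log (constructed): when, what, on which host.
RED_LOG = [
    ("2019-06-03T13:40:00Z", "T1566", "ws-eng-07"),
    ("2019-06-03T14:05:00Z", "T1003", "ws-eng-07"),
    ("2019-06-03T15:20:00Z", "T1021", "hist-01"),
    ("2019-06-03T15:35:00Z", "T1078", "hist-01"),
    ("2019-06-04T09:10:00Z", "T1053", "hist-01"),
    ("2019-06-04T11:00:00Z", "T1041", "hist-01"),
]

# Blue Team SOC alerts (constructed), one per line, each tagged with the
# technique its detection rule was written against.
BLUE_ALERTS = """\
2019-06-03T13:52:30Z sev=medium rule=mail-macro-exec technique=T1566 host=ws-eng-07
2019-06-03T15:41:10Z sev=high rule=rdp-from-it-to-ot technique=T1021 host=hist-01
2019-06-03T16:02:00Z sev=low rule=new-local-admin-logon technique=T1078 host=hist-01
2019-06-04T11:48:05Z sev=high rule=dns-txt-volume technique=T1041 host=hist-01
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+) .*?technique=(?P<tech>T\d{4}) host=(?P<host>\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_alerts(text: str) -> List[Tuple[str, str, str]]:
    """Extract (timestamp, technique, host) from each well-formed alert line."""
    hits = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("tech"), m.group("host")))
    return hits


def minutes_between(start: str, end: str) -> float:
    return (datetime.strptime(end, TS_FMT) - datetime.strptime(start, TS_FMT)).total_seconds() / 60


def scorecard(red_log=RED_LOG, alerts_text=BLUE_ALERTS) -> Dict[str, Optional[float]]:
    """Map each executed technique to time-to-detect in minutes, or None if
    no alert for that technique fired on that host at or after execution.
    All timestamps share one fixed-width ISO 8601 format, so plain string
    comparison orders them correctly."""
    alerts = parse_alerts(alerts_text)
    card: Dict[str, Optional[float]] = {}
    for exec_ts, tech, host in red_log:
        matching = [ts for ts, t, h in alerts if t == tech and h == host and ts >= exec_ts]
        card[tech] = minutes_between(exec_ts, min(matching)) if matching else None
    return card


def coverage(card: Dict[str, Optional[float]]) -> float:
    """Fraction of executed techniques that produced at least one alert."""
    return sum(1 for v in card.values() if v is not None) / len(card)


def gaps(card: Dict[str, Optional[float]]) -> List[str]:
    """Missed techniques, labelled for the post-engagement report."""
    return [f"{t} {SCOPE[t][1]} ({SCOPE[t][0]})" for t, v in card.items() if v is None]


if __name__ == "__main__":
    card = scorecard()
    for tech, ttd in card.items():
        tactic, name = SCOPE[tech]
        status = f"detected after {ttd:.1f} min" if ttd is not None else "MISSED"
        print(f"{tech} {name:30s} {tactic:18s} {status}")
    print(f"coverage: {coverage(card):.0%}; gaps: {gaps(card)}")
```

On the constructed data the SOC sees the phish, the RDP hop into the OT segment, the new admin logon and the DNS exfiltration, but misses credential dumping on the workstation and the scheduled task that gave persistence on the historian; those two lines are the findings the report leads with, and the time-to-detect column is what the Blue Team tracks across repeat engagements.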

As OT malware such as Triton/Trisis, Industroyer, BlackEnergy and Stuxnet has shown, attacks on industrial environments are no longer hypothetical, and asset owners need to be prepared for threat events. Asset owners in the process of building an ICS Security Program should utilize adversarial threat simulation services to discover security gaps.

While no real intrusion follows the MITRE ATT&CK Framework point by point, Securicon’s senior consultants are prepared for any eventuality. We combine individual research and experience to assess defenses rigorously, leaving no stone unturned. Real-life scenarios like Triton/Trisis can be simulated using custom-built ICS modules that imitate valid communication within the OT network.


Harry Thomas is a senior level cyber security consultant who works with industries that require security in high availability networks such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through methods of vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.


Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments, which are trusted by critical infrastructure companies across the U.S. and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!