If you’ve found this article interesting, please visit and follow Radiflow on LinkedIn, where you’ll find a wealth of exclusive content.
In this blog series, we will present Radiflow’s breach simulation algorithm. We will describe the inputs used by the algorithm, show its output, and discuss its benefits and limitations. We will also describe Radiflow’s approach toward the challenge raised in a previous post by Rani Kehat, Radiflow’s VP BizDev: “Is Your Cyber Risk Analysis based on Empirical Data? (It Should Be)”.
Introduction
Aligning corporate business strategy with cybersecurity strategy is essential for ensuring companies’ productivity and business continuity. Companies that fail to devise and execute an efficient strategic cyber defense plan greatly increase their vulnerability to cyber attacks and their probability of loss. In that respect, industrial networks are no different from any other network.
To help companies shape a strategic cybersecurity plan, organizations such as NIST, ISA and CSA have developed methodologies for helping organizations better understand and improve their management of cybersecurity risk.
In my previous post I wrote about the importance of using Threat Intelligence (TI) as part of constructing a cyber-risk strategy. In this post I will describe the different types of TI, what you can get from TI, and what can be misleading if TI is used incorrectly.
There are three types of threat intelligence: tactical, operational and strategic.
Tactical threat intelligence includes domains, IP addresses and file hashes, and is normally consumed through security sensors. Tactical TI feeds are used to update the organization’s investigative or monitoring sensors, e.g. firewalls and domain filtering, by blocking attempted connections to malicious servers.
The second type of TI is operational threat intelligence. This type is used to share information about how threat actors conduct attacks. Operational TI is used by incident responders to ensure that their defenses and their investigation capabilities are updated with the latest attack methods. Operational TI is often obtained by reading technical white papers or by communicating with peers in other organizations who have observed attacker behavior.
Sharing threat information requires a structured and unified framework for describing threats. To this end, TI-sharing providers have gone to great lengths to model and standardize adversary behavior. For example, the Common Attack Pattern Enumeration and Classification (CAPEC™) provides a catalog of attack patterns as well as a classification taxonomy.
Another widely-used modeling framework is MITRE’s Adversarial Tactics, Techniques and Common Knowledge (ATT&CK), designed to identify the most reliable indicators of sophisticated attacks. The framework presents commonly-observed adversarial tactics and techniques, based on intelligence gathered on many advanced persistent threat (APT) groups.
In this framework, tactics represent types of adversary actions (e.g. reconnaissance, initial access and more); and for each type/tactic, the framework details its exact methods of operation, or techniques. For example, techniques for performing initial access include Spearphishing Attachment and Exploit Public-Facing Application, among others. MITRE also released a dedicated model for ICS, called ATT&CK for ICS.
In the figure above, as an example, we can see the most-used tactics in the UK against Energy Sector networks, which in turn indicate the most effective mitigation measures (the data for the figure was taken from MITRE’s TI source). However, this TI provides no information about the rate of cyber attack attempts on energy companies in the UK – is it once every 10 years or once a month? This would obviously change the risk level significantly. This type of information is provided as part of Strategic TI.
Strategic Threat Intelligence consists of high-level information that helps risk managers understand current risks and identify upcoming risks, of which they are yet unaware. This may include the financial impact of cyber activity, attack trends, historical data or predictions for each threat’s activity. Using this information, each user company’s board is able to weigh the risk posed by each possible attack and allocate budgets and resources for mitigation.
Combining information from multiple TI types can provide a holistic view of the threats to a specific sector in a specific region. In some cases, it can also provide quantitative information about the loss magnitude of a cyber event or the threat event frequency. However, this combined TI still tells us nothing about the vulnerability of users’ networks to those threats. There’s another missing piece in the puzzle: the properties of the evaluated network. Only with this information would it be possible to efficiently transform the TI into effective actions.
For example: in the figure above, we can see that spear-phishing is one of the most used tactics among attackers in the Energy Sector in the UK. Does this mean that all the risk officers in the UK energy sector should spend their entire security budget on spear-phishing defenses? Not necessarily – simply because spear-phishing may not be an applicable technique in the highest-risk zones of the OT network. If the organization has adequate IT-OT segmentation in place, spear-phishing would not cause significant damage. Instead, risk officers may consider installing defenses against insider threats and improving their user-authentication tools – since attack techniques exploiting weak user authentication are more applicable in the OT network. Therefore, using only TI may lead to incorrect investments in security. Risk officers must consider the specific OT network properties.
Every OT network has its own unique properties: topology, vulnerabilities, security controls and more. These network properties define which tactics can indeed be used in the network and which can’t. Consequently, these properties define which threats have a higher likelihood of compromising the network. Assuming the network is well-modeled, risk officers can now evaluate the entire “attack chain”: which threats are targeting the network, at what frequency, and what is the likelihood of these threats compromising the network, given the network properties and security controls deployed.
Using the TI and the network model, Radiflow’s TI-based breach simulation can evaluate over 100 “attack chains” for different threats. In a matter of seconds, the simulation evaluates which devices are more likely to be compromised, which mitigations are the most effective and which threats are the most dangerous to your specific network.
Another gap in general TI relates to the “second best mitigation to choose”. Let’s take a closer look at one of the outputs provided by the Radiflow simulation: the Control Level, which denotes the percentage of TTPs that are mitigated by one or more security controls, out of all of the TTPs used by the attackers targeting the evaluated network. You can see in the figure that Network Intrusion Prevention and Privileged Account Management cover the largest number of TTPs. Therefore, implementing one of them will yield the largest Control Level increase.
But which mitigation should you choose second? This is where it becomes less clear. The second chosen mitigation should be the one that covers the largest number of TTPs not already covered by the previously chosen mitigations. Furthermore, when you add in budget constraints, compliance requirements and the potential impact/risk projected for the different TTPs, the process of prioritizing mitigations becomes incredibly complex. This further emphasizes why it’s imperative to run a simulation that’s able to evaluate all options, based on the actual evaluated network model.
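As an added illustration of the Control Level and the “second mitigation” problem described above (example code written for this post, not Radiflow’s simulation), the following greedy selection picks, at each step, the control covering the most TTPs still uncovered by earlier picks. The coverage map, the TTP labels and the costs are constructed sample values, and the optional budget is an assumption about one way a cost constraint could be applied.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: which security control mitigates which attacker TTPs.
# TTP labels T1..T10 are placeholders, not real ATT&CK technique IDs.
MITIGATIONS: Dict[str, Set[str]] = {
    "Network Intrusion Prevention": {"T1", "T2", "T3", "T4", "T5"},
    "Privileged Account Management": {"T3", "T4", "T5", "T6", "T7"},
    "Multi-factor Authentication": {"T6", "T7", "T8"},
    "Network Segmentation": {"T1", "T9"},
    "User Training": {"T2"},
}
# TTPs the TI says are used against the evaluated network (T10 has no mitigation).
ATTACKER_TTPS: Set[str] = {f"T{i}" for i in range(1, 11)}
# Hypothetical relative deployment costs, in arbitrary budget units.
COSTS: Dict[str, int] = {"Network Intrusion Prevention": 40, "Privileged Account Management": 30,
                         "Multi-factor Authentication": 15, "Network Segmentation": 25, "User Training": 5}


def control_level(selected: List[str], mitigations: Dict[str, Set[str]],
                  attacker_ttps: Set[str]) -> float:
    """Fraction of the attackers' TTPs covered by at least one selected control."""
    covered: Set[str] = set()
    for m in selected:
        covered |= mitigations[m]
    return len(covered & attacker_ttps) / len(attacker_ttps)


def prioritize(mitigations: Dict[str, Set[str]], attacker_ttps: Set[str],
               costs: Optional[Dict[str, int]] = None,
               budget: Optional[int] = None) -> Tuple[List[Tuple[str, int]], float]:
    """Greedy set cover: each round picks the affordable control covering the most
    TTPs still uncovered by earlier picks; ties go to the cheaper control."""
    costs = costs or {}
    uncovered, plan, spent = set(attacker_ttps), [], 0
    remaining = sorted(mitigations)  # sorted so tie-breaking is deterministic
    while uncovered:
        affordable = [m for m in remaining
                      if budget is None or spent + costs.get(m, 0) <= budget]
        if not affordable:
            break
        best = max(affordable,
                   key=lambda m: (len(mitigations[m] & uncovered), -costs.get(m, 0)))
        gain = len(mitigations[best] & uncovered)
        if gain == 0:  # nothing any affordable control can still cover
            break
        plan.append((best, gain))
        spent += costs.get(best, 0)
        uncovered -= mitigations[best]
        remaining.remove(best)
    return plan, control_level([m for m, _ in plan], mitigations, attacker_ttps)
```

With the sample data, Privileged Account Management ties Network Intrusion Prevention for the largest coverage, yet once the latter is chosen the best second pick is Multi-factor Authentication, because Privileged Account Management’s marginal gain drops to two TTPs; adding a budget of 60 units changes the whole plan.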
The main challenge in the modeling part is of course producing an accurate network model — better accuracy provides more effective results. In the next posts we will further elaborate on how Radiflow’s visibility and detection system can be used to build the network model, the attackers and the mitigations used. In addition, we will show how the Radiflow model enables presentation of results and receiving inputs using any terminology or security standard, e.g. IEC-62443.
Imitating an attacker’s behavior
The first step in these methodologies is identifying network vulnerabilities. This is done by imitating an attacker’s behavior – looking for the same “holes” in the network that a hacker would look for. Organizations often use actual (ethical) hackers to perform active penetration testing for detecting security flaws in the network.
In order to properly imitate an attacker, organizations and security experts continuously collect intelligence on attackers’ behaviors and activity. Threat intelligence data is gathered by specialized organizations that track attackers’ motivations, the tools they use, the internet servers they own and more. Analysis of the TI data allows security personnel to properly define pen-testing test cases to imitate each attacker’s activity and to ensure that the protected network has sufficient defenses in place.
The combination of threat intelligence and an aligned penetration testing plan provides a strong mechanism for identifying network weaknesses. However, while active penetration testing is absolutely necessary for completing the TI-based identification phase, it is considered dangerous – the risk of accidental damage during testing may actually be higher than that of an actual attack (accounting for the low frequency of real-world attacks).
TI-based vulnerability detection
As an alternative to active penetration testing, Radiflow proposes a threat intelligence-based breach simulation method for OT networks. This method consists of two stages:
Radiflow’s breach simulation algorithm uses three main inputs:
Execution of the algorithm includes several steps:
Scenario-based evaluation
Often, risk managers are required to evaluate the likelihood of a specific scenario, e.g. the likelihood of loss of productivity due to a cyber incident. For such cases we have developed a scenario-based risk evaluator. This algorithm uses the device compromise likelihood, accounting for the scenario’s unique attributes, to estimate the likelihood that the scenario materializes.
Since the core of our algorithm is based on TI, we will continue in the next post with some background on threat-intelligence.