Join Mike Chapple for an in-depth discussion in this video Threat classification, part of CySA+ Cert Prep: 3 Cyber Incident Response.
- [Narrator] Cybersecurity professionals must deal with a wide variety of threats as they plan and implement security controls. Conducting a threat analysis is an effective way to gauge the cybersecurity risk facing an organization. During a threat analysis, the cybersecurity team uses professional expertise, industry research, threat intelligence, and other information sources to develop a comprehensive list of the threats facing the organization. Once they've developed that list of threats, they then evaluate these threats based upon two criteria.
First, they assess the likelihood of each threat. This likelihood judgment incorporates the team's opinion about how likely it is that the threat will materialize and how likely it is that the threat will actually target their organization. This likelihood rating may vary significantly from organization to organization for the same threat. For example, consider the threat of an attack by a foreign government. The likelihood of this threat may be very high for a defense contractor who maintains sensitive military information, but much lower for a restaurant chain that doesn't have any information of interest to that foreign government.
The second evaluation factor is the impact of the threat if it should materialize. When we evaluate the impact of a threat, we take a number of factors into account. For example, we assess how much damage the threat could cause us. If we're looking at the threat of a hacking attack, we might judge the ability of those hackers to obtain and use sophisticated tools that are capable of bypassing our layers of security defense. Once we have this threat information compiled, we can create a threat register that lists all of the threats that we've identified and their likelihood and impact ratings.
This register is crucial when conducting security assessments and deciding where to make investments in new security controls. As you conduct your threat identification and classification exercise, it's helpful to keep a classification matrix, known as the Johari window, in mind. The Johari window classifies information into categories based upon whether it is known to us and whether it's known to others. This window has four quadrants. In the context of cybersecurity threats, there are known knowns.
These are threats that we know about and our adversaries know about as well. Published vulnerabilities, viruses with known signatures, and brute force password attacks all fit into this category of known knowns. Then there are known unknowns. These are threats that are known to us but not known to others. For example, we might have discovered a security vulnerability in our own infrastructure that's not detectable from the outside and that attackers are not yet aware of.
The category of unknown knowns contains threats that are known to others but not to us. For example, if an attacker discovers a new zero-day security exploit but has not yet used it, they know of a security threat but we have no way of knowing about that threat until the exploit is actually used or it's discovered independently by a third party. Finally, there are unknown unknowns. These are security threats that nobody has discovered yet. Every vulnerability that is discovered by researchers fits into this category before the time it's actually discovered.
And there are many vulnerabilities out there that fit into this category. They're security threats that we haven't yet discovered but they're lurking silently, waiting to reach the light of day. As you conduct your threat classification exercise, conduct careful research to include as much information as possible, but don't forget about the Johari window. No matter how much research you do, there will still be vulnerabilities that you haven't discovered, and you must plan for those unknown unknowns.
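The threat register and Johari window described above, as an added example that is not part of the course or Mike Chapple's material. It scores each register entry as likelihood times impact on an assumed 1 to 5 scale, buckets the score with assumed risk-matrix thresholds, and tags each entry with its Johari quadrant using the video's own labelling (a "known unknown" is known to us but not to others). The sample threats are constructed for a hypothetical defense contractor. Note that the register can only ever hold the two quadrants that are known to us; the other two are exactly what the video says you must plan for without being able to list.

```python
"""Threat register with likelihood/impact scoring and Johari-window tagging.

Added example, not from the course. The 1..5 scales, the rating thresholds
and the sample threats are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Quadrant(Enum):
    KNOWN_KNOWN = "known known"          # known to us and to adversaries
    KNOWN_UNKNOWN = "known unknown"      # known to us, not yet to others
    UNKNOWN_KNOWN = "unknown known"      # known to others, not to us
    UNKNOWN_UNKNOWN = "unknown unknown"  # known to nobody yet


def johari_quadrant(known_to_us: bool, known_to_others: bool) -> Quadrant:
    """Map the two 'who knows about it' bits to a quadrant (video's labels)."""
    if known_to_us and known_to_others:
        return Quadrant.KNOWN_KNOWN
    if known_to_us:
        return Quadrant.KNOWN_UNKNOWN
    if known_to_others:
        return Quadrant.UNKNOWN_KNOWN
    return Quadrant.UNKNOWN_UNKNOWN


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1 (rare) .. 5 (near certain), assumed scale
    impact: int            # 1 (negligible) .. 5 (severe), assumed scale
    known_to_others: bool  # do adversaries already know about this threat?

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so the score stays comparable.
        for field_name in ("likelihood", "impact"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def quadrant(self) -> Quadrant:
        # Anything that made it into the register is, by definition, known to us,
        # so only KNOWN_KNOWN and KNOWN_UNKNOWN can appear here.
        return johari_quadrant(True, self.known_to_others)


def rating(score: int) -> str:
    """Bucket a 1..25 score; thresholds are an assumed risk-matrix convention."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def build_register(threats):
    """Return register rows, highest risk first (ties broken by name)."""
    rows = [
        {
            "name": t.name,
            "likelihood": t.likelihood,
            "impact": t.impact,
            "score": t.score,
            "rating": rating(t.score),
            "quadrant": t.quadrant.value,
        }
        for t in threats
    ]
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


# Constructed sample register for a hypothetical defense contractor.
SAMPLE_THREATS = [
    Threat("Foreign-government intrusion", 5, 5, known_to_others=True),
    Threat("Phishing of finance staff", 4, 4, known_to_others=True),
    Threat("Brute-force login attempts on VPN", 4, 3, known_to_others=True),
    Threat("Internally found misconfiguration on a backend host", 2, 4,
           known_to_others=False),
    Threat("Malware with known signatures", 3, 2, known_to_others=True),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        print(f"{row['rating']:8} {row['score']:2}  "
              f"{row['quadrant']:14} {row['name']}")
```

The same threat would get a different likelihood for the restaurant chain in the video's example; the register is per organization, so the ratings, not the scoring logic, are what change between organizations.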
Want more CySA+ test prep tips? Visit certmike.com to join Mike's free study group.