The Risk Prioritisation Process in an Increased Cyber Threat Landscape

21 May 2020 | Santhosh Kumar

It is well known by now that cyber criminals attempt to take advantage of every global event that draws major attention. The current pandemic is no different, and various sources report that cyberattacks have increased due to the COVID-19 pandemic.

The UAE's Telecommunications Regulatory Authority (TRA) recorded an 11 per cent monthly rise in cyberattack attempts against the country’s federal government entities in March 2020. As per their statement, more than 34,930 attempts were stopped last month, an increase of 3,449 on February's numbers. Fifty-nine per cent of the cases were related to malware, 34 per cent were attempts to exploit systems, and more than 6 per cent were phishing attempts. Refer to the Monthly UAE Security Report (MAR 2020) on the TRA website for complete details.

The enforced social distancing rules have pushed most organisations towards a “working from home” initiative, asking employees to perform their daily activities by connecting remotely to the corporate network. Enabling remote connections, especially to networks which otherwise wouldn’t be accessible online, can pose additional risks.

As a result, the threat surface has increased, and cybercriminals are trying to take advantage of the overall situation by strategising their attacks while exploiting heightened emotions like stress and panic.

This has resulted in an increase in cyber threats and in the associated cyber threat intelligence (CTI) being generated for organisations’ consumption. CTI contains information about threats and threat actors that helps mitigate malicious activity. Therefore, it is in an organisation’s best interest to consider integrating CTI with the risk management process to enable the organisation to take corrective actions based on risk prioritisation.

There are several practical challenges with this integration process because of the time-sensitive nature of the emerging threats. These challenges warrant a discussion around a more suitable approach under unprecedented circumstances when it comes to rethinking risk prioritisation.

Risk Prioritisation Approach

Organisations utilise CTI to mitigate any relevant vulnerabilities within their business environment before these are identified and targeted by threat actors. The CTI team should first identify any corresponding vulnerabilities within the business environment against the nature of the increased cyber threats. Then, the CTI team should inform the corresponding stakeholders (mostly Information Technology and Cyber Security teams) to fix these vulnerabilities. However, organisations do not have unlimited resources or bandwidth and require some prioritisation to fix those cyber threats that are critical and require immediate action.

Organisations might already be using risk-based prioritisation for the cyber threats arising out of CTI. A risk-based approach to cybersecurity means that risk is considered above all other factors when making security-related decisions. This approach, without considering the time-sensitive nature of these threats, would not be very effective. In contrast, a risk-based prioritisation with a time-sensitive approach would enable organisations to take risk-aware decisions in a timely manner.

Integration with risk management process

This risk prioritisation should be implemented by integrating the threats arising from CTI into the cybersecurity risk management process. The cybersecurity risk management team should calculate the risk ratings (e.g. High, Medium and Low) for these threats based on their risk management framework (impact and likelihood statements). Refer to the matrix below for a sample risk prioritisation matrix. Then, the cybersecurity risk management team should provide risk-based prioritisation for these threats to the corresponding stakeholders. Finally, the stakeholders should take corrective actions based on these risk ratings and their associated timelines. A risk-based approach to CTI would ensure effective prioritisation of cyber threats and their corresponding mitigation efforts.

Figure 1 – Sample Risk Prioritisation Matrix

Possible challenges with this approach

However, there are several practical challenges while using a risk-based approach to prioritise CTI. These are mainly due to the time-sensitive nature of these threats. Stakeholders need to take immediate action to mitigate these real-world threats, as threat actors (attackers) are continuously exploiting them. However, the risk prioritisation might unintentionally delay the process of corrective action, as a regular cybersecurity risk assessment should be performed for these threats. Hence, the stakeholders might need to wait until the issuance of the complete risk assessment report to initiate corrective actions. This unintentional delay could be considered critical and even unacceptable, given the time-sensitive nature of these threats. These challenges are elaborated below:

  • Cyber threats are time-sensitive and require immediate action
  • Risk prioritisation of these threats will unintentionally delay the dissemination of critical information to relevant stakeholders
  • The CTI team should integrate all these threats with the organisation’s internal cybersecurity risk management framework for the risk prioritisation
  • The risk management process might involve considerable turnaround time based on the risk management team’s efficiency, bandwidth and capabilities
  • These threats should jump the risk assessment queue to take top priority because of their time-sensitive nature
  • The risk management team might have other high priority tasks that might take a back seat because of these threats
  • All of the above factors will in turn unintentionally delay timely mitigation efforts by stakeholders

Recommendations

Though these challenges might appear daunting at first look, diligent evaluation of existing processes could provide some valuable solutions. There is no perfect solution for these practical challenges. However, some careful changes to existing processes could result in an optimal and feasible solution. They are:

  • Filter all the incoming cyber threat intelligence to identify relevant threats that might have an adverse impact on the organisation
      • This process should drastically reduce the threats requiring risk prioritisation
  • Issue a flash or immediate requirements CTI report to all relevant stakeholders without risk prioritisation
      • This report could include immediate next steps required (compensating controls like patch updates or configuration changes) to mitigate these risks as much as possible
      • This report should also include a timeline for an updated report with detailed risk prioritisation of these threats
      • This should enable the stakeholders to take initial mitigation efforts promptly without waiting for risk prioritisation
      • In addition, the stakeholders would get to know when to expect a detailed report with risk prioritisation. This should enable them to plan accordingly
  • Customise the existing risk management process to provide high priority for cyber threats arising from CTI
  • Establish internal service level agreements for this customised process and obtain buy-in from relevant stakeholders

With organisations receiving increased CTI about cyberattacks and the associated threats, they will require a method of prioritisation for taking corrective actions. Refer to “Cyber Threats In The Midst Of COVID-19 Pandemic” in the Digital14 Insights section for the latest Cyber Threat Intelligence report published in April 2020. The current situation provides compelling reasons to review and enhance the integration of CTI with the cybersecurity risk management process, with specific consideration given to the time-sensitive nature of these cyber threats. The above recommendations would be a great start for this enhanced integration process. Organisations can also speak with an external Governance, Risk and Compliance (GRC) consultant to manage this enhanced integration process.
