If there’s one thing that’s a given in the world of cybersecurity, it’s that change is constant. Consequently, any tools or techniques you use that remain unchanged will not be very effective at thwarting cyber threats.
If you’re committed to a strong cyber posture, then you must also be committed to continually increasing your understanding of the cyber landscape, often in real time. The only way to keep up is with research and information sharing. And that applies to threat modeling as well.
Types of Research
In threat modeling, you build a threat framework. To stay effective, that framework must be constantly updated with information gathered through research. What types of research are required to keep the threat framework up to date?
First, there is research into regulations, industry standards, security requirements and components that are included in the framework. Next, there is identifying and classifying new or hidden threats to existing components. And finally, there is validating existing, and developing new, mitigations, test cases and code snippets which provide actionable advice.
Those who use the threat framework as the basis of their threat models must have some ability to customize their experience with unique components, requirements, policies, standards, etc. And it takes ongoing research to make that happen.
Types of Information Sharing
A key aspect of the research mentioned above is identifying and classifying threats. But it’s an intimidating task for any one organization to try and keep up with all the threats. That’s where information sharing comes in.
The one thing that can accelerate research is information sharing. Fortunately, the cyber community has been very good at establishing vehicles for sharing information.
The most prominent of these sharing programs is CVE (Common Vulnerabilities and Exposures). From the organization’s website, “The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program.”
As part of the CVE Program, the CVSS (Common Vulnerability Scoring System) is used to assign severity scores to vulnerabilities to help practitioners prioritize their efforts.
CVE with CVSS is a good starting point for cyber threat information sharing, but it’s a general tool. Are there any industry-specific information sharing organizations? As things turn out, there are.
The ISAO (Information Sharing and Analysis Organizations) is a non-governmental organization established in 2015 with a mission to “improve the nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.”
The founding of the ISAO has led directly to the formation of industry-specific sharing organizations. The most prominent ones are FS-ISAC for financial services firms and H-ISAC for the healthcare industry. These are cyber intelligence sharing communities solely focused on threats unique and particular to that one industry. In almost every case, these organizations include a peer-to-peer network of trusted experts. That’s how you share information and turbocharge cyber research.
Threat Research Center
ThreatModeler understands the importance of research and information sharing to effective threat modeling. That’s why the company established a Threat Research Center (TRC) in support of its platform. TRC is a group of security researchers tasked with the difficult challenge of doing the investigations, identifying the threats and, most importantly, helping customers get the most value out of ThreatModeler.
If you’d like to learn more about how ThreatModeler leverages the TRC to produce the most up-to-date threat frameworks available, we encourage you to contact us here.