How does your organization respond to new cyber threats?
Standard enterprise operating practice when a new cyber threat appears follows a familiar process:
1) A High Potential Risk Is Recognized By A Security Team
The security team will order a penetration test – at least for the critical and high-risk applications. However, depending on the nature of the preliminary threat intelligence, the pen-test may need to be conducted across thousands of applications and the infrastructure itself.
The starting price for a web application pen-test is $1,200, but the costs can easily fall into the $3,000 – $5,000 range depending on the complexity of the application and the nature of the new cyber threat. Multiply that by the number of applications to be pen-tested plus the internal or external network or any social engineering component and clearly pen-testing a new threat becomes a costly endeavor.
2) Analyze Potential Attack Vectors
Upon receiving the documented finding from the penetration testers about where and how the organization may be vulnerable to the newly identified threat – which could take from one week to several months – the organization will need to prioritize resources to mitigate it.
The first stage in this will include an analysis of the potential attack vectors – the path between the comprehensive attack surface where the new cyber threat lives to any potentially targetable assets. Understanding the attack vectors will provide critical insight for the security team regarding specific data exposure and any business or technological impacts the threat poses.
3) Prioritize Finite Mitigation Resources
Next, the security team needs to prioritize its finite mitigation resources. Based on their analysis of the attack vectors, the security team will determine what needs to be patched immediately, what new controls need to be implemented, or what components need to be isolated.
The challenge at this stage is that increasingly, modern attacks – especially those initiated by profit-oriented cybercriminals – are becoming as sophisticated and covert as attacks historically attributed to so-called state-sponsored attackers. According to Ed Cabrera, Trend Micro CISO, cybercriminals are chasing the money. As their attention is shifting from individuals to enterprises, the sophistication and covertness of their methods are rivaling those normally attributed to state-sponsored actors.
Finally – after what may have taken six months or longer, and after the new cyber threat is no longer “new” – the organization can set about the work of remediating its deployed applications, infrastructure, and systems.
Penetration testing has reigned as the industry standard for studying the potential exposure to a new cyber threat on a per-application basis. However, it is a time and resource-intensive process. Furthermore, while pen-testing may be useful, it is known to be ineffective in addressing many of the issues that need to be verified. Ultimately, pen-testing against a new cyber threat is “too little too late.”
The alternative to pen-testing – which is a non-repeatable, non-scalable process – is to roll out a mature, enterprise threat modeling practice. An enterprise threat modeling practice, powered by ThreatModeler™, can reduce the time it takes to analyze the new threat and develop a prioritized mitigation response from six or more months to hours or even minutes.
Understanding the potential impact is as easy as the click of a button – ensuring that all threat models across the organization are updated with the new threat intelligence – and then fed automatically into the comprehensive attack surface analyzer. From there the security team can quickly analyze the new threat by any desired set of filters, study the probable attack vectors and potential data exposure, and provide the DevOps team with the appropriate mitigating controls and a prioritized list of vulnerable applications, components, and systems.
Moreover, with a mature enterprise threat modeling practice, organizations also have:
- Actionable output for all key stakeholders – including quantifiable data with which the CISO can produce measurable results;
- The ability to develop a thorough understanding of the organization’s attacker population based on the attributes needed to reach the organization’s assets from the attack surface; and
- The capacity to chain threat models – that is, to nest threat models within threat models – so as to create a truly comprehensive attack surface analysis.
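To make the three ideas above concrete (attack vectors as paths from the attack surface to assets, prioritizing finite mitigation resources, and chaining threat models by nesting one inside another), here is a small Python illustration. It is an added example written for this page, not ThreatModeler's code or its data model; the component names, technology tags, sensitivity weights and the "new threat affects technology X" intelligence record are all constructed for the example.

```python
"""Toy attack-vector analysis over a chained (nested) threat model.

Added illustration, not ThreatModeler's code. Every name below is constructed:
components, technology tags, asset sensitivity weights and the threat-intel tag.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ThreatModel:
    """One threat model: components tagged with a technology, data flows between
    them, which components sit on the external attack surface, which hold assets
    (with a 1-5 sensitivity weight), and nested models for the 'chained' case."""
    name: str
    components: Dict[str, str]                              # component -> technology tag
    flows: List[Tuple[str, str]] = field(default_factory=list)
    entry_points: Set[str] = field(default_factory=set)     # the attack surface
    assets: Dict[str, int] = field(default_factory=dict)    # targetable assets
    sub_models: List["ThreatModel"] = field(default_factory=list)


def flatten(model: ThreatModel):
    """Merge a model and all models nested inside it into one graph, so that a
    path may cross model boundaries (the comprehensive attack surface view)."""
    comps = dict(model.components)
    flows = list(model.flows)
    entries = set(model.entry_points)
    assets = dict(model.assets)
    for sub in model.sub_models:
        c, f, e, a = flatten(sub)
        comps.update(c); flows += f; entries |= e; assets.update(a)
    return comps, flows, entries, assets


def attack_vectors(model: ThreatModel, affected_tech: str) -> List[List[str]]:
    """Enumerate simple paths entry point -> ... -> asset that pass through at
    least one component whose technology tag matches the new threat intel."""
    comps, flows, entries, assets = flatten(model)
    adj: Dict[str, Set[str]] = {}
    for src, dst in flows:
        adj.setdefault(src, set()).add(dst)
    vectors: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node in assets and any(comps.get(n) == affected_tech for n in path):
            vectors.append(list(path))          # a vector ending at this asset
        for nxt in sorted(adj.get(node, ())):   # deterministic order
            if nxt not in path:                 # simple paths only
                walk(nxt, path + [nxt])

    for entry in sorted(entries):
        walk(entry, [entry])
    return vectors


def prioritize(model: ThreatModel, affected_tech: str) -> List[Tuple[str, int]]:
    """Rank affected components by the vectors they enable, weighted by the
    sensitivity of the asset each vector reaches: a first cut at the
    'finite mitigation resources' ordering. Highest score first."""
    comps, _, _, assets = flatten(model)
    score: Dict[str, int] = {}
    for path in attack_vectors(model, affected_tech):
        weight = assets[path[-1]]               # every recorded path ends at an asset
        for n in path:
            if comps.get(n) == affected_tech:
                score[n] = score.get(n, 0) + weight
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: a customer portal whose payment service is a nested model.
PAYMENTS = ThreatModel(
    name="payments",
    components={"pay-api": "svc-fw", "pay-db": "db-engine"},
    flows=[("pay-api", "pay-db")],
    assets={"pay-db": 5},
)
PORTAL = ThreatModel(
    name="customer-portal",
    components={"cdn": "cdn", "web": "webfw-v1", "auth": "svc-fw",
                "user-db": "db-engine", "reports": "webfw-v1"},
    flows=[("cdn", "web"), ("web", "auth"), ("auth", "user-db"),
           ("web", "pay-api"), ("reports", "user-db")],
    entry_points={"cdn", "reports"},
    assets={"user-db": 3},
    sub_models=[PAYMENTS],
)

if __name__ == "__main__":
    # Constructed threat intel: "a new threat affects technology tag webfw-v1".
    for vec in attack_vectors(PORTAL, "webfw-v1"):
        print(" -> ".join(vec))
    print(prioritize(PORTAL, "webfw-v1"))
```

Re-running `attack_vectors` and `prioritize` with a different technology tag is the whole "update every model with the new intelligence" step: because the nested payment model is flattened into the portal graph, a web-tier component shows up as the higher priority precisely because it sits on a path into the more sensitive nested asset, which a per-application pen-test scope would not surface.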
- “Rate Card, Standard Pen Test.” HighBit Security, LLC: Port Sanilac. 2017.
- Acharya, Srimant. “The Cost of Pen Testing a Web Application.” TATA Consultancy Services, LLC: Phoenix. December 2016.
- Violino, Bob. “Ransomware, Email Scams Causing Cyber Threats to Soar.” Health Data Management. SourceMedia LLC: New York. March 9, 2017.
- “Testing Guide Introduction.” OWASP: Bel Air. June 14, 2016.