An Objective Attacker-Risk Matrix
An objective approach to determining high-level InfoSec risk. I provide a worksheet you can use to try out this approach.
The InfoSec industry is tasked with identifying and then mitigating cybersecurity risks. Two of the factors that shape those risks are (1) the type of attacker coming after an organization and (2) the type of assets (e.g., data, or machines for botnets) those attackers seek. Traditionally, attackers have been grouped into roughly four categories (i.e., Script Kiddies, Hacktivists, Organized Crime and Nation States/APTs).
Under this model, each attacker type is assumed to have roughly similar capabilities (e.g., hacktivists have moderate and organized crime has high capabilities), objectives (e.g., obtaining financial data) and roughly the same goals over time (e.g., APTs go after Intellectual Property (IP) and Organized Crime goes after money). While this assumption — that capabilities, objectives and goals are highly correlated — has been helpful in the past, it’s no longer an accurate representation of today’s world.
For example, the source code for Mirai and the NSA’s EternalBlue exploit are now online. A ‘script kiddie’ could follow a YouTube tutorial to ransomware a hospital’s critical systems, or a ‘hacktivist’ could create a DDoS of unprecedented size. Even a few years ago, low-skilled attackers wouldn’t have these capabilities, but today they do.
By assuming these three variables are highly correlated, InfoSec personnel are left with an incomplete picture, leaving unconsidered gaps in an org’s risk posture. What’s needed is a more-accurate model that can take each of the three basic variables (i.e., capabilities, objectives and changes over time) into account. Additionally, the model would greatly benefit by being able to (1) provide management with objective outcomes, rather than ‘qualitative’ or ‘conceptual’ ones, and (2) be adapted to each organization’s situation.
To address these issues, in this article, I propose a new, objective model that addresses each assumption/variable. The result is a dynamic matrix that:
- Provides an objective risk score (that management can easily understand)
- Helps InfoSec professionals better determine how to protect their organization
TL;DR
This matrix helps your org understand where your org’s risks are, from a high-level, by considering an attacker’s capabilities & objectives (as related to your org). From there, your org can decide from where to prevent, detect and respond to attackers and where to allocate resources. You can download & use the matrix here.
Table of Contents
- The Three Variables
- A Finished Matrix
- A Walk-through Example of Using the Matrix
- Next Steps for the Matrix
Variable 1 | Attacker Capabilities
In Sep. 2018, Britain’s National Cyber Security Centre published an article that recommends ranking hackers’ capabilities on a seven-tier scale:
- None
- Minimal
- Intermediate
- Advanced
- Expert
- Innovative
- Strategic
This is a valuable improvement on the traditional approach (i.e., four-types) as attackers have different capabilities (e.g., a hacktivist could have minimal skills or could be an expert attacker). The matrix uses these as the first set of variables and, to make the results easier to digest, reassigns them a ranking from 1–10 (1=low risk; 10=high risk) as follows:
- None (1)
- Minimal (2)
- Intermediate (4)
- Advanced (6)
- Expert (8)
- Innovative (9)
- Strategic (10)
I’ve assigned these values myself, so you may have other ideas on how each level’s risk should be rated. That said, a scale of 1–10 is important to use as most people are familiar with this concept. I’d love to hear your thoughts on how to improve this ranking! Please feel free to leave your comments below.
Variable 2 | The Attacker’s Objectives
There are a lot of different objectives an attacker may have. One may want to dox your company, another extort money from you (or your customers) via ransomware and yet another may be trying to steal your IP. Ultimately, an attacker’s objectives are unique to your organization & industry.
To illustrate this, let’s compare a hospital to a bank. These types of organizations have very different assets an attacker will come after. Hospitals are far more susceptible to ransomware or botnets as they have to use outdated devices (from a software update standpoint). They also have health information on patients. While banks don’t have to worry about getting FDA approval for updating their software, they do have financial information (obviously), one of the most sought-after assets.
To determine an attacker’s objectives related to your organization:
- Consider what general categories of data your org has/deals with (e.g., financial, political, IP, health, etc.). These categories are what an attacker will come after.
- Assign a value from 1–10 (1=low risk; 10=high risk) for how valuable each category is. The values are not relative to one another — they are absolute. If you handle a lot of political information, that would be high-risk (e.g., 10). If you have some IP that’s not critical to your org, that would be lower-risk (e.g., 3).
The end result should look something like this:
This list contains some of the objectives an attacker may have. It’s by no means comprehensive, but it does contain some general categories to consider:
- Financial
- Political
- IP (Intellectual Property)
- PII (Personally Identifiable Information)
- Health data
Variable 3 | Changes Over Time
Over time, attackers’ objectives & capabilities change. For instance, in peacetime, a hospital in the United States may have a minimal political risk, but should the US go to war, that risk could become extremely high. For most organizations, though, changes usually come as they acquire new types of data from customers & vendors, are involved in M&A, etc.
To address changes, the model can easily be updated to reflect reality. To do this, repeat the steps contained in the two previous sections.
A Finished Matrix
How the Variables Interact
The ratings for the Attacker’s Capabilities are multiplied by the Attacker’s Objectives to create an objective risk matrix. The result looks like this:
Choosing Where to Prevent, Detect & Recover from Attacks
Because resources are limited, an organization must choose where to focus its efforts. From a high-level, security initiatives can be placed into three groups:
- Prevention
- Detection
- Recovery
A completed matrix can help an organization figure out where they want to allocate resources. Using the screenshot above, an organization may decide to:
- Prevent against Advanced attackers*
- Detect Expert attackers
- Recover from Innovative attackers
*By preventing against an Advanced attacker, your org is naturally able to prevent attacks from any less-capable attacker (i.e., None, Minimal and Intermediate). The same holds for the tiers you choose to detect and recover from.
Once your org has made these high-level decisions, the next steps are to:
- Determine how to technically prevent, detect and recover from attacks
- Allocate resources
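As an added example (not the article’s worksheet), the following Python builds the matrix from the 1–10 capability ratings above and an organization’s own objective ratings (Variable 2), then tags each cell with the prevent/detect/recover tier chosen in this section. The hospital ratings at the bottom are constructed for illustration.

```python
# Added example, not the article's spreadsheet: compute the capability x objective
# risk matrix and label each cell with the org's prevent/detect/recover decision.

# Capability tiers with the 1-10 risk ratings the article assigns to them.
CAPABILITIES = [
    ("None", 1), ("Minimal", 2), ("Intermediate", 4), ("Advanced", 6),
    ("Expert", 8), ("Innovative", 9), ("Strategic", 10),
]
TIER_ORDER = [name for name, _ in CAPABILITIES]


def build_matrix(objectives):
    """Multiply each capability rating by each objective rating.

    objectives: {category: absolute rating 1-10}. Returns {(tier, category): score}.
    """
    for cat, rating in objectives.items():
        if not 1 <= rating <= 10:
            raise ValueError(f"{cat}: rating {rating} is outside 1-10")
    return {(tier, cat): cap * rating
            for tier, cap in CAPABILITIES
            for cat, rating in objectives.items()}


def strategy_for(tier, prevent, detect, recover):
    """Map a capability tier to the org's chosen response.

    Preventing against a tier also covers every less-capable tier, so a tier is
    'prevent' up to the prevent threshold, 'detect' up to the detect threshold,
    'recover' up to the recover threshold, and 'unaddressed' beyond that.
    """
    p, d, r = (TIER_ORDER.index(t) for t in (prevent, detect, recover))
    if not p <= d <= r:
        raise ValueError("thresholds must be ordered prevent <= detect <= recover")
    rank = TIER_ORDER.index(tier)
    return ("prevent" if rank <= p else "detect" if rank <= d
            else "recover" if rank <= r else "unaddressed")


def report(objectives, prevent="Advanced", detect="Expert", recover="Innovative"):
    """Return rows of (tier, category, score, strategy), highest score first."""
    rows = [(tier, cat, score, strategy_for(tier, prevent, detect, recover))
            for (tier, cat), score in build_matrix(objectives).items()]
    return sorted(rows, key=lambda row: -row[2])


if __name__ == "__main__":
    # Constructed hospital-style ratings (illustrative, not from the article).
    hospital = {"Health data": 9, "PII": 8, "Financial": 5, "IP": 2, "Political": 1}
    for tier, cat, score, action in report(hospital)[:8]:
        print(f"{tier:<12} {cat:<12} {score:>3}  {action}")
```

Cells tagged "unaddressed" (here, everything at the Strategic tier) are the residual risk management is accepting, which is the conversation the matrix is meant to start.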
A Walk-through Example of Using the Matrix
I’ve created a worksheet you can use. You can download it here (free for everyone).
- Go to the ‘Working Version’ tab.
- Decide what an attacker’s objectives are (the ‘Categories’ column)
- Rank the categories (the ‘Ranking’ column)
- See the ‘presentable’ report on the ‘Report Version’ tab
Note: Values will update automatically — you may, though, need to copy & paste the functions to additional rows to accommodate for more categories.
And you’re done!
Conclusion
This matrix breaks down the assumptions behind the traditional approach to attacker types, providing organizations with a more-accurate model of reality. This model (matrix) provides great benefit by:
- Providing management with objective outcomes, rather than ‘qualitative’ or ‘conceptual’ ones, and
- Being adaptable to each organization’s situation
Next Steps
Going forward, I’d like to:
- Receive feedback on the matrix
- Further refine & improve the matrix
- See what trends exist in which industries
- Publish additional info related to the matrix
- Potentially publish the matrix in an A-level academic journal (e.g., MISQ)
With that in mind, I’d love to hear your thoughts on how this matrix can be improved. Ultimately, the goal is to make something that’s beneficial for everyone.
PS: Where Does this Matrix Fit in My Org’s Threat Modeling Exercise?
This matrix fits it at the very beginning of your organization’s threat modeling assessment (or tabletop exercise). In threat modeling, you typically consider:
- What assets are most valuable to your company?
- What are the conceptual ways an attacker could gain access to those assets (e.g., by bypassing IAM controls)?
- Technically, how could those conceptual threats become real?
- Repeat steps 2–3 until you’re very granular
[Disclaimer: This article is not legal nor consultative advice. I am not affiliated with nor receive compensation from any of the organizations/products mentioned in this article.]