opening pandora's box - oasis · pandora's box as a gift and the gift was opened evil...
TRANSCRIPT
![Page 1: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/1.jpg)
Opening Pandora's Box
![Page 2: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/2.jpg)
Agenda
Background StorySetup the discussionWhat is fair for 5th graders How to model a scenario Why attackWhy I'm Sore....Example ScenarioTying it all togetherHow to make it SOAR
➔ Story Time & Questions I ask➔ What is RISK? No seriously, What is RISK? ➔ FAIR Overview➔ Mitre ATT&CK➔ SOAR at a glance➔ Modeling a scenario RISK + ATT&CK + SOAR
➔ Questions
![Page 3: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/3.jpg)
Story Time
![Page 4: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/4.jpg)
What FOUR Simple Questions Did I Ask?
![Page 5: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/5.jpg)
What is the largest cyber
security RISK to your organization?
#1
![Page 6: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/6.jpg)
What are the ASSETS that hold the most value in your organization?
#2
![Page 7: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/7.jpg)
If _____ was breached, how do you Respond today?
#3
![Page 8: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/8.jpg)
If _____ was breached, what is the financial or reputational Loss that could occur?
#4
![Page 9: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/9.jpg)
How did they Respond?
![Page 10: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/10.jpg)
Over 40% →
![Page 11: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/11.jpg)
Only 1 Really Good Answer
![Page 12: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/12.jpg)
“We know exactly what percentage and where the financial losses come from, they come from Fraud Events”
![Page 13: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/13.jpg)
What is RISK?
![Page 14: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/14.jpg)
RISK = Loss Exposure
In business that generally means financial loss...
![Page 15: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/15.jpg)
When thinking in terms of RISK…is this password an Asset or a Control?
![Page 16: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/16.jpg)
If the password opens a door to this…
Then in terms of RISK it is probably not an Asset
![Page 17: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/17.jpg)
But if the password opened a door to an energy plant or shut it down...then someone, somewhere would definitely consider the password to be an Asset!
![Page 18: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/18.jpg)
Anything can be an asset…
But are you really concerned about the passwords?
Or the places, data, and applications, the passwords provide access to?
Or are you concerned about the effect or loss that could occur?
![Page 19: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/19.jpg)
So when you think about RISK, you must be crystal clear on what you consider a real Asset.
![Page 20: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/20.jpg)
Then and only then can we think of the potential or probability of loss exposure
![Page 21: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/21.jpg)
When Zeus created pandora's box as a giftand the gift was opened evil poured out…almost like lava burning and covering everything in its path
![Page 22: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/22.jpg)
Thats Kind Of How Loss Flow Works
Photo Credit: Measuring & Managing Information Risk
![Page 23: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/23.jpg)
What Types Of Loss flows Are There?
In risk frameworks like FAIR
● Loss for both primary and secondary stakeholders include things like productivity, response costs, replacement costs, competitive advantage, fines and judgments, response costs, and reputation.
![Page 24: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/24.jpg)
What Is FAIR?Factor Analysis of Information Risk
![Page 25: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/25.jpg)
In FAIR,Accuracy is better than Precision
You can have high degrees of precision and yet not be accurate.
![Page 26: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/26.jpg)
FAIR - Its A Way Of Measuring Risk
Explained as a recipe
1 pt Ontology / Taxonomy1 pt Risk Terminology (TE, TEF, LE, LEF, CF, POA……)1 pt Data Gathering1 pt Probability, Normalized Distributions
½ pt PERT Formula using 3 point estimates (spread between minimum, most likely, to least likely)
½ pt Monte Carlo Simulation
![Page 27: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/27.jpg)
RISK
Loss Event Frequency
Loss Magnitude
Threat Event Frequency Vulnerability Primary
LossSecondary
Risk
Secondary Loss Event Frequency
Secondary Loss Magnitude
DifficultyThreat Capability
Probability of Action
Contact Frequency
Recreated from Measuring and Managing Information Risk
FAIR Taxonomy / Ontology
![Page 28: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/28.jpg)
Slimmed Down Version (Not Full Process)
● Identify Scenario○ Asset○ Threat Community
● Evaluate Loss Event Frequency (LEF)○ Estimate Threat Event Frequency
(TEF)○ Estimate Threat Capabilities
(TCAP)○ Estimate Difficulty ○ Determine Vulnerability○ Determine Primary Loss Event
Frequency (PLEF)○ Determine Secondary Loss Event
Frequency (SLEF)
● Estimate Probability Loss Magnitude (PLM)
● Estimate Probability Secondary Loss Magnitude (SLM)
● Determine Primary and Secondary Risk
● Determine overall RISK
Credit: Measuring and Managing Information Risk
![Page 29: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/29.jpg)
FAIR - Stick All Of This In The Blender
LEF Min LEF Most Likely LEF Max Data Gathering Confidence
0.3 once every 3 years
0.5 once every 2 years
3 three times a year
Low
TEF Min TEF Most Likely TEF Max Data Gathering Confidence
0.015 0.05 0.6 Low
LOSS MAGNITUDE
MIN RESPONSE COST
MIN REPLACEMENT
Data Gathering Confidence
PRIMARY $500,000 $2900 Low
SECONDARY $1,300,00 $30,600,000 Medium
![Page 30: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/30.jpg)
Stop... This All Seems Too Complicated...
LEF Min LEF Most Likely LEF Max Data Gathering Confidence
0.3 once every 3 years
0.5 once every 2 years
3 three times a year
Low
TEF Min TEF Most Likely TEF Max Data Gathering Confidence
0.015 0.05 0.6 Low
LOSS MAGNITUDE MIN RESPONSE COST
MIN REPLACEMENT Data Gathering Confidence
PRIMARY $500,000 $2900 Low
SECONDARY $1,300,00 $30,600,000 Medium
Basically it allows us to communicate in the terms of RISK and understand potential financial loss...
To communicate to security staff / executives etc…….
![Page 31: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/31.jpg)
What is Mitre Att&CK
![Page 32: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/32.jpg)
Mitre Att&CK
MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Its an attacker/ threat
taxonomy/ontology:
1pt Tactics
1pt Techniques
1pt Procedures
Mix in numbers, and a
coverage matrix
Book Definition…. As a recipe!
![Page 33: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/33.jpg)
The Grid (Reminds me of the movie Tron)
The Grid, An attackers frontier, they tried to picture clusters of attacks as they move through the computer, what did they look like, ships, motorcycles, were the circuits like freeways, they kept dreaming of a world, they would never see, and then, one day, they got in...
![Page 34: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/34.jpg)
Quick Example
![Page 35: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/35.jpg)
What is SOAR
![Page 36: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/36.jpg)
Security Orchestration Automation & Response
![Page 37: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/37.jpg)
![Page 38: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/38.jpg)
Modeling a RISK Scenario with FAIR + ATT&CK + SOAR
![Page 39: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/39.jpg)
● Determine Asset at risk
● Threat Community & Profile
● Threat Type / Capability
● Effect? Confidentiality, Integrity,
Availability
● Apply FAIR (TE, TEF, LE, LEF, CF,
POA……)
● Apply Assoc. Mitre Att&CK TTPs
● Determine Priority and build
response playbooks
Model a Scenario
Asset Employee Or Corporate Laptop/Endpoints
Threat Community Cyber Criminals
Threat Type Malicious Activity
Effect Confidentiality
Assoc. TTPS T1192….
![Page 40: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/40.jpg)
FAIR & ATT&CK - Dirty Example
Credit: Jack Jones & FAIR Institute
![Page 41: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/41.jpg)
Dirty Example
Depending on the FAIR results for the minimum, most likely, and maximum costs, the ATT&CK TTP’s associated and coverage of TTP’s we can then PRIORITIZE the response accordingly.
Credit: Jack Jones & FAIR Institute
![Page 42: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/42.jpg)
SOAR Activity
● Develop and Tag response processes, and use cases or playbooks that tie to the TTP’s and RISK (Loss Exposure)
● Prevention/Detection○ Design automation detection assistance and processes for
notifying and taking automated actions○ Update automatically any detection and prevention systems
like blocks, detection systems etc.● Post breach
○ Determine time consuming manual interventions (Can it be automated?)
○ Automate and reduce Costs of manual intervention○ Collect evidence to determine how to improve RISK loss
exposure, and magnitude.
![Page 43: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/43.jpg)
Dirty Example
![Page 44: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/44.jpg)
In Summary
By applying FAIR + Att&CK + SOAR we can ask questions like
● Raise or Lower priority of the SOAR use case?● Automate manual intervention?● What automation response metrics are req?● Does the responses align with the TTP’s and the FAIR
estimates?● Is the Att&CK and SOAR coverage we have for this RISK
enough to reduce the RISK / Loss Exposure, or Financial Loss that could occur?
● Finally….
![Page 45: Opening Pandora's Box - OASIS · pandora's box as a gift and the gift was opened evil poured out…almost like lava burning and covering everything in its path. Thats Kind Of How](https://reader030.vdocuments.net/reader030/viewer/2022041001/5ea174fc85dd526e341d72d2/html5/thumbnails/45.jpg)
Thank you.