A3

Threat landscape

What is the aim?

All countries are dependent on digital resilience for their economic prosperity. Providing strategic advice on the threat landscape allows countries to identify priority sectors and their threats in order to make risk-based decisions that are appropriate to their unique economic circumstances.

Why do it?

Understanding in detail the particular impact of any damage or loss of capability arising from an attack or accident allows a country to focus on protection and resilience rather than just defense. Reviewing the threat landscape provides a generic overview of known and emerging threats. This is especially important for emerging economies where the impact of a national cyber incident could have a disproportionate impact on economic growth. 

What are typical outputs? 

  1. Prioritizing critical services and organizations (e.g. critical national infrastructure such as utilities and government networks), with clearly defined roles and responsibilities for owning the associated risks
  2. Identifying threat actors and their motivations unique to the country 
  3. Relationship of threat landscape to the national cyber strategy if one exists; if not, how it could be related
  4. Understanding of threat intelligence requirements

How is it delivered?

Direct consultancy, facilitated workshops. Analysis of the major threats in relation to a prioritized list of national capabilities and organizations. Gap analysis compared to similar countries with a higher level of maturity. 

How easily can a country do it themselves?

Some external help will be needed to develop the foundation and set up the ongoing maintenance. Once a process has been established, awareness raised and priorities identified, then it is a relatively straightforward process. 

What good practice guidance is available?

ENISA (as do the NCSC and all major security vendors) publishes a regular report on the cyber threat landscape; standard risk analysis frameworks help map this to specific vulnerabilities. 

  • The effectiveness of this activity is greatly improved by having a good understanding of which assets constitute critical national infrastructure (CNI) and critical information infrastructure (CII) before providing strategic advice on the threat landscape. A series of workshops to develop this understanding is easy to implement and helps raise awareness. 
  • Having clearly defined roles and responsibilities within organizations that are accountable for security will steer the risk apportioned to each threat. Having this in place, as well as a good understanding of the national monitoring and detection capabilities, will also add value to the work. Again, these can be developed through workshops.

Cost

$6,580 USD for facilitated workshops to develop understanding followed by $13,160 USD for a 1-year monthly mentoring and development service. 

Duration

Circa 1 week for the initiation workshops followed by a 12-month light-touch project to increase the national capability. Depending on how much support the country needs, this could be as little as one day a month of mentoring or up to 4 days a month to deliver a fully embedded and maintained capability. 

In 2019, CYSIAM were asked to work with an organization from a Middle Eastern country that had responsibility for the security of some public networks and had just suffered a serious cyber attack. CYSIAM’s main effort was to help them recover from the attack, perform a post-incident analysis and assist with formally developing their appreciation of the threats unique to their country. They already had a good appreciation of the vulnerabilities of the organizations that they were responsible for; however, they had not formally carried out a threat landscape activity and so did not fully understand the strategic threat. The nature of the incident prompted the organization to bring in external and independent expertise to take a strategic approach to cybersecurity rather than focusing only on the technical controls. 

CYSIAM initially focused on helping the organization understand the root cause of the recent incident and, using some analysis and threat intelligence, were able to relate it to an ongoing ransomware campaign. Once the immediate threat was identified, it was relatively easy to map across to existing and emerging threats to help network defenders and non-technical managers to understand the risks and build a remediation plan for this isolated incident. However, the organization recognized that a more proactive approach was needed. 

As the organization clearly understood their priorities and existing vulnerabilities, CYSIAM carried out a series of threat landscape modelling workshops and used a number of sources to provide strategic advice on the current and emerging threats. These were principally the annual security reports from the NCSC, the ENISA Threat Landscape (ETL) and the Mandiant/FireEye open-source analysis of existing, new and emerging threats. This threat-mapping activity allowed non-technical leaders in the organization to make prioritized decisions for current and future investment in preventative measures, and allowed cyber defenders to shift their focus from response to resilience. 

Because of the vulnerability analysis conducted on the organization, and the support provided to the security team in learning from the incident and developing a mature understanding and effective prioritization of their responsibilities, CYSIAM were able to take threat data from the landscape analysis and apply the relevant parts to the organization with little difficulty. Most importantly, the organizations and staff involved were able to achieve a step change in their own capability by combining vulnerability awareness, network prioritization and open-source cyber threat landscape data. 

Once a good foundation has been established, the next stage of maturity is to develop their own strategic threat landscape reporting, following these steps: 

  1. Identify the technical estate that needs to be protected

  2. Identify the roles and responsibilities for protecting the technical estate

  3. Define the critical infrastructure and services

  4. Discover and analyse vulnerabilities in the critical infrastructure and services, and in the infrastructure and services that support them 

  5. Perform threat modelling based on national and international cyber-threat trends

  6. Map across threats to vulnerabilities and increase resilience to potential cyber incidents