Transforming Cyber Risk Management with Advanced Threat Intelligence

CoE-EDP, VisionRI | Updated: 10-06-2024 16:48 IST | Created: 10-06-2024 16:48 IST

A study by the University of Saint Joseph, Beirut, and the Faculty of Engineering, Lebanese University addresses the growing challenge of sophisticated cyber threats facing organizations. It highlights the need for a better understanding of these threats to develop stronger defensive strategies. Traditional cyber risk management often focuses only on internal risks, neglecting the motivations and tactics of external adversaries. This gap necessitates a new approach that integrates cyber threat intelligence (CTI) into risk management processes.

The Growing Threat Landscape

As digital transformation and interconnectivity increase, so do the severity and frequency of cyber threats. Organizations face substantial financial losses due to inadequate cybersecurity measures. Existing cyber risk management frameworks identify, assess, treat, and monitor digital risks but often fail to account for the external threat landscape. The shift towards automation and digital connectivity has made critical infrastructures more vulnerable to various external threats, including state-sponsored groups, organized crime, and activists. Despite significant investments in cybersecurity, many organizations lack proper situational awareness of their adversaries and the evolving threat landscape.

Traditional risk management frameworks focus primarily on internal contexts, overlooking the dynamics of external threat actors. To bridge this gap, the authors propose integrating CTI into cyber risk management. CTI provides valuable information about threat actors, their objectives, and their methods, allowing organizations to make more informed decisions and strengthen their defenses.

A New Framework for Enhanced Risk Management

The authors introduce a new framework based on EBIOS Risk Manager, enhanced with integrated CTI. The proposed framework includes several phases and workshops to ensure comprehensive risk management. The first phase, Scope and Security Baseline, defines the scope of the study, identifies business and supporting assets, and assesses potential feared events and their severity. It aligns the CTI process with the organization's context and objectives. In the Threat Intelligence and Assessment/Risk Origins phase, the workshop identifies and assesses risk origins (threat actors) using strategic threat intelligence information. An expert in emerging threats participates to ensure accurate identification and assessment of these risk origins.

Developing Realistic Attack Scenarios

The Strategic Scenarios phase develops high-level strategic scenarios based on the identified risk origins and their potential attack paths through the organization's stakeholders. Strategic and tactical threat intelligence information is used to create realistic scenarios and assess their impact. The Operational Scenarios phase constructs detailed operational attack scenarios based on the strategic scenarios. This phase uses operational and technical threat intelligence to accurately reflect potential attack paths and assess the likelihood of each scenario.

Continuous Monitoring and Adaptation

In the Risk Treatment phase, a comprehensive risk treatment strategy is formulated based on the identified risks. This phase prioritizes security measures and develops a continuous improvement plan to ensure effective responses to emerging threats. The Risk and Threat Monitoring phase is a continuous phase that monitors risks and threat intelligence, allowing for timely adaptation and re-execution of the risk management process based on new threat information. Regular workshops are held to review and update the risk treatment plan.

The proposed framework was applied to a national telecommunications infrastructure to demonstrate its effectiveness. The application revealed several enhancements over traditional EBIOS Risk Manager, including more accurate risk assessments and better prioritization of security measures. By incorporating CTI, the framework can identify specific threats relevant to the organization, leading to more accurate risk assessments. The use of strategic and operational threat intelligence allows for the development of realistic attack scenarios, improving the evaluation of risks. The risk and threat monitoring phase ensures that the framework can adapt to new threats quickly, providing a more agile and responsive risk management process.

Staying Ahead of Cyber Adversaries

The integration of CTI into cyber risk management frameworks is crucial for addressing the dynamic nature of cyber threats. The proposed framework enhances traditional risk management processes by incorporating continuous threat intelligence, leading to better-informed decisions and stronger defenses. Future work should focus on refining the framework, incorporating STIX (Structured Threat Information Expression) feeds so that threat actor data can be consumed in a machine-readable form, and developing collaborative risk management approaches. In summary, this new approach to cyber risk management, driven by CTI, helps organizations stay ahead of cyber adversaries by providing a more comprehensive and adaptive risk management process.
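To make the Risk Origins assessment and the Risk and Threat Monitoring phase concrete, the following is an added example (it is not code from the paper or from this article). It reads a constructed, minimal STIX 2.1 bundle, treats each threat-actor object as a candidate risk origin, and scores it with a hypothetical pertinence formula, (capability + resources) × (1 + relevance), where capability and resources are the ordinal positions of the STIX `sophistication` and `resource_level` terms and relevance counts `targets` relationships into identities in the organization's own sector. That formula is a simplification of the motivation/resources/activity judgement EBIOS Risk Manager asks for, not the paper's scoring. The second function compares two successive assessments, which is the re-execution trigger the monitoring phase describes: new, dropped, or re-scored risk origins are what would send the team back into the scenario workshops.

```python
"""Added example: STIX 2.1 bundle -> ranked risk origins -> monitoring delta.
Scoring is a hypothetical simplification for illustration, not the paper's method."""
import json
from dataclasses import dataclass

# Ordinal scales follow the order of the STIX 2.1 open vocabularies.
SOPHISTICATION = ["none", "minimal", "intermediate", "advanced", "expert",
                  "innovator", "strategic"]
RESOURCE_LEVEL = ["individual", "club", "contest", "team", "organization",
                  "government"]


def _ordinal(scale, value):
    """Map a vocabulary term to 1..len(scale); unknown or missing terms score 1."""
    return scale.index(value) + 1 if value in scale else 1


@dataclass(frozen=True)
class RiskOrigin:
    actor_id: str
    name: str
    capability: int   # from sophistication
    resources: int    # from resource_level
    relevance: int    # number of 'targets' relationships into our sector

    @property
    def pertinence(self) -> int:
        # Hypothetical score: actors never seen targeting our sector are kept
        # (EBIOS RM retains risk origins), but relevance multiplies the rest.
        return (self.capability + self.resources) * (1 + self.relevance)


def assess_risk_origins(bundle_json: str, sector: str) -> list:
    """Workshop 2 input: rank threat actors in a STIX bundle for one sector."""
    objects = json.loads(bundle_json).get("objects", [])
    in_sector = {o["id"] for o in objects
                 if o.get("type") == "identity" and sector in o.get("sectors", [])}
    targeting = {}
    for o in objects:
        if (o.get("type") == "relationship" and o.get("relationship_type") == "targets"
                and o.get("target_ref") in in_sector):
            targeting[o["source_ref"]] = targeting.get(o["source_ref"], 0) + 1
    origins = [RiskOrigin(actor_id=o["id"], name=o.get("name", o["id"]),
                          capability=_ordinal(SOPHISTICATION, o.get("sophistication")),
                          resources=_ordinal(RESOURCE_LEVEL, o.get("resource_level")),
                          relevance=targeting.get(o["id"], 0))
               for o in objects if o.get("type") == "threat-actor"]
    return sorted(origins, key=lambda r: (-r.pertinence, r.name))


def monitoring_delta(previous: list, current: list) -> dict:
    """Monitoring phase: what changed between two feed snapshots, by actor id."""
    prev = {r.actor_id: r for r in previous}
    cur = {r.actor_id: r for r in current}
    return {
        "new": [cur[i].name for i in cur if i not in prev],
        "removed": [prev[i].name for i in prev if i not in cur],
        "changed": [(cur[i].name, prev[i].pertinence, cur[i].pertinence)
                    for i in cur if i in prev and cur[i].pertinence != prev[i].pertinence],
    }


# --- Constructed sample feed (minimal STIX 2.1 objects; timestamps omitted) ---
TELCO = {"type": "identity", "spec_version": "2.1",
         "id": "identity--00000000-0000-4000-8000-000000000001",
         "name": "Constructed national telecom operator",
         "identity_class": "organization", "sectors": ["telecommunications"]}


def _actor(n, name, types, soph, res):
    return {"type": "threat-actor", "spec_version": "2.1",
            "id": f"threat-actor--00000000-0000-4000-8000-00000000000{n}",
            "name": name, "threat_actor_types": types,
            "sophistication": soph, "resource_level": res}


def _targets(n, actor_id):
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--00000000-0000-4000-8000-00000000000{n}",
            "relationship_type": "targets", "source_ref": actor_id,
            "target_ref": TELCO["id"]}


def _bundle(n, objects):
    return json.dumps({"type": "bundle",
                       "id": f"bundle--00000000-0000-4000-8000-00000000000{n}",
                       "objects": objects})


NS = _actor(1, "Constructed state-sponsored group", ["nation-state"], "advanced", "government")
CS_V1 = _actor(2, "Constructed crime syndicate", ["crime-syndicate"], "intermediate", "organization")
CS_V2 = dict(CS_V1, sophistication="advanced")   # same actor, upgraded in the later feed
AC = _actor(3, "Constructed activist collective", ["activist"], "minimal", "club")

FEED_V1 = _bundle(1, [TELCO, NS, CS_V1, _targets(1, NS["id"])])
FEED_V2 = _bundle(2, [TELCO, NS, CS_V2, AC, _targets(1, NS["id"]),
                      _targets(2, CS_V2["id"]), _targets(3, AC["id"])])

if __name__ == "__main__":
    v1 = assess_risk_origins(FEED_V1, "telecommunications")
    v2 = assess_risk_origins(FEED_V2, "telecommunications")
    for r in v2:
        print(f"{r.pertinence:3d}  {r.name}")
    print(monitoring_delta(v1, v2))
```

In the constructed feeds the crime syndicate moves from a score of 8 to 18 once the feed records it targeting the telecom sector and raises its sophistication, and a new activist actor appears; those two entries in the delta are exactly the events that should re-open the strategic and operational scenario workshops rather than wait for the next scheduled review.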
