1. Short Description
DiVA assesses and quantifies the consequences of cyber-attacks on CI assets, and the losses related to intangible assets. It innovates with a unique cyber-security cost-benefit analysis approach that combines up-to-date modern attack trends and an integrated assessment of vulnerabilities and likelihoods of cyber-attacks with an innovative macro- and microeconomic model of intangible costs, to deliver risk estimations for individual organizations and sectors.
The aim of DiVA is therefore to create an integrated approach to cyber-security cost-benefit analysis that:
- starts from an integrated assessment of vulnerabilities and their likelihoods;
- exploits an innovative macro- and microeconomic model for intangible costs;
- ends with an estimation of the risks for an organization or a business sector, followed by guidelines on investments to mitigate the loss of an enterprise’s integrity.
2. Main Purpose and Benefits
Risk can be defined as the combination of the likelihood of an event occurring and its consequences. When assessing the risk of cyber-attacks for an organization, the complexities include:
- Estimating the vulnerabilities of the organization to cyber-attacks, and therefore the likelihood of being subject to attacks, and the tangible and intangible assets at risk as a direct or indirect consequence of the attacks. Since it is impossible to directly estimate the likelihood of a cyber-attack for a specific organization, it is necessary to assess the technical and social vulnerability of the organization and indirectly compute the probability of the cyber-attack.
- Quantifying the possible consequences of the attacks on the tangible and intangible assets at risk. It is of particular importance to take into consideration the role that intangible assets can play, since their costs are often underestimated or even ignored whilst, on the contrary, they can be as large as tangible ones or even exceed them.
- Assessing the risks and taking decisions on the best possible investments to mitigate the risks of cyber-attacks.
Inside DiVA there are different roles:
- Administrator – is the administrator of the DiVA platform.
- Chief Information Security Officer (CISO) – is responsible for the security assessment.
- External Auditor – is responsible for reviewing the assessment done by the CISO.
The DiVA goals are to provide a complete cyber vulnerability assessment and to avoid the expensive consultancy of big companies in the attack prevention scope. The questions you must answer to complete this process are the following:
  o This phase typically means defining the list of relevant assets, which could be a target for the attacker.
  o The type of company, which, according to a specified profile, can be attacked by specific attacker profiles.
  o Who can access/manage the assets and where they are stored.
- WHO WOULD ATTACK MY COMPANY?
  o Threat Agents: Government Hackers, Hacktivists, Insiders, identified according to a base of past cases, i.e. information that comes from the knowledge base of past attacks.
- WHY SHOULD SOMEBODY ATTACK MY COMPANY?
  o There are different possible motivations that can guide an attacker to hack a company. Among others, for example: accidental hacking, desire for dominance, ideological motivations, notoriety.
- HOW COULD MY COMPANY BE ATTACKED?
  o Identify the possible attack strategies, from the attacker’s point of view.
- WHAT ARE THE WEAKNESSES OF MY COMPANY?
  o It is important to measure the weak points of a company’s attack surface, for example through self-assessment (using a cyber-maturity questionnaire).
- IS THE COMPANY’S PERCEPTION REALISTIC?
  o As with any other questionnaire-based self-assessment methodology, which extracts knowledge from some internal key holders, the DiVA methodology is subject to biases in the perception of the above points. Some evaluators may skip some important trends or assets, or over/underestimate the security level of their countermeasures. The role of an external penetration tester is therefore important to check whether the self-assessment, filled out by the CISO, matches the actual company maturity level.
3. Main Functionality
The DiVA framework allows a company’s CISO to perform a Risk Assessment to generate risk profiles and identify possible threats and vulnerabilities that could compromise both the company’s tangible and intangible assets.
To do this the CISO has two dashboards: (1) the vulnerability assessment and (2) the risk assessment.
3.1 Vulnerability Assessment
The process is structured into two questionnaires. The first phase of the vulnerability assessment is composed of the Threat Agent Identification (TAI) and the Motivations identification.
The term Threat Agent is used to indicate an individual or group that can manifest a threat. To understand “who” the potential threat agent is, DiVA will use the Intel Threat Agent Library (TAL), appropriately customized and simplified to meet the specificities of 7Shield.
In order to evaluate the relevance of a threat agent for estimating the likelihood of an attack, it is important to identify their motivations. Motivation, in fact, is a determining factor in understanding which companies are more likely to be attacked and the persistence and intensity of an attack. Within DiVA, the list of motivations is the one proposed by Intel in the Threat Agent Motivation: Accidental, Coercion, Disgruntlement, Dominance, Ideology, Notoriety, Organizational-gain, Personal-gain, Personal-satisfaction and Unpredictable.
The output of this phase aims at giving a quantitative score which identifies the attacker’s attitude. In other words, it aims at answering the question “How dangerous is the threat agent?”
In the second phase the goal is to estimate the likelihood of the particular vulnerability involved being discovered and exploited. At this stage it is important to introduce two concepts: the Attack Strategies and the Attack Map which contains them all.
Attack Strategies are defined by the CAPEC (Common Attack Pattern Enumeration and Classification) taxonomy as general elements of an attack that are seen over and over in the attacks on today's cyber-enabled capabilities. The DiVA system simplified the list of possible attack strategies in order to make the system easier to keep up to date and to reduce the difficulty of the terminology used.
The output of the second phase is a refined attack map, where the attack strategies, whose required skills are considered above the competences of the threat agents interested in the enterprise, are reported with a corresponding likelihood.
3.2 Risk Assessment
In this part of the DiVA framework the CISO is asked to provide information about the company assets and economics in order to identify the most critical attack strategies and the most vulnerable assets, and to calculate the impact evaluation.
This process is structured in different questionnaires:
- Asset clustering - the first step of the process, which aims at describing the company domain in terms of owned assets. In other terms, this phase responds to the question "What do I own?”
- Impact Evaluation - measuring the impact on assets.
- Estimation of the Attack Related Costs - estimate the attack related costs; "Communicate or evaluate the costs of the declared attack costs".
- Risk Evaluation - manage your risk based on cost-benefit analysis. The general approach includes both qualitative and quantitative methodologies based on risk definition (ISO 31000) and risk management (ISO 31010).
4. Integration with other Tools of 7SHIELD
The DiVA tool has a dashboard which is integrated in the Cyber Physical Threat Monitoring Dashboard (CPTMD).
In addition, DiVA shares risk data with the other 7SHIELD tools through the Kafka message broker:
o DiVA receives the list of assets needed for the risk assessment from the MDBA component, where all the assets of the infrastructure are registered.
o These data are used to automatically create and start the risk assessment.
o DiVA shares with the SPGU component the data regarding Impact, Likelihood, Vulnerability, Criticality and Risk for each asset, to be visualised before, during or after the disaster.
5. Infrastructure Requirements
DiVA is deployed as a service at the URL “http://cyber-risk.eng.it/”.
The required software is:
- Docker v18.06.01-ce or later
- Docker-compose v1.22.0 or later
- Git v2.17.1 or later
The hardware required is:
- CPU: 4 64-bit cores or more
- RAM: 8 GB or more
- Disk: 40 GB or more
- OS: any system supporting the Docker engine
6. Operation Manual
6.1 Set-up
The DiVA tool is installed using Docker with a docker-compose file; all the configurations for the deployment are contained in the “.env” configuration file of the tool.
6.2 Getting Started
For the tool to work properly, it needs to be connected to the Kafka broker and to the Single Sign-On (SSO). The variables that need to be set for these connections are:
o OAUTH_ISSUER
o OAUTH_JWKS
o OAUTH_CLIENT_ID
o OAUTH_USER_INFO
o KAFKA_BOOTSTRAP_SERVERS
o KAFKA_GROUP_ID
o KAFKA_SECURITY_DIR
o KAFKA_SECURITY_KEYSTORE_LOCATION
o KAFKA_SECURITY_KEYSTORE_PASSWORD
o KAFKA_SECURITY_TRUSTSTORE_LOCATION
o KAFKA_SECURITY_TRUSTSTORE_PASSWORD
o KAFKA_SECURITY_KEY_PASSWORD
o KAFKA_RISK_PICTURE_TOPIC
All this information must be included in the configuration file.
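A pre-flight check of the “.env” file before running docker-compose, added here as example code (not part of the DiVA distribution): it verifies that every SSO and Kafka variable listed above is present and non-empty and that the keystore and truststore files it names exist. The embedded sample configuration is constructed with placeholder values, and resolving a relative keystore/truststore location against KAFKA_SECURITY_DIR is an assumption of this example.

```python
"""Pre-flight check of the DiVA ".env" file (added example, not part of DiVA).

Every SSO and Kafka variable listed in Getting Started must be present and
non-empty, and the keystore/truststore named by the KAFKA_SECURITY_*_LOCATION
variables must exist on disk. Relative locations are assumed (not stated on the
page) to be resolved against KAFKA_SECURITY_DIR.
"""
import os

REQUIRED_VARS = (
    "OAUTH_ISSUER", "OAUTH_JWKS", "OAUTH_CLIENT_ID", "OAUTH_USER_INFO",
    "KAFKA_BOOTSTRAP_SERVERS", "KAFKA_GROUP_ID", "KAFKA_SECURITY_DIR",
    "KAFKA_SECURITY_KEYSTORE_LOCATION", "KAFKA_SECURITY_KEYSTORE_PASSWORD",
    "KAFKA_SECURITY_TRUSTSTORE_LOCATION", "KAFKA_SECURITY_TRUSTSTORE_PASSWORD",
    "KAFKA_SECURITY_KEY_PASSWORD", "KAFKA_RISK_PICTURE_TOPIC",
)

# Constructed sample with placeholder values; not a real deployment.
SAMPLE_ENV = """\
OAUTH_ISSUER=https://sso.example.invalid/
OAUTH_JWKS=https://sso.example.invalid/jwks
OAUTH_CLIENT_ID=diva
OAUTH_USER_INFO=https://sso.example.invalid/userinfo
KAFKA_BOOTSTRAP_SERVERS=kafka.example.invalid:9093
KAFKA_GROUP_ID=diva
KAFKA_SECURITY_DIR=/etc/diva/security
KAFKA_SECURITY_KEYSTORE_LOCATION=keystore.jks
KAFKA_SECURITY_KEYSTORE_PASSWORD="placeholder-keystore-password"
KAFKA_SECURITY_TRUSTSTORE_LOCATION=truststore.jks
KAFKA_SECURITY_TRUSTSTORE_PASSWORD="placeholder-truststore-password"
KAFKA_SECURITY_KEY_PASSWORD="placeholder-key-password"
KAFKA_RISK_PICTURE_TOPIC=diva-risk-picture
"""


def parse_env(text):
    """Minimal KEY=VALUE parser: skips blanks and comments, strips matching quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def check_env(text, exists=os.path.isfile):
    """Return the list of problems found; an empty list means the file is complete."""
    env = parse_env(text)
    problems = [f"missing or empty: {k}" for k in REQUIRED_VARS if not env.get(k)]
    secdir = env.get("KAFKA_SECURITY_DIR", "")
    for key in ("KAFKA_SECURITY_KEYSTORE_LOCATION", "KAFKA_SECURITY_TRUSTSTORE_LOCATION"):
        path = os.path.join(secdir, env.get(key, ""))
        if env.get(key) and not exists(path):
            problems.append(f"file not found: {key}={path}")
    return problems
```

Run `check_env(open(".env").read())` from the directory holding the docker-compose file; an empty list means every listed variable is set and both key material files are in place.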
6.3 Nominal Operations
There are no notifications coming from DiVA; all the information about the risk assessment is communicated to the other tools using the Kafka broker.
6.3.2 Data entry - User Inputs
The user is required to input data about the company through questionnaires or forms.
The information is communicated to the user using graphs and tables.
7. User Interface
To achieve these goals, the tool guides the CISO through the required steps, as illustrated in the following guide.
The CISO must first feed the system by providing some basic information about the enterprise, such as the type of organization and business activities, as well as the owned assets. The application processes the data provided in the previous steps – which give a deeper insight into the cyber threats that could compromise the security of the organization – to deliver information about appropriate countermeasures.
7.1 Creation of Risk Assessment
The risk assessment aims at describing the cyber risks to which the enterprise is exposed in the current situation. This allows different assessments to be compiled over time to compare the evolution of the enterprise’s cyber risk exposure.
First the CISO is redirected to the dashboard, where a summary of the information derived from the completed steps is available based on the current progress. The purpose of the widget below is to display the status of all the steps performed and to allow the CISO to proceed to the next step or to edit a previous version of a step already filled in by clicking the action button.
Figure 7‑1 Vulnerability Assessment Dashboard
7.1.1 Identify Threat Agents
Threat agents are the actors responsible for carrying out the attacks that cause the impairment of the targeted assets, causing economic losses to the companies. The knowledge of the crucial assets owned by the company is only the starting point for their protection, as it is indispensable to also know the threat agents who may be interested in performing an attack. Therefore, it is important to understand the Threat Agents’ motivations and goals in order to understand whether they could also be in the environment of the company. The subset of threat agents interested in performing an attack can be identified by the CISO through a questionnaire connecting each threat agent to a subset of questions. Each question represents an aspect or a characteristic of the company that may increase the interest of the threat agent. Therefore, the possible questionnaire responses will be YES if those characteristics are present and NO otherwise. The level of interest of a particular threat agent is calculated as the ratio of confirmed characteristics (YES) to all characteristics that represent a potential interest for such a threat agent, which is then converted into a percentage. For instance, to determine whether a Government Hacker may be motivated to target the specific company, the following questions are raised:
Figure 7‑2 Government Hacker Questions
To transform these answers into a meaningful value, i.e. the level of interest of the associated threat agent, the following formula is used:
LevelOfInterest_x = k_x / n_x
In other words, for a given threat agent x, its level of interest is expressed as the ratio between the number of YES responses, k_x, and the number of all questions, n_x, both related to that threat agent.
7.1.2 Assess Vulnerabilities
The next step is to evaluate the current maturity level regarding cybersecurity attacks in the target company. To do this, DiVA uses a self-assessment questionnaire, where each question is linked to one or more attack strategies. In other words, each question evaluates a particular vulnerability that could be exploited to perform some attacks. Therefore, the CISO is asked to fill in this questionnaire by providing information about the level of the countermeasures currently adopted inside the company. Different questions may have different weights; therefore, we distinguish between regular and relevant questions. Regular questions have the same weight in evaluating the maturity of the countermeasures, while relevant questions have a higher impact.
Figure 7‑3 Vulnerability Assessment Questions
It may also be the case that some of the questions are not applicable to the context of the target company; hence, it will be possible to provide a neutral answer which will have no weight on the likelihood results.
7.1.3 Likelihood and Vulnerability Estimation
Two relevant concepts in the DiVA framework are the Likelihood and the Vulnerability.
Likelihood represents the probability of an asset being compromised through an attack. On the other side, the vulnerability is a weakness present in the system, which can be exploited by an attacker to reduce a system’s information assurance. This value is obtained by considering the level of countermeasures currently adopted, if any, by the target company.
Attack strategies can be seen as tools in the threat agent’s toolbox, and just as a tool, an attack strategy requires skills to be used. Thus, attack strategies and the skills of the threat agent are linked. The greater the skill level of a threat agent, the more likely the severity and effectiveness of the attack strategy; and vice versa.
Associated with each attack strategy there is a likelihood value, as defined by CAPEC, which is a function of its properties, frequency and resources. This is defined as the initial likelihood.
The contextual likelihood situates the value of the initial likelihood, as provided by CAPEC, within its context and assesses it based on the level of countermeasures adopted within the company.
The refined likelihood introduces the knowledge and the expertise of an external professional into the process of likelihood estimation by considering their assessment of the countermeasures adopted by the company. To do this, once more, we average the initial likelihood with the value of the refined vulnerability, provided by the external expert.
Figure 7‑4 Likelihoods for the most dangerous Threat Agents
An Attack Plan is performed along “Phases” (from Reconnaissance to Command and Control) and “Layers” (from Human to Physical) of the attack vector. The following Attacks Matrix reports all the attack strategies that may be performed by a threat agent to endanger the company's assets. Once a threat agent is selected from the list, the procedure analyses the attack strategies, including their characteristics (such as frequency, required skills and resources), and estimates the likelihood of their being performed. Red boxes represent the most dangerous attack strategies, those to be mitigated with greater priority, while those in grey cannot be performed by the threat agent due to insufficient skills. Attack plans span across the different estimations of likelihood. Hence, they are subject to change: some of the attack strategies that have a high initial likelihood may end up with a low contextual likelihood and a medium refined likelihood, meaning that such attacks have already been partially mitigated through the adopted countermeasures.
Once the identification of the threat agents is complete, an initial attack plan will be available for each threat agent, based on the likelihood provided by CAPEC [1] for each attack strategy.
Figure 7‑5 Attack Plans Initial Likelihood
7.1.5.1 Contextual Attack Plan
After the CISO has submitted the self-assessment questionnaire, the likelihood linked to each of the attack strategies may vary, and so may the respective attack plan.
Figure 7‑6 Attack Plans Contextual Likelihood
7.1.5.2 Refined Attack Plan
Finally, a refined attack plan will be available after the external expert has completed their self-assessment questionnaire.
Figure 7‑7 Attack Plans Refined Likelihood
The second part of the DiVA framework is the Risk Board, where a series of risk assessments is represented. A risk assessment can be created by clicking the dedicated button or can be automatically created by the platform after DiVA receives the list of assets from the MDBA component.
Once a self-assessment has been created and selected, the CISO is redirected to the dashboard, where a summary of the information derived from the completed steps is available based on the current progress. As an initial phase in an empty system, the CISO starts by providing the application with data to describe and structure the target enterprise.
Figure 7‑9 Risk Assessment Questionnaires
The Asset Clustering step aims at describing the company in terms of its owned assets. This phase is designed to answer the question “What do I own?”.
Therefore, the CISO is asked to select the assets which, according to their physical characteristics, can be assigned to one of the two macro categories: tangible and intangible.
For a risk assessment created manually the CISO can select the assets and the subset of the assets. In an automatically generated risk assessment this information is already provided and can only be checked by the CISO.
Depending on how the assets can be compromised by an attack, they can be divided into direct assets and indirect assets. The former are directly exposed to an attack, while the latter can only be attacked after a direct asset has been compromised. In this case, the direct asset acts as an intermediary for the spread of the attack to other assets, which are called indirect assets. The following figure illustrates a case in which a cyberattack has an impact on the asset Digital supported process because of a compromised Equipment.
As for the assets, this is only modifiable in manually created risk assessments.
7.1.10 Attack Related Costs
The CISO can feed the system with information about the costs that could arise in the event that an asset is deliberately compromised by an attack. For instance, an attack on the Blueprint asset would result in the company incurring the costs of restoring the asset to the state it was in before the attack, as well as a loss of revenues. The following figure illustrates the attack related costs of the asset Blueprint.
At this point the CISO is asked to evaluate the impact of the attacks; they can choose to follow a quantitative or a qualitative approach.
Figure 7‑13 Impact Evaluation Approach
If the CISO chooses one approach, DiVA automatically calculates the other.
7.1.12 Economic Estimation
In order to estimate the value of the assets, the DiVA framework uses the residual approach proposed by Gu and Lev (2003, 2011), as described in section 5.1 of D3.3. The first step of the impact evaluation asks the CISO to provide the discount rate percentage and the values of the EBITDA for the current year, the two previous years and the estimated values for the next three years.
Figure 7‑14 Impact Evaluation EBITDA
These values are then used to calculate the economic performance needed for the next step.
Figure 7‑15 Impact Evaluation Costs
In the second step, we ask for the values of the tangible assets, both physical and financial, their return percentage and the amount of their liabilities.
Alongside the division of values per asset, it is also possible to calculate the loss on intangible assets due to cyberattacks by providing a percentage value. The full loss value is then split among the different categories and finally among the assets within each category by using their priority values.
Figure 7‑16 Splitting Intellectual Property
Figure 7‑17 Loss Simulation Intellectual Property
7.1.14 Estimation of the Attack-Related Costs
For the attack related costs previously identified, in addition to the possibility of inserting their known value manually, there is a formula to calculate them by providing some input parameters.
Figure 7‑18 Estimation of the Attack Related Costs
7.1.15 Risk Management and Mitigations
Finally, the assets at risk are displayed in a Boston Square that considers the impact of the asset and its criticality, that is its risk of being attacked. The criticality of an asset is obtained as the product of the maximum likelihood and vulnerability of the attack strategies that could compromise it. By multiplying the value of the criticality by its impact, the associated risk value is generated.
Figure 7‑19 Asset at risk Boston square
Depending on the attack strategies that can affect an asset, it is possible to list all the possible mitigations that could be adopted by the company in order to protect this asset.
Figure 7‑20 Asset at risk details
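The scoring chain described in 7.1.1 (level of interest), 7.1.2 (vulnerability from the self-assessment), 7.1.3 (likelihoods) and 7.1.15 (criticality and risk), carried through in Python as an added example that is not DiVA’s own code. The weight 2 for relevant questions, the countermeasure level in [0, 1] per answer, the plain average of the CAPEC initial likelihood with the vulnerability, and the 0.5 split of the Boston Square are assumptions of this example, not values stated by the DiVA documentation.

```python
"""DiVA-style scoring chain in Python (added example, not DiVA's own code).

From the page: LevelOfInterest_x = k_x / n_x; a vulnerability from the
self-assessment where "relevant" questions weigh more and "not applicable"
answers carry no weight; a likelihood averaging the CAPEC initial value with
the vulnerability; criticality = max(likelihood * vulnerability) over the
strategies that could compromise an asset; risk = criticality * impact.
Assumed here: relevant weight 2, answers as a countermeasure level in [0, 1],
a strategy above the agent's skill gets likelihood 0, Boston Square split 0.5.
"""
from dataclasses import dataclass

RELEVANT_WEIGHT = 2.0  # assumed weight of a "relevant" question (regular = 1)


def level_of_interest(answers):
    """k_x / n_x for one threat agent, as a percentage (answers: list of bool)."""
    return 100.0 * sum(1 for yes in answers if yes) / len(answers)


def vulnerability(questions):
    """Weighted share of missing countermeasures over the applicable questions.

    questions: list of (level, relevant); level is the countermeasure level in
    [0, 1], or None for the neutral "not applicable" answer, which is skipped.
    """
    gap = total = 0.0
    for level, relevant in questions:
        if level is None:
            continue
        weight = RELEVANT_WEIGHT if relevant else 1.0
        gap += weight * (1.0 - level)
        total += weight
    return gap / total if total else 0.0


@dataclass(frozen=True)
class AttackStrategy:
    name: str
    initial_likelihood: float  # CAPEC likelihood, scaled to [0, 1]
    required_skill: int        # greyed out when above the threat agent's skill
    vulnerability: float       # from the questions linked to this strategy


def likelihood(strategy, agent_skill):
    """CAPEC initial likelihood averaged with the vulnerability; 0 without the skill."""
    if strategy.required_skill > agent_skill:
        return 0.0
    return (strategy.initial_likelihood + strategy.vulnerability) / 2.0


def criticality(strategies, agent_skill):
    """Max of likelihood x vulnerability over the strategies that can hit the asset."""
    return max(likelihood(s, agent_skill) * s.vulnerability for s in strategies)


def risk(crit, impact):
    """Risk of an asset: its criticality multiplied by its impact."""
    return crit * impact


def boston_square(crit, impact, split=0.5):
    """Quadrant label for placing the asset on the impact/criticality square."""
    return ("high" if impact >= split else "low") + "-impact/" + (
        "high" if crit >= split else "low") + "-criticality"
```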