2. Plot the path of possible cyber attacks
You’ve identified your key risk scenarios. Now you need to map out what an attack would look like for each of them.
The secret here is going to the right level of detail. If you look at attacks at too high a level, you’ll overlook important factors. Go into too much detail and you risk expending too much time and effort, getting lost in the weeds and missing the forest for the trees.
An attacker-centric approach to threat modelling can help. It focuses on the tactics, techniques and procedures that threat actors use, and it covers threats whether or not they are malicious.
An effective technique to use for this is to create “attack trees”. Attack trees are logical, step-by-step diagrams that show which weaknesses attackers must exploit to reach their goal, such as maliciously encrypting data.
This logical model of the attack then enables you to assess the strength of your defensive controls at each stage.
Sounds a bit daunting? Not sure where to start? There are some great guides available that help simplify the process. For example, OWASP sets out some helpful initial questions that you can ask yourself:
What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good job?
Using attack trees to plot the path of potential cyber threats to your organisation enables you to build a library of relevant scenarios. These can then be reused in future assessments, saving time and letting you measure improvements in risk reduction.
It’s far quicker to adapt existing attack trees than to start from scratch each time.
This doesn’t need to be a labour-intensive activity. With a few people in a couple of hours, you’ll be able to quickly identify what really matters to measure.
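As an added example (not from this guide), the attack tree below models the “maliciously encrypting data” goal as AND/OR nodes whose leaves are the weaknesses an attacker must exploit, each tagged with the defensive control covering it. Evaluating the tree shows which attacker paths remain open and whether strengthening a single control closes the goal, which is the per-stage control assessment the text describes and the kind of reusable scenario it suggests keeping in a library. The leaf names, controls and effectiveness ratings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    """One step in an attack tree; LEAF nodes are the weaknesses an attacker must exploit."""
    name: str
    kind: str = "LEAF"             # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    control: Optional[str] = None  # defensive control covering this weakness, if any
    effective: bool = False        # is that control judged strong enough to block the step?

def is_open(node: Node) -> bool:
    """True if an attacker can still reach this node given the current controls."""
    if node.kind == "LEAF":
        return not node.effective
    outcomes = [is_open(c) for c in node.children]
    return all(outcomes) if node.kind == "AND" else any(outcomes)

def open_paths(node: Node) -> List[List[str]]:
    """Every remaining attacker path to this node, as lists of unmitigated leaf names."""
    if node.kind == "LEAF":
        return [[node.name]] if is_open(node) else []
    child_paths = [open_paths(c) for c in node.children]
    if node.kind == "OR":                      # any one branch suffices
        return [p for paths in child_paths for p in paths]
    paths: List[List[str]] = [[]]              # AND: one open path per child is needed
    for cp in child_paths:
        if not cp:
            return []
        paths = [a + b for a in paths for b in cp]
    return paths

def build_example_tree() -> Node:
    """Constructed illustration (not real data) of the 'maliciously encrypt data' goal."""
    def leaf(n, c=None, ok=False):
        return Node(n, control=c, effective=ok)
    return Node("Maliciously encrypt data", "AND", [
        Node("Gain initial access", "OR", [
            leaf("Phishing steals user credentials", "MFA on remote logins", True),
            leaf("Exposed remote access service", "Patch SLA", False)]),
        leaf("Run encryption on endpoints", "Application allow-listing", False),
        Node("Recovery unavailable", "OR", [
            leaf("Backups deleted by attacker", "Immutable backups", True),
            leaf("Backups never tested")])])

if __name__ == "__main__":
    for path in open_paths(build_example_tree()):
        print(" -> ".join(path))   # one line per remaining attacker path
```

Re-running the evaluation after changing an `effective` flag is how an existing tree gets adapted for a follow-up assessment instead of being rebuilt from scratch.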