The new version of ISO 27001:2022 has a new control: Threat Intelligence.
It's a sign that certification bodies are starting to expect more from businesses.
What Can a Stolen Handbag Teach Us About Threats?
Last week my wife's handbag was stolen.
We were visiting family for a birthday, and we made a mistake.
The car was left unlocked.
We came back to find every compartment had been rifled through. Every coin had been taken… along with my wife's handbag, purse, iPad, and phone.
It's not the first time we've made this mistake.
But it is the first time we've had valuables taken.
So why this time? What changed?
Or, more accurately, the threat.
Risk and Threat Are Linked
Risk is a central part of cybersecurity and business.
Nothing is guaranteed, so in cybersecurity, we balance the likelihood of something bad happening with the impact it will cause.
Commonly, this is presented as the quasi-formula:
risk = probability x impact
At first glance, this seems useful. But when you look closer, follow-up questions start to arise: how do I calculate the probability of the bad thing happening?
The typical answers you'll receive to this question are:
- Use a rule-of-thumb to estimate based on past experience
- Follow the wisdom of the crowd by asking many people to estimate
But there's a different way. Consider threats and opportunities.
Threat is something that defence and intelligence analysts deal with daily. They're taught:
threat = capability x intent
The idea is that if someone or something can inflict harm and has the intention to do so, then they are a high threat. Similarly, if they are incapable of taking action or don't care to, they are a lesser threat.
But being a threat is insufficient. A situation or opportunity needs to arise that will crystallise the threat into action. And so, a more advanced risk equation used in defence and intelligence analysis is:
risk = (capability x intent x opportunity) x impact
Taking away capability, intent or opportunity reduces the likelihood of a risk occurring. If you watch international news closely, you'll see that most activities are designed to reduce one of these three in some way.
How Do I Judge Threats?
Put simply, by using threat intelligence.
You can collect, refine and assess threats on your own. However, most businesses will subscribe to one or more threat intelligence services or feeds. And the most critical factor is using this information to improve your security.
Threat intelligence is generally categorised at three levels:
- Strategic - Broad trends and high-level information about the threat landscape, often produced for non-technical audiences.
- Tactical - Information on the tools and techniques used in attacks, likely to be technical in nature.
- Operational - Deeply technical information about specific attacks and campaigns that are currently taking place.
In cybersecurity, threat intelligence often looks like:
- Strategic - Data Breach Index Report - What is happening in cybercrime?
- Tactical - Operating system and application security patches.
- Operational - Updating signatures in EDR and identifying lost or stolen usernames and passwords.
And so, What of the Handbag?
At a strategic threat level, we were in a place where inflation and the cost of living crisis are having a significant impact, compounding the historic substance abuse problems that are common in the area. (The inside of the car smelled like a distillery after seemingly only a few moments of compromise.) This increases intent, often out of desperation.
At a tactical threat level, 40 years of experience in the area tells me that cars are commonly targeted for petty crime. The efficiency in emptying every compartment, including the ones I didn't know existed, was an oddly impressive capability.
And, of course, the mistake of leaving the car unlocked provided the opportunity. But for this mistake, the handbag would not have been stolen.
And so, the action we should have taken to reduce the threat...
Double check the car was locked to remove the opportunity.