What Is a Threat Profile?
The CyberGRX platform provides a Framework Mapper feature on all company profiles that enables users to map their third parties' or their own completed CyberGRX assessment to other control frameworks. This includes industry-standard control frameworks (e.g., NIST, ISO, CMMC), as well as CyberGRX-developed Threat Profiles that aim to highlight users' specific vulnerabilities or impacted controls in the wake of real-world cyber attacks.
Framework Mapper in Company Profile:
CyberGRX is dedicated to delivering real-time insights around recent cyber events to help our users quickly identify potential risks and prioritize follow-up activities, which is critical to minimizing the impact of these attacks. To date, CyberGRX has provided Threat Profiles around a myriad of cyber events including SolarWinds, Kaseya Ransomware, Hafnium, Log4j and more.
How Does CyberGRX Develop Threat Profiles?
- Identify the Threat: First, we must identify and track all formal and alternative names attributed to an event to ensure we are adequately and accurately updating our knowledge about the threat as more information becomes available.
- Classify the Threat: It is important to distinguish proof-of-concept threats from actively exploited attacks and campaigns that combine attacks to achieve larger goals. This ensures the resulting Threat Profile mapping is narrowly focused on the specific event and the insights it enables are tailored to users' immediate needs. This also helps us identify additional Threat Profiles needed, if and when previously mapped events become part of larger attack scenarios.
- Track the Threat: Dedicated CyberGRX resources follow ongoing security research into a threat as it evolves. Sources of this research include applicable CVEs, detection rules from SIEM, XDR and EDR platforms, as well as disclosures from the affected companies, software or open source projects.
- Identify MITRE ATT&CK Techniques: CyberGRX employs the MITRE ATT&CK Framework to identify findings. In the event of a cyber attack, we identify techniques that align with the TTPs discussed in the ongoing threat research. When vulnerabilities have previously been disclosed in a CVE, this effort includes cross-referencing its description and references with candidate MITRE techniques to determine applicability.
- Maintain Updated Techniques List: The above-mentioned effort is ongoing in the days and weeks following a cyber event to ensure our technique list remains aligned with those disclosed by other researchers. CyberGRX is also diligent in ensuring the technique list is as comprehensive as possible, even as the threat evolves and additional techniques become applicable as new CVEs are discovered and assigned.
- Identify Primary CyberGRX Controls: Once the MITRE ATT&CK techniques are known, we must identify which controls within the CyberGRX Assessment are critical to the prevention and/or the mitigation of those techniques. This effort yields the primary controls list used during scoring analysis.
- Identify Supporting CyberGRX Controls: For each primary control we must also identify the supporting controls that help ensure better performance. For example, patching-related controls can be supported by asset-related controls, which help ensure all affected systems are identified and verified.
- Develop New Framework: Finally, the CyberGRX team compiles all the information and knowledge gathered through the steps listed above into a custom control framework where each 'custom control' reflects a MITRE Technique used in the commission of the threat.
- Continual Monitoring: With the development and delivery of any Threat Profile, CyberGRX is dedicated to the continual monitoring of the threat so that we can adjust our output based on emerging findings, as they become available.
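
The mapping steps above (techniques, then primary controls, then supporting controls, compiled into one custom control per technique) can be sketched as follows. This is an added example, not CyberGRX code: the control names, the sample assessment and the gap/weakened/covered rating rule are assumptions made for illustration, and only the MITRE ATT&CK technique IDs are real.

```python
# Added illustration: control names and the rating rule are assumptions,
# not CyberGRX's actual control set or scoring method.

# Technique ID -> primary controls that prevent or mitigate it (constructed).
PRIMARY = {
    "T1190": ["patch-management", "web-application-firewall"],  # Exploit Public-Facing Application
    "T1059": ["application-allowlisting"],  # Command and Scripting Interpreter
    "T1105": ["egress-filtering"],  # Ingress Tool Transfer
}
# Primary control -> supporting controls that make it effective (constructed).
SUPPORTING = {
    "patch-management": ["asset-inventory", "vulnerability-scanning"],
    "egress-filtering": ["network-monitoring"],
}

def build_framework(primary, supporting):
    """Compile one custom control per technique, with its control lists."""
    framework = {}
    for technique, controls in primary.items():
        support = sorted({s for c in controls for s in supporting.get(c, [])})
        framework[technique] = {"primary": list(controls), "supporting": support}
    return framework

def rate(framework, assessment):
    """Rate each custom control; unanswered controls count as not implemented.

    Assumed rule: any missing primary control is a 'gap'; a missing
    supporting control alone is 'weakened'; otherwise 'covered'.
    """
    report = {}
    for technique, ctl in framework.items():
        no_primary = [c for c in ctl["primary"] if not assessment.get(c, False)]
        no_support = [c for c in ctl["supporting"] if not assessment.get(c, False)]
        status = "gap" if no_primary else "weakened" if no_support else "covered"
        report[technique] = {"status": status, "missing": no_primary + no_support}
    return report

# Constructed assessment answers for a hypothetical third party.
SAMPLE_ASSESSMENT = {
    "patch-management": True, "web-application-firewall": True,
    "asset-inventory": False, "vulnerability-scanning": True,
    "application-allowlisting": False,
    "egress-filtering": True, "network-monitoring": True,
}

if __name__ == "__main__":
    report = rate(build_framework(PRIMARY, SUPPORTING), SAMPLE_ASSESSMENT)
    for technique, row in report.items():
        print(technique, row["status"], row["missing"])
```

In the sample, patching is in place but the asset inventory behind it is not, so the technique it covers is reported as weakened rather than covered, which is the primary/supporting distinction the process draws.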