Welcome » IT Booklets » Information Security » III Security Operations » III.A Threat Identification and Assessment
Management should do the
Threat identification and assessment involves discovering knowledge
about threat sources and vulnerabilities and analyzing the
potential for exploitation. This is much more focused than the risk
identification process described in the "Risk Identification"
section of this booklet. Information gained from threat
identification and assessment should be used in risk assessment and
response to drive protective and detective strategies and tactics.
Strategies involve the information security program's policies,
standards, and procedures, and the implementing technologies.
Examples of tactics include threat signatures used for incident
identification and management of threat behaviors. NIST notes that
types of threat sources include the following:
Management should develop procedures for obtaining, monitoring,
assessing, and responding to evolving threat and vulnerability
information. The identification of threats involves the sources of
threats, their capabilities, and their objectives. Information
about threats generally comes from government (e.g., US-CERT),
information-sharing organizations (e.g., FS-ISAC), industry
sources, the institution, and third parties. Third-party
information may be from organizations that specifically track and
report on threats or from third-party reports of past activity.
Some of those reports compile knowledge from incidents reported by
many organizations worldwide. Different types of information
supporting an assessment may be available through the
The availability of threat information is often ad hoc, although
some providers present threat information within a defined
framework that readily lends itself to analytical operations. By
using a threat taxonomy, the institution may greatly reduce the
complexity of threat assessment and enable efficient understanding
of reasonable risk mitigations. Specific factors in the threat
assessment may include a description, context for operation,
capabilities and intent, and, from the threat-source perspectives,
benefits and negative consequences associated with an attack.
Knowledge of threat sources is especially important to help
identify vulnerabilities. Vulnerabilities can occur in many areas,
such as the system design, the system operation, security
procedures, business line controls, and the implementation of the
system and controls. Self-assessments, audits, scans, penetration
tests, and reviews of SIEM reports can identify vulnerabilities.
Additionally, external individuals or groups can identify
Tools for analyzing vulnerabilities in a layered security
environment include attack trees, event trees, and kill chains.
These tools attempt to model an attacker's actions to enable
identification of the most effective and efficient remediation
Once a threat is identified and potential vulnerabilities are
assessed, the significance of the threat should trigger a response.
The response should be commensurate with the risk posed by the
threat and should include remediation options. Management should
design policies to allow for immediate and consequential threats to
be dealt with expeditiously, while less significant threats are
addressed as part of a broader risk management process. When
management receives vulnerability information from external
individuals or groups, management should have appropriate processes
and procedures to evaluate the credibility of the information to
appropriately address it.