III.A     Threat Identification and Assessment

Action Summary

Management should do the following:

  • Identify and assess threats.
  • Use threat knowledge to drive risk assessment and response.
  • Design policies to allow immediate and consequential threats to be dealt with expeditiously.

Threat identification and assessment involves discovering knowledge about threat sources and vulnerabilities and analyzing the potential for exploitation. This is much more focused than the risk identification process described in the "Risk Identification" section of this booklet. Information gained from threat identification and assessment should be used in risk assessment and response to drive protective and detective strategies and tactics. Strategies involve the information security program's policies, standards, and procedures, and the implementing technologies. Examples of tactics include threat signatures used for incident identification and management of threat behaviors. NIST notes that types of threat sources include the following:

  • Hostile cyber or physical attacks.
  • Human errors of omission or commission.
  • Structural failures of organization-controlled resources (e.g., hardware, software, and environmental controls).
  • Natural and man-made disasters, accidents, and failures beyond the control of the organization.NIST SP 800-30, revision 1, " Information Security: Guide for Conducting Risk Assessments," September 2012.

Management should develop procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability information. The identification of threats involves the sources of threats, their capabilities, and their objectives. Information about threats generally comes from government (e.g., US-CERT), information-sharing organizations (e.g., FS-ISAC), industry sources, the institution, and third parties. Third-party information may be from organizations that specifically track and report on threats or from third-party reports of past activity. Some of those reports compile knowledge from incidents reported by many organizations worldwide. Different types of information supporting an assessment may be available through the following:

  • Incident data from reports published by security providers and others.
  • Attack data from sources including FS-ISAC and managed security service providers.
  • Threat data through reports available either free or for a fee.

The availability of threat information is often ad hoc, although some providers present threat information within a defined framework that readily lends itself to analytical operations. By using a threat taxonomy, the institution may greatly reduce the complexity of threat assessment and enable efficient understanding of reasonable risk mitigations. Specific factors in the threat assessment may include a description, context for operation, capabilities and intent, and, from the threat-source perspectives, benefits and negative consequences associated with an attack.

Knowledge of threat sources is especially important to help identify vulnerabilities. Vulnerabilities can occur in many areas, such as the system design, the system operation, security procedures, business line controls, and the implementation of the system and controls. Self-assessments, audits, scans, penetration tests, and reviews of SIEM reports can identify vulnerabilities. Additionally, external individuals or groups can identify vulnerabilities.

Tools for analyzing vulnerabilities in a layered security environment include attack trees, event trees, and kill chains. These tools attempt to model an attacker's actions to enable identification of the most effective and efficient remediation options.

Once a threat is identified and potential vulnerabilities are assessed, the significance of the threat should trigger a response. The response should be commensurate with the risk posed by the threat and should include remediation options. Management should design policies to allow for immediate and consequential threats to be dealt with expeditiously, while less significant threats are addressed as part of a broader risk management process. When management receives vulnerability information from external individuals or groups, management should have appropriate processes and procedures to evaluate the credibility of the information to appropriately address it.


Previous Section
III Security Operations
Next Section
III.B Threat Monitoring