Incorporating Threat Intelligence into Cyber Risk Scoring

[Figure: threat-intel-findings]

Most approaches to cyber security risk scoring are based on findings on assets against various defect checks, e.g. vulnerabilities, compliance and configurations. With the growing availability of threat intelligence, this risk scoring should be enhanced to incorporate threat intelligence so that known threats can be taken into account.

The diagram above shows the relationship between findings and threat intelligence. Threat campaigns employ various TTPs that utilize a certain set of exploit targets. These exploit targets can be any combination of vulnerabilities, weaknesses or misconfigurations, i.e. the defect checks that are assessed in the findings. Thus, each defect check or finding should be scored to take into account known threats that utilize the weakness, vulnerability or misconfiguration in each finding as exploit targets. A few colleagues and I have come up with the following formula to do this:
[Figure: findings-threat-formula]

  • D = Defect check being scored
  • n = Number of threats that have defect check D as an Exploit Target
  • T_i = Weight of Threat_i
  • K_i = Number of assets that are known to be exploitable by Threat_i
  • U_i = Number of assets that are potentially exploitable by Threat_i
  • a = Weight applied to K, constant value greater than b
  • b = Weight applied to U, constant value less than a

An asset is known to be exploitable by a threat if it fails all of the defect checks required for exploit by that threat. E.g. if a threat requires failures in three defect checks for exploit and the asset fails all three defect checks, then that asset is known to be exploitable; or, if a threat requires a failure in any one of the defect checks for exploit and the asset fails one of those defect checks, then it is also known to be exploitable. An asset is potentially exploitable by a threat if it fails some of the defect checks required for exploit by that threat.
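The classification rules above, as an added Python example that is not part of the original post: for a defect check D it finds the threats that use D as an exploit target and counts K_i and U_i for each. The names `Threat`, `classify` and `counts_for_defect`, the `needs_all` flag and all sample data are hypothetical and constructed for illustration; the example stops at the inputs T_i, K_i and U_i and does not combine them into a score.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:                     # hypothetical structure, not from the post
    name: str
    weight: float                 # T_i
    checks: frozenset             # defect checks used as exploit targets
    needs_all: bool               # True: all checks must fail; False: any one suffices

def classify(failed, threat):
    """Label one asset against one threat: 'known', 'potential' or 'none'."""
    hits = threat.checks & failed
    if not hits:
        return "none"             # fails none of the threat's defect checks
    if not threat.needs_all or hits == threat.checks:
        return "known"            # exploit requirement fully met
    return "potential"            # fails some, but not all, required checks

def counts_for_defect(defect, threats, assets):
    """Return {threat name: (T_i, K_i, U_i)} for the threats targeting `defect`."""
    out = {}
    for t in threats:
        if defect not in t.checks:
            continue              # threat does not use D as an exploit target
        labels = [classify(failed, t) for failed in assets.values()]
        out[t.name] = (t.weight, labels.count("known"), labels.count("potential"))
    return out

# Constructed sample data: threat definitions and failed checks per asset.
THREATS = [
    Threat("campaign-A", 3.0, frozenset({"CHK-1", "CHK-2", "CHK-3"}), True),
    Threat("campaign-B", 1.0, frozenset({"CHK-2", "CHK-4"}), False),
    Threat("campaign-C", 2.0, frozenset({"CHK-5"}), True),
]
ASSETS = {
    "web-01": {"CHK-1", "CHK-2", "CHK-3"},
    "web-02": {"CHK-2"},
    "db-01": {"CHK-4", "CHK-5"},
    "db-02": set(),
}

if __name__ == "__main__":
    for d in ("CHK-1", "CHK-2", "CHK-5"):
        print(d, counts_for_defect(d, THREATS, ASSETS))
```

Note that a threat satisfied by any one failed check never yields a "potential" asset: a single failure already makes the asset known to be exploitable, so U_i is only non-zero for threats that require several failures together.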

The end result is a numeric score that is assigned to each defect check. The absolute value of the score itself is not important as the objective is to enable a relative comparison of defect checks so that those defect checks with more known threats that exploit them can be given a higher priority. Of course, whether or not you are able to (or should) do this depends on the quality and completeness of your threat intelligence.