System properties to consider for defender – aka How to deal with attackers/vulnerabilities/threats/risks


    Posted Nov 26, 2020 09:24:00 AM

    I have been looking at threat and risk modelling a lot recently. One aspect of this is looking at the various major properties of system defenses. I think at the meta level there are 5 primary properties, please note that specific system components and processes can of course provide more than 1 of these properties (indeed some provide all 5).

    The reason for labelling and using these 5 primary properties is that it allows us to more easily classify and determine the effectiveness of the technical and process controls and technologies that we use to protect systems from attackers. These properties also follow a natural progression that starts with keeping the attacker out and ends in system recovery after everything has gone wrong. As such they can help guide us: for example, if a system MUST have confidentiality, then we will want to focus on keeping the attacker out and limiting the attacker's ability to exfiltrate data.

    The 5 main properties are:

    Neutralize - You can neutralize the vulnerability, patching it, workaround, etc. The major aspect of neutralize is that you try to prevent attackers from having the ability to exploit vulnerabilities.

    Detect - You can detect exploitation and then trigger a response (automated/human/both). The major aspect of detect is that you accept that attackers will exploit vulnerabilities and get in, so you detect and trigger a response in order to deal with it.

    Limit - You can limit the impact of exploitation of the vulnerability (e.g. by implementing least privilege across your system). The major aspect of limit is that you accept that attackers will exploit vulnerabilities and get in, and you minimize the impact where possible.

    Forensic - You can log and record information for later use. The major aspect of forensics is that you accept that attackers will exploit vulnerabilities and get in; you want to be able to determine what happened and how, and to know which systems need recovery so you can return the system to a known good state.

    Recovery - You can implement technology and processes to aid in recovery (backups, etc.). The major aspect of recovery is that you accept that attackers will exploit vulnerabilities and get in, and you want to be able to return the system to a known good state.

    Some simple examples would be:

    • Patching CVE vulnerabilities (Neutralization)
    • Using an IDS/IDP system to both prevent incoming data from containing XSS strings (Neutralization), detect and block outgoing strings containing XSS (Detect leading to Neutralization and/or Limit) and logging of all queries (Forensics)
    • System backups can be used for both forensics (assuming you backed up the system after it got hacked) and for system recovery

    I think these 5 properties embody the main things a defender cares about, but I could of course be wrong. If you have any thoughts or comments please reply here!



    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    [email protected]
    ------------------------------
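As an added illustration of how the 5 properties can be used to classify a control set and spot gaps (example code written for this page, not the poster's own), the script below tags each control with the properties it provides, reports which of the 5 are uncovered, and flags the uncovered ones that matter most for a given requirement. The only emphasis mapping taken from the post is confidentiality -> Neutralize and Limit; the control names and their tags are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# The 5 defender properties, in the post's order (keep out ... recover).
PROPERTIES: Tuple[str, ...] = ("Neutralize", "Detect", "Limit", "Forensic", "Recovery")

# Which properties a requirement leans on. Only the confidentiality entry
# follows the post (keep the attacker out, limit exfiltration); add others
# for your own system as needed.
EMPHASIS: Dict[str, Tuple[str, ...]] = {
    "confidentiality": ("Neutralize", "Limit"),
}


@dataclass(frozen=True)
class Control:
    """A technical or process control and the properties it provides."""
    name: str
    provides: FrozenSet[str]

    def __post_init__(self) -> None:
        unknown = self.provides - set(PROPERTIES)
        if unknown:  # reject typos such as "Forensics" vs "Forensic"
            raise ValueError(f"{self.name}: unknown properties {sorted(unknown)}")


def coverage(controls: Iterable[Control]) -> Dict[str, List[str]]:
    """Map each property to the (sorted) names of controls that provide it."""
    controls = list(controls)
    return {p: sorted(c.name for c in controls if p in c.provides) for p in PROPERTIES}


def gaps(controls: Iterable[Control], requirement: str) -> Dict[str, List[str]]:
    """Properties no control provides, and the subset critical for `requirement`."""
    cov = coverage(controls)
    missing = [p for p in PROPERTIES if not cov[p]]
    critical = [p for p in EMPHASIS.get(requirement, ()) if p in missing]
    return {"missing": missing, "critical": critical}


# Constructed sample control set built from the post's own examples: a single
# IDS/IPS component provides 4 of the 5 properties, patching provides 1.
SAMPLE_CONTROLS: List[Control] = [
    Control("patching", frozenset({"Neutralize"})),
    Control("ids", frozenset({"Neutralize", "Detect", "Limit", "Forensic"})),
]

if __name__ == "__main__":
    print(coverage(SAMPLE_CONTROLS))
    print(gaps(SAMPLE_CONTROLS, "confidentiality"))
```

Adding a backups control tagged with Forensic and Recovery closes the remaining gap in the sample set.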