Using FAIR with CTI – Some key definitions
This post won’t cover all the Factor Analysis of Information Risk (FAIR) definitions. It will provide the ones I think are vital for using FAIR with Threat Intelligence (TI) and Cyber Threat Intelligence (CTI). I’m paraphrasing several sources, but it’s the way I understand the definitions I learned over the years. If you want in-depth/exact definitions from my sources, for FAIR, look up: Measuring and Managing Information Risk, The Open Group’s Open FAIR Risk Taxonomy and Risk Analysis whitepapers, and the RiskLens FAIR study guide (provided as part of the course). For Threat Intelligence, look up: Effective Threat Intelligence, and Intelligence Analysis, 6th edition.
As I said last time, FAIR doesn’t use definitions the same way the Information Technology or Cyber Security communities do. In Measuring and Managing Information Risk: A FAIR Approach, the authors, Jack Freund and Jack Jones, point that out. They also point out why it is a problem. When Cyber Security leaders are talking about risk, they’re using the same words, but not in the way that the Insurance industry, or even most Business people understand them. This confusion in terms is most likely one of the reasons why it is hard to secure a company’s Information Systems.
First, let’s define what Threat Intelligence and Cyber Threat Intelligence are. We’ll break them down into smaller parts and then put them together. Some of these are going to contain terms that will get defined later.
Threat – I’m going to use the FAIR definition for this one. A threat is someone, some group, or something that can take independent action to change the value or liability related to an asset. One of the keys here is “independent action.” The majority of these will be people or groups, but things can be threats. A blizzard could be considered a threat: it can damage buildings (too much snow on the roof) or cause power outages that impact the availability of things. A blizzard can do other things, too; those were quick examples.
Intelligence – Providing timely actionable information to decision-makers to reduce uncertainty in their decision-making process.
Cyber – I like my Cyber Crime I professor’s definition on this one. The act of using an information technology system (computer, internet, phone, etc.) to do things. For example, Cyberstalking is still stalking but makes use of a computer. Cyber extortion is still extortion but uses the computer and the internet to deliver the extortion message. Cyber fraud is still fraud but uses the computer and internet to defraud the victim.
So, using the above:
Threat Intelligence – Is providing decision-makers timely actionable information about people or things that can take independent action against the company’s assets in a way that changes their value to the company.
Cyber Threat Intelligence – Threat Intelligence about people, and in some cases, automated malware that takes action against the assets while using Information Technology systems.
Moving to the FAIR based definitions:
Asset – Something that has a monetary value or can increase company liability (money spent, also known as operational costs).
Contact Frequency – How often a threat comes into contact with an asset over a given time span. There are three types: random contact, regular contact, and intentional contact.
Random contact is when the threat randomly comes into contact with an asset, like the blizzard that collapses the roof of the data center.
Regular contact is when the threat interacts with the system regularly, like a system admin doing daily backups.
Intentional contact is when the asset is specifically sought out, like someone scanning the network for Cross-Site Scripting flaws.
Loss Event – When an asset’s value or liability is changed due to a threat’s actions. The loss event is tied to confidentiality, integrity, availability, monetary value, or actual money.
Loss Event Frequency – The number of times a threat successfully changes an asset’s confidentiality, integrity, availability, or financial impact over a given time span.
Loss Magnitude – The amount of money spent across the six loss forms that FAIR tracks: Production, Response, Replacement, Competitive Advantage, Fines and Judgements, and Reputation. Those forms are not covered in detail here. Loss forms are tracked for the Primary Stakeholder (the company) or Secondary Stakeholders (people who do business with the company). Not part of what goes into CTI’s area of influence, but nice to know.
Probability of Action – How likely is a Threat to act against an asset. Probability of Action is based on the threat’s perceived value of the targeted asset, the level of effort of the contact, and personal risk.
Resistance Strength / Difficulty – A sliding scale related to the controls used to protect an asset. Making the asset more secure / harder to exploit increases its Resistance Strength / Difficulty, requiring a higher Threat Capability.
Risk – The amount of money expected to be lost/spent due to Loss Events over a given time frame. Risk is typically measured on an annual scale. In Incident Response, it is the amount of money spent due to a loss event.
Threat – See the definition used in the Intelligence section above.
Threat Capability (Tcap) – The knowledge and experience (skills) of a threat and the time and materials (resources) they can use. Tcap is used as a sliding scale to show how capable a threat is.
Threat Community – A collection of threats with shared characteristics and shared controls against their attacks. Typically broken into Nation-State, Organized Crime, and Script Kiddie / Hacktivist groupings.
Threat Event Frequency – The number of times a threat takes action against an asset, regardless of success in the action over a given time span.
Threat Library / Threat Agent Library – A collection of Threat Profiles.
Threat Profile – A table that describes a threat or threat community and its observed characteristics. TTPs are not included in the FAIR version; the version I will be talking about in the future, designed to help more than the Risk Management team, will include them.
Vulnerability – How susceptible an asset is to a threat’s actions; it is measured on a scale comparing Tcap to Resistance Strength. This definition is entirely different from how IT uses the word, which is to describe a flaw a threat can exploit.
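To show how the FAIR terms above fit together, here is an added example (not from the post or from any FAIR source) that wires them into a small model. It assumes the standard FAIR decomposition, which the post does not spell out: Threat Event Frequency = Contact Frequency × Probability of Action, Vulnerability = P(Tcap > Resistance Strength), Loss Event Frequency = TEF × Vulnerability, and Risk = LEF × Loss Magnitude. Tcap and Resistance Strength are modeled as percentile scores (0–100), with Tcap as a uniform range; the threat communities and numbers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ThreatProfile:
    """One row of a Threat Library: a threat community and its characteristics."""
    name: str
    contact_frequency: float      # contacts with the asset per year
    probability_of_action: float  # 0..1, chance a contact turns into an attempt
    tcap_low: float               # Threat Capability, lower bound (percentile 0..100)
    tcap_high: float              # Threat Capability, upper bound (percentile 0..100)


@dataclass
class AssetScenario:
    """The targeted asset with its Resistance Strength and expected Loss Magnitude."""
    name: str
    resistance_strength: float    # percentile 0..100, higher = harder to exploit
    loss_magnitude: float         # expected money lost per loss event (currency units)


def threat_event_frequency(t: ThreatProfile) -> float:
    """Attempts per year, regardless of success (TEF = CF x PoA)."""
    return t.contact_frequency * t.probability_of_action


def vulnerability(t: ThreatProfile, a: AssetScenario) -> float:
    """P(Tcap > Resistance Strength), with Tcap uniform on [tcap_low, tcap_high]."""
    if t.tcap_high <= t.tcap_low:  # point estimate: either above RS or not
        return 1.0 if t.tcap_low > a.resistance_strength else 0.0
    fraction_above = (t.tcap_high - a.resistance_strength) / (t.tcap_high - t.tcap_low)
    return max(0.0, min(1.0, fraction_above))


def loss_event_frequency(t: ThreatProfile, a: AssetScenario) -> float:
    """Successful attempts per year (LEF = TEF x Vulnerability)."""
    return threat_event_frequency(t) * vulnerability(t, a)


def annual_risk(t: ThreatProfile, a: AssetScenario) -> float:
    """Expected annual loss in currency units (Risk = LEF x Loss Magnitude)."""
    return loss_event_frequency(t, a) * a.loss_magnitude


# Constructed sample data: two threat communities against one scope scenario.
ORG_CRIME = ThreatProfile("Organized Crime", contact_frequency=52, probability_of_action=0.5,
                          tcap_low=40, tcap_high=90)
SCRIPT_KIDDIE = ThreatProfile("Script Kiddie", contact_frequency=365, probability_of_action=0.8,
                              tcap_low=10, tcap_high=50)
CUSTOMER_DB = AssetScenario("Customer database", resistance_strength=70, loss_magnitude=250_000)


def rank_threats(threats, asset):
    """Return (name, annual risk) pairs, highest risk first, for a risk register."""
    return sorted(((t.name, annual_risk(t, asset)) for t in threats), key=lambda r: -r[1])
```

The ranking shows why Contact Frequency alone is a poor proxy for Risk: the Script Kiddie community contacts the asset far more often, but its Tcap never exceeds the asset's Resistance Strength, so its Vulnerability and Risk are zero.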
Other quick definitions:
Decision-Maker – The customer of TI/CTI. Anyone who needs additional information to remove uncertainty from their decision-making process. Typically they are considered business leaders trying to make strategic budget decisions, but it could be someone at the operational or tactical level needing more information on more immediate actions without financial expenditure.
Scope Scenarios – From FAIR, it’s a targeted asset, the threat community doing the targeting, the type of action the threat is doing, and effect/impact. There will be a future post on this in more detail.
Tactics, Techniques, and Procedures – The way a threat attempts to achieve its goals. A more detailed version of the Tcap information.
Victim Profile – A table that describes a victim and the victim’s characteristics.