Cybersecurity and Fraud Protection
Using a Threat Grid to Evaluate Cyberattack Intelligence
Amy Chang, Senior Threat Intelligence Analyst for Cybersecurity Operations, discusses how the firm assesses cybersecurity threats.
Amy Chang is a Senior Threat Intelligence Analyst for Cybersecurity Operations at the firm. She is responsible for collecting, analyzing and disseminating intelligence related to external threats to the firm. Chang also serves as a liaison to the Financial Systemic Analysis & Resilience Center, where she works closely with top financial institutions, US government partners and the intelligence community to identify and analyze threats to the financial sector.
Previously, Chang served as the Staff Director of the Asia and the Pacific Subcommittee for the US House of Representatives Committee on Foreign Affairs. She was responsible for federal oversight and legislation on political, security, and economic issues in the greater Indo-Asia-Pacific region. She is an Affiliate (Non-Resident) with the Belfer Center’s Cyber Security Project at the Harvard Kennedy School.
Q: Financial services firms are routinely targeted by cybercriminals. How does the firm assess and prioritize cyberthreats?
A: Our firm operates an internal Threat Intelligence organization that collects, analyzes and disseminates information related to cybersecurity threats to the firm and other institutions. Recently we developed a “threat grid” methodology used to profile and rank what the cybersecurity industry calls “threat actors,” “threat actor groups” and “threat groups.” These actors and groups are the entities responsible for cyberattacks.
The grid is an important tool because it allows us to rapidly process information, helps us to prioritize threats and enables us to take action to better defend the firm.
Q: What kinds of threat actors and threat actor groups are out there?
A: There are three major categories of threat actors. We call the first Advanced Persistent Threat (APT) groups, which are highly sophisticated actors with extensive funding. They possess significant research and development funding and logistical resources, and they are often sponsored by a nation-state. Typically motivated by nation-state interests, APT groups focus on espionage, surveillance, intellectual property or data theft, and disinformation campaigns.
Cybercriminal groups, a second category, have varying levels of planning and targeting skills. Some are highly organized and possess or are able to access sophisticated tools and technical and engineering skills. Typically they are motivated by financial gain, and their schemes may include ransomware attacks, extortion, credential stealing and various phishing and “vishing” scams.
Hacktivist groups, a third category, often use publicly available tools and scripts developed by others because they do not possess the resources, knowledge or skills to develop or re-engineer tools on their own. They are motivated by ideology and select their targets to achieve a vision of socioeconomic justice, drive a geopolitical or patriotic agenda, discredit authorities or seek attention.
Q: How do the grid and the threat-scoring process work?
A: It’s a two-step process based on technical capability and intent. We use the grid to create a profile of the threat actor or group, weigh their technical skills and resources against each of the seven stages of the Cyber Kill Chain®, and assign an overall capability score. Next we score their intent based on their key motivations such as financial gain, military and defense goals, or political influence.
Capability scores and intent scores range from one (low) to five (high). We multiply the capability score by the intent score to arrive at the overall threat score. The threat score ranks the threat actor or group and the magnitude of the threat they may pose.
Capability × Intent = Threat Score
For example, if a threat actor scores 4.25 for capability and 3 for intent, their threat score would be 12.75 out of a possible 25 points, which means it’s a moderate threat. The higher the score, the greater the threat.
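The scoring described in this answer, written out as a small Python model. This is an added illustration, not the firm's tooling or code: the seven stage names are the Lockheed Martin Cyber Kill Chain® stages, but the choice to derive the overall capability score as the mean of the per-stage ratings, the low/moderate/high bands, and the three sample actor profiles are all constructed assumptions for the example (the interview does not specify them).

```python
"""Added example: a minimal "threat grid" scorer (capability x intent).

Illustrative code written for this page, not the firm's own tooling. The
mean-of-stages aggregation, the threat bands and the SAMPLE_ACTORS profiles
are assumptions/constructed data, not figures from the interview.
"""
from dataclasses import dataclass, field
from statistics import mean

# The seven stages of the Lockheed Martin Cyber Kill Chain(R).
KILL_CHAIN_STAGES = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
)
SCORE_MIN, SCORE_MAX = 1, 5  # capability and intent are each rated 1 (low) .. 5 (high)


@dataclass
class ThreatActor:
    name: str
    category: str                  # "apt", "cybercriminal" or "hacktivist"
    stage_capability: dict         # kill-chain stage -> 1..5 rating of skills/resources
    intent: int                    # 1..5 rating of intent to act against the firm
    motivations: tuple = field(default_factory=tuple)


def _check_range(value, label):
    """Reject ratings outside the 1..5 scale instead of silently skewing a score."""
    if not SCORE_MIN <= value <= SCORE_MAX:
        raise ValueError(f"{label} must be {SCORE_MIN}..{SCORE_MAX}, got {value}")
    return value


def capability_score(actor):
    """Overall capability: mean of the per-stage ratings (assumed aggregation).

    Every stage must be rated: an unrated stage is an incomplete profile and is
    reported as such rather than treated as a zero, which would hide the gap.
    """
    missing = [s for s in KILL_CHAIN_STAGES if s not in actor.stage_capability]
    if missing:
        raise ValueError(f"{actor.name}: unrated kill-chain stages {missing}")
    return mean(_check_range(actor.stage_capability[s], f"{actor.name}/{s}")
                for s in KILL_CHAIN_STAGES)


def threat_score(actor):
    """Capability x Intent, on a 1..25 scale."""
    return capability_score(actor) * _check_range(actor.intent, f"{actor.name}/intent")


def threat_band(score):
    """Assumed bands (not given on the page): <8 low, 8..<16 moderate, >=16 high."""
    if score < 8:
        return "low"
    if score < 16:
        return "moderate"
    return "high"


def rank_actors(actors):
    """Return (name, capability, intent, threat score, band) rows, highest threat first."""
    rows = []
    for actor in actors:
        score = threat_score(actor)
        rows.append((actor.name, round(capability_score(actor), 2), actor.intent,
                     round(score, 2), threat_band(score)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


def _profile(*ratings):
    return dict(zip(KILL_CHAIN_STAGES, ratings))


# Constructed sample profiles (not real actors, not the firm's assessments).
SAMPLE_ACTORS = [
    ThreatActor("APT-Sample", "apt", _profile(5, 5, 4, 5, 5, 5, 4), intent=3,
                motivations=("espionage", "intellectual property theft")),
    ThreatActor("Crimeware-Sample", "cybercriminal", _profile(4, 4, 4, 4, 3, 3, 4), intent=5,
                motivations=("financial gain", "ransomware", "extortion")),
    ThreatActor("Hacktivist-Sample", "hacktivist", _profile(2, 1, 3, 2, 1, 2, 2), intent=4,
                motivations=("ideology", "attention")),
]

if __name__ == "__main__":
    for row in rank_actors(SAMPLE_ACTORS):
        print("{:<20} capability={:<5} intent={} threat={:<6} {}".format(*row))
```

Note what the ranking shows: the APT profile has by far the highest capability, yet the less capable cybercriminal profile ranks above it because its intent against the firm is rated higher. That is the point of multiplying the two scores rather than ranking on capability alone, and it is also why a geopolitical change that shifts an actor's intent should trigger a re-score even when its capability is unchanged.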
Q: What are the benefits of using a grid methodology?
A: The grid helps us monitor and prioritize cybersecurity threats facing the firm on an ongoing basis. It dynamically informs our cybersecurity program decisions—any significant cyber incident or geopolitical change will trigger a review of the actors involved—imparting effective intelligence.
We can home in on the actors or groups with the greatest potential to do harm, map the tactics they use and predict how they may employ those tactics against us. This information enables us to bolster our defenses and helps to protect our clients and the firm.
Q: How can clients benefit from the grid concept?
A: Clients benefit from the work that we do to help protect them and the firm. Though we would not expect them to use a threat grid, developing a similar methodology specific to their industry may help organizations assess threats particular to their sector.
It also may reveal gaps in an organization’s cybersecurity defenses and allow the organization to adjust and strengthen them in effective ways.