
Implementation Framework – Cyber Threat Prioritization


Troy Townsend
Jay McAllister

September 2013

CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE Implementation Framework – Cyber Threat Prioritization 4.1
Copyright 2013 Carnegie Mellon University

This material is based upon work funded and supported by ODNI under Contract
No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the
Software Engineering Institute, a federally funded research and development center
sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this
material are those of the author(s) and do not necessarily reflect the views of ODNI
or the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS.
CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED
TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY,
OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON
UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO
FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except
as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative
works from this material for internal use is granted, provided the copyright and “No
Warranty” statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification,
and freely distributed in written or electronic form without requesting formal
permission. Permission is required for any other external and/or commercial use.
Requests for permission should be directed to the Software Engineering Institute at
permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

DM-0000620

Implementation Framework – Cyber Threat Prioritization

Background

The Software Engineering Institute (SEI) Emerging Technology Center at
Carnegie Mellon University studied the state of cyber intelligence across
government, industry, and academia to advance the analytical capabilities
of organizations by using best practices to implement solutions for shared
challenges. The study, known as the Cyber Intelligence Tradecraft Project
(CITP), defined cyber intelligence as the acquisition and analysis of
information to identify, track, and predict cyber capabilities, intentions, and
activities to offer courses of action that enhance decision making.

A significant challenge that emerged from the CITP was the way in which
analysts prioritize cyber threats. The SEI team observed a diverse array of
approaches, from analysts relying on the media and third-party intelligence
service providers to using data-centric models based on a narrow scope
of factors.

When threat prioritization models are too narrow, they prevent analysts
from effectively monitoring the changes and evolution of the most relevant
and severe cyber threats. This hinders cyber intelligence and security
professionals from proactively implementing defenses to guard against
the latest attack trends and techniques. Among the CITP’s government
participants, most intelligence analysts prioritized cyber threats by the
likelihood of an actor executing an attack, which they quantified through
the summation of an actor’s sophistication (capability) measured against
their desire to target the organization (intent). The SEI team noted that as
these analysts transitioned to the private sector, so too did this approach.
Conversely, private sector CITP participants without experienced
government intelligence analysts tended to discount the utility of knowing
the threat actor and prioritized cyber threats by the impact attack methods
had on the organization or the risk attack methods posed because of the
organization’s known vulnerabilities.

This Cyber Threat Prioritization Implementation Framework leverages the
best practices of CITP participants and SEI expertise to offer a holistic
approach to prioritizing cyber threats using a customized, tiered threat
prioritization framework. The framework breaks down cyber threats into
three core components: the likelihood of threat actors executing attacks,
the impact threats have on an organization’s business, and the risk threats
pose because of an organization’s known vulnerabilities. By assessing
threats according to these components, analysts come to fully understand
the causes and effects of relevant threats, which significantly improves
the efficiency of their organization’s cyber intelligence efforts because
they have the necessary context to accurately align analytical and
security resources to the current and future cyber attacks posing the most
legitimate threats to the organization. Instead of prioritizing a cyber threat
solely on the capability and intent of threat actors, the framework enables
analysts to see the utility of also understanding the threat’s relevance to
their organization, strengthening their threat prioritization as they come to
realize that a somewhat capable actor with a desire to deface websites
should not be considered in the same category as a highly capable actor
intent on extracting confidential, strategic documents for extortion or
blackmail.

[Figure: spider graph key for the component graphs on the following pages. Each graph carries the title of the threat component; a description and example from a CITP participant; the threat component (likelihood, impact, or risk) and its description; each element of the threat component and its description; each sub-element and its description; the factors of each sub-element, each with an example; and Indicators of Success, i.e., examples of how assessing threats according to this element and its sub-elements and factors augments an analyst’s cyber intelligence capabilities.]

Implementation

Here’s how analysts can leverage the Cyber Threat Prioritization Implementation Framework to augment their organization’s cyber intelligence efforts:

1. Adopt these definitions:
   Threat = Likelihood + Impact + Risk
   Likelihood = Capability + Intent
   Impact = Operations + Strategic Interests
   Risk = People + Cyber Footprint

2. Become familiar with the provided spider graphs to gauge the factors that comprise each of the three threat components.

3. Identify cyber threats using the three core components of a threat.
   Examples:
   Likelihood: Threat actors - State-sponsored, competitors, criminals, hactivists, recreational hackers
   Impact: Attack types - distributed denial-of-service (DDoS), stealing intellectual property (IP), damaging/incapacitating network assets
   Risk: Known vulnerabilities - High-profile employees, unpatched devices, unsecured remote access

4. Assess the likelihood, impact, and risk of the cyber threats. Use the factors and sub-elements in each threat component’s spider graph to rate the corresponding elements as a low, medium, or high priority attribute of the threat. The average of these ratings then determines the likelihood, impact, and risk of the threat, which combine to indicate whether it should be considered a low, medium, or high priority threat.
   Example: An organization wants to know how it should prioritize its analytical and network defense efforts for a possible recreational hacker DDoS attack on the organization’s secure payment site. Analysis indicates the likelihood of the recreational hacker executing the attack is high due to his attack methods and resources. However, the impact of the DDoS attack is assessed as low because the secure payment site has minimal impact on the organization’s operations and strategic interests due to it still being in internal beta testing. This also means the risk associated with the attack is low because of the secure payment site’s limited interaction with people and cyber footprint. Therefore, this threat, which initially appeared to be a high priority, now can be classified as a medium to low threat requiring minimal analytical and network defense attention.
   Note: Always factor timing into the threat prioritization assessment. When a threat actor or organization does something can be just as important as why or how. A threat actor may have no desire to target an organization, but since it is a national holiday, the organization becomes a target of opportunity for the actor to test a new tool simply because none of its network security employees are at work.

5. Plot all threats for each component on graphs similar to the following:

   [Figure: three quadrant graphs. Likelihood (by threat actor) plots Capability against Intent; Impact (to organization) plots Strategic Interests against Operations; Risk (by known vulnerabilities) plots People against Cyber Footprint. In each graph the quadrants read Low, Medium, Medium, High from the lowest to the highest corner.]

• Use all three graphs to holistically evaluate the overall cyber threat environment to efficiently align analytical and security resources to the current and future cyber attacks that pose the most legitimate threats to the organization.
   Example: If cyber intelligence analysts rate all components of a threat actor executing a worm (likelihood) against an organization’s network servers for industrial espionage purposes (impact) that has no worm mitigation in place (risk) as a high priority threat, then the organization should immediately position itself to focus on this threat over others where the likelihood is equally as high, but impact and risk are lower.
Overall Indicators of Success
• Threat prioritization influences which potential threats get addressed by
security operations and how network security resources are allocated.

• Collection management is streamlined and organizations are able
to better communicate their requirements to third party intelligence
vendors.

• Cyber threats are widely communicated to the organization and
employees are aware of the most relevant threats.

• Cyber threats are proactively monitored and prioritized, with updates
available to inform security operations, intelligence analysts, and
decision makers.

• Analytical production aligns with threat prioritization. For instance,
the organization develops a tiered system to communicate threat
information to stakeholders:

- Tier 1: Potential threat averages a high rating. Analysis required
within 90 minutes.

- Tier 2: Potential threat averages a medium rating. Analysis
required within 8 hours.

- Tier 3: Potential threat averages a low rating. Analysis required
between 3 and 5 days.

- Tier 4: Potential threat does not compute a rating, but is an
indirect threat for anyone using the Internet. No specific
timeframe for analysis.

• Analysts use threat prioritization to do predictive analysis, like
developing scenarios to test how defenses will react to the full spectrum
of cyber threats.
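The rating procedure in steps 1 to 5 of the Implementation section and the tiered deadlines above, carried through as an added Python example (this is not code from the SEI document). The numeric scale (low=1, medium=2, high=3), the band thresholds, and the element names are assumptions made here; the two rated threats are constructed to mirror the document’s DDoS and worm examples.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional

# Rating scale for each element. Assumption: the document rates elements
# low/medium/high but leaves the numeric mapping to the analyst.
RATING_VALUE = {"low": 1, "medium": 2, "high": 3}

# The framework's definitions: which elements make up each component.
#   Likelihood = Capability + Intent
#   Impact     = Operations + Strategic Interests
#   Risk       = People + Cyber Footprint
COMPONENT_ELEMENTS = {
    "likelihood": ("capability", "intent"),
    "impact": ("operations", "strategic_interests"),
    "risk": ("people", "cyber_footprint"),
}

# Analysis deadlines per tier, as stated in the document's tiered example.
TIER_DEADLINES = {
    1: "analysis within 90 minutes",
    2: "analysis within 8 hours",
    3: "analysis within 3 to 5 days",
    4: "no specific timeframe (indirect threat to anyone using the Internet)",
}


def band(score: float) -> str:
    """Map a numeric average back to low/medium/high (thresholds are assumed)."""
    if score < 1.5:
        return "low"
    if score < 2.5:
        return "medium"
    return "high"


def component_score(ratings: Dict[str, str], component: str) -> float:
    """Step 4: average the element ratings that make up one component."""
    elements = COMPONENT_ELEMENTS[component]
    missing = [e for e in elements if e not in ratings]
    if missing:
        raise ValueError(f"{component}: missing ratings for {missing}")
    return mean(RATING_VALUE[ratings[e].lower()] for e in elements)


@dataclass
class ThreatAssessment:
    name: str
    # element name -> "low" | "medium" | "high"; an empty dict means the
    # threat does not compute a rating (the document's Tier 4).
    ratings: Dict[str, str] = field(default_factory=dict)

    def component_bands(self) -> Dict[str, str]:
        """Likelihood, impact and risk, each as low/medium/high."""
        return {c: band(component_score(self.ratings, c)) for c in COMPONENT_ELEMENTS}

    def overall(self) -> Optional[str]:
        """Combine the three components into one priority; None if unrated."""
        if not self.ratings:
            return None
        return band(mean(component_score(self.ratings, c) for c in COMPONENT_ELEMENTS))

    def tier(self) -> int:
        """High -> Tier 1, medium -> Tier 2, low -> Tier 3, unrated -> Tier 4."""
        return {"high": 1, "medium": 2, "low": 3, None: 4}[self.overall()]


def prioritize(assessments: List[ThreatAssessment]) -> List[ThreatAssessment]:
    """Order threats by tier, then by raw average within a tier (highest first)."""
    def key(a: ThreatAssessment):
        raw = mean(component_score(a.ratings, c) for c in COMPONENT_ELEMENTS) if a.ratings else 0.0
        return (a.tier(), -raw)
    return sorted(assessments, key=key)


# Constructed inputs mirroring the document's two worked examples, plus an unrated threat.
DDOS_BETA_SITE = ThreatAssessment(
    "recreational hacker DDoS on payment site still in beta",
    {"capability": "high", "intent": "high",              # likelihood: high
     "operations": "low", "strategic_interests": "low",  # impact: low
     "people": "low", "cyber_footprint": "low"},         # risk: low
)
ESPIONAGE_WORM = ThreatAssessment(
    "worm against network servers for industrial espionage, no mitigation in place",
    {e: "high" for elems in COMPONENT_ELEMENTS.values() for e in elems},
)
INTERNET_WIDE = ThreatAssessment("indirect Internet-wide threat (no rating)")

if __name__ == "__main__":
    for t in prioritize([INTERNET_WIDE, DDOS_BETA_SITE, ESPIONAGE_WORM]):
        print(f"Tier {t.tier()}: {t.name} -> {TIER_DEADLINES[t.tier()]}")
```

With these thresholds the DDoS case lands in the medium band (Tier 2), which is the numeric counterpart of the document’s “medium to low” classification.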

Likelihood
Understanding the capabilities and intentions of cyber threat actors determines the likelihood of them targeting an organization. To determine this
likelihood, a CITP participant from industry monitored open source publications from an organization known to sponsor cyber threat actors who frequently
targeted the organization. Analyzing this accessible data provided insight into the motivations of the sponsored cyber threat actors, allowing the CITP
participant to narrow down the types of data likely to be targeted, and work with network security experts to create diversions, honey pots, and employ
other measures to proactively defend against the threat.

Likelihood (spider graph)

Capability
An actor’s sophistication, tools, and resources to execute a cyber attack determine their capability. Assessing capability as an independent variable of likelihood means organizations can avoid the pitfalls of devoting time and attention to “paper tiger” threats.

  Attack Methods
  Humans are creatures of habit. Although threat actors take great care to avoid detection, at some level they too succumb to this adage. Tracking how threat actors operate exposes patterns that analysts can use to combat their effectiveness.

    Infrastructure: Sophisticated threats often require an infrastructure to operate. This can be assessed by looking for hop points used during an attack, the command and control network, or the size and scope of a botnet.
    Technology: Technology used or manipulated for an attack can indicate the capability of a threat actor. More sophisticated actors target SCADA or ICS devices, web-enabled products, or mobile devices in addition to traditional servers and clients.
    Coding: Nuances and personal preferences in coding not only assist with attribution, but also can indicate actor sophistication.
    Maturity: The maturity of the actor takes into account their planning process, pre-attack activities (research/recon/social engineering), and post-attack actions (such as tool updates or incorporating lessons learned).
    Targets: Capability can be assessed by looking at what is targeted. Does the actor rely on mass phishing emails, identify specific targets (network, website, employee, mobile platform) or exploit a specific vulnerability (Adobe, Windows, SQL, etc.)?

  Resources
  Understanding what is available to threat actors offers context to the sophistication of their attacks. Leverage government, industry, and intelligence service provider information sharing arrangements to learn about actors’ resources.

    Money: Obtaining and maintaining capabilities incur costs. Well-resourced/sponsored threat actors are often more dangerous than less resourced actors, with other variables being equal.
    People: From collaborators and co-workers to teachers and mentors, the number and type of people involved in a campaign can be indicative of its capability.
    Tools: Tools often hint at the capability of an actor, but the lack of a custom tool does not always imply a novice attacker. Most sophisticated actors will use the right tool for the job; if open source tools will work, there is no need to customize one.
    Training: The type and quality of training available to the threat actor can help determine their capability. Online videos, IRC channels, certification courses, military training, or formal academic education all yield different levels of sophistication.

Intent
The actor’s purpose and the expected outcome of the cyber attack determine the intent. Prioritizing actors by their intent allows analysts to focus on the most relevant threats.

  Motive
  Why do threat actors attack? Determining an actor’s motive provides insight into the possible direction of their behavior, and determines their interest in targeting the organization.

    Intrinsic (personally rewarding): Fame, bragging rights, thirst for knowledge/access, justification of skills, satisfying boredom, patriotism, and hactivist allegiance; all reasons a hacker might be motivated to target an organization.
    Extrinsic (receive external reward or avoid punishment): Extrinsic motives revolve around two key concepts: reward or avoiding punishment. These motives include everything from state-sponsored denial and deception operations, misinformation campaigns, and psychological operations to financial incentives from competing businesses, organized crime, and blackmail.

  Targeted Data
  Understanding what a threat actor is after will factor into determining their intent to target the organization.

    Personally Identifiable Information (PII): Are the attackers stealing personal information from your customers? From your employees? Determining if this type of information is vulnerable can help assess the likelihood that the actor targets the organization.
    Research and Development: Some actors exist to steal corporate R&D data. Organizations with heavy R&D missions are more likely to be targeted by actors specializing in corporate espionage or supporting nation-states.
    Business Process: Certain categories of actors, especially insider threats, target the inner workings of the organization. From hiring and firing information to time cards and audit findings, organizations likely will be targeted if this information is accessible.
    Industrial Control Systems: Certain actors specialize in compromising industrial control systems and the associated human-machine interface. Organizations operating these systems should prioritize these threat actors accordingly.

Indicators of Success
• Analysts have a repository of current and historical threat actor tactics, techniques, and procedures (TTPs) to generate profiles that are fed into data collection platforms to separate known threats that automated defensive actions can mitigate from unknown threats requiring an analyst’s attention.
• Analysts gain perspective on the tools threat actors use to assess how they access an organization or if they outsource tool development. A basic netflow analysis could show the majority of attacks come from well known, prepackaged scripts, which analysts can easily combat using remediation efforts posted on open source websites.
• Analysts realize that sophisticated actors use the lowest common denominator for attacks. If a threat actor can use an off-the-shelf tool to accomplish their goal, they’ll wait to deploy customized tools on harder targets.
• Analysts understand that the targeting of Adobe or Windows software vulnerabilities usually equates to a threat of lower sophistication than one targeting Windows operating systems.
• Analysts understand threat actors’ intentions well enough to assign them to different categories, such as nation-state, criminal, hactivist, recreational, or competitor, enabling them to identify the most likely threats their organization faces through profiling.
• Analysts realize that if a threat actor is targeting their organization for fame, the likelihood increases for the actor to choose a DDoS attack to the organization’s website as the attack method.
• From their organization being the first result in a Google search to knowing over what holidays certain actors like to conduct attacks, analysts recognize the importance of timing when it comes to assessing the overall likelihood of a threat.

Impact
Analyzing the effects cyber attacks have on an organization’s operations and strategic interests provides quantifiable, business-related information to
justify its impact on the organization. A CITP participant quantified the impact of cyber threats to their leadership by assessing how much money the
organization would pay to reroute its product distribution channels after a hacker compromised the network and disclosed specific travel routes to
competitors intent on disrupting this distribution.

Impact (spider graph)

Operations
Cyber attacks adversely affect an organization’s day-to-day operations. Since the effects often are financially quantifiable, analysts can use dollar amounts to communicate the impact attacks have on how an organization functions.

  Direct Costs
  Cyber attacks have a financial impact on organizations. Prioritizing threats according to their cost in terms of remediation and mitigation can resonate with technical and non-technical stakeholders.

    Incident Response: Consider the costs to perform an investigation, remediation, and forensics, including required software/licenses for incident response tools.
    Downtime: Business costs of a network-reliant service being unavailable, including missed transactions or loss of potential revenue, also play a role.
    Mitigation and/or Prevention: Factor in costs of additional hardware/software required to mitigate a specific threat.
    Future Earnings: Loss of intellectual property may reveal R&D investments or R&D strategies, delay product releases, affect future acquisitions, and cause a loss of competitive advantage.

  Business Operations
  In addition to the known costs of responding to an attack, organizations also should consider the cascading effects an attack can cause and their associated costs.

    Supply Chain: Costs associated with the inability to meet demand, delay to operations, and having to supplement/replace suppliers can significantly impact an organization.
    Logistics: An organization must function whether it is enduring an attack or not, so make sure to consider the cost of continuing operations during and after an attack, such as re-routing communications, securing intellectual property, adding equipment/personnel to avoid another similar attack, and upgrading systems/networks/processes.

Strategic Interests
Some impacts are harder to quantify, but they are no less important. Strategic interests capture the intangible aspects of the organization that can be affected by a cyber threat.

  Organizational Interests
  Plans, people, and products offer tremendous insight into why an organization is targeted and where a threat can do the most damage if certain information is compromised.

    Strategic Planning: Consider the impact of losing strategic vision data, such as annual reports, 1/3/5 year strategic outlooks, operational policies, mergers, and acquisitions.
    Stakeholders: Assess how threats impact shareholders, board of directors, and employees.
    Organizational Culture: Factor in the impact of legal/regulatory requirements from governments, law enforcement, regional entities (European Union), and external business arrangements. Also consider changes to the organization’s culture, including work-from-home policies, complex password requirements, and restricted network access.
    Brand Reputation: Understand the impact to the brand and its implications on public opinion.

  External Interests
  Organizations do not operate in a bubble, and neither should threat prioritization. Consider the ramifications cyber attacks can have on organizational partnerships, reputation, culture, geopolitics, and market space.

    Market/Industry: How are competitors affected by the cyber threat? Is the industry equally affected by the threat? Consider national and foreign competition in threat prioritization.
    Geopolitical: Does the threat affect political relationships, or the ability to operate in foreign countries? Will the impact of the threat affect the stock market? Is the local/regional economy impacted? All of these factors play a role that decision makers will want information on.
    Partnerships: Consider the impact to third parties, including information-sharing partners (government/industry/service provider) and other business relations (companies/governments/regions). Assess the validity of shared data if strategic partners are affected.

Indicators of Success
• Internally, analysts establish frequent communication with the business units responsible for operations to discuss threats, alter threat prioritization, and predict new threats. These business units can include R&D, physical security, risk management, IT, human resources, insider threat, and business intelligence.
• Analysts identify and remediate the cascading effects a cyber attack could have by targeting one part of the organization’s operational network and systems.
• Analysts recognize how a cyber attack could impact the organization’s ability to operate and communicate to stakeholders and institute appropriate contingencies to eliminate this impact when an attack occurs in the future.
• Knowledge of the impact cyber attacks can have on an organization’s operations enables analysts to determine the financial costs to recover and repair damage done by the threats that the analysts’ prioritization efforts deem most likely to harm the organization.
• Analysts ensure that threat prioritization isn’t based on personal biases or those of decision makers, stakeholders, service providers, or the media.
• Analysts correlate logs of IPs accessing the parts of their organization’s website containing data on strategic planning and intellectual property with known bad IPs to predict where threats will be concentrated now and in the future.
• Analysts understand the financial cost associated with a geopolitical event in a country threatening their organization’s Internet presence in that market.
• Analysts recognize that if peers in their industry and the organization’s economic interests are being attacked, the likelihood of being targeted increases and they take preventative measures to ensure that doesn’t happen.
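The log-correlation indicator above, worked through as an added example that is not part of the framework: constructed access-log lines for the /strategy/ and /ip/ areas of a site are matched against a constructed known-bad list of hosts and CIDR blocks, and each request for a sensitive path from a listed source is tallied per path. The paths, addresses and list contents are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed combined-format access-log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.45 - - [12/Sep/2013:02:14:07 +0000] "GET /strategy/roadmap-2014.pdf HTTP/1.1" 200 48211 "-" "curl/7.29"
198.51.100.7 - - [12/Sep/2013:09:02:11 +0000] "GET /index.html HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Sep/2013:02:14:09 +0000] "GET /ip/patents/filing-list.xlsx HTTP/1.1" 200 9021 "-" "curl/7.29"
192.0.2.200 - - [12/Sep/2013:14:40:55 +0000] "GET /ip/patents/filing-list.xlsx HTTP/1.1" 403 512 "-" "python-requests/1.2"
198.51.100.7 - - [12/Sep/2013:09:03:20 +0000] "GET /strategy/roadmap-2014.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""
# Constructed threat list: bare hosts and CIDR blocks (placeholders, not real indicators).
KNOWN_BAD = ["203.0.113.45", "192.0.2.0/24"]
# Site areas the framework singles out: strategic planning and intellectual property.
SENSITIVE_PREFIXES = ("/strategy/", "/ip/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Yield (ip, path, status) for each line the combined-format regex understands."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))

def build_networks(entries):
    """Normalise bare IPs and CIDR strings to ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_known_bad(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def correlate(log_text, bad_entries, prefixes=SENSITIVE_PREFIXES):
    """Map each sensitive path to a Counter of known-bad source IPs that requested it.
    Blocked requests (403) are kept: a denied probe still shows where interest concentrates."""
    networks = build_networks(bad_entries)
    hits = {}
    for ip, path, _status in parse_log(log_text):
        if path.startswith(prefixes) and is_known_bad(ip, networks):
            hits.setdefault(path, Counter())[ip] += 1
    return hits
```

Running `correlate(SAMPLE_LOG, KNOWN_BAD)` groups the two listed sources under the two sensitive paths they touched and ignores the legitimate visitor, which is the per-path view of concentration the indicator describes.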

Risk
Assessing how people and the organization’s cyber footprint make the organization vulnerable to cyber attacks determines what areas within it are the most at risk of being targeted. One CITP participant’s CEO is active with companies and institutes that are separate from the organization. The CITP participant’s cyber intelligence analysts maintain an awareness of these activities, so when hacktivists publicly threatened attacks against one of the institutes, the analysts knew this could have implications for their organization and altered network defenses to prepare for a potential attack.

People
Cyber threats generally have one thing in common: at some point a human interacts with the threat. This interaction must be a part of threat prioritization to understand an attacker’s most commonly targeted vulnerability: people.

Relevance
From leadership to rank-and-file employees, the Internet offers a communication platform that allows anyone to make their organization more visible to threat actors.
• Online Presence: Maintain awareness of information employees put online and their popularity on blogs/social media—both can garner the attention of threat actors. Information posted online can unwittingly reveal vulnerabilities and flaws in security policy, or incite threat actors to target the organization.
• Extracurricular Activities: Be mindful of the activities employees participate in outside of work. Employees’ status with external institutions, such as non-profits, may increase their risk of being targeted.
• Motive: There always is a rhyme or reason for why people enable cyber attacks. Whether it’s ignorance, financial trouble, disgruntlement, or boredom, by knowing these vulnerabilities analysts can diminish their effectiveness through prevention.

Access
Employees with administrator privileges or access to sensitive data are more attractive targets for threat actors. Determining who has what access can significantly aid in identifying the risk to employees.
• Physical and Network-Based Access: Individuals have varying access to both physical and network-based sections of an organization that threat actors can leverage to execute an attack. Assess which employees are at higher risk of being targeted based on their access.
• Position: As with access points, consider how threat actors can exploit the different roles people play throughout the organization, from network administrator or HR representative to CEO, supply chain manager, or a recently fired employee.
• Abnormal Activity: Develop baseline or expected network behavior for key users. Consider what deviations may indicate potential nefarious activity and consistently watch for them. Some examples can involve an employee working off-hours, emailing attachments to personal email accounts, or accessing information that is unrelated to their normal job.

Cyber Footprint
The greater an organization’s online exposure, the more opportunity an attacker has to find vulnerabilities. Consider the organization’s infrastructure, supply chain, online exposure, and components most susceptible to attacks.

Infrastructure
The unknown provenance of software and hardware complicates risk determination in the cyber environment. Overcoming this limitation requires researching where, when, and how an organization’s infrastructure is most susceptible to cyber threats.
• Hardware: Develop a blueprint of where network appliances, workstations, and third-party equipment connect to the organization’s network and identify the most likely risks for cyber threat activities.
• Software: Most organizations rely on software to accomplish day-to-day operations. A robust threat prioritization assesses the risks associated with relying on particular software, which network users require access to high-risk software, and the organization’s ability to detect if a software vulnerability has been exploited.
• Supply Chain: The most stringent network defenses can be subverted by counterfeit equipment or software. Understanding and assessing threats to the organization’s supply chain provides additional data points to measure risk of compromise through the organization’s network infrastructure.

Online Presence
The content and services an organization provides on the Internet serve as attractive targets for threat actors. Analysts can assess severity of risk based on this insight into likely attack vectors.
• Website: Analyze how threat actors might leverage an organization’s website to plan and execute an attack. This includes compromising customer account log-ins, collecting employee contact information, defacing the site, or denying legitimate access to it.
• Additional Exposure: An organization’s public relations and marketing departments track how social media and other aspects of the Internet help bring attention to the organization. Threat prioritization efforts also should track how this attention affects its cyber threat environment.
• Additional Services: FTP, Telnet, VPN access, webmail, remote desktop, and other web-based services used by an organization increase the risk of potential cyber attacks, and should be factored into threat prioritization.
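The Abnormal Activity item above, worked through as an added example rather than anything from the framework: a small per-user baseline of working hours and normally opened resources is built from constructed events, then applied to new constructed events to flag the three deviations the text names (off-hours activity, attachments sent to a personal mail domain, and access outside the user’s normal resources). Users, resource paths and the personal-mail list are placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed events: (user, ISO timestamp, action, target). A real baseline would
# cover weeks of activity for each key user; four lines keep the example short.
BASELINE = [
    ("jdoe", "2013-08-05T09:12:00", "open", "share://finance/ledger"),
    ("jdoe", "2013-08-05T16:45:00", "open", "share://finance/budget"),
    ("jdoe", "2013-08-06T08:55:00", "mail_attachment", "acme.example"),
    ("jdoe", "2013-08-07T17:30:00", "open", "share://finance/ledger"),
]
NEW_EVENTS = [  # constructed events under review
    ("jdoe", "2013-09-10T10:05:00", "open", "share://finance/ledger"),
    ("jdoe", "2013-09-10T23:40:00", "open", "share://rnd/prototype-specs"),
    ("jdoe", "2013-09-10T23:52:00", "mail_attachment", "webmail.example"),
]
PERSONAL_MAIL_DOMAINS = {"webmail.example"}  # placeholder list of personal/webmail providers

def build_profile(events, margin_hours=1):
    """Per user: (earliest, latest) hour seen, widened by a margin, plus normally opened resources."""
    profile = defaultdict(lambda: {"hours": None, "resources": set()})
    for user, ts, action, target in events:
        hour = datetime.fromisoformat(ts).hour
        p = profile[user]
        lo, hi = p["hours"] or (hour, hour)
        p["hours"] = (min(lo, hour), max(hi, hour))
        if action == "open":
            p["resources"].add(target)
    for p in profile.values():
        lo, hi = p["hours"]
        p["hours"] = (max(0, lo - margin_hours), min(23, hi + margin_hours))
    return dict(profile)

def find_deviations(events, profile):
    """Return (user, timestamp, reason) for every event that breaks the user's baseline."""
    findings = []
    for user, ts, action, target in events:
        p = profile.get(user)
        if p is None:
            findings.append((user, ts, "no baseline for user"))
            continue
        lo, hi = p["hours"]
        if not lo <= datetime.fromisoformat(ts).hour <= hi:
            findings.append((user, ts, "off-hours activity"))
        if action == "mail_attachment" and target in PERSONAL_MAIL_DOMAINS:
            findings.append((user, ts, "attachment sent to personal mail domain"))
        if action == "open" and target not in p["resources"]:
            findings.append((user, ts, "access outside normal job resources"))
    return findings
```

The two late-night events each trip two rules, which is the kind of stacked deviation the item suggests watching for consistently rather than reacting to any single off-hours login.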

Indicators of Success
• Whether it is an employee alerting about a suspicious email they received or a vendor providing a list of bad IPs, analysts have engaged enough with individuals associated with the organization that they actively contact the analysts about issues that could alter how threats are prioritized.
• Employee feedback influences threat prioritization because analysts offer feedback mechanisms via all of their cyber intelligence communication platforms: emails, analytical products, briefings, or awareness campaigns.
• If the CEO or a junior analyst blogs about topics that likely will bring the attention of threat actors, analysts are aware of these activities and consider the position, influence, popularity, and online presence of these individuals in order to predict how they should change the organization’s security posture.
• Analysts become aware of the fact that not every vulnerability is a threat worthy of further analysis and mitigation.
• Analysts understand the organization’s operating environment well enough that with system updates and patches, they alleviate ~80% of threats, freeing them to focus on the ~20% that could significantly impact the organization.
• Analysts recognize their organization is only as secure as its supply chain. If it acquires software and analysts don’t know who did the actual coding, the code’s reliability, or to what extent it has been error tested, then they won’t know how threat actors could use potential vulnerabilities within the code to conduct an attack.
• Analysts incorporate timing into their prioritization efforts to align increases in network defenses with the different times during the year (holidays, system upgrades) when the organization’s network is most vulnerable.
