1. What is the expected level of Attacker for the organization?
The first step in determining your suggested SecCon level is to consider the skill level of the attacker likely to target the environment. The attacker type sets the baseline SecCon level, which in turn helps identify the controls necessary to prevent, restrict, or detect that attacker.
Non-Interactive – Attacks at this level are automated and look for known vulnerabilities, default credentials, and systems exposed to the internet. Examples include bots and worms.
Known – The Known Attacker uses basic software tools to look for targets of opportunity. This attacker leverages automated viruses and exploits, commonly delivered through phishing campaigns.
Intermediate – This relatively skilled attacker is usually a single person motivated by monetary gain or political hacktivism. Targeted spear phishing is a common means of creating an initial compromise, usually allowing the attacker to escalate privileges and move laterally within the target. While the attacks used may be known, they require skill to execute. Non-technical insider threats who already have access to the environment are also in this category.
Advanced – Skilled criminal organizations are an example of advanced attackers, often breaching through third parties. They leverage persistence to gain access to sensitive information, especially proprietary information, in attempts to sell it. These teams have protection if caught. Technical insider threats, who already have privileged access to the environment, are also in this category.
Expert – Expert attackers are nation-state-sponsored and use persistent or zero-day exploits. The goals of expert attackers are typically espionage, military information, and political disruption. Experts use technical and non-technical attacks which take place over extended time periods. These teams typically operate during their normal business hours, as this is a government job.
3. What is the organization’s tolerance for Risk?
Understanding the culture of an organization is important in determining the extent of the mitigation strategy. Similar to choosing a low vs. high deductible on car insurance, the lower the risk tolerance, the more significant the investment in security.
Very High – Organization prioritizes acceptance over mitigation. Changes to the environment are not tracked, and downtime incurred is acceptable.
High – Organization prioritizes transference and acceptance over mitigation. Changes to the environment are loosely tracked, but not audited, and some downtime is acceptable.
Average – Organization has a balance of risk acceptance, mitigation, and transference. Changes are discussed before implementing, but there could be some downtime after hours.
Low – Organization accepts little risk, but evaluates or implements mitigation or transference tactics where available. Accepted risks are documented and reviewed. Changes to the environment are reviewed before implementing so downtime can be kept to a minimum.
Very Low – Organization does not accept risk, and strives to mitigate or transfer. A risk register is maintained and audited regularly. Proposed changes are documented and reviewed before implementation during a scheduled window to maintain availability of systems.