George Washington University, District of Columbia
April 19, 2024
April 20, 2024
10.18260/1-2--45741
https://peer.asee.org/45741
Branko Bokan is a PhD candidate at the School of Engineering and Applied Science, George Washington University under professor Joost Santos.
Branko is a cybersecurity expert at the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS). In his professional role he is responsible for defending the Federal Civilian Executive Branch of the U.S. government against cyber threats and building a cyber-resilient federal enterprise.
To prioritize the limited resources available to protect against, detect, and respond to cybersecurity attacks, organizations must follow a risk management approach to select commensurate protections (cybersecurity capabilities). Risk management practice necessitates a proper framing of risk, which requires a ‘set of triplets’ to exist – a scenario (in which a threat exploits a vulnerability), the likelihood (or, more precisely, the uncertainty) of the scenario taking place, and the impact if it does. While the other elements of the risk triplet are relatively easy to assess, the threat factor remains the most elusive.
Traditional threat modeling methodologies work well at a small scale (e.g., when evaluating targets such as a single data field, a software application, or an information system component)—but they do not allow for a comprehensive evaluation of an entire enterprise architecture to identify gaps (blind spots) where cybersecurity protections do not exist and where future investments are needed. They also do not enumerate and consider all threats that are actually observed in the wild.
This paper proposes a decision-making framework for selecting cybersecurity architectural capability portfolios that maximize protections against known cybersecurity threats using a new threat modeling approach - a cybersecurity architecture review.
This new threat modeling methodology allows organizations to look at their cybersecurity protections from the standpoint of an adversary and allows them to evaluate entire cybersecurity architectures. It uses a cyber threat framework such as MITRE ATT&CK to enumerate all threats previously observed in the wild and then scores cybersecurity capabilities for their ability to: a) detect; b) protect against; and c) help in recovery from adversarial tactics, techniques, and procedures (TTPs). The results form a matrix called a capability coverage map – a visual representation of protection coverage, gaps, and overlaps against TTPs. To allow for prioritization, TTPs can be organized in a threat heat map – a visual representation of each threat technique’s prevalence and maneuverability that can be overlaid on top of a coverage map.
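As an added example (not code from the paper), the coverage map and heat-map overlay described above built in Python: a few real ATT&CK technique IDs are scored against constructed, illustrative capabilities on the three dimensions (detect, protect, recover), gaps and overlaps are read off the matrix, and the gaps are ranked by a constructed prevalence/maneuverability heat map. All capability names and scores are assumptions for illustration.

```python
# Dimensions on which each capability is scored against each TTP (per the paper).
DIMENSIONS = ("detect", "protect", "recover")

# Constructed sample. Technique IDs are real ATT&CK IDs; capability names and the
# 0/1/2 (none/partial/significant) scores are illustrative assumptions, not survey data.
COVERAGE = {
    "EDR":      {"T1059": (2, 1, 0), "T1486": (1, 0, 0), "T1078": (1, 0, 0), "T1566": (1, 0, 0)},
    "Email GW": {"T1566": (2, 2, 0)},
    "MFA":      {"T1078": (0, 2, 0)},
    "Backups":  {"T1486": (0, 0, 2)},
}
# The TTPs the review enumerates; T1021 is deliberately left uncovered to show a blind spot.
TTPS = ("T1566", "T1059", "T1078", "T1486", "T1021")

# Constructed threat heat map: (prevalence, maneuverability), each on a 1-5 scale.
HEAT = {"T1566": (5, 4), "T1059": (4, 5), "T1078": (4, 4), "T1486": (3, 2), "T1021": (3, 4)}


def coverage_map(coverage, ttps):
    """Build the matrix: ttp -> dimension -> capabilities giving any coverage (score > 0)."""
    matrix = {t: {d: [] for d in DIMENSIONS} for t in ttps}
    for cap, scores in coverage.items():
        for ttp, vec in scores.items():
            for dim, score in zip(DIMENSIONS, vec):
                if score > 0:
                    matrix[ttp][dim].append(cap)
    return matrix


def gaps(matrix):
    """Cells (ttp, dimension) where no capability provides coverage: the blind spots."""
    return sorted((t, d) for t, row in matrix.items() for d, caps in row.items() if not caps)


def overlaps(matrix):
    """Cells where more than one capability covers the same TTP and dimension."""
    return sorted((t, d, tuple(caps)) for t, row in matrix.items()
                  for d, caps in row.items() if len(caps) > 1)


def prioritized_gaps(matrix, heat):
    """Overlay the heat map: rank gaps by prevalence * maneuverability, hottest first."""
    return sorted(gaps(matrix), key=lambda td: -(heat[td[0]][0] * heat[td[0]][1]))


if __name__ == "__main__":
    m = coverage_map(COVERAGE, TTPS)
    print("gaps:", prioritized_gaps(m, HEAT))
    print("overlaps:", overlaps(m))
```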
The paper will provide a proof of concept for proposed future research to determine how commonly used cybersecurity capabilities protect against known TTPs, whether organizations use the most efficient portfolio of capabilities, whether these portfolios are selected based on the actual threat landscape or vendor pressure, how different demographics perceive their protection coverage, and to what extent those common protections overlap.
Bokan, B. S., & Santos, J. R. (2024, April). Threat Modeling for Optimal Enterprise Protections Against Known Cybersecurity Threats. Paper presented at the ASEE Mid-Atlantic Section Spring Conference, George Washington University, District of Columbia. https://doi.org/10.18260/1-2--45741
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2024 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference.