The unprecedented volume of cyberattacks on state and local governments means agencies need to significantly shore up defenses across their organizations. Beyond vulnerabilities in traditional networks and applications that power an agency’s mission, the attack surface has increased via connected Operational Technology (OT) and a growing number of Internet of Things (IoT) devices. Concerns among citizens about data privacy compound the need for stringent protections.
Government agencies have an unequalled responsibility to safeguard citizen data while sustaining constituent services. Dissatisfied citizens are not able to switch to a different agency as they could with an unsatisfactory commercial provider, increasing the pressure on government agencies to deliver citizen services even more securely than the largest corporations.
Given the breadth of the attack surface, determining where to focus limited resources has become a continual challenge for security leaders. A risk-based cybersecurity approach starting with threat inventories and threat modeling lets agencies determine the priority of assets to protect. Yet, conducting threat modeling assessments is difficult without the proper supporting constructs, including steps that many agencies struggle with or simply lack relevant expertise to perform.
As a result, many agency security leaders tend to focus on compliance, where the costs of violations are far easier to quantify than intangibles. While it’s important to meet compliance requirements, the current threat environment demands an understanding of true risk, with threat modeling as a foundational step to build the right levels of protection.
Cyber teams at agencies often feel overwhelmed by the concept of threat modeling—fearing that establishing the necessary constructs and performing a threat modeling exercise will take too long when leadership looks for quick wins. Pursuing some parallel activities can help overcome those pressures. Look for exposed network protocols, examine the organization’s patching regimen, assess backup cadence and test recovery capabilities, and of course, conduct regular user awareness training.
Then, when the team is ready to start a modeling exercise, these five steps will guide a risk-based approach built on the real threats that are most relevant to your agency:
- Choose an established methodology.
There are multiple threat modeling methodologies that offer structured guidance for undertaking this kind of effort. An agency should select one that can complement its existing internal practices and level of cyber maturity. Security teams may want to start with the risk-centric Process for Attack Simulation and Threat Analysis (PASTA) methodology, which includes seven threat modeling principles that combine business objectives and technical requirements. There are multiple models to choose from (VAST, OCTAVE, LINDDUN, and Trike among them), but regardless of the chosen methodology, the team must have a structured guideline as layers of detail are unpacked.
- Determine roles and responsibilities.
Involve dedicated representatives from across the organization to support each risk modeling phase, from establishing the model to working through it and then remediating identified issues. The chief information security officer (CISO) should not determine the sensitivity of different data types in a vacuum. That decision requires input from business owners who are intimately familiar with the different data types and the impact should the organization experience a data compromise. Cross-agency representatives also need to advise on the business needs around particular data or applications to inform the correct recovery time objectives. Lacking strong organizational alignment and cooperation before, during, and after the risk assessment means the effort will not work effectively, leaving the organization at increased risk.
- Assess the organization’s environment.
Identify everything on the network, its specific value, the probability of an incident and the impacts should an incident occur. Feed the collected data into the agency’s chosen threat model to assess the overall likelihood of harm occurring. When determining the probability of an incident, consider what threats exist that the team could tie to known vulnerabilities. Agencies need to accurately identify the vulnerabilities most relevant to them, and often benefit from a vendor-cultivated threat feed to help.
- Prioritize potential threats.
Once this information gets fed into a model, assess the likelihood of specific incidents occurring. Only then can the team start to confidently identify the highest priorities for its mitigation and remediation efforts. Focus on addressing more severe threats first; address those that are uncommon or low-risk later.
- Strategically adopt automation.
All of this requires a lot of dynamic data to manage. With copious on-premises and cloud-based systems in use, thousands or even millions of network connections, and a distributed workforce moving data seemingly everywhere, it’s more than the agency can achieve manually. There are tools available to automate many activities needed for threat modeling, ensuring that the team won’t miss important correlations. When new threats arise, update the threat feed to stay on top of needed adjustments in the agency’s defense posture.
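The assessment and prioritization steps above come down to a risk register: every asset gets a business-owner-assigned value, every threat gets a likelihood (from the threat feed) and an impact, a threat only counts against an asset when it can be tied to a weakness that asset actually has, and the resulting scores are ranked so severe items are handled first. The following Python is an added illustration of that workflow, not code from the article or its author. The asset inventory, threat list, likelihood values, the value × likelihood × impact scoring rule and the tier thresholds are all constructed for the example and are not prescribed by PASTA or any other named methodology; an agency would substitute its own inventory, feed and scale.

```python
"""Risk-scored threat prioritization over a constructed asset inventory.

Added example, not part of the article. All assets, threats, weaknesses,
likelihoods, impacts and tier thresholds below are constructed placeholders;
the scoring rule (value x likelihood x impact) is a simple risk-register
convention chosen for illustration, not a methodology's mandated formula.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Asset:
    name: str
    value: int                     # 1 (low) .. 5 (mission-critical), set with business owners
    weaknesses: FrozenSet[str]     # known weakness classes present on this asset


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float              # 0..1 chance of occurring in the assessment window (from feed)
    impact: int                    # 1..5 severity if the threat is realized
    exploits: str                  # weakness class the threat needs to succeed


# Constructed inventory: names and values are illustrative only.
CONSTRUCTED_ASSETS: List[Asset] = [
    Asset("benefits-portal", 5, frozenset({"unpatched-web-app", "untested-backups"})),
    Asset("water-plant-plc", 5, frozenset({"exposed-ot-protocol"})),
    Asset("hr-file-share", 3, frozenset({"untested-backups", "phishing-prone-users"})),
    Asset("public-kiosk", 1, frozenset({"unpatched-web-app"})),
]

# Constructed threat feed: likelihoods and impacts are illustrative only.
CONSTRUCTED_THREATS: List[Threat] = [
    Threat("ransomware", 0.6, 5, "untested-backups"),
    Threat("web-app-exploit", 0.4, 4, "unpatched-web-app"),
    Threat("ot-protocol-abuse", 0.2, 5, "exposed-ot-protocol"),
    Threat("credential-phishing", 0.7, 3, "phishing-prone-users"),
]


def risk_score(asset: Asset, threat: Threat) -> float:
    """Score a threat against an asset; 0.0 when the threat cannot be tied to a known weakness."""
    if threat.exploits not in asset.weaknesses:
        return 0.0
    return asset.value * threat.likelihood * threat.impact


def tier(score: float) -> str:
    """Bucket a score into the article's 'severe first, low-risk later' ordering (thresholds constructed)."""
    if score >= 10:
        return "severe"
    if score >= 4:
        return "moderate"
    return "low"


def prioritize(assets: List[Asset], threats: List[Threat]) -> List[Dict[str, object]]:
    """Build the ranked risk register: highest score first, non-applicable pairs omitted."""
    rows: List[Dict[str, object]] = []
    for asset in assets:
        for threat in threats:
            score = round(risk_score(asset, threat), 2)
            if score > 0:
                rows.append({"asset": asset.name, "threat": threat.name,
                             "score": score, "tier": tier(score)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def apply_feed_update(threats: List[Threat], updates: Dict[str, float]) -> List[Threat]:
    """Return a new threat list with likelihoods refreshed from a feed update; other fields unchanged."""
    return [Threat(t.name, updates.get(t.name, t.likelihood), t.impact, t.exploits) for t in threats]


def tier_counts(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Summarize how many register entries fall into each tier."""
    counts: Dict[str, int] = {"severe": 0, "moderate": 0, "low": 0}
    for row in rows:
        counts[str(row["tier"])] += 1
    return counts


if __name__ == "__main__":
    register = prioritize(CONSTRUCTED_ASSETS, CONSTRUCTED_THREATS)
    for row in register:
        print(f'{row["tier"]:8} {row["score"]:5}  {row["asset"]} <- {row["threat"]}')
    # A feed update raising one likelihood re-orders the register without re-doing the inventory.
    refreshed = apply_feed_update(CONSTRUCTED_THREATS, {"ot-protocol-abuse": 0.8})
    print("top item after feed update:", prioritize(CONSTRUCTED_ASSETS, refreshed)[0])
```

Two design points carry the article's argument: `risk_score` returns zero unless the threat maps to a weakness the asset is known to have, which is the "tie threats to known vulnerabilities" step and keeps the register from being padded with every theoretical threat against every asset; and `apply_feed_update` only touches likelihoods, so when the threat feed changes the register is re-ranked from the same inventory and business-owner valuations rather than rebuilt from scratch.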
With tight budgets and scarce talent pools, agencies must invest their limited resources properly. While security teams may find threat modeling challenging and that it doesn’t always yield immediate wins, when done properly, it makes agencies more cost effective, efficient, and secure long-term.
John Evans, chief technology advisor, public sector, World Wide Technology