Thoughts on Bejtlich's Information Security Incident Ratings
Check out Richard Bejtlich’s Information Security Incident Rating post. In it, he establishes qualitative, color-based scales for various asset-states in relation to the aggregate threat community. As Richard states, he’s not modeling risk, but rather he’s somewhat modeling half of risk (in FAIR terms, an attempt at TEF/LEF/TCap information, just not the loss magnitude side).
I say “somewhat” because what I find interesting is that Richard seems to be making probabilistic statements in the “greens” (“my opinion/guess is that it would take some degree of force to compromise the asset in question, based on my admittedly incomplete knowledge of the control state”), and then adding nature-state assessments (“here is the current state of attack/compromise”) in the rest of the spectrum.
Now obviously the probabilistic statements would eventually require more effort once some substantial level of organizational maturity has been achieved, but this sort of asset-state spectrum would be useful in establishing high-level assessments of the asset landscape. It would allow the CISO (especially a new CISO who finds herself in an environment fraught with “unknown unknowns”) to build a relatively quick view of enterprise “vulnerability” (to borrow FAIR’s concept) and to start building knowledge about the enterprise’s risk management capability.
Other uses could eventually contribute significantly to risk models. Obtaining accurate current/past Category 3 (the orange there) information would be *really* useful for creating probabilistic statements around threat models and risk models. As I mentioned above, the Vuln ratings can be broken down to assist risk and risk management modeling (yeah, I continue to maintain that they are two different things despite what all the standards out there say, more on that tomorrow). Finally, studying time frames and abilities around the post-compromise state (Breach 3-1, there) around incidents would be useful in establishing risk management model belief statements, as well.
One small problem I would have using this at an aggregate level is the lack of granularity around the threat community with regard to “impact” levels 1-5. I might not really care if a script kiddie is doing reconnaissance, but if the recon is coming from someone in an internal administrative role, a contractor who has privileges, etc…
That said, my more significant problem with Bejtlich’s model has to do with *why* he created it. He asks:
What do you think of this rating system? I am curious to hear how others explain the seriousness of an incident to management.
To which my obvious response is, “why should management care about any of this when it doesn’t include impact?” Even at its darkest colors, the scale is subject to what I call the tree-falling-in-the-woods problem: does vulnerability or compromise matter independent of an impact statement? Without impact, are we just “multiplying by zero”?
More directly, can you imagine going to a CFO with this but without impact information? Wouldn’t you kind of look foolish if you said, when questioned about (probable) impact, “Well, then we would be modeling risk, and you know we can’t do that”?
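To make the “multiplying by zero” point (and the earlier complaint about threat-community granularity) concrete, here is an added example that is not part of the original post and not part of Bejtlich’s rating system. It decomposes risk the FAIR way: Vulnerability is the probability that Threat Capability exceeds Control Strength, Loss Event Frequency is Threat Event Frequency times Vulnerability, and risk is LEF times Loss Magnitude. The threat communities, asset names, distributions and dollar figures are all constructed assumptions for illustration; the two assets share identical controls (so a threat-side-only scale rates them identically) and differ only in what is lost when they are compromised.

```python
# Added example, not code from the original post or from Bejtlich's rating system.
# FAIR-style decomposition of risk into a threat side (TEF, TCap, Control
# Strength, Vuln, LEF) and an impact side (Loss Magnitude).
# All numbers, names and distributions below are constructed assumptions.
from dataclasses import dataclass
from itertools import product

# A discrete distribution is a {value: probability} dict whose probabilities sum to 1.
Dist = dict


@dataclass(frozen=True)
class ThreatCommunity:
    name: str
    tef_per_year: float  # Threat Event Frequency: attempts per year against an asset
    tcap: Dist           # Threat Capability, as a percentile rank (0-100)


@dataclass(frozen=True)
class Asset:
    name: str
    control_strength: Dist  # percentile of the threat population the controls resist
    loss_magnitude: Dist    # dollars lost per successful loss event


def vulnerability(tcap: Dist, control_strength: Dist) -> float:
    """FAIR 'Vuln': P(threat capability > control strength)."""
    return sum(
        p_t * p_c
        for (t, p_t), (c, p_c) in product(tcap.items(), control_strength.items())
        if t > c
    )


def loss_event_frequency(tc: ThreatCommunity, asset: Asset) -> float:
    """LEF = TEF x Vuln: expected compromises per year."""
    return tc.tef_per_year * vulnerability(tc.tcap, asset.control_strength)


def expected_loss_magnitude(asset: Asset) -> float:
    """Expected dollars lost per loss event."""
    return sum(value * p for value, p in asset.loss_magnitude.items())


def annualized_loss(tc: ThreatCommunity, asset: Asset) -> float:
    """Risk = LEF x LM. With LM of zero, the whole threat side multiplies by zero."""
    return loss_event_frequency(tc, asset) * expected_loss_magnitude(asset)


def rank_by_threat_side(tc: ThreatCommunity, assets: list) -> list:
    """What a frequency-only rating sees: assets ordered by LEF alone."""
    return sorted(assets, key=lambda a: loss_event_frequency(tc, a), reverse=True)


def rank_by_risk(tc: ThreatCommunity, assets: list) -> list:
    """What management needs: assets ordered by annualized loss."""
    return sorted(assets, key=lambda a: annualized_loss(tc, a), reverse=True)


# Constructed threat communities (hypothetical values).
# The script kiddie is noisy but never exceeds the controls; the insider is rare but capable.
SCRIPT_KIDDIE = ThreatCommunity("script kiddie", tef_per_year=50.0, tcap={20: 0.7, 50: 0.3})
PRIVILEGED_INSIDER = ThreatCommunity("privileged contractor", tef_per_year=2.0,
                                     tcap={70: 0.5, 95: 0.5})

# Two constructed assets with identical control strength, i.e. the same threat-side rating.
CONTROLS = {60: 0.5, 80: 0.5}
LAB_BOX = Asset("disposable lab host", CONTROLS, loss_magnitude={0.0: 1.0})
PAYROLL_DB = Asset("payroll database", CONTROLS,
                   loss_magnitude={50_000.0: 0.6, 2_000_000.0: 0.4})

if __name__ == "__main__":
    for tc in (SCRIPT_KIDDIE, PRIVILEGED_INSIDER):
        for asset in (LAB_BOX, PAYROLL_DB):
            print(f"{tc.name:22} -> {asset.name:22} "
                  f"LEF={loss_event_frequency(tc, asset):6.2f}/yr "
                  f"ALE=${annualized_loss(tc, asset):,.0f}")
    print("threat-side order:", [a.name for a in rank_by_threat_side(PRIVILEGED_INSIDER, [LAB_BOX, PAYROLL_DB])])
    print("risk order:      ", [a.name for a in rank_by_risk(PRIVILEGED_INSIDER, [LAB_BOX, PAYROLL_DB])])
```

Run as written, the script kiddie produces a Vuln of zero against either asset no matter how much reconnaissance it does, while the privileged contractor produces the same LEF against both assets; only once Loss Magnitude enters does the payroll database separate from the lab host, which stays at zero regardless of how dark its color gets.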
It’s true, the scale can be consolidated a little more:
1-3: $#!+ could happen
4-6: Really looks like some kind of $#!+ could happen
7-10: OMG, $#!+ has happened
But it appears that the “so what?”/impact question has been ignored in favor of two general positions:
1. If they get access to any asset, it’s Bad.
2. If they get access to any sensitive information, it’s Really Bad.
Some of this falls apart when you consider IPS hits to be #4, though, because an IPS hit has little bearing on the real probability of compromise. You’re taking control strength and threat capability into account with 1-3, but not with 4 (unless you assume the bump to 4 is meant to reflect increased capability).
I hate to say it (well, okay, I don’t), but this looks like a scale devised by someone who is too used to Threat Level Colors and binary thinking when it comes to attacks and intrusions. It looks like it’s designed to track the progression of risk to a single asset, not a network.