When Christopher Krebs was director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), his job was to make sure he understood the risk management landscape so the agency could fulfill its role as the nation’s risk management advisor. CISA became a household name in the aftermath of the 2020 elections, when Krebs told the nation that this was the most secure election cycle in the nation’s history. Speaking to a virtual audience at Check Point’s 2021 CPX360 conference, Krebs revealed how that was possible. The agency relied on threat modeling.
The Risk Formula
To assist its partners (civilian organizations and, in the case of the elections, state agencies) in assessing the risk landscape, Krebs said the agency approached things through a risk formula, where risk equals threat times vulnerability times consequence. It also took into account the likelihood of an attack when determining risk.
“The importance of this risk formula, as we saw it, was that it doesn’t focus just on the threat actor, but included vulnerabilities in the software services and systems that we use on a daily basis, as well as the potential consequences of a successful attack on any of these key systems or our nation’s critical infrastructure,” Krebs explained. As CISA worked closely with intelligence agencies, it became clear that, yes, there were a lot of nation-state threat actors that wanted to launch attacks against our critical infrastructure. Their intents and strategies spanned a wide range, from scanning for unpatched systems to sophisticated attacks on the supply chain, like the one involving SolarWinds.
But nation-states aren’t the only threat actors out there. Cybercriminals are also making their presence known in a very visible and damaging way, and those attacks end up being even more disruptive and destructive to functions that support our economy and our way of life.
Threat Modeling to Develop Risk Defenses
While threat modeling can be an effective tool against cyberattacks, it requires an all-encompassing approach. It’s not a matter of thinking like a cybercriminal to determine how they’ll attack, but rather understanding what they are after and what the ultimate consequences would be for the organization if the criminals were successful. It is knowing where your vulnerabilities are throughout the entire network, because a cybercriminal is more likely to come in through the open door of an outdated legacy system.
Krebs and his team spent more than three years developing a threat model for the 2020 elections. They worked with election directors in all 50 states to protect voter databases, all the while knowing that, at the last minute, a threat actor could launch a ransomware attack that would lock up the entire voting system. CISA thought through dozens upon dozens of scenarios in which a capable and determined cyberattacker could disrupt the election, providing a wealth of understanding on what could potentially go wrong. That information was shared with state election officials, and with Congress, so additional resources could be put in place to defend against attacks.
“That threat modeling piece is what I firmly believe transformed our ability as an agency, centered around indiscreet risk management activity, to dramatically improve our defensive posture,” Krebs said. CISA also applied the model used for the 2020 elections to COVID-19, to assist healthcare facilities in preventing potential ransomware attacks, especially in New York City, where any downtime in hospital networks would be catastrophic.
Threat modeling is about constantly evaluating both your internal and your external conditions, Krebs said, and will put you in a position to be more effective in your response to any sort of threat actor.
“Threat modeling led to not just a broadening of the actors that we were concerned about,” he said, “but also how we could more strategically invest to improve defense going forward.”