
Cyber Threat Analysis [Updated 2019]

February 8, 2019 by Dimitar Kostadinov

1. Definition & Objective

A threat could be anything that leads to interruption, meddling or destruction of any valuable service or item existing in the firm’s repertoire. Whether of “human” or “nonhuman” origin, the analysis must scrutinize each element that may bring about conceivable security risk.

Cyber threat analysis is a process in which the knowledge of internal and external information vulnerabilities pertinent to a particular organization is matched against real-world cyber attacks. With respect to cyber security, this threat-oriented approach to combating cyber attacks represents a smooth transition from reactive security to proactive security. Moreover, the desired result of a threat assessment is a set of best practices on how to maximize the protective instruments with respect to availability, confidentiality and integrity, without sacrificing usability and functionality.

Components of Threat Analysis as a Process


a.) Scope

Scope states what is included in the analysis and what is not. In terms of cyber security, the items under consideration are those that must be protected. They need to be identified in the first place, but the level of sensitivity of what is being guarded should be defined by the analysis drafters as well.

b.) Data Collection

In every respectable organization there is some set of policies and procedures. Those need to be identified for compliance purposes. In reality, almost one-fourth of the defensive capabilities corporations have in place fail to meet the minimum security standards. In the opinion of Art Gilliland, senior vice president of the security products unit at Hewlett-Packard, “[t]he reason for that is that they were often pushing to meet a policy – checkboxing for compliance.”

Amassing detailed information about real cyber incidents (e.g., URLs to malicious links, phishing email headers and content, and uncovered hostile Command and Control (C2) infrastructure of domain names and IP addresses) is the first step. The focus should fall on targeted threats that actually exist, and the scope settings need to filter out those perceived as threats but not real, which can merely distract attention from other ongoing security affairs.

An IT analyst must have unrestricted access to data in order to transform it into intelligence. Sources of information are, for example, intrusion incidents, detection system logs, firewall logs, the reverse engineering of malware, open source Internet searches, honeypots, digital forensic analysis, etc. Of course, one source alone cannot provide all of the information needed for a thorough threat analysis, so the analyst should combine multiple data wells seamlessly. Once all corporate policies and procedures are collected, they should be examined to show whether they match the compliance level in the organization. Consequently, logically processing vast amounts of data and thinking critically are qualities that make for a good cyber analysis.
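The combination of data wells described above can be made concrete with a small correlation step: indicators recovered from one source (a honeypot, a phishing email header, reverse-engineered malware) are matched against records from other sources (firewall and IDS logs), so that an internal host touching indicators from several independent sources stands out. The script below is an added example, not the article's or any vendor's code. Every indicator, host name and log line in it is constructed sample data (RFC 5737 test addresses and a `.test` domain, not real IoCs), and both log line formats are assumptions made for the example.

```python
"""Correlate log lines from several sources against a C2 indicator list.

Added example, not the article's code. Every indicator, host and log line
below is constructed sample data (RFC 5737 test addresses, .test domains),
not a real IoC, and both log formats are assumptions."""
import re
from collections import defaultdict

# Constructed indicator set: which intelligence source reported each one.
INDICATORS = {
    "c2.example-bad.test": {"type": "domain", "source": "malware reverse engineering"},
    "203.0.113.77": {"type": "ipv4", "source": "honeypot"},
    "198.51.100.9": {"type": "ipv4", "source": "phishing email header"},
}

# Constructed firewall log lines; the last one is deliberately malformed.
FIREWALL_LOGS = [
    "2019-02-01T10:02:11Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.77 dport=443",
    "2019-02-01T10:05:43Z fw01 ALLOW src=10.0.0.8 dst=192.0.2.10 dport=80",
    "2019-02-01T11:15:02Z fw01 DENY src=10.0.0.5 dst=198.51.100.9 dport=8080",
    "2019-02-01T11:15:03Z fw01 truncated record",
]

# Constructed IDS alert lines (DNS query alerts carry the queried name).
IDS_LOGS = [
    "2019-02-01T10:02:12Z ids01 alert sig=DNS-QUERY host=10.0.0.5 qname=c2.example-bad.test",
    "2019-02-01T10:30:00Z ids01 alert sig=PORTSCAN host=10.0.0.9 qname=-",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) alert sig=(?P<sig>\S+) "
    r"host=(?P<host>\S+) qname=(?P<qname>\S+)$")


def parse_firewall(line):
    """Return the fields of one firewall line, or None if it does not parse."""
    m = FW_RE.match(line)
    return m.groupdict() if m else None


def parse_ids(line):
    """Return the fields of one IDS alert line, or None if it does not parse."""
    m = IDS_RE.match(line)
    return m.groupdict() if m else None


def correlate(fw_lines, ids_lines, indicators):
    """Map each internal host to the indicator contacts observed for it.

    Both sources feed one structure, so a host that touched indicators
    from different intelligence sources is visible at a glance.
    """
    hits = defaultdict(list)
    for line in fw_lines:
        rec = parse_firewall(line)
        if rec is None:
            continue  # skip malformed records instead of aborting the run
        if rec["dst"] in indicators:
            hits[rec["src"]].append({
                "ts": rec["ts"], "indicator": rec["dst"],
                "evidence": "firewall " + rec["action"],
                "source": indicators[rec["dst"]]["source"]})
    for line in ids_lines:
        rec = parse_ids(line)
        if rec is None:
            continue
        if rec["qname"] in indicators:
            hits[rec["host"]].append({
                "ts": rec["ts"], "indicator": rec["qname"],
                "evidence": "ids " + rec["sig"],
                "source": indicators[rec["qname"]]["source"]})
    return dict(hits)


def prioritize(hits):
    """Rank hosts by distinct intelligence sources touched, then by hit count."""
    ranked = [(host, len({h["source"] for h in recs}), len(recs))
              for host, recs in hits.items()]
    ranked.sort(key=lambda row: (row[1], row[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    found = correlate(FIREWALL_LOGS, IDS_LOGS, INDICATORS)
    for host, sources, count in prioritize(found):
        print(f"{host}: {count} indicator contacts across {sources} sources")
        for h in found[host]:
            print(f"  {h['ts']} {h['indicator']} via {h['evidence']} ({h['source']})")
```

Note that a denied firewall connection is kept as evidence just like an allowed one: the block tells the analyst the host tried to reach known infrastructure, which is exactly the kind of signal the policy-compliance view alone would miss.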

c.) Threat/Vulnerability Analysis of Acceptable Risks

Here we test what has been gathered to determine the level of current exposure, and most of all whether the current defences are solid enough to neutralize information threats in terms of availability, confidentiality and integrity. This part should also include an evaluation of whether the existing procedures, policies and security measures are adequate. Vulnerability analysis also encompasses penetration testing, which in turn seeks to acquire, as an adversary would, something valuable like a classified document, code or password.


Figure: When a Cyber Attack Encircles the Rings of Protection

An important remark: threat analysis is a continual process that one should review periodically to ensure that all safeguards work properly. The threat/risk evaluations are to be an integral part of the organization’s overall life cycle.

d.) Mitigation & Anticipation

When all previous steps are completed, a competent security analyst can use this corpus of threat data to group activity patterns of close similarity, attribute each pattern to specific threat actors, promptly implement mitigation measures, and anticipate the emergence of similar cyber attacks in the future.

Threat Analyst and His Assessment Abilities

Based on both the vulnerability and the risk assessment, the analyst proceeds to determine the level of risk within his organization. He further defines what security measures need to be taken and which ineffective ones should be removed. In addition, the analyst should be careful not to push ahead with an overprotective security system, as it may prove unjustifiably costly to the organization.

HP’s Gilliland estimated that roughly 86% of the security budgets available to cyber security teams are spent on warding off malicious attempts at the infiltration stage. Many organizations face the issue of avoiding false positives, an inherent occurrence in the assessment of applications. The best way to mitigate the problem is to ensure that the applications in question are up to date with the latest patches and signatures.

Becoming a strong technical expert is a must. Putting in tons of practice and reading countless security books and blogs is perhaps the right kind of bushido code for mastering your skills: there is no substitute for hard work.

Additionally, the data in hand is often derived from intelligence products. Technical writing skills are necessary, since analysts need to create security reports. Evidently, the ability to interpret security events and read output from security appliances is among the most important skill sets an analyst should possess. At times this ability is not an exact science; it is more like an art, where the person simply has to have a flair for it.

In this line of work, making a correct analysis comes hand in hand with the analyst’s technical knowledge. For instance, a security analyst who does not comprehend routing protocols and infrastructure cannot analyse what happens when a threat actor sends malformed TCP packets to a company’s servers. The same can be said for a situation where the analyst cannot tell the difference between an ineffective zero-day and a zero-day that can inflict real damage.

On the other hand, other people sometimes produce bad analysis that can be misleading. Therefore, the analyst’s ability to distinguish good analysis from bad is critical here, even more important than creating a good product.

3. Methodology

The threat metrics and models included in this part are meant to help characterize specific threats, thereby fulfilling the purpose of threat analysis.

3.1. Threat Metrics

A decent threat measurement can facilitate analysis through improved understanding of how trends and anomalies occur. It can also underscore the imminence of certain types of vulnerabilities and connect the missing dots between threats and potential consequences. In other words, a quality threat measurement can yield accurate results for risk management. Unfortunately, defining and applying threat measures of proper quality is a practice that still lacks maturity and consistency.

The notion “metric” denotes a unit of measure, while “measure” stands for a given hallmark of performance. If we measure some event in a consistent way, using a good metric that is unambiguous and clear as well, the analyst will most likely improve his ability to understand that event (a threat, in our case) and to control, affect and defend against it to a certain extent. And once the fog has thinned somewhat, decision-making based on correct interpretation will be much simpler.

An example of a good quantitative portrayal in cyberspace would be the number of attacks per month. Measured over a long stretch of time, the count of cyber attacks can reveal the adversary’s capability and intent, allowing analysts in turn to calculate the risk properly and allocate the resources needed to cope with it.

3.2. Threat Models

A stand-alone metric is oftentimes insufficient to capture the behavioural characteristics of complex systems or actors. A combination of metrics, the so-called “measurement framework”, might do the job.

A threat (in addition to the definition given at the beginning) is “a malevolent actor, whether an organization or an individual, with a specific political, social, or personal goal and some level of capability and intention to oppose an established government, a private organization, or an accepted social norm.” Whereas “[A] model is a simplified representation of something else.” Consequently, a threat model is a combination of these two definitions – it gives prominence to details relevant to a threat.

Uniform threat models promote consistency and, on the other hand, reduce the negative effects of preconceived notions and personal bias. Furthermore, their success rate improves as time goes by. For that reason, inter alia, the analyst is advised to store threat reports continuously in order to build up a reference database that other experts can use.

Figure: Threat Modeling Process, Sample № 1

Figure: Threat Modeling Process, Sample № 2

3.3. The Generic Threat Matrix

The generic threat matrix uses attributes of a threat that can help the analyst characterize the type of threat based on its overall nature. This kind of characterization allows analysts to describe the threat’s full spectrum without labelling it with preconceived notions. To get a new angle on the matter, we can say that “[t]he matrix is a framework or model for organizing a set of related metrics.” The threat matrix is graduated into levels of magnitude, with each level corresponding to a different kind of threat.

3.3.1. Threat Attributes

A threat attribute is an independent feature of a threat. Normally, there are two major groups of threat attributes:

Commitment Attribute Group

The attributes in this group attest to the willingness of the threat to achieve its goal. A higher level of commitment means that the threat will stop at nothing on its way to the aim. Three attributes exist in this group:

1) Intensity (Question: How far is the threat willing to go?);

2) Stealth (Question: Do we have any confirmed information about the threat?);

3) Time (Question: How much time is the threat willing to invest?).

Resource Attribute Group

The attributes here indicate the amount of resources the threat is capable of deploying. A higher value means that the threat is more sophisticated and may attain its goal more easily. There are also three attributes in the resource family:

1) Technical Personnel (Question: What is the number of individuals a threat is using to further its ends?);

2) Knowledge (Question: What is the level of skill that propels the threat engine?);

3) Access (Question: How good is the threat actor’s ability to compromise and infiltrate a restricted system?).

Figure: “Threat Matrix” Sample
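The six attributes above can be turned into a working matrix by scoring each one on an ordinal scale, summing the commitment and resource groups separately, and mapping the combined score to a level of magnitude. The script below is an added example, not the article's code and not the matrix from Mateski et al. or Goel & Chen: the three-step Low/Medium/High scale, the summing of attribute scores and the four tier bands are assumptions chosen for illustration, and the three threat profiles are constructed, not real actors.

```python
"""Score threats on the six generic threat matrix attributes.

Added example, not the article's code. The Low/Medium/High scale, the
summing of attribute scores and the tier bands are assumptions chosen for
illustration; the threat profiles are constructed, not real actors."""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}          # assumed ordinal scale
COMMITMENT = ("intensity", "stealth", "time")
RESOURCES = ("technical_personnel", "knowledge", "access")

# Assumed tier bands over the combined score (6..18), highest band first.
TIERS = ((15, "Tier 1 (highest)"), (11, "Tier 2"), (8, "Tier 3"), (6, "Tier 4 (lowest)"))


@dataclass(frozen=True)
class ThreatProfile:
    name: str
    intensity: str
    stealth: str
    time: str
    technical_personnel: str
    knowledge: str
    access: str


def attribute_score(profile, attr):
    """Map one attribute's textual level to its numeric score; reject unknown levels."""
    value = getattr(profile, attr).lower()
    if value not in LEVELS:
        raise ValueError(f"{profile.name}: {attr} must be one of {sorted(LEVELS)}, got {value!r}")
    return LEVELS[value]


def group_score(profile, attrs):
    """Sum of one attribute group: 3 (all low) to 9 (all high)."""
    return sum(attribute_score(profile, a) for a in attrs)


def classify(profile):
    """Commitment score, resource score, their total and the resulting tier."""
    commitment = group_score(profile, COMMITMENT)
    resources = group_score(profile, RESOURCES)
    total = commitment + resources
    tier = next(label for floor, label in TIERS if total >= floor)
    return {"commitment": commitment, "resources": resources, "total": total, "tier": tier}


def build_matrix(profiles):
    """Rows of (name, scores), most committed and best-resourced threat first."""
    rows = [(p.name, classify(p)) for p in profiles]
    rows.sort(key=lambda row: row[1]["total"], reverse=True)
    return rows


def render(rows):
    """Plain-text table of the matrix."""
    lines = [f"{'Threat':<28}{'Commit':>7}{'Resrc':>7}{'Total':>7}  Tier"]
    for name, s in rows:
        lines.append(f"{name:<28}{s['commitment']:>7}{s['resources']:>7}{s['total']:>7}  {s['tier']}")
    return "\n".join(lines)


# Constructed sample profiles for illustration only.
SAMPLE_PROFILES = [
    ThreatProfile("Opportunistic script user", "low", "low", "low", "low", "low", "medium"),
    ThreatProfile("Disgruntled insider", "high", "high", "medium", "low", "medium", "high"),
    ThreatProfile("Well-funded external group", "high", "high", "high", "high", "high", "high"),
]

if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_PROFILES)))
```

Keeping the two group scores visible in the output, rather than only the tier, preserves the point of the matrix: an insider with modest resources but high commitment lands in a different place than a well-resourced but indifferent actor with the same total.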

3.4. Attack Vectors

This is the means or road a threat uses to access a device, system or network for the purpose of launching a cyber attack, gathering information, planting malware, etc. In essence, specific vectors use specific, associated attack metrics. Several attack vectors are as follows:

Phishing Attacks

Unsecured Wireless Networks

Removable Media

Mobile Devices

Malicious Web Components

Viruses and Malware

3.5. Target Characteristics

Some targets are more attractive, vulnerable or simply more frequently hit than others. This is just another source of useful information that can be expressed in metrics.

3.6. Attack Trees

Attack trees bring to the table another way to analyze information threats. An attack tree appears as a logical diagram, and it can be used either as a source of metrics or as a separate attack model. It is a structured and hierarchical way to collect and document the potential attacks on a given organization. The tree breaks down the types of attacks threat agents utilize into a reusable representation of security problems that facilitates focused efforts.


Figure: Creating Attack Trees

Benefits of attack trees:

  1. The power of deduction can be harnessed here to bring good results
  2. They provide a transparent and direct mode for analysis of attacks/attackers
  3. They are pliable enough to cover the entire spectrum of attacks and threats in the wild
  4. The data generated can be combined with other threat models
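The deductive power and the reuse of attack trees both come from their structure: a goal at the root, OR nodes where any one child suffices, AND nodes where all children are required, and leaves that carry a metric. The script below is an added example and not the article's code; it models a small tree built from the attack vectors listed in section 3.4, with an assumed relative "cost to the attacker" on each leaf (the numbers are invented for illustration), and uses it the way a defender would: enumerate the complete attack scenarios, find the cheapest one, and compute which single leaf, if closed by a control, raises the attacker's cheapest option the most.

```python
"""Attack tree with OR/AND nodes, scenario enumeration and mitigation impact.

Added example, not the article's code. The tree and the per-leaf cost
values are constructed for illustration and carry no real-world data."""
import math
from dataclasses import dataclass, field
from itertools import product
from typing import List


@dataclass
class Node:
    label: str
    kind: str = "leaf"          # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0           # leaves only: assumed relative effort for the attacker
    mitigated: bool = False     # leaves only: True once a control closes this step
    children: List["Node"] = field(default_factory=list)


def leaf(label, cost):
    return Node(label, "leaf", cost)


def any_of(label, *children):
    return Node(label, "or", children=list(children))


def all_of(label, *children):
    return Node(label, "and", children=list(children))


def cheapest_path(node):
    """Minimum total cost of reaching this node's goal; inf if no path remains."""
    if node.kind == "leaf":
        return math.inf if node.mitigated else node.cost
    costs = [cheapest_path(c) for c in node.children]
    return min(costs) if node.kind == "or" else sum(costs)


def scenarios(node):
    """Every complete attack scenario below this node as (cost, [leaf labels])."""
    if node.kind == "leaf":
        return [] if node.mitigated else [(node.cost, [node.label])]
    if node.kind == "or":
        return [s for c in node.children for s in scenarios(c)]
    combined = []
    for combo in product(*(scenarios(c) for c in node.children)):
        combined.append((sum(cost for cost, _ in combo),
                         [step for _, steps in combo for step in steps]))
    return combined


def leaves(node):
    if node.kind == "leaf":
        yield node
    for child in node.children:
        yield from leaves(child)


def mitigation_impact(root):
    """For each leaf, the cheapest remaining attack if only that leaf were closed."""
    impact = {}
    for lf in leaves(root):
        lf.mitigated = True
        impact[lf.label] = cheapest_path(root)
        lf.mitigated = False
    return impact


def build_sample_tree():
    """Constructed tree using the attack vectors named in the article."""
    return any_of("Obtain a confidential document",
                  leaf("Take a printed copy from an unattended desk", 60),
                  all_of("Read it from the file server",
                         any_of("Obtain valid credentials",
                                leaf("Guess a weak password", 20),
                                leaf("Phish an employee", 30)),
                         any_of("Reach the internal network",
                                leaf("Join an unsecured wireless network", 15),
                                leaf("Plant removable media", 40))))


if __name__ == "__main__":
    root = build_sample_tree()
    for cost, steps in sorted(scenarios(root)):
        print(f"{cost:>4}  {' + '.join(steps)}")
    print("cheapest attack:", cheapest_path(root))
    for label, remaining in sorted(mitigation_impact(root).items(), key=lambda kv: -kv[1]):
        print(f"close '{label}' -> cheapest remaining attack {remaining}")
```

The mitigation ranking is where the tree earns its keep as a decision aid: closing the cheapest leaf is not always the best control, because an AND node only becomes expensive when every one of its cheap branches is closed, while an alternative OR branch (the printed copy here) caps how much any single control can achieve.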

3.7. Attack Frequency

Attack frequency is an indicative metric that can be coupled with data on the type or sophistication of an attack; pairing the attack frequency metric with a vulnerability index is not a bad idea either.
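Sections 3.1 and 3.7 both point at the same two computations: counting attacks per month over a long enough stretch to see the trend and its anomalies, and weighting the frequency per attack vector with a vulnerability index so that resources go where exposure is highest. The script below is an added example, not the article's code. The incident records are constructed (dates and vectors invented for the example, with vectors taken from the list in section 3.4), the per-vector vulnerability index values are assumed, and the anomaly rule (z-score against all earlier months, with a floor on the standard deviation so a flat baseline does not produce spurious alarms) is one reasonable choice, not a standard the article prescribes.

```python
"""Monthly attack frequency, anomaly flagging and frequency x vulnerability pairing.

Added example, not the article's code. INCIDENTS and VULN_INDEX are
constructed sample data with assumed values."""
from collections import Counter
from statistics import mean, pstdev


def _days(month, vector, days):
    """Build constructed incident records (ISO date, attack vector) for one month of 2018."""
    return [("2018-%02d-%02d" % (month, d), vector) for d in days]


INCIDENTS = (
    _days(1, "phishing", (3, 9, 17)) + _days(1, "removable_media", (22,))
    + _days(2, "phishing", (2, 8, 14, 21)) + _days(2, "unsecured_wireless", (27,))
    + _days(3, "phishing", (5, 12, 19, 26)) + _days(3, "removable_media", (30,))
    + _days(4, "phishing", (1, 13)) + _days(4, "malicious_web_component", (24, 29))
    + _days(5, "phishing", (4, 11, 18)) + _days(5, "malicious_web_component", (23, 28))
    + _days(6, "malicious_web_component", range(1, 11)) + _days(6, "phishing", (12, 19, 26))
    + _days(6, "removable_media", (28,))
)

# Assumed vulnerability index per vector, 0 (well covered) to 1 (wide open).
VULN_INDEX = {
    "phishing": 0.5,
    "removable_media": 0.4,
    "unsecured_wireless": 0.7,
    "malicious_web_component": 0.8,
}


def monthly_counts(incidents):
    """Attacks per month (YYYY-MM), in chronological order."""
    counts = Counter(date[:7] for date, _ in incidents)
    return dict(sorted(counts.items()))


def flag_anomalies(counts, z_threshold=2.0, min_baseline=3, std_floor=1.0):
    """Months whose count sits z_threshold deviations above all earlier months.

    The first min_baseline months are never flagged (no trend to compare
    against), and the standard deviation is floored so a near-constant
    baseline cannot turn a one-incident uptick into an alarm.
    """
    months = list(counts)
    flagged = []
    for i, month in enumerate(months):
        baseline = [counts[m] for m in months[:i]]
        if len(baseline) < min_baseline:
            continue
        spread = max(pstdev(baseline), std_floor)
        z = (counts[month] - mean(baseline)) / spread
        if z >= z_threshold:
            flagged.append((month, counts[month], round(z, 2)))
    return flagged


def exposure_by_vector(incidents, vuln_index):
    """(vector, count, count * vulnerability index), highest exposure first."""
    per_vector = Counter(vector for _, vector in incidents)
    scored = [(v, n, round(n * vuln_index[v], 2)) for v, n in per_vector.items()]
    scored.sort(key=lambda row: row[2], reverse=True)
    return scored


if __name__ == "__main__":
    counts = monthly_counts(INCIDENTS)
    for month, n in counts.items():
        print(f"{month}: {'#' * n} ({n})")
    print("anomalous months:", flag_anomalies(counts))
    for vector, n, score in exposure_by_vector(INCIDENTS, VULN_INDEX):
        print(f"{vector:<25} count={n:<3} exposure={score}")
```

In the constructed data the pairing changes the answer: phishing is the most frequent vector, but the malicious web component vector, less frequent yet sitting on the weakest defences, comes out with the highest exposure score, which is the kind of result the article means by coupling frequency with a vulnerability index.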

4. Conclusion: “Final Analysis”

In April 2014, the U.S. DOJ Antitrust Division and the FTC released a joint statement on creating a uniform policy for mutual threat information exchange. This policy has the potential to enhance “the security, availability, integrity, and efficiency of the nation’s information systems” without raising antitrust concerns because “the sharing of cybersecurity information is highly unlikely to lead to a reduction in competition and, consequently, would not be likely to raise antitrust concerns.” So exchanging threat information has been looked upon with a favourable eye, and that should become generally accepted practice for all entities in a particular field. Most of all, organizations should remember that not performing a threat and risk analysis will leave them open to cyber pests that can damage their business for good. Nothing is more detrimental in the world of cyber security than the feeling of invulnerability, or trusting that your lucky star will by all means extend its reach to magically patch up the holes in your system through which threats are waiting to get in.


Reference List

Apple Inc. Risk Assessment and Threat Modeling. Retrieved on 07/08/2014 from

Cyber Squared Inc. Cyber Threat Analysis, not just for the Military. Retrieved on 07/08/2014 from

Goel, S. & Chen, V. (2005). Information Security Risk Analysis – A Matrix-based Approach. Retrieved on 07/08/2014 from

Hughe, J. & Cybenko, G. (2013). Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity. Retrieved on 07/08/2014 from

Hulme, G. (2014). CSOs need to more precisely understand the actual threats facing their organization. The fix? Threat modeling. Retrieved on 07/08/2014 from

Mateski, M., Trevino, C., Veitch, C., Michalski, J., Harris, J., Maruoka, S., Frye, J. (2012). Cyber Threat Metrics. Retrieved on 07/08/2014 from

Microsoft. Threat Modeling Principles. Retrieved on 07/08/2014 from

MSM. Cyber Intelligence Threat Analysis. Retrieved on 07/08/2014 from

Richards, K. (2014). RSA 2014: HP exec says security threat analysis should guide strategy. Retrieved on 07/08/2014 from

SANS Institute (2002). An Overview of Threat and Risk Assessment. Retrieved on 07/08/2014 from

Tripwire Guest Authors (2014). Developing Your Cyber Intelligence Analyst Skills. Retrieved on 07/08/2014 from

White & Case LLP (2014). DOJ & FTC Release Cybersecurity Threat Information Exchange Policy. Retrieved on 07/08/2014 from


Fig. 2 is based on the Figure 5. “The three ingredients necessary and sufficient for cyber-physical vulnerabilities to exist” in Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity by Hughe, J. & Cybenko, G. Retrieved on 07/08/2014 from

Fig. 3 is based on information provided in Threat Modeling Principles by
(Representation of an attack tree paragraph).
Retrieved on 07/08/2014 from

“Threat Matrix” Sample is based on Table 5: Threat Matrix for GE Energy, Wind Division that can be found on page 7 in Information Security Risk Analysis – A Matrix-based Approach by Goel, S. & Chen, V. Retrieved on 07/08/2014 from


Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.
