Full Report
Interesting post by Michael Dahn at pcianswers.com discussed (again) the difference between compliance and security. Do you know the joke about the difference between a canary? Apparently, its one leg is the same. Well, according to the post, the difference between compliance and security is… there is no spoon. I’m sounding facetious, but the post is actually not bad. But actually, there was another part of the post that caught my eye. It’s the comments about ‘Attack Vector based Risk Management’ or ‘AVRM’. Not much is said about this except:
Analysis Summary
# Best Practices: Attack Vector Based Risk Management (AVRM)
## Overview
These practices focus on shifting security strategy from purely meeting compliance checklists to actively managing risk based on the current, evolving threat landscape. This involves deeply understanding how adversaries attack specific environments ("Attack Vectors") to prioritize highly effective and economically feasible defenses.
## Key Recommendations
### Immediate Actions
1. **Assess Current Threat Landscape:** Immediately catalog known, active attack techniques relevant to your industry and technology stack (e.g., recent phishing campaigns, trending vulnerability exploits).
2. **Identify Primary Attack Vectors:** Conduct a rapid internal assessment to determine the 3-5 most plausible, high-impact ways an attacker could currently compromise your critical assets (this maps directly to the "car theft" analogy).
3. **Review Control Mapping:** Do a quick review to see which current security controls directly mitigate the identified high-priority attack vectors, and flag gaps where compliance controls are not addressing active external threats.
### Short-term Improvements (1-3 months)
1. **Implement Continuous Threat Monitoring:** Establish an ongoing process to monitor threat intelligence feeds specific to your sector, moving beyond annual or point-in-time audits.
2. **Prioritize Defense by Vector:** Reallocate resources (budget, staff time) to enhance controls that directly block the most likely attack vectors identified in the immediate phase, rather than merely fulfilling low-risk compliance requirements.
3. **Develop "Bad Guy" Narratives:** Create simple threat scenarios (e.g., "Attacker X uses technique Y to gain initial access via Vector Z") to socialize and prioritize remediation efforts with management.
### Long-term Strategy (3+ months)
1. **Integrate Attack Vector Analysis into SDLC/Procurement:** Mandate that the threat modeling derived from AVRM feeds directly into the Secure Software Development Lifecycle (SDLC) and the procurement process for new technologies.
2. **Establish Ongoing Review and Maintenance Cycle:** Institutionalize an internal, recurring process for risk review and control maintenance that replaces reliance on external, point-in-time compliance assessments.
3. **Adopt Corporate Threat Modeling (CTM):** Formally adopt structured threat modeling frameworks (similar to SensePost's CTM concept) to consistently evaluate systems against adversary motivations and methods.
## Implementation Guidance
### For Small Organizations
- **Scrap Non-Essential Compliance Checks:** Focus resources exclusively on controls that directly protect the most critical assets against currently exploited vectors.
- **Leverage Cloud/Vendor Security:** Prioritize configurations that utilize built-in security features from cloud providers or SaaS vendors, as these are often better maintained against evolving threats than self-managed legacy systems.
### For Medium Organizations
- **Dedicated Vector Review Time:** Allocate specific weekly time slots for security personnel to research and analyze recent attack trends relevant to their specific tech stack.
- **Internal Validation:** Begin using "ethical hacking" or internal penetration testing focused *specifically* on confirming if the top 3 attack vectors are actually blocked by current defenses.
### For Large Enterprises
- **Formalize CTM Program:** Establish a formal Corporate Threat Modeling program integrated across engineering, operations, and security teams.
- **Automate Contextual Reporting:** Develop dashboards that map security control effectiveness directly against a centralized, evolving list of relevant attack vectors, replacing generic audit scorecards.
- **Budget Allocation Review:** Institute an annual review where budgets for security maintenance are justified based on the mitigation effectiveness against current, known attack patterns, not just historical audit findings.
## Configuration Examples
*None explicitly detailed in the source text, as the advice is strategic rather than technical. Implementation requires applying existing security standards (like hardening guides or MFA implementation) specifically to the identified vectors.*
## Compliance Alignment
This approach is framework-agnostic but aligns philosophically with the continuous improvement mandate found in modern standards:
- **NIST Cybersecurity Framework (CSF):** Strong emphasis on the **Identify** (Threat Landscape understanding) and **Protect** (prioritization based on risk) functions.
- **ISO 27001/27002:** Supports the principle of risk assessment driving the selection and implementation of controls, moving beyond minimum baseline requirements.
- **PCI DSS Context:** Highlights the need to move beyond point-in-time QSA assessments toward an *ongoing process of review and maintenance*.
## Common Pitfalls to Avoid
- **Confusing Compliance with Security:** Assuming that achieving certification means risks from current, evolving threats are adequately managed.
- **Defense-in-Depth without Context:** Building overly complex, expensive, or redundant defenses against theoretical threats while ignoring a known, easily exploitable vector (like the analogy of locking the doors when car theft is the real issue).
- **Static Risk Assessments:** Allowing the threat landscape analysis to become an annual activity; AVRM requires continuous adjustment based on attacker evolution.
## Resources
- **SensePost CTM Slides (Defanged Link):** Referencing the concept of Corporate Threat Modeling for developing adversary pattern understanding: `http://www.sensepost.com/research/ctm/CSI_NetSec07_Corp_Threat_Model_publish_1.ppt.zip`
- **External Threat Intelligence Feeds:** Utilizing industry-specific threat feeds to stay current on active attack patterns.