First version of the TRI Threat Risk Index

2024-12-03 15:37:15 +00:00 · 2016-05-11 08:01:29 +02:00 · 2016-05-11 08:01:29 +02:00 · 2f92675808
commit 2f92675808
4 changed files with 158 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,52 @@
+Threats Risk Index (TRI)
+------------------------
+
+**Work in progress**
+
+Threats Risk Index (TRI) is a different way to calculate risks in information security. As we have seen that a lot of risks model based on
+generic cases, we wanted to create a risk evaluation which is based on current existing threats. The model of calculation is based on a simple way to sum the measures not implemented.
+
+Threats Risk Index = (Threat probability) * (1+SUM(recommendations not implemented))
+
+threats
+=======
+
+Threats file is a list of known and seen threats in a specific region by a CSIRT or any organization capables of analysis security incidents. The threat is defined by a simple description and id. Probability values are assigned per region (country-code) and defined on the overall probability of an incident to occur among the overall set of incidents seen. The probability value is a float (from 0 to 1). As the probability depends on the organization doing the analysis, it could be really scoped to their view on threats. Multiple threats and their respective probability can be combined from various sources in a sum. If a threat is no more seen or actively exploited by an attacker, it should be removed from the list.
+
+[Current threats](./desc/threats.json)
+
+recommendations
+===============
+
+Recommendations file is a list of known counter-measure implemented that should have at least one positive effect to limit one of the known threats. A recommendation is expressed in a description, a related question and an id.
+
+[Current recommendations](./desc/recommendations.json)
+
+counter-measures
+================
+
+Counter-measure file is a list of the combined recommendations for each known threat. An impact value is associated to each recommendations defining the level of impact if the recommendation is not implemented.
+
+[Current counter-measures](./desc/counter-measures.json)
+
+
+Example
+-------
+
+Cryptoransomware
+================
+
+Backup = 3
+Testing of backup = 4
+Offline backup = 4
+Patching of browser extension = 2
+
+If none of the counter-measures are taken, the following risk can be calculated:
+
+(0.03) (1+3+4+4+2) = .42
+
+If backup are operational but the browser extensions are never patched:
+
+(0.03) (1+2) = .09
+
+
--- a/desc/counter-measures.json
+++ b/desc/counter-measures.json
@ -0,0 +1,48 @@
+{
+  "values": [
+    {
+      "recommendations": [
+        {
+          "value": "system-dedicated",
+          "impact": 4
+        },
+        {
+          "value": "backup-testing",
+          "impact": 1
+        },
+        {
+          "value": "backup-offline",
+          "impact": 1
+        },
+        {
+          "value": "backup",
+          "impact": 1
+        }
+      ],
+      "id": "financialmalware-retailbanking"
+    },
+    {
+      "recommendations": [
+        {
+          "value": "backup",
+          "impact": 3
+        },
+        {
+          "value": "backup-testing",
+          "impact": 4
+        },
+        {
+          "value": "backup-offline",
+          "impact": 4
+        },
+        {
+          "value": "browser-extension-patching",
+          "impact": 2
+        }
+      ],
+      "id": "cryptoransomware"
+    }
+  ],
+  "description": "List of counter-measures against known threats.",
+  "version": 1
+}
--- a/desc/recommendations.json
+++ b/desc/recommendations.json
@ -0,0 +1,31 @@
+{
+  "values": [
+    {
+      "description": "Backup located at an offline location and not being directly from the infrastructure where the backups are performed.",
+      "question": "Are your backup located at an offline location? and remain independant of your backup infrastucture?",
+      "id": "backup-offline"
+    },
+    {
+      "description": "Testing your backup infrastructure to ensure that you can restore the information following a specific retention period.",
+      "question": "Do you regularly test your backup backup infrastructure to ensure that information can be restored following a specific retention period?",
+      "id": "backup-testing"
+    },
+    {
+      "description": "Backup of the information under your responsibility.",
+      "question": "Do you have regular backups of the information under your responsibility?",
+      "id": "backup"
+    },
+    {
+      "description": "Using dedicated and partially disconnected system to perform some core activities.",
+      "question": "Do you use dedicated and partially disconnected system to perform some core activities?",
+      "id": "system-dedicated"
+    },
+    {
+      "description": "Patching and controlling extensions and plugins of the deployed Internet browsers.",
+      "question": "Do you patch and control extensions and plugins of the deployed Internet browsers?",
+      "id": "browser-extension-patching"
+    }
+  ],
+  "description": "List of known recommendations or counter-measures.",
+  "version": 1
+}
--- a/desc/threats.json
+++ b/desc/threats.json
@ -0,0 +1,27 @@
+{
+  "values": [
+    {
+      "probability": {
+        "LU": 0.03
+      },
+      "description": "Cryptographic ransomware encrypting the information of the victim and asking for a ransom.",
+      "id": "cryptoransomware"
+    },
+    {
+      "probability": {
+        "LU": 0.02
+      },
+      "description": "Financial malware targeting banking systems used by businesses.",
+      "id": "financialmalware-business"
+    },
+    {
+      "probability": {
+        "LU": 0.015
+      },
+      "description": "Financial malware targeting retail banking systems.",
+      "id": "financialmalware-retailbanking"
+    }
+  ],
+  "description": "List of known threats",
+  "version": 1
+}