Sourcing a threat assessment
Service delivery teams should be aware of the potential threat actors who may try to harm your organisation as well as their motivation, intentions and capabilities.
Many organisations will have a threat assessment that applies to the whole organisation which should be used to inform your own digital service level assessment. Before commissioning your own, explore whether there is a recent threat assessment available within your organisation to use as your starting point, or if there is an internal specialist team that can perform one. Any existing organisation threat assessment may need to be adapted to take into account new threats identified for your service.
The threat landscape is constantly changing and increasingly capable threat actors are likely to target government services. Sourcing a threat assessment will allow you to:
- understand and assess the threat actors aiming to compromise your assets and disrupt your service
- focus your defences so you can implement and iterate proportional security measures
- identify threat actor tactics, techniques and procedures (TTPs) as part of threat modelling so you can design appropriate security controls
It’s highly recommended to have a threat assessment before you perform threat modelling or carry out a risk assessment.
It should be sourced during the discovery or alpha phases of the service delivery lifecycle and reviewed whenever there are updates to the service that have security implications.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to adopt a risk-driven approach.
Who is involved
This is an activity performed by specialists from outside your delivery team.
The commissioning and distribution of the threat assessment should be led by your programme manager with support from the Senior Responsible Officer (SRO), service owner and technical security professionals within your team.
How to source a threat assessment
Step 1: Understand what a threat assessment is
A threat assessment involves research into potential threat actors using Cyber Threat Intelligence (CTI).
This is a task undertaken by trained security professionals who understand the latest cyber security landscape and collaborate on platforms such as the Cyber Security Information Sharing Partnership (CISP).
Some of this research (such as National Cyber Security Centre (NCSC) threat reports) is publicly available, giving service delivery teams enough information to make an informed judgement about the type of threats that could face their service. However, this information should not replace the need for your own threat assessment.
The resources listed at the end of this activity provide information for senior leaders and delivery teams to help them understand how CTI is sourced and used.
Step 2: Appoint a specialist threat analyst
This step should only be followed if there is no recent threat assessment available from your organisation and no internal specialist team who can provide one for your service. If you can source one from within your organisation, move on to step 3.
You could appoint threat analysts from the National Cyber Security Centre (NCSC), National Protective Security Authority (NPSA) or a private sector CTI provider to complete a threat assessment specific to your organisation and service.
When sourcing an appropriate provider check that their processes include:
- intelligence gathered from reputable sources
- their own reconnaissance about the organisation, team and service
- investigating the history of previous attacks on the organisation, or similar organisations
- research into the type and sensitivity of data handled by the service
Step 3: Tailor your threat assessment
Whether you’ve sourced a threat assessment from inside or outside your organisation, the outcome should be a report that includes a list of potential threat actors that might want to harm your organisation, such as investigative journalists, hacktivists, cyber criminals, disgruntled employees or organised criminals.
The report should include threat ratings (from very low to very high) for each actor and details on their:
- threat type – malicious and intentional, or accidental and unintentional
- motivation – for example, financial gain or ideological causes
- intent – for example, gaining unauthorised access to data
- capability – for example, malware development or data exfiltration
Review this information, considering how each threat applies to specific areas of your service. If there are elements that may have implications on your organisation’s overall threat profile, feed this information to your Chief Information Security Officer (CISO) and security advisors so they can adapt their assessment and integrate the information into their strategic plans.
This information should be considered a sensitive asset and only shared with those who are required to use it. This may include:
- the people within your service responsible for performing threat modelling and carrying out risk assessments
- senior leaders such as your CISO and Senior Security Adviser (SSA) who are responsible for deciding on appropriate responses to security risks
Threat briefings should be delivered when the initial threat assessment has been produced and whenever there are significant updates that require attention.