Observatory

When dealing with decision-making around cybersecurity issues, most of the business leaders face a difficult challenge : they struggle to find a reliable source of information that would help them to assess the requests they are getting from their technical teams or specialists. The two main sources of information are indeed strongly biased :

• On the one hand, the mainstream media are in the attention business and will broadcast content that gets the public's attention. This may lead to the most relevant information being left in the shadows.
• On the other hand, security vendors are going to push information supporting their business proposition. This is perfectly legitimate, but not too helpful when trying to assess in the most neutral way what the most critical security gaps to be covered for a given organisation are.

The purpose of NC3 Observatory is to provide elements of information with as much neutrality and reliability as possible, while being focused on cybersecurity threats from an organisation's perspective. Called the "Threat Observatory Platform" (T.O.P.), it aims to support its users with evidence-based information on emerging threats, in order to facilitate their decision-making processes regarding the prevention strategies to be undertaken. NC3 TOP collects evidence on cyber risks and trends, and uses various models and benchmarking to provide organisations with insights into how they may be exposed to existing or emerging types of threats.

The observatory collects and exploits available IT technical information from various sources. It started with the data available in the MISP instance of the private sector in Luxembourg. It will extend to other feeds as the platform grows and gets feedback from its users' community. In order to transform the original data into digested and actionable insights for users, a formalised risk characterisation model was build, focused on the victim's perspective. By doing so, it contributes to raise the awareness of economic actors on cyber threats, and provides sound information using an understandable language while avoiding technical jargon.

The model can be interpreted by considering two different dimensions:

1. The hazard and threat dimension, which describes the elements that constitute the attack process; it consists of an agent, an offensive means (e.g., an artefact, a specific technique) and a transfer mode used to exploit or to implement the threat;
2. The victim dimension, which describes the elements that characterise the processes that may lead to an impact; it describes how the attacker can reach (Internal Transfer Pathway) the IT target and can generate an impact (e.g. theft of sensitive data).

The two dimensions have one element in common, i.e. the point of access. This element can be an IT system, a piece of hardware, or any other type of item that can establish a functional connection between the threat agent and the victim. This entry point is characterised by a vulnerability (e.g a flaw, a backdoor, etc.) which enables the attacker to penetrate the cybersecurity perimeter of the victim. The last element of the proposed conceptual model considers the nature of the IT impact, i.e., the gained value for the attacker and the loss for the victim. There are various threats and attack modes that differ in their level of complexity and purpose. The objective of the Observatory is to interpret and reduce this complexity in order to provide information that can be used by end users according to a simple and unambiguous interpretation scheme. One of the first instruments defined by the Observatory to disseminate information about emerging threats and risks is the NC3 Threat Observatory Platform bulletin.