Organizations have widely adopted the Crown Jewels concept in their efforts to build cost-effective cybersecurity strategies and plans in the ever-growing world of risks and challenges. However, the Crown Jewels concept could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack. It is time for the adoption of new concepts and new methodologies.
In this post, we will look into the process of Crown Jewels Analysis, what it lacks, and how it can be fixed to address current and future challenges.
Crown Jewels Analysis (CJA) is a process for identifying the digital assets that are critical to the accomplishment of the missions of an organization and that if compromised, would have a major business impact.
The Crown Jewels Analysis is often viewed as the first step in the process of building a comprehensive cybersecurity plan for an organization. It is usually followed by an analysis of the threats that adversaries may pose to the assets identified as crown jewels, and the selection and implementation of the most appropriate methods for protecting them.
As it is practically impossible to protect every component of an organization’s IT infrastructure against a possible cyber-attack, the identification of the most important components seems to be the most logical thing to do in order to help the cybersecurity teams focus their (rather limited) efforts and resources in an effective and efficient manner.
But is it so?
Let us look at a specific digital asset that can be found in almost every organization: a system administrator’s computer. System administrators (aka sys-admins) keep computer networks in order. To do that efficiently, they need to have very good visibility of the organization’s IT infrastructure.
From an attacker’s point of view, a sys-admin’s computer could provide invaluable information, including high privileged access credentials, network maps, business correspondence, cybersecurity architectures, software and hardware inventories, business correspondence and more.
It would be reasonable to assume that, at least for some cases, cyber attackers will tend to “gravitate” towards sys-admin computers as they attempt to gain access to an organization’s crown jewels. A Sys-admin computer can, therefore, be considered as a central asset in the attacker’s critical pathway towards the organization’s crown jewels.
A Crown Jewels Analysis, however, will rarely identify a sys-admin’s computer as part of the crown jewels set of an organization, and rightly so: defining these types of assets as “critical to the accomplishment of the missions of the organization” requires a very broad, rather impractical, interpretation of the crown jewels concept.
The debate on whether or not a certain digital asset is a crown jewel is not purely theoretical. As described above, this definition determines the level of attention that cybersecurity teams will pay to protecting these assets, and not others, against cyber-attacks.
A cybersecurity team implementing only Crown Jewels Analysis could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack, by failing to prioritize assets in the critical pathways: the digital assets that, although not crown jewels, are attractive for attackers as they have a critical role in their operational plan to compromise the crown jewel. Sys-admin computers are just an illustrative example of these unique types of assets.
CJA is a fundamental phase in building an organization’s cybersecurity posture — but it is not sufficient. Organizations should also be able to identify critical pathways and digital assets with high probability of being compromised by cyber attackers on their path to the “crown jewels”.
Identifying these “gravitational” nodes requires not only an in-depth understanding of an organization’s digital landscape (including its “crown jewels”), but also a deep understanding of the threat landscape and the attacker’s mindset, modus operandi and TTPs.
By combining the defender’s perspective and the attacker’s analysis of the organization, these “gravitational” nodes (“Centers of Gravity” or CoGs) are revealed. Identifying the CoGs reduces blind spots and improves the CISO’s ability to develop a thorough security strategy that fits the current and future challenges.
Let me know what you think of the CoG concept.
In an upcoming blog series, I will elaborate on the CoG approach and describe the methodology for identifying these assets.