We're proud to be named a 2024 Publisher's Choice winner!

We're an RSA Conference 2024 Innovation Sandbox Finalist!

Organizations have widely adopted the Crown Jewels concept in their efforts to build cost-effective cybersecurity strategies and plans in the ever-growing world of risks and challenges. However, the Crown Jewels concept could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack. It is time for the adoption of new concepts and new methodologies.

In this post, we will look into the process of Crown Jewels Analysis, what it lacks, and how it can be fixed to address current and future challenges.

Crown Jewels Analysis

Crown Jewels Analysis (CJA) is a process for identifying the digital assets that are critical to the accomplishment of the missions of an organization and that if compromised, would have a major business impact.

The Crown Jewels Analysis is often viewed as the first step in the process of building a comprehensive cybersecurity plan for an organization. It is usually followed by an analysis of the threats that adversaries may pose to the assets identified as crown jewels, and the selection and implementation of the most appropriate methods for protecting them.

As it is practically impossible to protect every component of an organization’s IT infrastructure against a possible cyber-attack, the identification of the most important components seems to be the most logical thing to do in order to help the cybersecurity teams focus their (rather limited) efforts and resources in an effective and efficient manner.

But is it so?

Critical Asset Vs. Critical Pathway

Let us look at a specific digital asset that can be found in almost every organization: a system administrator’s computer. System administrators (aka sys-admins) keep computer networks in order. To do that efficiently, they need to have very good visibility of the organization’s IT infrastructure.

From an attacker’s point of view, a sys-admin’s computer could provide invaluable information, including high privileged access credentials, network maps, business correspondence, cybersecurity architectures, software and hardware inventories, business correspondence and more.

It would be reasonable to assume that, at least for some cases, cyber attackers will tend to “gravitate” towards sys-admin computers as they attempt to gain access to an organization’s crown jewels. A Sys-admin computer can, therefore, be considered as a central asset in the attacker’s critical pathway towards the organization’s crown jewels.

A Crown Jewels Analysis, however, will rarely identify a sys-admin’s computer as part of the crown jewels set of an organization, and rightly so: defining these types of assets as “critical to the accomplishment of the missions of the organization” requires a very broad, rather impractical, interpretation of the crown jewels concept.

The debate on whether or not a certain digital asset is a crown jewel is not purely theoretical. As described above, this definition determines the level of attention that cybersecurity teams will pay to protecting these assets, and not others, against cyber-attacks.

A cybersecurity team implementing only Crown Jewels Analysis could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack, by failing to prioritize assets in the critical pathways: the digital assets that, although not crown jewels, are attractive for attackers as they have a critical role in their operational plan to compromise the crown jewel. Sys-admin computers are just an illustrative example of these unique types of assets.

From Crown Jewels to Centers of Gravity

CJA is a fundamental phase in building an organization’s cybersecurity posture — but it is not sufficient. Organizations should also be able to identify critical pathways and digital assets with high probability of being compromised by cyber attackers on their path to the “crown jewels”.

Identifying these “gravitational” nodes requires not only an in-depth understanding of an organization’s digital landscape (including its “crown jewels”), but also a deep understanding of the threat landscape and the attacker’s mindset, modus operandi and TTPs.

By combining the defender’s perspective and the attacker’s analysis of the organization, these “gravitational” nodes (“Centers of Gravity” or CoGs) are revealed. Identifying the CoGs reduces blind spots and improves the CISO’s ability to develop a thorough security strategy that fits the current and future challenges.

Let me know what you think of the CoG concept.

Whitepaper: The 9 Fundamental Ways Incident Response Is Different in the Cloud


May 3, 2024

Don't miss these stories:

Mitiga Wins Global InfoSec Award for Cloud Threat Detection Investigation & Response (TDIR)

We’re proud to report that at the open of today’s RSAC24, Mitiga was awarded the Publisher's Choice Cloud Threat Detection Investigation & Response (TDIR) from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.

Here's Why Traditional Incident Response Doesn’t Work in the Cloud

Traditional incident response (IR) learned from on-premises investigations doesn’t work in the cloud. Today's threat actors are finding misconfigurations and vulnerabilities to allow them to penetrate cloud environments.

Why Did AWS Replace My Role’s ARN with a Unique ID in My Policy?

After several years of working with AWS, IAM remains one of the most frequently used services in my daily routine. Yet, despite my familiarity with it, a recent production incident taught me that there’s always more to learn.