Module 3: Risk & Planning

Threat Hunting


Threat Hunting for ISO 27001 Risk Assessment

Now that you've identified your assets, it's time to identify the threats that could harm them. Threat identification is a critical component of ISO 27001's risk assessment process (Clause 6.1.2).

What is a Threat?

A threat is any circumstance or event with the potential to adversely impact organizational operations, assets, or individuals through unauthorized access, destruction, disclosure, modification of information, or denial of service.

Threat = Something that could cause harm to your assets

Threat vs. Vulnerability

Don't confuse these two concepts:

  • Threat: The potential cause of an incident (e.g., hacker, fire, disgruntled employee)
  • Vulnerability: A weakness that can be exploited by a threat (e.g., unpatched software, no fire suppression, weak access controls)

Example:

  • Threat: Cybercriminal
  • Vulnerability: Weak passwords
  • Risk: Unauthorized access to customer database

Threat Categories

ISO 27001 requires you to consider various threat types. Here's a comprehensive categorization:

1. Deliberate/Intentional Threats

External Malicious Actors:

  • Cybercriminals - Financially motivated attackers seeking ransom or data theft
  • Hacktivists - Ideologically motivated groups targeting specific organizations
  • State-sponsored actors - Nation-state attackers conducting espionage or sabotage
  • Competitors - Industrial espionage and theft of intellectual property
  • Script kiddies - Unskilled attackers using existing tools for recognition

Internal Malicious Actors:

  • Disgruntled employees - Current staff seeking revenge or financial gain
  • Negligent insiders - Careless employees causing security incidents
  • Compromised accounts - Legitimate users with stolen credentials
  • Third-party contractors - External personnel with internal access

Specific Attack Types:

  • Malware (ransomware, trojans, worms, spyware)
  • Phishing and social engineering
  • SQL injection and code injection
  • Denial of Service (DoS/DDoS)
  • Man-in-the-middle attacks
  • Zero-day exploits
  • Supply chain attacks

2. Accidental/Unintentional Threats

Human Error:

  • Misconfiguration of security controls
  • Accidental data deletion
  • Sending sensitive information to wrong recipient
  • Improper disposal of confidential documents
  • Password sharing or writing down passwords
  • Falling victim to social engineering
  • Installing unauthorized software

Operational Failures:

  • System crashes and failures
  • Software bugs and errors
  • Database corruption
  • Backup failures
  • Configuration drift
  • Capacity overload

3. Environmental Threats

Natural Disasters:

  • Fire
  • Flooding
  • Earthquakes
  • Severe weather (hurricanes, tornadoes)
  • Lightning strikes
  • Extreme temperatures

Infrastructure Failures:

  • Power outages
  • HVAC failures
  • Water damage (pipes, sprinklers)
  • Building structural issues
  • Environmental contamination

4. Technical Threats

Hardware:

  • Equipment failure
  • Hard drive crashes
  • Network equipment malfunction
  • End of life/obsolescence
  • Physical theft of devices

Software:

  • Application vulnerabilities
  • Operating system flaws
  • Unpatched systems
  • License expiration
  • Incompatibility issues

Network:

  • Bandwidth saturation
  • Network segmentation failures
  • DNS hijacking
  • Wireless interception
  • Routing errors

5. Third-Party/Supply Chain Threats

  • Cloud service provider outages
  • Vendor bankruptcy or acquisition
  • Supplier security breaches
  • Outsourced service failures
  • Software supply chain attacks
  • Dependency vulnerabilities

6. Legal and Compliance Threats

  • Regulatory changes
  • New privacy laws
  • Contractual violations
  • Intellectual property disputes
  • Litigation
  • Audit failures

Threat Identification Methodology

Step 1: Review Historical Data

Look at your organization's history:

  • Previous security incidents
  • Help desk tickets
  • System logs and alerts
  • Insurance claims
  • Industry incident reports

Questions to ask:

  • What has happened to us before?
  • What incidents have our competitors experienced?
  • What's happening in our industry?

Step 2: Conduct Threat Workshops

Bring together stakeholders:

  • IT security team
  • System administrators
  • Business unit managers
  • Risk management
  • Physical security
  • Legal and compliance

Workshop Activities:

  • Brainstorm potential threats
  • Review industry threat intelligence
  • Analyze recent news and incidents
  • Consider emerging threats

Step 3: Use Threat Intelligence Sources

Industry Resources:

  • CERT advisories and alerts
  • NIST National Vulnerability Database
  • MITRE ATT&CK framework
  • Industry-specific ISACs (Information Sharing and Analysis Centers)
  • Vendor security bulletins
  • Threat intelligence feeds

Public Sources:

  • News media
  • Security blogs and forums
  • Conference presentations
  • Research papers
  • Social media

Step 4: Asset-Based Threat Mapping

For each asset in your inventory, consider the threats to each security property (confidentiality, integrity, availability):

Asset             | Threats to Confidentiality              | Threats to Integrity                     | Threats to Availability
------------------|-----------------------------------------|------------------------------------------|-----------------------------------
Customer Database | Hacking, insider theft, backup theft    | SQL injection, unauthorized modification | DDoS, hardware failure, ransomware
Email System      | Email interception, account compromise  | Email spoofing, malware injection        | Server downtime, spam floods
Office Building   | Physical intrusion, tailgating          | -                                        | Fire, flood, power outage

Step 5: Threat Actor Profiling

Consider who might want to harm your organization:

For each threat actor:

  • Motivation: Why would they target you? (Financial, political, revenge, competition)
  • Capability: What skills and resources do they have? (Low, Medium, High)
  • Opportunity: How easy is it for them to attack? (Accessibility, vulnerabilities)
  • Intent: How likely are they to attack? (Historical behavior, current environment)

Example Profile:

Threat Actor: Cybercriminal Groups

  • Motivation: Financial gain through ransomware or data theft
  • Capability: High - sophisticated tools and techniques
  • Opportunity: Medium - we have remote access but MFA is implemented
  • Intent: High - our industry is frequently targeted

Threat Assessment Worksheet

Use this template to document threats:

Threat ID | Threat Name         | Category      | Description                   | Threat Source           | Affected Assets         | Likelihood | Impact
----------|---------------------|---------------|-------------------------------|-------------------------|-------------------------|------------|---------
THR-001   | Ransomware Attack   | Deliberate    | Malicious encryption of files | External cybercriminals | File servers, databases | High       | Critical
THR-002   | Power Outage        | Environmental | Loss of electrical power      | Infrastructure failure  | Data center             | Medium     | High
THR-003   | Phishing Attack     | Deliberate    | Social engineering via email  | External attackers      | Employee accounts       | High       | High
THR-004   | Accidental Deletion | Accidental    | Unintentional data loss       | Employees               | All data assets         | Medium     | Medium

Likelihood Assessment

Rate how likely each threat is to occur:

  • Very Low (1): May occur only in exceptional circumstances (< 1% annually)
  • Low (2): Could occur at some time (1-10% annually)
  • Medium (3): Might occur at some time (10-50% annually)
  • High (4): Will probably occur in most circumstances (50-90% annually)
  • Very High (5): Expected to occur frequently (> 90% annually)

Consider:

  • Historical frequency
  • Industry trends
  • Current controls
  • Threat actor motivation and capability
  • Environmental factors

Impact Assessment

For each threat, assess the potential impact if it were to occur:

  • Negligible (1): Minimal impact, easily managed
  • Minor (2): Limited impact, manageable with existing resources
  • Moderate (3): Significant impact, requires additional resources
  • Major (4): Severe impact, major disruption to operations
  • Catastrophic (5): Could threaten organizational survival

Impact Dimensions:

  • Financial loss
  • Reputational damage
  • Operational disruption
  • Legal and regulatory consequences
  • Customer impact
  • Employee safety

Emerging Threats to Consider

Stay aware of the evolving threat landscape:

Technology Evolution:

  • AI-powered attacks
  • Deepfakes and synthetic media
  • IoT vulnerabilities
  • Cloud misconfigurations
  • 5G network risks
  • Quantum computing threats to encryption

Geopolitical:

  • Cyber warfare
  • Trade restrictions
  • Supply chain disruptions
  • Regional conflicts affecting infrastructure

Social/Economic:

  • Remote work security challenges
  • Economic downturns increasing insider threats
  • Talent shortages affecting security posture
  • Disinformation campaigns

Common Mistakes in Threat Identification

Too Generic:

  • "Cyber attack" - Be specific: ransomware, phishing, DDoS, etc.
  • "Natural disaster" - Specify: flood, fire, earthquake

Focusing Only on Technical Threats:

  • Don't ignore physical, environmental, and human threats
  • Business threats are just as important as IT threats

Ignoring Insider Threats:

  • Both malicious and accidental insider actions
  • Third-party contractors and vendors

One-Time Activity:

  • Threat landscape constantly evolves
  • Schedule regular threat intelligence reviews
  • Update after significant incidents

Not Involving the Right People:

  • IT can't identify all threats alone
  • Involve business units, facilities, HR, legal

Practical Exercise: Threat Hunting Worksheet

Complete this exercise:

  1. Select 5 critical assets from your asset inventory

  2. For each asset, identify:

    • 3 deliberate threats
    • 2 accidental threats
    • 2 environmental threats

  3. Document each threat:

    • Clear description
    • Threat source
    • Potential impact on CIA
    • Initial likelihood estimate

  4. Identify your top 10 threats across all assets based on:

    • Likelihood of occurrence
    • Potential business impact
    • Current control gaps

  5. Create action items:

    • Which threats need immediate attention?
    • What additional information is needed?
    • Who should be consulted?
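The following is an added example, not part of the course material: a small threat register that holds the worksheet's four sample threats, scores each on the lesson's 1-5 likelihood and impact scales, rejects entries that fall into the "Too Generic" mistake, and ranks the rest for exercise step 4 (top threats by likelihood and impact). The label-to-score mappings, the treatment of the worksheet's "Critical" impact as 5, and the priority formula (likelihood x impact) are assumptions made here, not something ISO 27001 prescribes.

```python
# Added example (not from the course): a small threat register that scores the
# worksheet's sample threats on the lesson's 1-5 likelihood and impact scales and
# ranks them for the "top 10 threats" step. Mappings and the priority formula
# (likelihood x impact) are assumptions made here, not prescribed by ISO 27001.
from dataclasses import dataclass

LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
# Assumption: the worksheet's Low/Medium/High/Critical impact labels map onto the
# Negligible..Catastrophic scale as shown (Critical is treated as 5).
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5,
          "low": 2, "medium": 3, "high": 4, "critical": 5}
# Names the lesson calls out as too generic to be useful in a register.
GENERIC_NAMES = {"cyber attack", "natural disaster"}

@dataclass
class Threat:
    threat_id: str
    name: str
    source: str
    assets: list
    likelihood: str
    impact: str

    def score(self) -> int:
        """Priority on a 1-25 scale: likelihood rating times impact rating."""
        return LIKELIHOOD[self.likelihood.lower()] * IMPACT[self.impact.lower()]

def validate(threat: Threat) -> list:
    """Return quality problems with an entry; an empty list means it is usable."""
    problems = []
    if threat.name.lower() in GENERIC_NAMES:
        problems.append(f"{threat.threat_id}: '{threat.name}' is too generic")
    if threat.likelihood.lower() not in LIKELIHOOD:
        problems.append(f"{threat.threat_id}: unknown likelihood '{threat.likelihood}'")
    if threat.impact.lower() not in IMPACT:
        problems.append(f"{threat.threat_id}: unknown impact '{threat.impact}'")
    return problems

def rank(threats: list, top_n: int = 10) -> list:
    """Valid entries only, highest score first; ties broken by ID for stable output."""
    valid = [t for t in threats if not validate(t)]
    return sorted(valid, key=lambda t: (-t.score(), t.threat_id))[:top_n]

# Sample register transcribed from the lesson's worksheet table.
REGISTER = [
    Threat("THR-001", "Ransomware Attack", "External cybercriminals", ["File servers", "databases"], "High", "Critical"),
    Threat("THR-002", "Power Outage", "Infrastructure failure", ["Data center"], "Medium", "High"),
    Threat("THR-003", "Phishing Attack", "External attackers", ["Employee accounts"], "High", "High"),
    Threat("THR-004", "Accidental Deletion", "Employees", ["All data assets"], "Medium", "Medium"),
]
```

Running rank(REGISTER) orders the sample entries THR-001 (20), THR-003 (16), THR-002 (12), THR-004 (9); entries that fail validate() are dropped from the ranking rather than scored.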

Integration with Risk Assessment

Threat identification feeds into your risk calculation:

Risk = Asset Value x Threat x Vulnerability

  • You've identified your Assets (previous lesson)
  • You've identified your Threats (this lesson)
  • Next: Identify Vulnerabilities and calculate risk levels

Resources and Tools

Threat Intelligence Platforms:

  • MITRE ATT&CK framework
  • NIST Cybersecurity Framework
  • OWASP Top 10
  • SANS threat intelligence
  • Vendor threat reports (Microsoft, Cisco, etc.)

Industry Resources:

  • Your industry's ISAC
  • Sector-specific threat briefings
  • Regulatory body warnings
  • Professional associations

Next Lesson: Design your Risk Matrix to evaluate and prioritize the threats you've identified.
