Recently I focused more on the phenomenon of bias and on supporting decision makers to minimize bias in their decisions. I provide a Quadrant Crunching cyber example here to demonstrate that these are things that the BCM manager and the Risk Manager can deliver (together). The example serves only as an academic illustration, not as a thoroughly developed analysis for a logistics organization.

In this contribution I give my own opinion, not that of any organization.
Author: Manu Steens
I recently gave a first introduction to Structured Analytic Techniques for Intelligence Analysis, which can be used in risk analysis exercises and in crisis exercises for decision making.
One question I received was: “Can this also be used in BCM?” The answer was “Yes”. And a promise is a debt, of course. The idea was that Quadrant Crunching is useful for identifying weaknesses of an organization in the face of a threat.
As an example here, I’ll throw in a logistics institution with cyber risks as a threat.
What does the analysis technique “Quadrant Crunching” do
Quadrant Crunching helps the analyst avoid surprises by systematically examining the full range of possible combinations of selected key variables. Those key variables are the “parameters” that make up a hypothesis of a crisis. Thus, the more extensive the set of meaningful combinations, the more extensive the set of possible types of crises.
In this way, Quadrant Crunching greatly broadens the view of possible vulnerabilities and counters such things as tunnel vision, groupthink and recency bias.
When do you use Quadrant Crunching
You use it in very complex and highly ambiguous situations with little data available and with a lot of potential for surprises.
You can use Classic Quadrant Crunching here to generate many possibilities and systematically challenge the assumptions made.
How does the analysis procedure work: The Method
- The starting point is a well-defined “lead hypothesis”: a sentence that describes a crisis with its essential components listed in it. These components answer the questions journalists tend to ask, the ‘Who’, ‘What’, ‘Where’, ‘When’, ‘Why’ and ‘How’ of a ‘STAR’ analysis.
- This lead hypothesis is divided into its components, the “key assumptions” of the lead hypothesis. The key assumptions are further unravelled into key dimensions.
- For each key assumption, the analyst generates two, four or more ‘contrary assumptions’ by varying the assumptions and dimensions of the lead hypothesis.
- Combinations of two contrary dimensions are placed in sets of 2 x 2 matrices with 4 quadrants each. The number of combinations increases rapidly with the number of dimensions, which can make filling in the quadrants a lengthy task.
- Create one or more stories for each quadrant.
- Identify and remove the wrong combinations: combinations that cannot, or can only with difficulty, occur together. For example, a ransomware attack that is simultaneously a wiping attack.
- Select a few stories that deserve the most attention according to a set of predetermined criteria; these will be the most important scenarios. The criteria are framed in terms of what serves the opponent’s goals. If useful, combine a number of stories from different matrices.
- Make a list of indicators for each story.
- Determine and implement measures for the most important stories (scenarios). Determine further measures for when a scenario (story) starts to unfold.
- Monitor the system according to the indicators.
- Determine which scenario is starting as soon as an indicator signals it.
- Notify the decision makers. Decide on further steps.
Illustration using an example
The example used here for illustration is a cyber-attack on a logistics organization, whether in the context of hybrid warfare, by NSAs (Non-State Actors), or otherwise.
The method starts with an initial scenario that is sufficiently well defined. A tool for establishing this first scenario is the STAR method, which focuses on the questions journalists often ask: Who, What, Where, When, Why, How. The “lead hypothesis” assumed in this exercise is:
“A ransomware attack, on the cloud services of the ICT provider (of a logistics organization), carried out by an NSA, against customers in the logistics organization’s supply chain as victims.”
I take out the “of a logistics organization” component because in this case it is always against its own organization. If it were a study regarding all possible organizations, it is possible to keep this component.
When generating a lead hypothesis, it is permissible, even good, to use a recent incident from the news as inspiration.
This base scenario is then unraveled into its components, called key assumptions, as follows:
- a ransomware attack,
- on the cloud services of the ICT supplier,
- carried out by an NSA,
- against customers in the supply chain of the logistics organization as victims
Against each of these key assumptions we now systematically place so-called conflicting assumptions and their dimensions. This increases the number of scenarios very quickly, because one can then freely start combining them. Some possibilities (non-exhaustive list) are:
| First scenario (key assumption) | Conflicting assumption | Dimensions |
|---|---|---|
| A ransomware attack | Other type of attack | DDoS attack; wiping attack; phishing attack; social engineering; data theft; data corruption; Easter eggs; logic bomb; malware attack; rootkit attack; hardware theft; spyware; man-in-the-middle attack; hacking; identity theft; a combination of the above |
| On the cloud services of the ICT supplier | At the organization itself | On the servers at the organization itself (Purchase, Sales, Maintenance, HR, Warehouse, …) (ERP package, distribution, …); on the servers at the organization itself (firewall, monitoring systems, helpdesk, website, …); on the PLC/SCADA systems; on an employee’s laptop (office systems, communication systems, …); on an employee’s smartphone (address book, WhatsApp, Messenger, Teams, photos, …); on an employee’s tablet (office systems, …) |
| | At the internet provider | Attack on their confidentiality; attack on their availability; attack on their integrity; attack on non-repudiation |
| | At the customer | On the servers; on a laptop; at their ICT supplier; at their internet provider |
| | At a commodity supplier | On the servers; on a laptop; at their ICT supplier; at their internet provider; at their software |
| | At banks | On the method of payment; attack on their confidentiality; attack on their availability; attack on their integrity; attack on non-repudiation |
| Carried out by an NSA | By an acquaintance | By an employee; by a consultant; by a visitor; by a relative of an employee; by an action group |
| | By a state actor | By military IT services; by spies; by intelligence services |
| | By unknown persons | By Anonymous; by an unknown cybercriminal collective |
| Against customers in the logistics organization’s supply chain as victims | Damage to customers of customers | The man in the street (B2C customers); firms that ordered from the customer (B2B) |
| | Damage to suppliers of the organization | Payment systems of the organization; communication systems |
| | Against people of the organization | Members of the C-suite or the board |
| | For gaining profit at the expense of the organization | Extortion; theft of finances; intellectual property theft; theft of goods |
Further progression
Plot each possible two-by-two combination of dimensions in a matrix. For each cell in each matrix, give 1 to 3 possible example scenarios. Some quadrants may hold no realistic scenario; you then ignore those. Other quadrants will prompt thought and cause new dynamics to be considered.
Criteria that help evaluate here which scenarios are the most realistic and deserve attention are:
- Maximum damage and maximum impact, i.e. maximum gain for the perpetrator(s).
- Difficult to detect (both the preparation and the execution), or executed rapidly.
- Provides a difficult challenge to address.
Sometimes cells can be taken together. Combining further cells makes many scenarios concrete.
Nightmare story: Wiping of the CAAS (Cloud as a service) by an intelligence services organization.
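The mechanics of the procedure above (generate every 2 x 2 matrix from two key assumptions, discard the wrong combinations, combine cells into full stories and rank them with the three criteria) are small enough to automate, which also shows how quickly the number of matrices grows. The script below is an added example written for this post, not code from the original article; its dimension lists are a constructed subset of the table above, and the incompatibility rule and the per-dimension scores are constructed sample values that an analyst would replace with their own judgement.

```python
"""Quadrant Crunching helper (added example, not part of the original post).

Given the key assumptions of a lead hypothesis, each with a list of
contrary dimensions, it builds every 2 x 2 matrix (two dimensions of one
key assumption on one axis, two of another on the other axis), drops the
"wrong combinations", assembles full stories, and ranks them with the three
criteria from the text (gain for the perpetrator, difficulty of detection,
difficulty to address). Dimension lists, the incompatibility rule and the
scores are constructed sample data, a small subset of the article's table.
"""
from itertools import combinations, product
from typing import Dict, FrozenSet, List, Tuple

Dimension = Tuple[str, str]        # (key assumption, dimension)
Cell = FrozenSet[Dimension]        # one quadrant of a 2 x 2 matrix
Story = Tuple[Dimension, ...]      # one dimension per key assumption

# Constructed subset of the article's conflicting assumptions and dimensions.
KEY_ASSUMPTIONS: Dict[str, List[str]] = {
    "attack type": ["ransomware attack", "wiping attack", "DDoS attack", "data theft"],
    "target": ["cloud services of the ICT supplier", "PLC/SCADA systems",
               "employee laptop", "servers at the organization itself"],
    "actor": ["NSA", "intelligence services", "employee",
              "unknown cybercriminal collective"],
    "victim": ["customers in the supply chain", "members of the C-suite",
               "payment systems of the organization"],
}

# Constructed "wrong combination": a DDoS aimed at one laptop is not a
# meaningful supply-chain scenario, so any cell holding both is discarded.
INCOMPATIBLE = {frozenset({"DDoS attack", "employee laptop"})}

# Constructed scores per dimension on the three criteria, 1 (low) to 5 (high):
# (gain for the perpetrator, hard to detect, hard to address).
CRITERIA_SCORES: Dict[str, Tuple[int, int, int]] = {
    "ransomware attack": (4, 2, 3), "wiping attack": (5, 3, 5),
    "DDoS attack": (2, 1, 2), "data theft": (3, 4, 3),
    "cloud services of the ICT supplier": (5, 3, 4), "PLC/SCADA systems": (4, 3, 4),
    "employee laptop": (2, 2, 1), "servers at the organization itself": (3, 2, 3),
    "NSA": (3, 3, 3), "intelligence services": (4, 5, 5),
    "employee": (2, 4, 2), "unknown cybercriminal collective": (3, 3, 3),
    "customers in the supply chain": (5, 2, 4), "members of the C-suite": (2, 3, 2),
    "payment systems of the organization": (4, 2, 3),
}


def matrices(assumptions: Dict[str, List[str]] = KEY_ASSUMPTIONS) -> List[dict]:
    """Every 2 x 2 matrix: a pair of key assumptions, two dimensions on each axis."""
    out = []
    for key_a, key_b in combinations(assumptions, 2):
        for rows in combinations(assumptions[key_a], 2):
            for cols in combinations(assumptions[key_b], 2):
                quadrants = [frozenset({(key_a, r), (key_b, c)}) for r in rows for c in cols]
                out.append({"axes": (key_a, key_b), "rows": rows, "cols": cols,
                            "quadrants": quadrants})
    return out


def is_compatible(cell: Cell, incompatible=INCOMPATIBLE) -> bool:
    """False when the cell contains a known wrong combination."""
    names = {dim for _, dim in cell}
    return not any(bad <= names for bad in incompatible)


def quadrants(assumptions=KEY_ASSUMPTIONS, incompatible=INCOMPATIBLE) -> set:
    """Distinct quadrant cells over all matrices, minus the wrong combinations."""
    cells = {q for m in matrices(assumptions) for q in m["quadrants"]}
    return {c for c in cells if is_compatible(c, incompatible)}


def stories(assumptions=KEY_ASSUMPTIONS, incompatible=INCOMPATIBLE) -> List[Story]:
    """Combine cells from different matrices into full stories (one dimension
    per key assumption); a story survives only if every pair of its dimensions
    is a surviving quadrant."""
    keep = quadrants(assumptions, incompatible)
    keys = list(assumptions)
    result = []
    for combo in product(*(assumptions[k] for k in keys)):
        story: Story = tuple(zip(keys, combo))
        if all(frozenset(pair) in keep for pair in combinations(story, 2)):
            result.append(story)
    return result


def score(story: Story, scores=CRITERIA_SCORES) -> int:
    """Sum of the three criteria over all dimensions of the story."""
    return sum(sum(scores[dim]) for _, dim in story)


def rank(top: int = 3, assumptions=KEY_ASSUMPTIONS, incompatible=INCOMPATIBLE,
         scores=CRITERIA_SCORES) -> List[Story]:
    """The `top` stories that deserve the most attention under the criteria."""
    return sorted(stories(assumptions, incompatible),
                  key=lambda s: score(s, scores), reverse=True)[:top]


if __name__ == "__main__":
    print(f"{len(matrices())} matrices, {len(quadrants())} distinct compatible quadrants, "
          f"{len(stories())} stories")
    for story in rank():
        print(score(story), " / ".join(dim for _, dim in story))
```

With only four key assumptions of three or four dimensions each, the script already produces 162 matrices, which is the "lengthy task" the method warns about; the ranking step exists precisely so that the analyst only writes out the few stories that matter. With the constructed scores, the top story is the wiping of the ICT supplier's cloud services by an intelligence service against supply-chain customers, i.e. the nightmare story above.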
Duties of the CRO and Business Continuity Manager
- Consider what decision makers can do to prevent bad stories, mitigate the impact, and deal with the consequences.
- Generate a list of key indicators that help evaluate whether any of these attack plans are in the start-up phase, for example:
  - monitoring hits on firewalls;
  - reports from regular intrusion detection;
  - monitoring of honeypots;
  - regularly hashing the root software and comparing the result with the original hash;
  - monitoring instabilities in systems.
- Together with the ICT security specialist, implement security measures using the ISO 27000-series standards, the NIST standards and the like.
- Determine follow-up decisions for when a scenario unfolds, as advice to decision makers. Determine the subsidiarity of those decisions (at which level each decision is taken). Do this using action fiches.
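The indicator "regularly hashing the root software and comparing it with the original hash" is a file-integrity baseline check. The script below is an added example written for this post, not code from the original article: it records SHA-256 digests of a directory tree, stores them as a baseline, and on a later run reports what was modified, added or removed. The directory tree it checks is constructed in a temporary folder so the example runs offline; in practice the baseline would be kept somewhere the monitored system cannot alter it.

```python
"""File-integrity baseline check (added example, not from the original post).

Implements the indicator "regularly hash the root software and compare it
to the original hash": build a baseline of SHA-256 digests for a directory
tree, store it, and on each later run report files that changed, appeared
or vanished. The sample tree in demo() is constructed in a temporary
directory so the script runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Classify differences; three empty lists mean the tree matches the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario: take a baseline, tamper with the tree, run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "service").write_bytes(b"\x7fELF original service binary")
        (root / "config.yaml").write_text("listen: 0.0.0.0:8080\n")
        baseline_file = Path(tmp) / "baseline.json"   # would live on read-only media in practice
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering: binary replaced, an unexpected file dropped, config deleted.
        (root / "bin" / "service").write_bytes(b"\x7fELF replaced service binary")
        (root / "bin" / "extra.so").write_bytes(b"unexpected library")
        (root / "config.yaml").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each non-empty list in the result is an indicator in the sense of the method: "modified" on a binary that is not due for an update, or "added" under a system path, is exactly the kind of signal that should be mapped to a story and reported to the decision makers, rather than left as a line in a log.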
An example of content for a fiche for a DDoS attack
Definition – Introduction: Distributed Denial of Service (DDoS attack)
A DDoS attack is a cyber-attack in which a large amount of data traffic is sent to the target website or web server in a coordinated manner. The goal is to overload it and make it unreachable.
To avoid the worst, you need to know and do two things:
(1) how to prepare, and
(2) how to deal with the situation.
How to prepare
| What to do | Motivation |
|---|---|
| Create awareness (risk communication). | People will then not start calling the IT help desk or IT operations en masse, so those teams are not disturbed, or less disturbed, in dealing with the situation. |
| Monitor data traffic continuously. | Measuring is knowing. You can automate detection and then react to unusual traffic. |
| Create a DDoS action plan and empower IT staff. | The IT department will know what to do and can do it immediately (including taking the sites offline). |
| Train like you fight: practice! | Gain experience with the preventive shutdown of websites. |
| Increase bandwidth capacity. | You can handle more traffic before problems arise. |
| Use protection services from specialized providers. | They can filter attack traffic before it arrives, and so ensure website availability. |
| Implement load balancing. | Less risk of overloading a single point. |
| Rate limiting. | Limit the number of connections from a single IP address. |
| Choose your ISP (Internet Service Provider) wisely. | Some have good tools to limit DDoS attacks. |
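Two rows of the preparation table, "monitor data traffic continuously" and "rate limiting", can be shown in working code. The script below is an added example written for this post, not code from the original article or from any product: it replays a constructed request log (six steady clients plus one source that floods for ten seconds; all addresses are made up) through a per-window volume alarm that would trigger the DDoS action plan, and through a per-IP sliding-window limiter. The window sizes, baseline rate and limits are constructed parameters.

```python
"""Traffic monitoring and per-source rate limiting (added example, not code
from the original post).

Two preparation measures from the table above: "monitor data traffic
continuously" (automated detection of unusual volume that should start the
DDoS action plan) and "rate limiting" (a cap on requests from a single IP
address over a sliding window). The request log is constructed sample data:
a steady background of six clients, then one source flooding for ten seconds.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Event = Tuple[int, str]            # (epoch seconds, client IP)

NORMAL_CLIENTS = [f"10.0.0.{i}" for i in range(1, 7)]   # constructed addresses
FLOOD_SOURCE = "203.0.113.9"                             # constructed (documentation range)


def build_sample_events() -> List[Event]:
    """Constructed log: each normal client sends 1 request/s for 30 s; the
    flood source sends 50 requests/s during seconds 20-29."""
    events: List[Event] = []
    for ts in range(30):
        events.extend((ts, ip) for ip in NORMAL_CLIENTS)
        if ts >= 20:
            events.extend((ts, FLOOD_SOURCE) for _ in range(50))
    return sorted(events)


def window_counts(events: List[Event], window: int = 10) -> Dict[int, int]:
    """Requests per fixed window, keyed by the window's start second."""
    counts: Dict[int, int] = defaultdict(int)
    for ts, _ in events:
        counts[ts // window * window] += 1
    return dict(counts)


def traffic_alarms(events: List[Event], window: int = 10,
                   baseline_rps: float = 6.0, factor: float = 5.0) -> List[int]:
    """Windows whose volume exceeds `factor` times the expected baseline;
    these are the moments at which the DDoS action plan should be started."""
    threshold = baseline_rps * factor * window
    return sorted(start for start, n in window_counts(events, window).items() if n > threshold)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source within any `window` seconds."""

    def __init__(self, limit: int = 20, window: int = 10) -> None:
        self.limit, self.window = limit, window
        self._accepted: Dict[str, deque] = defaultdict(deque)

    def allow(self, ip: str, ts: int) -> bool:
        recent = self._accepted[ip]
        while recent and recent[0] <= ts - self.window:   # forget requests outside the window
            recent.popleft()
        if len(recent) < self.limit:
            recent.append(ts)
            return True
        return False


def apply_limiter(events: List[Event], limit: int = 20,
                  window: int = 10) -> Dict[str, Dict[str, int]]:
    """Replay the log through the limiter and count allowed/denied requests per source."""
    limiter = SlidingWindowLimiter(limit, window)
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, ip in sorted(events):
        tally[ip]["allowed" if limiter.allow(ip, ts) else "denied"] += 1
    return dict(tally)


if __name__ == "__main__":
    log = build_sample_events()
    print("requests per 10 s window:", window_counts(log))
    print("alarm windows:", traffic_alarms(log))
    for ip, counts in sorted(apply_limiter(log).items()):
        print(f"{ip:>14}: {counts}")
```

On the constructed log the alarm fires only for the window starting at second 20, and the limiter lets the flooding source through 20 times and denies the remaining 480 requests while the normal clients are never throttled. Two caveats a practitioner would add: the baseline rate must come from measured traffic, not from a constant, and per-IP limiting only helps against a few abusive sources; a distributed flood from thousands of addresses needs the bandwidth, load balancing and upstream filtering rows of the same table.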
How to deal with it
| What to do | Motivation |
|---|---|
| Monitoring raises an alarm. | There is an abnormal level of data traffic on the website. |
| Fight like you train: start executing the DDoS action plan. | The alternative is that the website or service becomes slow or crashes completely. |
| Crisis communication to employees via the MNS (Mass Notification System). | “We know – We do – We care – We will get back to you.” This message must exist in advance. |
| Communicate with the CMT (Crisis Management Team). | They can issue additional orders if they deem it necessary. |
| Check the supply-chain ecosystem. | There may be attacks on other organizations in the supply chain, or on other departments of one’s own organization. |
| Communicate with the CCB (Centre for Cybersecurity Belgium). | A logistics organization is an important social service. Therefore it may need to apply the NIS2 regulations. I chose the CCB here because Belgium is a hub for logistics mobility in Europe. |
Contacts
| Who | Contact details | Who | Contact details |
|---|---|---|---|
| CMT & CISO | Permanent telephone number | COO | Telephone no. |
| Employees | See Mass Notification System | ISP | ISP on-call phone no. |
| CCB notification | info[at]ccb.belgium.be | Suppliers | Supplier list URL |
Possible objectives of such an exercise
One of the main goals is to identify realistic scenarios and thereby generate the set of indicators needed to recognize the emergence of a problem, an ongoing problem, or new problems emerging on the sidelines. The aim is to create EWSs (Early Warning Systems) that can alert the stakeholders of the organization concerned. For this, the third column (the dimensions), drawn up together with the conflicting assumptions, already offers a starting point.
The preparation of action fiches for possible types of attack, for the benefit of the CMT, is also useful to document the proposed course of action during the crisis.
Another purpose, rather on the periphery, is to identify an exercise scenario with which the Business Continuity Manager or the CRO would like to bring additional attention to a particular problem.
Most importantly, however, it counters tunnel vision by being an eye-opener regarding cyber vulnerabilities for the CISO, the CRO, the help desk, IT operations, the Business Continuity Manager and upper management.
