Mitiga Appoints Charlie Thomas as CEO READ THE RELEASE

Mitiga Announces $30M Series B Led by SYN Ventures READ THE NEWS

Customers
Why Mitiga
Request a DemoEmergency Assistance
Home
»
Blog Main

Organizations have widely adopted the Crown Jewels concept in their efforts to build cost-effective cybersecurity strategies and plans in the ever-growing world of risks and challenges. However, the Crown Jewels concept could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack. It is time for the adoption of new concepts and new methodologies.

In this post, we will look into the process of Crown Jewels Analysis, what it lacks, and how it can be fixed to address current and future challenges.

Crown Jewels Analysis

Crown Jewels Analysis (CJA) is a process for identifying the digital assets that are critical to the accomplishment of the missions of an organization and that if compromised, would have a major business impact.

The Crown Jewels Analysis is often viewed as the first step in the process of building a comprehensive cybersecurity plan for an organization. It is usually followed by an analysis of the threats that adversaries may pose to the assets identified as crown jewels, and the selection and implementation of the most appropriate methods for protecting them.

As it is practically impossible to protect every component of an organization’s IT infrastructure against a possible cyber-attack, the identification of the most important components seems to be the most logical thing to do in order to help the cybersecurity teams focus their (rather limited) efforts and resources in an effective and efficient manner.

But is it so?

Critical Asset Vs. Critical Pathway

Let us look at a specific digital asset that can be found in almost every organization: a system administrator’s computer. System administrators (aka sys-admins) keep computer networks in order. To do that efficiently, they need to have very good visibility of the organization’s IT infrastructure.

From an attacker’s point of view, a sys-admin’s computer could provide invaluable information, including high privileged access credentials, network maps, business correspondence, cybersecurity architectures, software and hardware inventories, business correspondence and more.

It would be reasonable to assume that, at least for some cases, cyber attackers will tend to “gravitate” towards sys-admin computers as they attempt to gain access to an organization’s crown jewels. A Sys-admin computer can, therefore, be considered as a central asset in the attacker’s critical pathway towards the organization’s crown jewels.

A Crown Jewels Analysis, however, will rarely identify a sys-admin’s computer as part of the crown jewels set of an organization, and rightly so: defining these types of assets as “critical to the accomplishment of the missions of the organization” requires a very broad, rather impractical, interpretation of the crown jewels concept.

The debate on whether or not a certain digital asset is a crown jewel is not purely theoretical. As described above, this definition determines the level of attention that cybersecurity teams will pay to protecting these assets, and not others, against cyber-attacks.

A cybersecurity team implementing only Crown Jewels Analysis could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack, by failing to prioritize assets in the critical pathways: the digital assets that, although not crown jewels, are attractive for attackers as they have a critical role in their operational plan to compromise the crown jewel. Sys-admin computers are just an illustrative example of these unique types of assets.

From Crown Jewels to Centers of Gravity

CJA is a fundamental phase in building an organization’s cybersecurity posture — but it is not sufficient. Organizations should also be able to identify critical pathways and digital assets with high probability of being compromised by cyber attackers on their path to the “crown jewels”.

Identifying these “gravitational” nodes requires not only an in-depth understanding of an organization’s digital landscape (including its “crown jewels”), but also a deep understanding of the threat landscape and the attacker’s mindset, modus operandi and TTPs.

By combining the defender’s perspective and the attacker’s analysis of the organization, these “gravitational” nodes (“Centers of Gravity” or CoGs) are revealed. Identifying the CoGs reduces blind spots and improves the CISO’s ability to develop a thorough security strategy that fits the current and future challenges.

Let me know what you think of the CoG concept.

Whitepaper: The 9 Fundamental Ways Incident Response Is Different in the Cloud

LAST UPDATED:

November 14, 2024

Don't miss these stories:

Can vulnerabilities in on-prem resources reach my cloud environment?

What risk does this Zoho password manager vulnerability present, and could this on-prem vulnerability impact cloud environments as well?

Log4Shell - identify vulnerable external-facing workloads in AWS

Cloud-based systems should be thoroughly searched for the new Log4j vulnerability (CVE-2021-44228). But this is a daunting task, since you need to search each and every compute instance, from the biggest EC2 instance to the smallest Lambda function. This is where Mitiga can help.

How Transit Gateway VPC Flow Logs Help Incident & Response Readiness

In this blog, we will focus on the security and forensic aspects of Transit Gateway VPC flow logs and expand the way they can be used by organizations to respond to cloud incidents.

Uber Cybersecurity Incident: Which Logs Do IR Teams Need to Focus On?

On September the 16th, Uber announced they experienced a major breach in their organization in which malicious actor was able to log in and take over multiple services and internal tools used at Uber. What are some of the logs that IR teams should be focusing on in their investigation?

Viral Outbreaks: Thinking of Microsoft’s New Wormable Vulnerability in a Coronavirus Context

But today, in the midst of a pandemic outbreak of Coronavirus (COVID-19) and while governments and global organizations work to contain and eradicate the virus, we’re hearing of a new wormable vulnerability in Microsoft’s SMBv3 protocol.How can we learn from these unfortunate events to provide us with a different context and an opportunity to rethink our level of readiness for unexpected, viral cyber events?

Unlocking Cloud Security with Managed Detection and Response

See how Mitiga’s Cloud Managed Detection and Response tackles complex cyber threats with proactive threat management and advanced automation at scale.