Rethinking Crown Jewels Analysis: Mitigating Cybersecurity Bias

Organizations have widely adopted the Crown Jewels concept in their efforts to build cost-effective cybersecurity strategies and plans in the ever-growing world of risks and challenges. However, the Crown Jewels concept could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack. It is time for the adoption of new concepts and new methodologies.

In this post, we will look into the process of Crown Jewels Analysis, what it lacks, and how it can be fixed to address current and future challenges.

Crown Jewels Analysis

Crown Jewels Analysis (CJA) is a process for identifying the digital assets that are critical to the accomplishment of the missions of an organization and that if compromised, would have a major business impact.

The Crown Jewels Analysis is often viewed as the first step in the process of building a comprehensive cybersecurity plan for an organization. It is usually followed by an analysis of the threats that adversaries may pose to the assets identified as crown jewels, and the selection and implementation of the most appropriate methods for protecting them.

As it is practically impossible to protect every component of an organization’s IT infrastructure against a possible cyber-attack, the identification of the most important components seems to be the most logical thing to do in order to help the cybersecurity teams focus their (rather limited) efforts and resources in an effective and efficient manner.

But is it so?

Critical Asset Vs. Critical Pathway

Let us look at a specific digital asset that can be found in almost every organization: a system administrator’s computer. System administrators (aka sys-admins) keep computer networks in order. To do that efficiently, they need to have very good visibility of the organization’s IT infrastructure.

From an attacker’s point of view, a sys-admin’s computer could provide invaluable information, including high privileged access credentials, network maps, business correspondence, cybersecurity architectures, software and hardware inventories, business correspondence and more.

It would be reasonable to assume that, at least for some cases, cyber attackers will tend to “gravitate” towards sys-admin computers as they attempt to gain access to an organization’s crown jewels. A Sys-admin computer can, therefore, be considered as a central asset in the attacker’s critical pathway towards the organization’s crown jewels.

A Crown Jewels Analysis, however, will rarely identify a sys-admin’s computer as part of the crown jewels set of an organization, and rightly so: defining these types of assets as “critical to the accomplishment of the missions of the organization” requires a very broad, rather impractical, interpretation of the crown jewels concept.

The debate on whether or not a certain digital asset is a crown jewel is not purely theoretical. As described above, this definition determines the level of attention that cybersecurity teams will pay to protecting these assets, and not others, against cyber-attacks.

A cybersecurity team implementing only Crown Jewels Analysis could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack, by failing to prioritize assets in the critical pathways: the digital assets that, although not crown jewels, are attractive for attackers as they have a critical role in their operational plan to compromise the crown jewel. Sys-admin computers are just an illustrative example of these unique types of assets.

From Crown Jewels to Centers of Gravity

CJA is a fundamental phase in building an organization’s cybersecurity posture — but it is not sufficient. Organizations should also be able to identify critical pathways and digital assets with high probability of being compromised by cyber attackers on their path to the “crown jewels”.

Identifying these “gravitational” nodes requires not only an in-depth understanding of an organization’s digital landscape (including its “crown jewels”), but also a deep understanding of the threat landscape and the attacker’s mindset, modus operandi and TTPs.

By combining the defender’s perspective and the attacker’s analysis of the organization, these “gravitational” nodes (“Centers of Gravity” or CoGs) are revealed. Identifying the CoGs reduces blind spots and improves the CISO’s ability to develop a thorough security strategy that fits the current and future challenges.

Let me know what you think of the CoG concept.

Whitepaper: The 9 Fundamental Ways Incident Response Is Different in the Cloud

LAST UPDATED:

November 14, 2024

Don't miss these stories:

Rippling Turning Into a Tsunami

In today’s digital workspace, SaaS applications like Slack, Google Drive, and Microsoft Teams have become the backbone of business communication and collaboration.

Make Cloud Attacks Yesterday’s Problem with Mitiga at RSA Conference 2025

Visit Mitiga at booth number N-4618 at RSA Conference 2025 to learn about cloud detection and response.

Uncovering Hidden Threats: Hunting Non-Human Identities in GitHub

In the last few days, two compromised GitHub Actions are actively leaking credentials, and a large-scale OAuth phishing campaign is exploiting developer trust.

Can vulnerabilities in on-prem resources reach my cloud environment?

What risk does this Zoho password manager vulnerability present, and could this on-prem vulnerability impact cloud environments as well?

Log4Shell - identify vulnerable external-facing workloads in AWS

Cloud-based systems should be thoroughly searched for the new Log4j vulnerability (CVE-2021-44228). But this is a daunting task, since you need to search each and every compute instance, from the biggest EC2 instance to the smallest Lambda function. This is where Mitiga can help.

How Transit Gateway VPC Flow Logs Help Incident & Response Readiness

In this blog, we will focus on the security and forensic aspects of Transit Gateway VPC flow logs and expand the way they can be used by organizations to respond to cloud incidents.