CISO DRG Vol 2: Chapter 17 – The Aftermath: Forensics and the Value of Post-Mortem Reviews

Introduction

Although we are covering them in one chapter, forensics activities and post-mortem activities for cyber incidents are entirely different. We’re going to repeat a passage from the introduction to Chapter 14: while it’s helpful to break the entire incident response discipline into a series of discrete phases so that each can be described individually to assist with training and the command and control of response activities, it is rarely clear-cut when one process ends, and the next begins. There is often significant overlap, and as new information emerges, it is usually necessary to revisit a phase previously thought completed. For instance, while in recovery, monitoring activity may detect the presence of indicators of compromise identified for the current cyber incident and that may send you all the way back to the containment phase.

Bill draws the distinction between forensics for law enforcement versus what an organization might do for internal investigative value. Depending on your industry and the specific details of a breach, preserving evidence may be essential. Regardless of your organization’s desire to use the courts, regulatory and contractual obligations may force you to preserve evidence and establish the chain of custody. Bill goes on to discuss how to incorporate post-mortem reviews into your process for continual improvement.

Matt helps the reader prepare for forensic activities, including working with your legal team, law enforcement, suppliers and anyone else who will need to know in advance what actions they can and cannot take and what assets, physical and digital, need to be sequestered. He then reviews the lifecycle of forensic analysis so that the organization can be prepared to conduct such an analysis by pulling together the right combination of internal and external resources.

Gary begins his discussion with a review of forensics methods that apply to all layers of the stack, including the network, system, software, mobile, and IoT. He then guides the reader through the decision-making process and the requirements for both building a forensics capability in-house, including a build-out of the lab, and staffing a forensics team. The caution to the reader is that this can be expensive, and the needs change continually, so be prepared for an ongoing investment.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What is digital forensics and what value does it bring to the business?

♦  What resources are required to develop a digital forensics lab and should the CISO build one?

♦  What roles and resources are needed to field a digital forensics team?

Planning for Forensic Investigations – Stamper

Unless your organization and your security team are quite large, it’s unlikely that you will have dedicated expertise and resources available to facilitate forensic investigations of security-related matters, notably breaches. Nevertheless, there will be scenarios where having access to forensic capabilities will be necessary. Similar to the incident and breach responses, planning for forensic analysis in advance should be an essential priority associated with the CISO’s security program, even for smaller organizations. Let’s take a look at some of the core planning required to prepare you for when a forensic analysis is needed.

Why do we need forensic capabilities as part of our overall security program? There are two principal reasons. First, forensics supports legal claims and actions. Essentially, we use forensic analysis to determine if a crime has been committed and, ideally, determine attribution and present evidence that is legally admissible to support our claim in a court of law. This analysis can be required when there are disputes related to intellectual property, rogue employees, or corporate espionage. Another reason we might need forensic analysis is simply the matter of determining what took place and how – documenting “packet truth.” Forensics provides a great set of capabilities to evaluate the “history” of our environment (what took place at each stage or phase of the kill chain) and how actors who were not authorized made changes to that environment.

While there is overlap between these two capabilities, there are certain conditions precedent that need to be defined. If a forensic analysis is going to be used to support legal proceedings, effectively legally-defensible analyses, the activities must be legally authorized. Few things are worse than having evidence of a crime that would corroborate your case only to have the evidence determined to be not legally admissible because the forensic analysis was not appropriately authorized, or the chain of custody did not offer the right assurance. To ensure proper chain of custody practices, you need to plan how you will handle forensic evidence (more on this below).

Preparing for a Forensic Analysis

When preparing for forensic analysis, make sure that you speak with your legal counsel and outline some of the scenarios where forensic analysis would be valuable. As discussed in Chapter 15, we should anticipate certain types of incidents. Revisit the list of potential incidents that you have planned for and determine what kind of forensic analysis to use in these scenarios. Recognize that just like threats and risks, evidence can come from many potential sources.

Evidence can be left behind by perpetrators outside of your organization (such as APTs, criminal elements, corporate espionage, state-sponsored actors, in-laws, among other unsavory actors). It can originate from inside the organization (for example, disgruntled and rogue employees). And it can come from your supplier and vendor ecosystem (this could include third-party service providers, “vetted” independent contractors, and the manufacturers and suppliers of systems, software, and hardware used in your environment). Anticipate needing to collect evidence outside of your “four walls,” and plan how you will get it. Further, with the advent of connecting more operational technology (IoT, ICS, and SCADA) to our networks, it’s important not to overlook these systems as potential sources of evidence.

Once you’ve evaluated these potential sources, coordinate a discussion with legal counsel to understand the repercussions of gathering evidence from these sources. Work out a process that is consistent with your organization’s priorities (e.g., attribution and prosecution when cases arise or – potentially in conflict with those two items – the restoration of services). For scenarios that involve the collection of evidence used to determine if there was a rogue insider involved, engage both human resources and legal counsel in this process.

While in the United States there are limited expectations of privacy in the workplace, we cannot say the same for organizations that operate outside of the U.S. As a case in point, privacy in the workplace in a European context is expected by employees and legally enforced. Knowing what can and cannot be collected in support of an investigation in advance is critical. Where legal privacy protections preclude the collection of the evidence systematically, you’ll need to look at alternative approaches such as user analytics that anonymize activity that can be unmasked subsequently with appropriate legal justification (e.g., a search warrant).

Equally important, the collection of evidence needs to be legally authorized. This authorization requires that practices are consistent with applicable laws and regulations. In the United States, Federal Rules of Evidence govern this process. Changes as recent as December 2017 to section 902, subsection 14 (902(14)) reflect the evolving nature of digital forensics and are focused on streamlining the admissibility of electronic evidence by standardizing certain practices and expectations.

Specifically, the rule provides for using a hash value to establish the integrity of forensic evidence (essentially a presumption of authenticity). Documented and strong chain-of-custody practices should be front and center in your forensics program. Bottom line, CISOs should proactively work with their legal counsel to pre-validate evidence collection procedures in a manner consistent with the organization’s objectives, priorities, and legal requirements.
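As an added illustration that is not from the book, the following shows what the two practices just mentioned look like in a script: a streamed SHA-256 of each evidence item captured at acquisition, and an append-only custody log whose entries are hash-chained so that a later edit to either the evidence or the log is detectable. The log format, the `EvidenceLog` and `verify_evidence` names, and the sample image file are all assumptions made for this example.

```python
"""Evidence hashing and a tamper-evident chain-of-custody log (illustrative only)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # assumed sentinel for the "previous entry" of the first record


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


class EvidenceLog:
    """Append-only custody record. Each entry carries the SHA-256 of the evidence
    item plus the hash of the preceding entry, so deleting or editing any entry
    breaks the chain. The format is an assumption, not a standard."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _hash_entry(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, item_id: str, path: str, action: str,
               custodian: str, note: str = "") -> Dict:
        """Append one custody event (acquired, transferred, examined, ...)."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "item_id": item_id,
            "action": action,
            "custodian": custodian,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(path),
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        """Recompute every entry hash and check each link to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_entry_hash"] != prev or self._hash_entry(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def acquisition_hash(self, item_id: str) -> Optional[str]:
        """Hash recorded when the item first entered custody."""
        for e in self.entries:
            if e["item_id"] == item_id:
                return e["sha256"]
        return None


def verify_evidence(log: EvidenceLog, item_id: str, path: str) -> bool:
    """True only if the item still hashes to the value captured at acquisition."""
    expected = log.acquisition_hash(item_id)
    return expected is not None and expected == sha256_file(path)


def demo():
    """Constructed scenario. Returns (verified, verified_after_tamper,
    chain_ok, chain_ok_after_log_edit)."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "ws-042.dd")  # constructed sample evidence file
        with open(img, "wb") as f:
            f.write(b"constructed disk image bytes\x00" * 1024)
        log = EvidenceLog()
        log.record("E-001", img, "acquired", "analyst-a", "imaged behind write blocker")
        log.record("E-001", img, "transferred", "analyst-b", "handed to examiner")
        verified = verify_evidence(log, "E-001", img)
        chain_ok = log.chain_intact()
        with open(img, "r+b") as f:  # simulate a single-byte change after collection
            f.seek(10)
            f.write(b"X")
        verified_after_tamper = verify_evidence(log, "E-001", img)
        log.entries[1]["custodian"] = "someone-else"  # simulate editing the log
        return verified, verified_after_tamper, chain_ok, log.chain_intact()


if __name__ == "__main__":
    print(demo())
```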

As noted above, it’s important that your forensics program is also used to determine the fact pattern of incidents where the end game is not attribution and legal proceedings but rather improvements to the security practices and architecture of the firm. Under these circumstances, forensic analysis is used to make internal improvements to the security program and reduce the risk of a similar issue taking place in the future.

Beyond collaborating proactively with legal counsel and HR, a good investment in your forensic preparation would be to meet with your local FBI office or your local sheriff’s or police department’s cybercrimes units to validate their requirements when they are working a case. Learn what they would need from your organization. Many law enforcement cybercrime teams are real experts in forensic analysis and have learned to investigate many technically-distinct scenarios – frequently with open source tools, given their budget challenges.

While they are certainly not attorneys, you may also gain some insights from them around what you can and cannot obtain without authorization. In meeting with your local or regional law enforcement cyber teams, you may also learn more about the tricks of the trade and develop some valuable relationships with the agents and teams that may be called upon when you have a case. It’s better to establish these relationships sooner rather than later, so be proactive.

CISO DRG Vol 2: Chapter 15 – Incident Response and Communication

Introduction

Incident response is the most visible function for a typical CISO. For good or for ill, it is the primary way CISOs are judged. Beyond the immediate impact of demonstrating the organization’s resilience to customers, management and employees, how an organization deals with incident response says a lot about its culture. Does the organization recognize the challenges and opportunities of doing business in the twenty-first century? Does management invest in and support the security hygiene and preparation it takes to protect long-term value delivery while competing in a digital world?

Bill starts by focusing the reader on the training and preparation that must be done, specifically triage training for the security team and situational training for the whole organization. Quickly recognizing and responding to incidents can be the difference between a minor disruption and a major breach. Communicating effectively during an incident is also critical to maintaining the confidence of the organization’s many stakeholders, and preparation is key to success here as well.

Matt reminds us of the ongoing yet still emerging convergence of information technology (IT) and operational technology (OT). The ability of errors in code or network misconfigurations to contribute to the physical harm done to a person or group adds a new dynamic to data protection. In addition to increased technical complexity, this now forces a level of due care that is new to many industries. Just as interactions between the physical and digital world are exploding in scope, so too are people becoming more aware of the peril of being an open book to merchants and criminals and demanding greater say over and greater protection for the use of their online identities.

Gary shows how organizations can demonstrate value in their incident response program by first understanding that the business must be the focus. Once the organization realizes that incident response is about staying in business, not playing spy-catcher and whack-a-hacker, investing in incident response becomes investing in the organization, its customers, and its people. He then walks us through building the incident response program and measuring its success.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What is the business value of an Incident Response Program (IRP)?

♦  What are the processes to create an IRP?

♦  What are some methods to measure the effectiveness of an organization’s IRP and why is it important to the CISO?

Incident Response – a CISO’s Best Friend – Hayslip

I want to set the stage for us. In the early morning hours, as the CISO for a global software company, you are awakened from a deep sleep by the chirping of an emergency number on your smartphone. As you proceed to talk in hushed whispers, you are informed by your managed security services provider (MSSP) that their SOC analysts are reporting an anomalous incident in your organization’s primary datacenter.

The MSSP used the incident response communications tree and contacted the company network team and security liaison staff, who are now reporting they see suspicious network traffic and upon investigation have found evidence of a malware outbreak in several production servers. As you wake up and shift into troubleshooting mode, you receive more troubling information. This issue doesn’t affect just a couple of servers but has manifested itself as ransomware on critical production databases. With this information, as the CISO, it’s time to transition into your role as the Incident Response Team Manager and begin the activation of the company’s Security Incident Response Plan.

Cybersecurity leaders today know their roles have matured and they must align their departments and security programs to the business and support its strategic goals to be successful. However, one area many organizations and CISOs still need assistance with is incident response. In 2016, SANS surveyed 591 security professionals about the state of incident response in their organizations (Bromiley 2016). There was some good news – 76% of those security professionals had dedicated internal IR teams, an increase from the SANS 2015 survey.

However, there is still much work to be done. Approximately 21% said that their time to detect malware in their networks, or “dwell time,” was two to seven days, while 40% indicated that they could detect an incident in less than one day. Some other bleak statistics: malware remains the underlying cause of most reported breaches, at 69%, with unauthorized access seen as a rising menace due to attackers taking advantage of weak, outdated remote access and authentication mechanisms. This report noted that 65% of the security professionals surveyed were still dealing with a shortage of skilled personnel, and only 58% of organizations admit to regularly reviewing and updating their IR processes.

The report demonstrates that incident response, as a program, is in a state of change in organizations today and when there is a security incident, many lack the ability to lead a coordinated response to the event. I am sure there are reasons why organizations do not have formal incident response policies or documented incident response methodologies. Some companies focus on purchasing technology in the belief that when an event occurs, the purchased hardware and software will save the day. Unfortunately, they are missing a critical point – incident response isn’t about technology, it is really about business.

It’s About the Business

At its core, incident response is about an organization’s strategy and business processes. It is tactical and will incorporate stakeholders from many departments within the company as well as external partners. Incident response is an action plan for dealing with incidents like internal and external intrusions, cybercrime, disclosure of sensitive information, or denial-of-service attacks. In typical organizations, the CISO is tasked with developing the Incident Response Plan and managing the Incident Response Team. This is why the questions we will discuss focus on the business value of your incident response, the processes to follow for an effective program, and how the CISO can measure the effectiveness of their IR program.

Cybercriminals are successfully targeting and compromising businesses of every size across all industry sectors. This ongoing digital onslaught demonstrates the need for organizations to be prepared to respond to the inevitable data breach. They should guide their response with a methodical plan designed to manage a cybersecurity incident with the goals of limiting impact to business operations, increasing the confidence of external stakeholders, and reducing recovery time and incident remediation costs. These goals mean that organizations need to require their CISOs to create an incident response program tailored to the company’s strategic operations.

However, many organizations lose sight of their incident response program’s strategic value. Instead, incident response documentation describing how to act in the event of a breach is forgotten and soon out of date. The documentation quickly becomes ineffective for key decision makers; too generic, and unhelpful for making critical, informed decisions. I therefore chose the first question for our discussion to be about the business value of an incident response program. As CISO, there will be times when you will need to defend the resources needed for the incident response program, and you will need to be able to describe several business cases that demonstrate the value it brings to the company and its operations.

This leads us to our first question: “What is the business value of an Incident Response Program (IRP)?”

Cybersecurity incidents are on the rise and now frequently headline news around the world. Many of the recent attacks have brought severe damage to organizations of all types, including governments and international nonprofits. An organization with a mature incident response program would have a methodical course of action for responding to these attacks in a fast, effective, and comprehensive manner. However, many organizations do not see incident response as a mature process. Instead, they see it as a collection of disjointed practices and procedures, thus they prefer to contract it out to third parties.

How Incident Response Adds Value

To address this, I will discuss some of the issues companies see when looking at incident response and describe several cases that highlight how incident response can provide value to an organization. As we begin, some of the contention around investing in an internal incident response program is as follows:

♦  There are too many common definitions of what constitutes a cybersecurity incident. This wide variety of interpretations results in organizations adopting different views on how to manage them. Many organizations consider it difficult to address this effectively and understand the level of incident response capability they require.

◊  Response – That is true for many companies when they first start the process of addressing incident response and allocating resources for their CISO to build an IRP. However, there are amazing references from both NIST SP 800-61r2 (NIST 2012) and ISO/IEC 27035 (ISO 2016) to begin this process, so it is not unattainable.

♦  There are different sources and types of cybersecurity incidents. Some appear to originate from minor criminal groups and produce annoying disruptions, others from major organized crime syndicates that result in business-ending events. Plus, there are so many types of cyber incidents, such as hacking, malware, or social engineering. All of this generates confusion, and organizations just want something that is manageable. Given all this, why not outsource it to a partner who specializes in incident response?

◊  Response – There are always some incident response services that can be outsourced to a third party. With that said, the business still has accountability for how it manages its assets during a breach and must be able to answer the questions of “reasonable care.” For example, did the organization implement reasonable security controls and follow industry best practices to reduce risk exposure as much as possible? If a company doesn’t have an incident response program, they are likely not meeting a “reasonable care” standard.

Even if a contracted third party does the primary work for the incident response program, the business still needs to have an incident response plan. The plan will cover communication with its partners, what resources to activate for an incident, who has overall responsibility to manage the incident, and how and when to report its findings to executive leadership. In a sea of misinformation on how to deal with an incident, an incident response program provides the business clarity to reduce the incident’s impact and return business operations to normal.

♦  Many organizations do not understand their state of readiness; they lack insight into how they would respond to a cybersecurity incident. In fact, many organizations are typically not well prepared in terms of having any personnel assigned to an incident response team or providing training to grow sufficient technical skills for team members. Even if they have an incident response program, they lack clear policies that provide guidelines on how to identify a cybersecurity incident, investigate the incident, take appropriate remediation action based on the incident, and recover critical business systems.

Many organizations also don’t fully understand the location or use of their critical business data. They lack a complete picture of how their enterprise network topology is architected, and they don’t know all of their egress/ingress points to the Internet. Finally, many of them lack information on the incidents themselves. Having no incident response program or an immature one at best, they respond to an incident after it impacts the organization and rarely collect internal threat intelligence on when, where, and how the incident occurred.

◊  Response – An incident response plan, policies, and program provide a framework that enables quick decisions and provides a communication process to access critical third parties when needed. The IRP would have procedures to help team members know what they need to do, how to do it, and when to do it during a time-critical cybersecurity incident. The IRP process, led by the CISO, will also provide organizations with an understanding of the lifecycle of their data and how their networks are architected, and help in determining what event logs are considered appropriate for collection and storage.

During the remediation process, the collection of event logs will enable team members to understand when, where, and how the incident occurred. Finally, the IRP helps the organization define their business priorities; it provides understanding about its interdependencies between processes, support systems, and partners, such as cloud providers or MSPs.

♦  Many organizations opt to purchase the services of properly qualified third-party providers. Yes, this option can significantly help organizations. It can provide qualified personnel with the experience to handle cyber incidents more effectively and appropriately. However, the company must interface and work with these competent individuals because they need context into the organization’s networks, its data, applications, and business practices to be effective. Even with the full IRP process contracted out, organizations will still have to participate in a cybersecurity-related incident. There is no sitting on the sidelines.

◊  Response – Outsourcing to a managed security services provider (MSSP) to access more experienced, dedicated technical staff to respond to sophisticated cybersecurity incidents is prudent. If the organization lacks the resources to employ an internal IRP fully, then I would suggest a hybrid approach to augment those internal staff who will execute and manage the organization’s response to an incident. A hybrid approach is one in which the company has an incident response program, created and managed by the CISO, with members from across the organization and trusted external partners. The program specifies in detail the business’ response to particular types of incidents and documents when MSSP staff are required to assist in conducting technical investigations or performing post-incident analysis.

Typical business continuity/disaster recovery plans inadequately cover the impact cybersecurity incidents can have on organizations. These incidents can affect the ability to operate strategic business units and can lead to loss of reputation in a competitive industry and financial losses due to fleeing customers or third-party lawsuits. These are just some of the effects that a business can experience due to a cybersecurity incident if they have no IRP and are not prepared to defend themselves.

However, if an organization funds an incident response program they now have a platform to focus on upcoming security issues, facilitate the centralized reporting of incidents, and coordinate a response to those incidents. In fact, an IRP managed by the CISO can provide a platform to educate staff on security awareness, promote good cyber hygiene, and provide contacts to legal and criminal investigative units both internal and external to the business. I believe that all of these positive outcomes make the case that a mature IRP process provides value to any organization. Incident response is not about technology; it is about business and how the company responds using people, processes, technology, and data to defend that business.

Building Your Incident Response Program

As organizations begin to build their incident response capability, they will want to identify the best strategy for putting an incident response program in place. They will not only want to know what has worked well for others within their industry, but also want some guidance on the process itself and requirements they should follow to establish an effective incident response capability. With that, let us move on to our next discussion: “What are the processes to create an IRP?”

The primary objective of incident response should be to guide the incident response team members in a methodical process to respond to and remediate an incident. Focus this process on managing the cyber event in a methodical manner to reduce its impact on the company, reduce the recovery time for full operations, and minimize the costs to triage the incident. There are numerous questions that the CISO and the company will need to answer as they start the process of establishing an Incident Response Program (IRP).

CISO DRG Vol 2: Chapter 18 – Building Your Strategic Plan

Introduction

While drafting and editing the material for this book, we thought we could offer additional value by providing an essay on each topic by all three authors, independently edited, to preserve their unique perspective and voice.

It is a technique that was intended to provide multiple viewpoints that would both explore the topics more thoroughly and provide options for readers to use these different viewpoints to help them solve different problems depending on their needs at the time.

We appreciate your tolerance with our construct, and hope we’ve achieved what we intended. In this final chapter, we’ve decided to stitch together our combined perspective and present an integrated essay on building your strategic plan.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What components should the CISO use in developing their cybersecurity strategic plan?

♦  How should the CISO align their strategic plan to the organization’s business objectives?

♦  What steps can the CISO use to leverage the cybersecurity strategic plan for future growth?

Strategic Plan – Bonney, Hayslip & Stamper

How Did I Get into This?

There are many ways you may have come into this responsibility. In larger companies, you may have been the subject of a recruiting process or an internal vetting process. You may be replacing someone or inheriting an issue with board visibility. In this case, you’re probably going to have something in place. In the best case you can carry forward most of the existing plan, but you may be faced with a complete overhaul.

If you’re coming into the position at a smaller company, you could still be subject to an internal vetting process, perhaps as the former “network” or “compliance” person. In this case, you’re likely to have at most a bare skeleton of a plan. It might not be much more than a budget or an organization chart, possibly just a list of services the other IT managers are looking forward to getting off their plates.

We are drawing attention to the latter condition because as we mentioned in the preface to Volume 1, cybercrime will continue to move “down the food chain” as more relative economic value is managed via interconnected computer networks. As a result, many smaller to medium-sized organizations have requirements to have specific security practices and capabilities in place given regulatory obligations or increased diligence necessitated by the organization’s customers and other stakeholders. CISOs hired or promoted by these companies will be scrambling to build security programs from scratch.

We’ll cover the building blocks of a sound strategic plan, aligning the plan to the organization’s business objectives, and using the strategic plan as a roadmap for the future of your cybersecurity function. While we walk through developing the plan, we’ll continue to offer both a complete treatment grounded in best practice and reveal our thought process to maintain the instructional approach to ensure this is helpful to CISOs just stepping into the role.

Structure of Your Strategic Plan

The cybersecurity strategic plan needs to be concise and easy to understand and reflect realistic expectations for funding that are in line with what the organization can afford. The plan document is not the place to surface a 300% increase in funding. That is a discussion that should already have taken place between you and the management team and, as appropriate, the board. The document should be organized in a methodical manner that makes it easy for the stakeholders to read and its objectives should be aligned with current business functions and processes. We recommend the following structure:

1.  Mission Statement – This is the declaration of the organization’s core purpose that normally doesn’t change over time.

Example: Develop and execute a proactive, company-wide security program based on Organization’s strategic business objectives.

2.  Vision Statement – An aspirational description of what the organization would like to achieve or accomplish in the mid-term or long-term future.

Example: Incorporate a continuous security mindset into all aspects of our business functions.

3.  Introduction – This is a statement describing the business and the environment in which the security program currently operates. The executive leadership team typically will use this section to communicate broad information about the cybersecurity program and its critical role in the strategic plan for the business and key stakeholders.

4.  Governance – This portion of the document will explain how the strategic plan will be implemented, who will audit the process, and what committees or personnel will be part of the overall process of assessing its effectiveness and recommending changes to it over time. This is a long-term plan, and there should be a documented process of how this plan will be managed and audited and who will be responsible for it over time.

5.  Strategic Objectives – The strategic objectives define how the cybersecurity organization should invest its time and resources to manage the security risks discovered in the assessment and SWOT data previously described. In laying out the objectives, the CISO is assuming there will be sufficient resources for people, processes, and technology. The objectives typically are arrayed over a one- to three-year timeline. Understand that timelines can be shortened with additional resources. Each objective will have several initiatives, derived from the analyzed security gap data, which need to be completed to achieve the objective.

Objective Examples:

♦  Improved Security of System and Network Services

♦  Proactive Risk Management

♦  Business Process Enablement

♦  Security Incident Management

Your objectives will typically mirror the gaps found in your assessment and the improvements or investments you want to make in currently effective processes that you want to continue to mature.

6.  Key Initiatives – An initiative states which objectives it satisfies when completed, describes the security/risk issues it will alleviate, and states the benefits it brings to the business when completed.

The following is an example of an initiative:

Initiative 1 – Security Policy, Standards, and Guidelines Framework

Enables Objectives – Improved security of system and network services, proactive risk management, and crisis and security incident management.

Description – Develop, approve, and launch a suite of information security policies, standards, and guidelines based on the ISO/IEC 27001 code of best practices for information security. These policies will formally establish the organization’s Cybersecurity Program and set forth employee responsibility for information protection. The policy, standards, and guideline framework will also take into consideration the multitude of Federal, State, and Industry regulations that govern the use of personal, financial, customer, and vendor data managed by the business.

Key Benefits

♦  Clear security baselines for all departments

♦  Policy-based foundation to measure results

♦  Consistent application of security controls across the enterprise

Developing Your Plan

We’ve mentioned throughout these two volumes that how you approach any task is going to depend on the needs of the organization. Part of your value to the organization is that you bring your experience and your human network to help the organization assess and adjust to reality, and plan for the future. As with other divisions within your organization, your strategic plan should address your current-state cybersecurity practices, near-term objectives to be addressed in the next 12 months, mid-term objectives to be addressed in the next 18–24 months, and long-term objectives to be addressed over the next three years.

We’ve also mentioned that cybersecurity is not something you can do in a vacuum. It is very much a contact sport. Resist the temptation to hide away and work on your plan in isolation. Engage with your business partners and involve all of your stakeholders in the process of identifying the priorities for your strategic plan. The role of the CISO is to help the organization reduce the inherent risks of its business model and mitigate the residual risks that cannot be avoided. You exist to serve the business, not the other way around. Determine what the management teams need and what the board needs from your cybersecurity program and develop a strategic plan to deliver that.

Recognize, however, that these stakeholders may not be familiar with the more “formal” language of enterprise risk management (ERM) or other risk-management practices we’ve expounded on in the CISO Desk Reference Guide. The founder’s family or close-knit executive teams often dominate many smaller to medium-sized organizations. They are confronting globalization, new competitors, enhanced regulatory oversight, and several other factors that strain their capabilities to understand what the risk environment is for the organization. Tailor your discovery to your audience. Your job is to help these stakeholders navigate this environment in a manner that is financially prudent for the organization, while also reflecting the security “debt” that you may have inherited.

In each of the previous chapters, we’ve given you a series of assignments that, taken together, should provide the bulk of your discovery. The next step is to determine how to apply this information and come up with a plan that emphasizes your strengths, shores up your weaknesses, and buys you the time you need to implement the program the organization needs. One tool you might consider using is a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis. In Figure 1 we show a typical set of definitions for a SWOT analysis that you can use to assess capabilities.