Implementation Framework-Cyber Threat Prioritization
September 2013
CARNEGIE MELLON UNIVERSITY | SOFTWARE ENGINEERING INSTITUTE Implementation Framework – Cyber Threat Prioritization 4.1
Copyright 2013 Carnegie Mellon University
This material is based upon work funded and supported by ODNI under Contract
No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the
Software Engineering Institute, a federally funded research and development center
sponsored by the United States Department of Defense.
This material has been approved for public release and unlimited distribution except
as restricted below.
External use:* This material may be reproduced in its entirety, without modification,
and freely distributed in written or electronic form without requesting formal
permission. Permission is required for any other external and/or commercial use.
Requests for permission should be directed to the Software Engineering Institute at
permission@sei.cmu.edu.
DM-0000620
Implementation Framework – Cyber Threat Prioritization
Background
The Software Engineering Institute (SEI) Emerging Technology Center at Carnegie Mellon University studied the state of cyber intelligence across government, industry, and academia to advance the analytical capabilities of organizations by using best practices to implement solutions for shared challenges. The study, known as the Cyber Intelligence Tradecraft Project (CITP), defined cyber intelligence as the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities to offer courses of action that enhance decision making.

A significant challenge that emerged from the CITP was the way in which analysts prioritize cyber threats. The SEI team observed a diverse array of approaches, from analysts relying on the media and third-party intelligence service providers to using data-centric models based on a narrow scope of factors.

When threat prioritization models are too narrow, they prevent analysts from effectively monitoring the changes and evolution of the most relevant and severe cyber threats. This hinders cyber intelligence and security professionals from proactively implementing defenses to guard against the latest attack trends and techniques. Among the CITP’s government participants, most intelligence analysts prioritized cyber threats by the likelihood of an actor executing an attack, which they quantified through the summation of an actor’s sophistication (capability) measured against their desire to target the organization (intent). The SEI team noted that as these analysts transitioned to the private sector, so too did this approach. Conversely, private sector CITP participants without experienced government intelligence analysts tended to discount the utility of knowing the threat actor and prioritized cyber threats by the impact attack methods had on the organization or the risk attack methods posed because of the organization’s known vulnerabilities.

legitimate threats to the organization. Instead of prioritizing a cyber threat solely on the capability and intent of threat actors, the framework enables analysts to see the utility of also understanding the threat’s relevance to their organization, strengthening their threat prioritization as they come to realize that a somewhat capable actor with a desire to deface websites should not be considered in the same category as a highly capable actor intent on extracting confidential, strategic documents for extortion or blackmail.
Here’s how analysts can leverage the Cyber Threat Prioritization Implementation Framework to augment their organization’s cyber intelligence efforts:

1. Adopt these definitions:
Threat = Likelihood + Impact + Risk
Likelihood = Capability + Intent
Impact = Operations + Strategic Interests
Risk = People + Cyber Footprint

2. Become familiar with the provided spider graphs to gauge the factors that comprise each of the three threat components.

Spider graph key:
Title of threat component
Description and example from a CITP participant
Threat Component (likelihood, impact, or risk)
Description
Element of the Threat Component
Description
Sub-element
Description
Factor
Example
Indicators of Success: Examples of how assessing threats according to this element and its sub-elements and factors augments an analyst’s cyber intelligence capabilities.

3. Identify cyber threats using the three core components of a threat.
Examples:
Likelihood: Threat actors - State-sponsored, competitors, criminals, hactivists, recreational hackers
Impact: Attack types - distributed denial-of-service (DDoS), stealing intellectual property (IP), damaging/incapacitating network assets
Risk: Known vulnerabilities - High-profile employees, unpatched devices, unsecured remote access

4. Assess the likelihood, impact, and risk of the cyber threats. Use the factors and sub-elements in each threat component’s spider graph to rate the corresponding elements as a low, medium, or high priority attribute of the threat. The average of these ratings then determines the likelihood, impact, and risk of the threat, which combine to indicate whether it should be considered a low, medium, or high priority threat.

Example: An organization wants to know how it should prioritize its analytical and network defense efforts for a possible recreational hacker DDoS attack on the organization’s secure payment site. Analysis indicates the likelihood of the recreational hacker executing the attack is high due to his attack methods and resources. However, the impact of the DDoS attack is assessed as low because the secure payment site has minimal impact on the organization’s operations and strategic interests due to it still being in internal beta testing. This also means the risk associated with the attack is low because of the secure payment site’s limited interaction with people and cyber footprint. Therefore, this threat, which initially appeared to be a high priority, now can be classified as a medium to low threat requiring minimal analytical and network defense attention.

Note: Always factor timing into the threat prioritization assessment. When a threat actor or organization does something can be just as important as why or how. A threat actor may have no desire to target an organization, but since it is a national holiday, the organization becomes a target of opportunity for the actor to test a new tool simply because none of its network security employees are at work.

5. Plot all threats for each component on graphs similar to the following:
Figure: three spider graphs, one per threat component, each axis scaled Low, Medium, High. Likelihood: Capability and Intent (by threat actor). Impact: Operations and Strategic Interests (to organization). Risk: People and Cyber Footprint (by known vulnerabilities).

• Use all three graphs to holistically evaluate the overall cyber threat environment to efficiently align analytical and security resources to the current and future cyber attacks that pose the most legitimate threats to the organization.

Example: If cyber intelligence analysts rate all components of a threat actor executing a worm (likelihood) against an organization’s network servers for industrial espionage purposes (impact) that has no worm mitigation in place (risk) as a high priority threat, then the organization should immediately position itself to focus on this threat over others where the likelihood is equally as high, but impact and risk are lower.

Overall Indicators of Success
• Threat prioritization influences which potential threats get addressed by security operations and how network security resources are allocated.
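As an added example (not part of the SEI document), the following Python applies the definitions from step 1 and the averaging rule from step 4 to the two worked examples above and ranks them. The 1/2/3 mapping of low/medium/high, the band thresholds, and the rating dictionaries are assumptions; the framework only specifies the low/medium/high ratings and the averaging.

```python
# Scores threats with the framework definitions: Threat = Likelihood + Impact + Risk,
# Likelihood = Capability + Intent, Impact = Operations + Strategic Interests,
# Risk = People + Cyber Footprint. Elements are rated low/medium/high, each
# component is the average of its element ratings, and the components combine
# into the priority. ASSUMED (not in the framework): low/medium/high = 1/2/3
# and scores map back to bands at the 1.5 and 2.5 thresholds.
RATING = {"low": 1, "medium": 2, "high": 3}
ELEMENTS = {
    "likelihood": ("capability", "intent"),
    "impact": ("operations", "strategic_interests"),
    "risk": ("people", "cyber_footprint"),
}

def band(score: float) -> str:
    """Map a score in [1, 3] back to a priority band (assumed thresholds)."""
    if score >= 2.5:
        return "high"
    return "medium" if score >= 1.5 else "low"

def component_score(ratings: dict, component: str) -> float:
    """Average the element ratings of one component; reject missing or bad ratings."""
    values = []
    for element in ELEMENTS[component]:
        label = str(ratings.get(element, "")).lower()
        if label not in RATING:
            raise ValueError(f"{component}.{element}: expected low/medium/high, got {label!r}")
        values.append(RATING[label])
    return sum(values) / len(values)

def prioritize(threat: dict) -> dict:
    """Score one threat: per-component (score, band) plus the combined priority."""
    components = {c: component_score(threat.get(c, {}), c) for c in ELEMENTS}
    overall = sum(components.values()) / len(components)
    return {
        "components": {c: (round(s, 2), band(s)) for c, s in components.items()},
        "score": round(overall, 2),
        "priority": band(overall),
    }

def rank(threats: dict) -> list:
    """Order named threats by combined score, highest priority first."""
    scores = {name: prioritize(t)["score"] for name, t in threats.items()}
    return sorted(scores, key=scores.get, reverse=True)

# Constructed ratings following the two worked examples in the framework text
THREATS = {
    # Recreational hacker DDoS on a secure payment site still in internal beta
    "recreational_ddos": {
        "likelihood": {"capability": "high", "intent": "high"},
        "impact": {"operations": "low", "strategic_interests": "low"},
        "risk": {"people": "low", "cyber_footprint": "low"},
    },
    # Worm against network servers for industrial espionage, no mitigation in place
    "espionage_worm": {
        "likelihood": {"capability": "high", "intent": "high"},
        "impact": {"operations": "high", "strategic_interests": "high"},
        "risk": {"people": "high", "cyber_footprint": "high"},
    },
}

if __name__ == "__main__":
    for name in rank(THREATS):
        print(f"{name}: {prioritize(THREATS[name])}")
```

Under these assumptions the recreational hacker DDoS scores 1.67, the low end of the medium band, which is where the text’s “medium to low” lands, while the espionage worm scores 3.0 and ranks first.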
Likelihood
Understanding the capabilities and intentions of cyber threat actors determines the likelihood of them targeting an organization. To determine this
likelihood, a CITP participant from industry monitored open source publications from an organization known to sponsor cyber threat actors who frequently
targeted the organization. Analyzing this accessible data provided insight into the motivations of the sponsored cyber threat actors, allowing the CITP
participant to narrow down the types of data likely to be targeted, and work with network security experts to create diversions, honey pots, and employ
other measures to proactively defend against the threat.
Figure: Likelihood spider graph, with its two elements described below.

Capability: An actor’s sophistication, tools, and resources to execute a cyber attack determine their capability. Assessing capability as an independent variable of likelihood means organizations can avoid the pitfalls of devoting time and attention to “paper tiger” threats.

Intent: The actor’s purpose and the expected outcome of the cyber attack determine the intent. Prioritizing actors by their intent allows analysts to focus on the most relevant threats.

Indicators of Success
• Analysts have a repository of current and historical threat actor tactics, techniques, and procedures (TTPs) to generate profiles that are fed into data collection platforms to separate known threats that automated defensive actions can mitigate from unknown threats requiring an analyst’s attention.
• Analysts gain perspective on the tools threat actors use to assess how they access an organization or if they outsource tool development. A basic netflow analysis could show the majority of attacks come from well known, prepackaged scripts, which analysts can easily combat using remediation efforts posted on open source websites.
• Analysts realize that sophisticated actors use the lowest common denominator for attacks. If a threat actor can use an off-the-shelf tool to accomplish their goal, they’ll wait to deploy customized tools on harder targets.
• Analysts understand that the targeting of Adobe or Windows software vulnerabilities usually equates to a threat of lower sophistication than one targeting Windows operating systems.
• Analysts understand threat actors’ intentions well enough to assign them to different categories, such as nation-state, criminal, hactivist, recreational, or competitor; enabling them to identify the most likely threats their organization faces through profiling.
• Analysts realize that if a threat actor is targeting their organization for fame, the likelihood increases for the actor to choose a DDoS attack to the organization’s website as the attack method.
• From their organization being the first result in a Google search to knowing over what holidays certain actors like to conduct attacks, analysts recognize the importance of timing when it comes to assessing the overall likelihood of a threat.
Impact
Analyzing the effects cyber attacks have on an organization’s operations and strategic interests provides quantifiable, business-related information to
justify its impact on the organization. A CITP participant quantified the impact of cyber threats to their leadership by assessing how much money the
organization would pay to reroute its product distribution channels after a hacker compromised the network and disclosed specific travel routes to
competitors intent on disrupting this distribution.
Figure: Impact spider graph. One factor shown is Brand Reputation: Understand the impact to the brand and its implications on public opinion.

Indicators of Success
• Internally, analysts establish frequent communication with the business units responsible for operations to discuss threats, alter threat prioritization, and predict new threats. These business units can include R&D, physical security, risk management, IT, human resources, insider threat, and business intelligence.
• Analysts identify and remediate the cascading effects a cyber attack could have by targeting one part of the organization’s operational network and systems.
• Analysts recognize how a cyber attack could impact the organization’s ability to operate and communicate to stakeholders and institute appropriate contingencies to eliminate this impact when an attack occurs in the future.
• Knowledge of the impact cyber attacks can have on an organization’s operations enables analysts to determine the financial costs to recover and repair damage done by the threats that the analysts’ prioritization efforts deem most likely to harm the organization.
• Analysts ensure that threat prioritization isn’t based off personal biases or those of decision makers, stakeholders, service providers, or the media.
• Analysts correlate logs of IPs accessing the parts of their organization’s website containing data on strategic planning and intellectual property with known bad IPs to predict where threats will be concentrated now and in the future.
• Analysts understand the financial cost associated with a geopolitical event in a country threatening their organization’s Internet presence in that market.
• Analysts recognize that if peers in their industry and the organization’s economic interests are being attacked, the likelihood of being targeted increases and they take preventative measures to ensure that doesn’t happen.
Risk
Assessing how people and the organization’s cyber footprint make the organization vulnerable to cyber attacks determines what areas within it are
the most at risk of being targeted. One CITP participant’s CEO is active with companies and institutes that are separate from the organization. The CITP
participant’s cyber intelligence analysts maintain an awareness of these activities, so when hacktivists publicly threatened attacks against one of the
institutes, the analysts knew this could have implications for their organization and altered network defenses to prepare for a potential attack.
Figure: Risk spider graph.

Indicators of Success
• Whether it is an employee alerting about a suspicious email they received or a vendor providing a list of bad IPs, analysts have engaged enough with individuals associated with the organization that they actively contact the analysts about issues that could alter how threats are prioritized.
• Employee feedback influences threat prioritization because analysts offer feedback mechanisms via all of their cyber intelligence communication platforms; emails, analytical products, briefings, or awareness campaigns.
• If the CEO or a junior analyst blogs about topics that likely will bring the attention of threat actors, analysts are aware of these activities and consider the position, influence, popularity, and online presence of these individuals in order to predict how they should change the organization’s security posture.
• Analysts become aware of the fact that every vulnerability is not a threat worthy of further analysis and mitigation.
• Analysts understand the organization’s operating environment well enough that with system updates and patches, they alleviate ~80% of threats; freeing them to focus on the ~20% that could significantly impact the organization.
• Analysts recognize their organization is only as secure as its supply chain. If it acquires software and analysts don’t know who did the actual coding, the code’s reliability, or to what extent it has been error tested, then they won’t know how threat actors could use potential vulnerabilities within the code to conduct an attack.
• Analysts incorporate timing into their prioritization efforts to align increases in network defenses with the different times during the year (holidays, system upgrades) when the organization’s network is most vulnerable.