A Common Cyber Threat Framework Overview
This is a work of the U.S. Government and is not subject to copyright protection in the United States.
UNCLASSIFIED
• Apartment • Flat
• French Fries • Chips
• Elevator • Lift
• Gasoline • Petrol
• Bin • Bin
• Active • Active
3/13/2017 2
1) Foundation
4) Analysis
• NSA 10 Step: Intent, Reconnaissance, Development, Staging, Delivery, Configure, Maneuver, Exploitation, C2, Effect
• Lockheed Martin Kill Chain ®: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objective
• VERIS Categories of Threat Actions: Malware, Hacking, Social, Environmental threat, Physical threat, Misuse, Error
• JCAC Exploitation: Foot printing, Scanning, Enumeration, Gain access (exploitation), Privilege escalation, Situational awareness, Covering tracks, Creating Backdoors
Effect/Consequence
Analysis
• Depending on the information selected and its presentation,
one can begin to conduct a variety of analyses:
– Trends – change over time
• What caused the change
– Predictive – what’s next
– Environmental
• Was the threat different than expected
• What vulnerabilities were missed
• How to optimize remedial action
– Vulnerability – risk analysis
– Defensive posture
[Figure: Threat Actors A through H charted across four panels: Preparation, Engagement, Presence, Effect/Consequence]
[Figure: chart by sector. Labels: Information Technology (15); Nuclear Reactors, Material, Waste (1); Chemical, Pharmaceutical; Commercial Facilities; Communications, Media]
Preparation
• Plan activity
• Develop capability
Engagement
• Interact with intended victim
• Exploit vulnerabilities
• Deliver malicious capability
Presence
• Hide
• Expand presence
• Refine focus of activity
• Establish persistence
Effect/Consequence
• Deny Access
• Extract data
• Alter data and/or computer, network or system behavior
• Destroy HW/SW/data
Summary
• The Cyber Threat Framework supports the characterization
and categorization of cyber threat information through the
use of standardized language.
• The Cyber Threat Framework categorizes the activity in
increasing “layers” of detail (1-4) as available in the
intelligence reporting.
• The Cyber Threat Framework can be used to support analysis
Questions?