Implementation Framework Cyber Threat Prioritization


Troy Townsend
Jay McAllister
September 2013
CARNEGIE MELLON UNIVERSITY SOFTWARE ENGINEERING INSTITUTE

Copyright 2013 Carnegie Mellon University

This material is based upon work funded and supported by ODNI under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of ODNI or the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and No Warranty statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

DM

Background

The Software Engineering Institute (SEI) Emerging Technology Center at Carnegie Mellon University studied the state of cyber intelligence across government, industry, and academia to advance the analytical capabilities of organizations by using best practices to implement solutions for shared challenges. The study, known as the Cyber Intelligence Tradecraft Project (CITP), defined cyber intelligence as the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities to offer courses of action that enhance decision making.

A significant challenge that emerged from the CITP was the way in which analysts prioritize cyber threats. The SEI team observed a diverse array of approaches, from analysts relying on the media and third-party intelligence service providers to using data-centric models based on a narrow scope of factors. When threat prioritization models are too narrow, they prevent analysts from effectively monitoring the changes and evolution of the most relevant and severe cyber threats. This hinders cyber intelligence and security professionals from proactively implementing defenses to guard against the latest attack trends and techniques.

Among the CITP's government participants, most intelligence analysts prioritized cyber threats by the likelihood of an actor executing an attack, which they quantified through the summation of an actor's sophistication (capability) measured against their desire to target the organization (intent). The SEI team noted that as these analysts transitioned to the private sector, so too did this approach. Conversely, private sector CITP participants without experienced government intelligence analysts tended to discount the utility of knowing the threat actor and prioritized cyber threats by the impact attack methods had on the organization or the risk attack methods posed because of the organization's known vulnerabilities.

This Cyber Threat Prioritization Implementation Framework leverages the best practices of CITP participants and SEI expertise to offer a holistic approach to prioritizing cyber threats using a customized, tiered threat prioritization framework. The framework breaks down cyber threats into three core components: the likelihood of threat actors executing attacks, the impact threats have on an organization's business, and the risk threats pose because of an organization's known vulnerabilities. By assessing threats according to these components, analysts come to fully understand the causes and effects of relevant threats, which significantly improves the efficiency of their organization's cyber intelligence efforts because they have the necessary context to accurately align analytical and security resources to the current and future cyber attacks posing the most legitimate threats to the organization. Instead of prioritizing a cyber threat solely on the capability and intent of threat actors, the framework enables analysts to see the utility of also understanding the threat's relevance to their organization, strengthening their threat prioritization as they come to realize that a somewhat capable actor with a desire to deface websites should not be considered in the same category as a highly capable actor intent on extracting confidential, strategic documents for extortion or blackmail.

Implementation

Here's how analysts can leverage the Cyber Threat Prioritization Implementation Framework to augment their organization's cyber intelligence efforts:

1. Adopt these definitions:
   Threat = Likelihood + Impact + Risk
   Likelihood = Capability + Intent
   Impact = Operations + Strategic Interests
   Risk = People + Cyber Footprint

2. Become familiar with the provided spider graphs to gauge the factors that comprise each of the three threat components.

   [Figure: spider graph key. Each graph carries the title of the threat component and an example from a CITP participant, the threat component (likelihood, impact, or risk), the elements of the threat component, their sub-elements, and Indicators of Success: examples of how assessing threats according to this element and its sub-elements and factors augments an analyst's cyber intelligence capabilities.]

3. Identify cyber threats using the three core components of a threat. Examples:
   - Likelihood: Threat actors - State-sponsored, competitors, criminals, hacktivists, recreational hackers
   - Impact: Attack types - distributed denial-of-service (DDoS), stealing intellectual property (IP), damaging/incapacitating network assets
   - Risk: Known vulnerabilities - High-profile employees, unpatched devices, unsecured remote access

4. Assess the likelihood, impact, and risk of the cyber threats. Use the factors and sub-elements in each threat component's spider graph to rate the corresponding elements as a low, medium, or high priority attribute of the threat. The average of these ratings then determines the likelihood, impact, and risk of the threat, which combine to indicate whether it should be considered a low, medium, or high priority threat.

   Example: An organization wants to know how it should prioritize its analytical and network defense efforts for a possible recreational hacker DDoS attack on the organization's secure payment site. Analysis indicates the likelihood of the recreational hacker executing the attack is high due to his attack methods and resources. However, the impact of the DDoS attack is assessed as low because the secure payment site has minimal impact on the organization's operations and strategic interests due to it still being in internal beta testing. This also means the risk associated with the attack is low because of the secure payment site's limited interaction with people and cyber footprint. Therefore, this threat, which initially appeared to be a high priority, now can be classified as a medium to low threat requiring minimal analytical and network defense attention.

   Note: Always factor timing into the threat prioritization assessment. When a threat actor or organization does something can be just as important as why or how. A threat actor may have no desire to target an organization, but since it is a national holiday, the organization becomes a target of opportunity for the actor to test a new tool simply because none of its network security employees are at work.

5. Plot all threats for each component on graphs similar to the following:

   [Figure: three quadrant graphs with quadrants labeled Low, Medium, Medium, and High. Likelihood (by threat actor): axes Capability and Intent. Impact (to organization): axes Operations and Strategic Interests. Risk (by known vulnerabilities): axes People and Cyber Footprint.]

   Use all three graphs to holistically evaluate the overall cyber threat environment to efficiently align analytical and security resources to the current and future cyber attacks that pose the most legitimate threats to the organization.

   Example: If cyber intelligence analysts rate all components of a threat actor executing a worm (likelihood) against an organization's network servers for industrial espionage purposes (impact) that has no worm mitigation in place (risk) as a high priority threat, then the organization should immediately position itself to focus on this threat over others where the likelihood is equally as high, but impact and risk are lower.

Overall Indicators of Success

- Threat prioritization influences which potential threats get addressed by security operations and how network security resources are allocated.
- Collection management is streamlined and organizations are able to better communicate their requirements to third party intelligence vendors.
- Cyber threats are widely communicated to the organization and employees are aware of the most relevant threats.
- Cyber threats are proactively monitored and prioritized, with updates available to inform security operations, intelligence analysts, and decision makers.
- Analytical production aligns with threat prioritization. For instance, the organization develops a tiered system to communicate threat information to stakeholders:
  - Tier 1: Potential threat averages a high rating. Analysis required within 90 minutes.
  - Tier 2: Potential threat averages a medium rating. Analysis required within 8 hours.
  - Tier 3: Potential threat averages a low rating. Analysis required between 3 and 5 days.
  - Tier 4: Potential threat does not compute a rating, but is an indirect threat for anyone using the Internet. No specific timeframe for analysis.
- Analysts use threat prioritization to do predictive analysis, like developing scenarios to test how defenses will react to the full spectrum of cyber threats.
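The rating roll-up from steps 1 and 4 and the tier assignment above, written out as an added Python example that is not part of the SEI framework document. The 1/2/3 numeric scale, the nearest-label cut-offs, the treatment of unrated threats as Tier 4, and the sample threat names and element ratings are assumptions.

```python
"""Roll up low/medium/high element ratings into a threat priority and tier."""
from fractions import Fraction

# Numeric scale for the ratings (assumption: the page only names the labels).
SCALE = {"low": 1, "medium": 2, "high": 3}

# Threat component -> its two elements, from the step 1 definitions.
COMPONENTS = {
    "likelihood": ("capability", "intent"),
    "impact": ("operations", "strategic_interests"),
    "risk": ("people", "cyber_footprint"),
}

# Rating -> (tier, analysis deadline), from the tiered example on the page.
TIERS = {
    "high": ("Tier 1", "within 90 minutes"),
    "medium": ("Tier 2", "within 8 hours"),
    "low": ("Tier 3", "between 3 and 5 days"),
    None: ("Tier 4", "no specific timeframe"),
}


def average(values):
    """Exact mean, so boundary scores are not blurred by float rounding."""
    return Fraction(sum(values), len(values))


def label(score):
    """Map a 1..3 average to the nearest label (cut-offs are an assumption)."""
    if score >= Fraction(5, 2):
        return "high"
    if score >= Fraction(3, 2):
        return "medium"
    return "low"


def assess(ratings):
    """Score one threat from its element ratings.

    `ratings` maps element name -> "low" | "medium" | "high". An element left
    out (or None) means the threat cannot be rated, which this sketch treats
    as the page's Tier 4 case. Any other value is rejected as a typo.
    """
    components = {}
    for component, elements in COMPONENTS.items():
        values = [ratings.get(e) for e in elements]
        bad = [v for v in values if v is not None and v not in SCALE]
        if bad:
            raise ValueError(f"unknown rating(s) for {component}: {bad}")
        if None in values:
            return {"components": {}, "score": None, "label": None,
                    "tier": TIERS[None]}
        components[component] = average([SCALE[v] for v in values])
    score = average(list(components.values()))
    return {
        "components": {c: label(s) for c, s in components.items()},
        "score": score,
        "label": label(score),
        "tier": TIERS[label(score)],
    }


def rank(threats):
    """Order threat names by overall score, highest first, unrated last."""
    scored = {name: assess(r)["score"] for name, r in threats.items()}
    return sorted(scored, key=lambda n: (scored[n] is None, -(scored[n] or 0)))


# Constructed sample threats modelled on the page's two worked examples.
# The DDoS intent rating is an assumption; the page only states that the
# resulting likelihood is high.
THREATS = {
    "recreational-hacker DDoS on beta payment site": {
        "capability": "high", "intent": "high",
        "operations": "low", "strategic_interests": "low",
        "people": "low", "cyber_footprint": "low",
    },
    "espionage worm on unprotected servers": {
        "capability": "high", "intent": "high",
        "operations": "high", "strategic_interests": "high",
        "people": "high", "cyber_footprint": "high",
    },
    "generic Internet background noise": {},  # unrated -> Tier 4
}

if __name__ == "__main__":
    for name in rank(THREATS):
        result = assess(THREATS[name])
        tier, deadline = result["tier"]
        print(f"{tier} ({deadline}): {name} -> {result['label']}")
```

With these assumed cut-offs the DDoS threat averages 5/3, at the lower end of the medium band, which matches the page's "medium to low" classification.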

Likelihood

Understanding the capabilities and intentions of cyber threat actors determines the likelihood of them targeting an organization.

To determine this likelihood, a CITP participant from industry monitored open source publications from an organization known to sponsor cyber threat actors who frequently targeted the organization. Analyzing this accessible data provided insight into the motivations of the sponsored cyber threat actors, allowing the CITP participant to narrow down the types of data likely to be targeted, and work with network security experts to create diversions, honey pots, and employ other measures to proactively defend against the threat.

Capability: An actor's sophistication, tools, and resources to execute a cyber attack determine their capability. Assessing capability as an independent variable of likelihood means organizations can avoid the pitfalls of devoting time and attention to paper tiger threats.

Intent: The actor's purpose and the expected outcome of the cyber attack determine the intent. Prioritizing actors by their intent allows analysts to focus on the most relevant threats.

Attack Methods: Humans are creatures of habit. Although threat actors take great care to avoid detection, at some level they too succumb to this adage. Tracking how threat actors operate exposes patterns that analysts can use to combat their effectiveness.
- Infrastructure: Sophisticated threats often require an infrastructure to operate. This can be assessed by looking for hop points used during an attack, the command and control network, or the size and scope of a botnet.
- Technology: Technology used or manipulated for an attack can indicate the capability of a threat actor. More sophisticated actors target SCADA or ICS devices, web-enabled products, or mobile devices in addition to traditional servers and clients.
- Coding: Nuances and personal preferences in coding not only assist with attribution, but also can indicate actor sophistication.
- Maturity: The maturity of the actor takes into account their planning process, pre-attack activities (research/recon/social engineering), and post-attack actions (such as tool updates or incorporating lessons learned).
- Targets: Capability can be assessed by looking at what is targeted. Does the actor rely on mass phishing emails, identify specific targets (network, website, employee, mobile platform) or exploit a specific vulnerability (Adobe, Windows, SQL, etc.)?

Resources: Understanding what is available to threat actors offers context to the sophistication of their attacks. Leverage government, industry, and intelligence service provider information sharing arrangements to learn about actors' resources.
- Money: Obtaining and maintaining capabilities incur costs. Well-resourced/sponsored threat actors are often more dangerous than less resourced actors, with other variables being equal.
- People: From collaborators and co-workers to teachers and mentors, the number and type of people involved in a campaign can be indicative of its capability.
- Tools: Tools often hint at the capability of an actor, but the lack of a custom tool does not always imply a novice attacker. Most sophisticated actors will use the right tool for the job; if open source tools will work, there is no need to customize one.
- Training: The type and quality of training available to the threat actor can help determine their capability. Online videos, IRC channels, certification courses, military training, or formal academic education all yield different levels of sophistication.

Motive: Why do threat actors attack? Determining an actor's motive provides insight into the possible direction of their behavior, and determines their interest in targeting the organization.
- Intrinsic (personally rewarding): Fame, bragging rights, thirst for knowledge/access, justification of skills, satisfying boredom, patriotism, and hacktivist allegiance are all reasons a hacker might be motivated to target an organization.
- Extrinsic (receive external reward or avoid punishment): Extrinsic motives revolve around two key concepts: reward or avoiding punishment. These motives include everything from state-sponsored denial and deception operations, misinformation campaigns, and psychological operations to financial incentives from competing businesses, organized crime, and blackmail.

Targeted Data: Understanding what a threat actor is after will factor into determining their intent to target the organization.
- Personally Identifiable Information (PII): Are the attackers stealing personal information from your customers? From your employees? Determining if this type of information is vulnerable can help assess the likelihood that the actor targets the organization.
- Research and Development: Some actors exist to steal corporate R&D data. Organizations with heavy R&D missions are more likely to be targeted by actors specializing in corporate espionage or supporting nation-states.
- Business Process: Certain categories of actors, especially insider threats, target the inner workings of the organization. From hiring and firing information to time cards and audit findings, organizations likely will be targeted if this information is accessible.
- Industrial Control Systems: Certain actors specialize in compromising industrial control systems and the associated human-machine interface. Organizations operating these systems should prioritize these threat actors accordingly.

Indicators of Success

- Analysts have a repository of current and historical threat actor tactics, techniques, and procedures (TTPs) to generate profiles that are fed into data collection platforms to separate known threats that automated defensive actions can mitigate from unknown threats requiring an analyst's attention.
- Analysts gain perspective on the tools threat actors use to assess how they access an organization or if they outsource tool development. A basic netflow analysis could show the majority of attacks come from well known, prepackaged scripts, which analysts can easily combat using remediation efforts posted on open source websites.
- Analysts realize that sophisticated actors use the lowest common denominator for attacks. If a threat actor can use an off-the-shelf tool to accomplish their goal, they'll wait to deploy customized tools on harder targets.
- Analysts understand that the targeting of Adobe or Windows software vulnerabilities usually equates to a threat of lower sophistication than one targeting Windows operating systems.
- Analysts understand threat actors' intentions well enough to assign them to different categories, such as nation-state, criminal, hacktivist, recreational, or competitor, enabling them to identify the most likely threats their organization faces through profiling.
- Analysts realize that if a threat actor is targeting their organization for fame, the likelihood increases for the actor to choose a DDoS attack to the organization's website as the attack method.
- From their organization being the first result in a Google search to knowing over what holidays certain actors like to conduct attacks, analysts recognize the importance of timing when it comes to assessing the overall likelihood of a threat.

Impact

Analyzing the effects cyber attacks have on an organization's operations and strategic interests provides quantifiable, business-related information to justify its impact on the organization.

A CITP participant quantified the impact of cyber threats to their leadership by assessing how much money the organization would pay to reroute its product distribution channels after a hacker compromised the network and disclosed specific travel routes to competitors intent on disrupting this distribution.

Operations: Cyber attacks adversely affect an organization's day-to-day operations. Since the effects often are financially quantifiable, analysts can use dollar amounts to communicate the impact attacks have on how an organization functions.

Strategic Interests: Some impacts are harder to quantify, but they are no less important. Strategic interests capture the intangible aspects of the organization that can be affected by a cyber threat.

Direct Costs: Cyber attacks have a financial impact on organizations. Prioritizing threats according to their cost in terms of remediation and mitigation can resonate with technical and non-technical stakeholders.

Business Operations: In addition to the known costs of responding to an attack, organizations also should consider the cascading effects an attack can cause and their associated costs.

Organizational Interests: Plans, people, and products offer tremendous insight into why an organization is targeted and where a threat can do the most damage if certain information is compromised.

External Interests: Organizations do not operate in a bubble, and neither should threat prioritization. Consider the ramifications cyber attacks can have on organizational partnerships, reputation, culture, geopolitics, and market space.

- Incident Response: Consider the costs to perform an investigation, remediation, and forensics, including required software/licenses for incident response tools.
- Downtime: Business costs of a network-reliant service being unavailable, including missed transactions or loss of potential revenue, also play a role.
- Mitigation and/or Prevention: Factor in costs of additional hardware/software required to mitigate a specific threat.
- Supply Chain: Costs associated with the inability to meet demand, delay to operations, and having to supplement/replace suppliers can significantly impact an organization.
- Logistics: An organization must function whether it is enduring an attack or not, so make sure to consider the cost of continuing operations during and after an attack, such as re-routing communications, securing intellectual property, adding equipment/personnel to avoid another similar attack, and upgrading systems/networks/processes.
- Future Earnings: Loss of intellectual property may reveal R&D investments or R&D strategies, delay product releases, affect future acquisitions, and cause a loss of competitive advantage.
- Strategic Planning: Consider the impact of losing strategic vision data, such as annual reports, 1/3/5 year strategic outlooks, operational policies, mergers, and acquisitions.
- Stakeholders: Assess how threats impact shareholders, board of directors, and employees.
- Organizational Culture: Factor in the impact of legal/regulatory requirements from governments, law enforcement, regional entities (European Union), and external business arrangements. Also consider changes to the organization's culture, including work-from-home policies, complex password requirements, and restricted network access.
- Market/Industry: How are competitors affected by the cyber threat? Is the industry equally affected by the threat? Consider national and foreign competition in threat prioritization.
- Geopolitical: Does the threat affect political relationships, or the ability to operate in foreign countries? Will the impact of the threat affect the stock market? Is the local/regional economy impacted? All of these factors play a role that decision makers will want information on.
- Partnerships: Consider the impact to third parties, including information-sharing partners (government/industry/service provider) and other business relations (companies/governments/regions). Assess the validity of shared data if strategic partners are affected.
- Brand Reputation: Understand the impact to the brand and its implications on public opinion.

Indicators of Success

- Internally, analysts establish frequent communication with the business units responsible for operations to discuss threats, alter threat prioritization, and predict new threats. These business units can include R&D, physical security, risk management, IT, human resources, insider threat, and business intelligence.
- Analysts identify and remediate the cascading effects a cyber attack could have by targeting one part of the organization's operational network and systems.
- Analysts recognize how a cyber attack could impact the organization's ability to operate and communicate to stakeholders and institute appropriate contingencies to eliminate this impact when an attack occurs in the future.
- Knowledge of the impact cyber attacks can have on an organization's operations enables analysts to determine the financial costs to recover and repair damage done by the threats that the analysts' prioritization efforts deem most likely to harm the organization.
- Analysts ensure that threat prioritization isn't based off personal biases or those of decision makers, stakeholders, service providers, or the media.
- Analysts correlate logs of IPs accessing the parts of their organization's website containing data on strategic planning and intellectual property with known bad IPs to predict where threats will be concentrated now and in the future.
- Analysts understand the financial cost associated with a geopolitical event in a country threatening their organization's Internet presence in that market.
- Analysts recognize that if peers in their industry and the organization's economic interests are being attacked, the likelihood of being targeted increases and they take preventative measures to ensure that doesn't happen.

Risk

Assessing how people and the organization's cyber footprint make the organization vulnerable to cyber attacks determines what areas within it are the most at risk of being targeted.

One CITP participant's CEO is active with companies and institutes that are separate from the organization. The CITP participant's cyber intelligence analysts maintain an awareness of these activities, so when hacktivists publicly threatened attacks against one of the institutes, the analysts knew this could have implications for their organization and altered network defenses to prepare for a potential attack.

People: Cyber threats generally have one thing in common: at some point a human interacts with the threat. This interaction must be a part of threat prioritization to understand an attacker's most commonly targeted vulnerability: people.

Cyber Footprint: The greater an organization's online exposure, the more opportunity an attacker has to find vulnerabilities. Consider the organization's infrastructure, supply chain, online exposure, and components most susceptible to attacks.

Relevance: From leadership to rank-and-file employees, the Internet offers a communication platform that allows anyone to make their organization more visible to threat actors.

Access: Employees with administrator privileges or access to sensitive data are more attractive targets for threat actors. Determining who has what access can significantly aid in identifying the risk to employees.

Infrastructure: The unknown provenance of software and hardware complicates risk determination in the cyber environment. Overcoming this limitation requires researching where, when, and how an organization's infrastructure is most susceptible to cyber threats.

Online Presence: The content and services an organization provides on the Internet serve as attractive targets for threat actors. Analysts can assess severity of risk based on this insight into likely attack vectors.

- Online Presence: Maintain awareness of the information employees put online and their popularity on blogs/social media; both can garner the attention of threat actors. Information posted online can unwittingly reveal vulnerabilities and flaws in security policy, or incite threat actors to target the organization.
- Extracurricular Activities: Be mindful of the activities employees participate in outside of work. Employees' status with external institutions, such as non-profits, may increase their risk of being targeted.
- Motive: There always is a rhyme or reason for why people enable cyber attacks. Whether it's ignorance, financial trouble, disgruntlement, or boredom, by knowing these vulnerabilities analysts can diminish their effectiveness through prevention.
- Physical and Network-Based Access: Individuals have varying access to both physical and network-based sections of an organization that threat actors can leverage to execute an attack. Assess which employees are at higher risk of being targeted based on their access.
- Position: As with access points, consider how threat actors can exploit the different roles people play throughout the organization, from network administrator or HR representative to CEO, supply chain manager, or a recently fired employee.
- Abnormal Activity: Develop baseline or expected network behavior for key users. Consider what deviations may indicate potential nefarious activity and consistently watch for them. Some examples can involve an employee working off-hours, emailing attachments to personal accounts, or accessing information that is unrelated to their normal job.
- Hardware: Develop a blueprint of where network appliances, workstations, and third party equipment connect to the organization's network and identify the most likely risks for cyber threat activities.
- Software: Most organizations rely on software to accomplish day-to-day operations. A robust threat prioritization assesses the risks associated with relying on particular software, which network users require access to high-risk software, and the organization's ability to detect if a software vulnerability has been exploited.
- Supply Chain: The most stringent network defenses can be subverted by counterfeit equipment or software. Understanding and assessing threats to the organization's supply chain provides additional data points to measure risk of compromise through the organization's network infrastructure.
- Website: Analyze how threat actors might leverage an organization's website to plan and execute an attack. This includes compromising customer account log-ins, collecting employee contact information, defacing the site, or denying legitimate access to it.
- Additional Exposure: An organization's public relations and marketing departments track how social media and other aspects of the Internet help bring attention to the organization. Threat prioritization efforts also should track how this attention affects its cyber threat environment.
- Additional Services: FTP, Telnet, VPN access, webmail, remote desktop, and other web-based services used by an organization increase the risk of potential cyber attacks, and should be factored into threat prioritization.

Indicators of Success

- Whether it is an employee alerting about a suspicious email they received or a vendor providing a list of bad IPs, analysts have engaged enough with individuals associated with the organization that they actively contact the analysts about issues that could alter how threats are prioritized.
- Employee feedback influences threat prioritization because analysts offer feedback mechanisms via all of their cyber intelligence communication platforms: emails, analytical products, briefings, or awareness campaigns.
- If the CEO or a junior analyst blogs about topics that likely will bring the attention of threat actors, analysts are aware of these activities and consider the position, influence, popularity, and online presence of these individuals in order to predict how they should change the organization's security posture.
- Analysts become aware of the fact that every vulnerability is not a threat worthy of further analysis and mitigation.
- Analysts understand the organization's operating environment well enough that with system updates and patches, they alleviate ~80% of threats, freeing them to focus on the ~20% that could significantly impact the organization.
- Analysts recognize their organization is only as secure as its supply chain. If it acquires software and analysts don't know who did the actual coding, the code's reliability, or to what extent it has been error tested, then they won't know how threat actors could use potential vulnerabilities within the code to conduct an attack.
- Analysts incorporate timing into their prioritization efforts to align increases in network defenses with the different times during the year (holidays, system upgrades) when the organization's network is most vulnerable.


Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm Insider Threat Program: Protecting the Crown Jewels Monday, March 2, 2:15 pm - 3:15 pm Take Away Identify your critical information Recognize potential insider threats What happens after your critical

More information

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT

More information

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 www.pwc.com RIMS Perk Session 2015 - Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 Los Angeles RIMS Agenda Introductions What is Cybersecurity? Crown jewels The bad

More information

The Insider Threat Center: Thwarting the Evil Insider

The Insider Threat Center: Thwarting the Evil Insider The Insider Threat Center: Thwarting the Evil Insider The CERT Top 10 List for Winning the Battle Against Insider Threats Randy Trzeciak 14 June 2012 2007-2012 Carnegie Mellon University Notices 2011 Carnegie

More information

Department of Management Services REQUEST FOR INFORMATION

Department of Management Services REQUEST FOR INFORMATION RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary

More information

Information Security Is a Business

Information Security Is a Business Information Security Is a Business Continuity Issue: Are You Ready? Dr. Nader Mehravari Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie Mellon University

More information

RiskSense Attack Surface Validation for IoT Systems

RiskSense Attack Surface Validation for IoT Systems RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing

More information

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive

More information

NEXT GENERATION SECURITY OPERATIONS CENTER

NEXT GENERATION SECURITY OPERATIONS CENTER DTS SOLUTION NEXT GENERATION SECURITY OPERATIONS CENTER SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 - SUCCESS FACTORS SOC 2.0 - FUNCTIONAL COMPONENTS DTS SOLUTION SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 Protecting

More information

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported

More information

Components and Considerations in Building an Insider Threat Program

Components and Considerations in Building an Insider Threat Program Components and Considerations in Building an Insider Threat Program Carly Huth Insider Threat Researcher, CEWM Carly L. Huth is an insider threat researcher in the Cyber Enterprise and Workforce Management

More information

Governance Ideas Exchange

Governance Ideas Exchange www.pwc.com.au Anatomy of a Hack Governance Ideas Exchange Robert Di Pietro October 2018 Cyber Security Anatomy of a Hack Cyber Security Introduction Who are the bad guys? Profiling the victim Insights

More information

Engineering Improvement in Software Assurance: A Landscape Framework

Engineering Improvement in Software Assurance: A Landscape Framework Engineering Improvement in Software Assurance: A Landscape Framework Lisa Brownsword (presenter) Carol C. Woody, PhD Christopher J. Alberts Andrew P. Moore Agenda Terminology and Problem Scope Modeling

More information

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave EFFECTIVELY TARGETING ADVANCED THREATS Terry Sangha Sales Engineer at Trustwave THE CHALLENGE PROTECTING YOUR ENVIRONMENT IS NOT GETTING EASIER ENDPOINT POINT OF SALE MOBILE VULNERABILITY MANAGEMENT CYBER

More information

Cyber Hygiene: A Baseline Set of Practices

Cyber Hygiene: A Baseline Set of Practices [DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright

More information

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it

More information

CYBER RESILIENCE & INCIDENT RESPONSE

CYBER RESILIENCE & INCIDENT RESPONSE CYBER RESILIENCE & INCIDENT RESPONSE www.nccgroup.trust Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable

More information

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY Benchmark research sponsored by Raytheon. Independently conducted by Ponemon Institute LLC. February 2018 2018 Study on

More information

To Audit Your IAM Program

To Audit Your IAM Program Top Five Reasons To Audit Your IAM Program Best-in-class organizations are auditing their IAM programs - are you? focal-point.com Introduction Stolen credentials are the bread and butter of today s hacker.

More information

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016 Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda 21-22 September 2016 DAY 1: Cyber Intelligence Strategic and Operational Overview 8:30 AM - Coffee Reception

More information

RSA NetWitness Suite Respond in Minutes, Not Months

RSA NetWitness Suite Respond in Minutes, Not Months RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations

More information

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18 Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are

More information

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Today s cyber threat landscape is evolving at a rate that is extremely aggressive, Preparing for a Bad Day The importance of public-private partnerships in keeping our institutions safe and secure Thomas J. Harrington Today s cyber threat landscape is evolving at a rate that is extremely

More information

Cyber Intelligence: Challenges and Best Practices

Cyber Intelligence: Challenges and Best Practices Cyber Intelligence: Challenges and Best Practices Emerging Technology Center Samantha L. Allen Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information

More information

Cyber Threat Landscape April 2013

Cyber Threat Landscape April 2013 www.pwc.co.uk Cyber Threat Landscape April 2013 Cyber Threats: Influences of the global business ecosystem Economic Industry/ Competitors Technology-led innovation has enabled business models to evolve

More information

Are we breached? Deloitte's Cyber Threat Hunting

Are we breached? Deloitte's Cyber Threat Hunting Are we breached? Deloitte's Cyber Threat Hunting Brochure / report title goes here Section title goes here Have we been breached? Are we exposed? How do we proactively detect an attack and minimize the

More information

SOC for cybersecurity

SOC for cybersecurity April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory

More information

White Paper. How to Write an MSSP RFP

White Paper. How to Write an MSSP RFP White Paper How to Write an MSSP RFP https://www.solutionary.com (866) 333-2133 Contents 3 Introduction 3 Why a Managed Security Services Provider? 5 Major Items to Consider Before Writing an RFP 5 Current

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

Researching New Ways to Build a Cybersecurity Workforce

Researching New Ways to Build a Cybersecurity Workforce THE CISO ACADEMY Researching New Ways to Build a Cybersecurity Workforce Pamela D. Curtis, Summer Craze Fowler, David Tobar, and David Ulicne December 2016 Organizations across the world face the increasing

More information

Ensuring System Protection throughout the Operational Lifecycle

Ensuring System Protection throughout the Operational Lifecycle Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service

More information

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Using Threat Analytics to Protect Privileged Access and Prevent Breaches Using Threat Analytics to Protect Privileged Access and Prevent Breaches Under Attack Protecting privileged access and preventing breaches remains an urgent concern for companies of all sizes. Attackers

More information

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents Services to Help You Prepare for and Quickly Respond to Security Incidents The Challenge The threat landscape is always evolving and adversaries are getting harder to detect; and with that, cyber risk

More information

Critical Information Infrastructure Protection Law

Critical Information Infrastructure Protection Law Critical Information Infrastructure Protection Law CCD COE Training 8 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington, Virginia.

More information

Combating Cyber Risk in the Supply Chain

Combating Cyber Risk in the Supply Chain SESSION ID: CIN-W10 Combating Cyber Risk in the Supply Chain Ashok Sankar Senior Director Cyber Strategy Raytheon Websense @ashoksankar Introduction The velocity of data breaches is accelerating at an

More information

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO Software, Security, and Resiliency Paul Nielsen SEI Director and CEO Dr. Paul D. Nielsen is the Director and CEO of Carnegie Mellon University's Software Engineering Institute. Under Dr. Nielsen s leadership,

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING A GUIDE TO 12 CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING There is a major difference between perceived and actual security. Perceived security is what you believe to be in place at

More information

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness Introduction Drowning in data but starving for information. It s a sentiment that resonates with most security analysts. For

More information

RED HAT ENTERPRISE LINUX. STANDARDIZE & SAVE.

RED HAT ENTERPRISE LINUX. STANDARDIZE & SAVE. RED HAT ENTERPRISE LINUX. STANDARDIZE & SAVE. Is putting Contact us INTRODUCTION You know the headaches of managing an infrastructure that is stretched to its limit. Too little staff. Too many users. Not

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

10 FOCUS AREAS FOR BREACH PREVENTION

10 FOCUS AREAS FOR BREACH PREVENTION 10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual

More information

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018 Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security BRANDEIS UNIVERSITY PROFESSOR ERICH SCHUMANN MAY 2018 1 Chinese military strategist Sun Tzu: Benchmark If you know your

More information

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing

More information

MITIGATE CYBER ATTACK RISK

MITIGATE CYBER ATTACK RISK SOLUTION BRIEF MITIGATE CYBER ATTACK RISK CONNECTING SECURITY, RISK MANAGEMENT & BUSINESS TEAMS TO MINIMIZE THE WIDESPREAD IMPACT OF A CYBER ATTACK DIGITAL TRANSFORMATION CREATES NEW RISKS As organizations

More information

COUNTERING IMPROVISED EXPLOSIVE DEVICES

COUNTERING IMPROVISED EXPLOSIVE DEVICES COUNTERING IMPROVISED EXPLOSIVE DEVICES FEBRUARY 26, 2013 COUNTERING IMPROVISED EXPLOSIVE DEVICES Strengthening U.S. Policy Improvised explosive devices (IEDs) remain one of the most accessible weapons

More information

Protecting your next investment: The importance of cybersecurity due diligence

Protecting your next investment: The importance of cybersecurity due diligence Protecting your next investment: The importance of cybersecurity due diligence Oct. 11, 2018 Baker Tilly Virchow Krause, LLP. All rights reserved. Baker Tilly refers to Baker Tilly Virchow Krause, LLP,

More information

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise February 11 14, 2018 Gaylord Opryland Resort and Convention Center, Nashville #DRI2018 Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise Tejas Katwala CEO

More information

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report ii Nationwide Cyber Security Review: Summary Report Acknowledgments The Multi-State Information Sharing

More information

Cybersecurity in Higher Ed

Cybersecurity in Higher Ed Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,

More information

Are you safe? Your business growth strategies are at the heart of the cyber risks your organization faces

Are you safe? Your business growth strategies are at the heart of the cyber risks your organization faces Are you safe? Your business growth strategies are at the heart of the cyber risks your organization faces 36 Deloitte A Middle East Point of View Summer 2015 Cyber Security Most reports on cyber security

More information

Securing Your Digital Transformation

Securing Your Digital Transformation Securing Your Digital Transformation Security Consulting Managed Security Leveraging experienced, senior experts to help define and communicate risk and security program strategy using real-world data,

More information

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enhancing the Cybersecurity of Federal Information and Assets through CSIP TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3

More information

DDoS MITIGATION BEST PRACTICES

DDoS MITIGATION BEST PRACTICES DDoS MITIGATION BEST PRACTICES DDoS ATTACKS ARE INCREASING EXPONENTIALLY Organizations are becoming increasingly aware of the threat that Distributed Denial of Service (DDoS) attacks can pose. According

More information

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better

More information

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment SWG G 3 2016 v0.2 ISAO Standards Organization Standards Working Group 3: Information Sharing Kent Landfield, Chair

More information

Nebraska CERT Conference

Nebraska CERT Conference Nebraska CERT Conference Security Methodology / Incident Response Patrick Hanrion Security Center of Excellence Sr. Security Consultant Agenda Security Methodology Security Enabled Business Framework methodology

More information

How to Write an MSSP RFP. White Paper

How to Write an MSSP RFP. White Paper How to Write an MSSP RFP White Paper Tables of Contents Introduction 3 Benefits Major Items of On-Premise to Consider SIEM Before Solutions Security Writing an RFP and Privacy 45 Benefits Building an of

More information

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

More information

Incident Response Services

Incident Response Services Services Enhanced with Supervised Machine Learning and Human Intelligence Empowering clients to stay one step ahead of the adversary. Secureworks helps clients enable intelligent actions to outsmart and

More information

Adversary Playbooks. An Approach to Disrupting Malicious Actors and Activity

Adversary Playbooks. An Approach to Disrupting Malicious Actors and Activity Adversary Playbooks An Approach to Disrupting Malicious Actors and Activity Overview Applying consistent principles to Adversary Playbooks in order to disrupt malicious actors more systematically. Behind

More information

IoT & SCADA Cyber Security Services

IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au

More information

Cyber Partnership Blueprint: An Outline

Cyber Partnership Blueprint: An Outline Approved for Public Release; Distribution Unlimited. 13-3851 The MITRE Corporation Cyber Partnership Blueprint: An Outline October 26, 2013 Copyright 1997-2013, The MITRE Corporation. All rights reserved.

More information

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin ARC VIEW DECEMBER 7, 2017 Critical Industries Need Active Defense and Intelligence-driven Cybersecurity By Sid Snitkin Keywords Industrial Cybersecurity, Risk Management, Threat Intelligence, Anomaly &

More information

Driving Global Resilience

Driving Global Resilience Driving Global Resilience Steve Mellish FBCI Chairman, The Business Continuity Institute Monday December 2nd, 2013 Business & IT Resilience Summit New Delhi, India Chairman of the Business Continuity Institute

More information

Business continuity management and cyber resiliency

Business continuity management and cyber resiliency Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,

More information

THE CYBERSECURITY LITERACY CONFIDENCE GAP

THE CYBERSECURITY LITERACY CONFIDENCE GAP CONFIDENCE: SECURED WHITE PAPER THE CYBERSECURITY LITERACY CONFIDENCE GAP ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE Despite the fact that most organizations are more aware of cybersecurity risks

More information

Location-Specific Cyber Risk

Location-Specific Cyber Risk Location-Specific Cyber Risk Lincoln Kaffenberger Cyber Threat Intelligence Officer IMF Information Security Group John Kupcinski Director, Cyber Security KPMG 1 Agenda Why assess the cyber risks by a

More information

Control Systems Cyber Security Awareness

Control Systems Cyber Security Awareness Control Systems Cyber Security Awareness US-CERT Informational Focus Paper July 7, 2005 Produced by: I. Purpose Focus Paper Control Systems Cyber Security Awareness The Department of Homeland Security

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

Statement for the Record

Statement for the Record Statement for the Record of Seán P. McGurk Director, Control Systems Security Program National Cyber Security Division National Protection and Programs Directorate Department of Homeland Security Before

More information

CCISO Blueprint v1. EC-Council

CCISO Blueprint v1. EC-Council CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance

More information

Cyber Resilience. Think18. Felicity March IBM Corporation

Cyber Resilience. Think18. Felicity March IBM Corporation Cyber Resilience Think18 Felicity March 1 2018 IBM Corporation Cyber Resilience Cyber Resilience is the ability of an organisation to maintain its core purpose and integrity during and after a cyber attack

More information

M&A Cyber Security Due Diligence

M&A Cyber Security Due Diligence M&A Cyber Security Due Diligence Prepared by: Robert Horton, Ollie Whitehouse & Sherief Hammad Contents Page 1 Introduction 3 2 Technical due diligence goals 3 3 Enabling the business through cyber security

More information

CYBERSECURITY MATURITY ASSESSMENT

CYBERSECURITY MATURITY ASSESSMENT CYBERSECURITY MATURITY ASSESSMENT ANTICIPATE. IMPROVE. PREPARE. The CrowdStrike Cybersecurity Maturity Assessment (CSMA) is unique in the security assessment arena. Rather than focusing solely on compliance

More information

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 PPD-21: CI Security and Resilience On February 12, 2013, President Obama signed Presidential Policy Directive

More information

EMPOWER PEOPLE IMPROVE LIVES INSPIRE SUCCESS

EMPOWER PEOPLE IMPROVE LIVES INSPIRE SUCCESS Information Technology Shared Service Team North Dakota Cyber Security Across North Dakota Threats and Opportunities 15 September 2018 EMPOWER PEOPLE IMPROVE LIVES INSPIRE SUCCESS AGENDA SIRN / FirstNet

More information

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE PREPARATION FOR GDPR IS ESSENTIAL The EU GDPR imposes interrelated obligations for organizations handling

More information

Enhancing Security With SQL Server How to balance the risks and rewards of using big data

Enhancing Security With SQL Server How to balance the risks and rewards of using big data Enhancing Security With SQL Server 2016 How to balance the risks and rewards of using big data Data s security demands and business opportunities With big data comes both great reward and risk. Every company

More information

Denial of Service Attacks
