State-of-the-Art in Cyber Threat Models and Methodologies


Alan Magar
Sphyrna Security

Prepared By:
Sphyrna Security
340 Ridgeside Farm Drive
Kanata, Ontario K2W 0A1

PWGSC Contract Number: W FE01/001/ST Task 57
Technical Authority: Melanie Bernier, Defence Scientist

Disclaimer: The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada.

Contract Report
DRDC-RDDC-2016-C132
March 2016

INFORMATIVE STATEMENT: This Contract Report was produced for the Cyber Decision Making and Response project (05ac) under the DRDC Cyber Operations S&T program.

Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2016

Prepared for Defence Research and Development Canada

Prepared by:
Bell Canada
160 Elgin Street, 17th Floor
Ottawa, Ontario K1S 5N4

Sphyrna Security
340 Ridgeside Farm Drive
Kanata, Ontario K2W 0A1

Final, March 2016

Confidentiality: This document is UNCLASSIFIED.

Authors (Bell / Sphyrna Team):
- Alan Magar, Security Architect

Revision Control:
- March 2016: Draft Sections
- March 2016: Draft Report
- March 2016: Final Report

Table of Contents

1.0 Introduction
    1.1 Background
    1.2 Purpose
    1.3 Document Structure
2.0 Cyber Threat Characterization Elements
    2.1 Overview
    2.2 Threat Characterization
    2.3 Threat Taxonomies
    2.4 Threat Methodologies
    2.5 Threat Frameworks
    2.6 Threat Models
        Attacker-Centric
        System-Centric
        Asset-Centric
3.0 Model 1 - Generic Threat Model
    3.1 Overview
    3.2 Common Language Security Incident Taxonomy
    3.3 Threat Analysis Framework
    3.4 Threat Attributes & Profile
    3.5 Threat Assessment Methodology
    3.6 Application to Cyber Defence
    3.7 Gaps
4.0 Model 2 - OCTAVE Allegro Model
    4.1 Overview
    OCTAVE Allegro Methodology
        Identification of Information Asset Containers
        Identification of Threat Scenarios
    Application to Cyber Defence
    Gaps
5.0 Towards a Threat Characterization Framework
    Overview
    Adversary
    Attack
    Asset
    Effect
    Example Use Case
6.0 Conclusion & Recommendations
7.0 References
8.0 Acronyms & Abbreviations
Annex A - ARMOUR
Annex B - Threat Characterization
    B.1 Cyber Adversary Characterization
    B.2 NNSA Threat Characterization
Annex C - Threat Taxonomies/Libraries
    C.1 AVOIDIT Cyber Attack Taxonomy
    C.2 CAPEC
    C.3 CNI Cyber Taxonomy
    C.4 Cyber Conflict Taxonomy
    C.5 DSB Cyber Threat Taxonomy
    C.6 Intel Threat Agent Library (TAL)
    C.7 MACE Taxonomy
    C.8 Revised Attack Taxonomy
    C.9 Taxonomy of DDoS Attacks
    C.10 Taxonomy of Internet Infrastructure Attacks
    C.11 Taxonomy of Operational Cyber Security Risks
Annex D - Threat Methodologies
    D.1 Attack Graphs
    D.2 Attack Trees
    D.3 Cyber Kill Chain
    D.4 Threat Genomics
    D.5 MACE Cyber Attack Classification
    D.6 MITRE's Cyber Prep Methodology
    D.7 Harmonized TRA Methodology
Annex E - Threat Framework
    E.1 CVSS
    E.2 RAMCAP
Annex F - Threat Model
    F.1 Composite Threat Modelling
    F.2 Microsoft Threat Modelling
    F.3 Trike
    F.4 Verizon A4 Threat Model

List of Figures

Figure 1 - DRDC Threat Initiatives
Figure 2 - Cyber Threat References
Figure 3 - Common Language Security Incident Taxonomy
Figure 4 - Threat Analysis Framework
Figure 5 - Generic Threat Matrix
Figure 6 - Threat Assessment Methodology
Figure 7 - OCTAVE Allegro Methodology
Figure 8 - Towards a Threat Characterization Framework
Figure 9 - Adversary Characterization
Figure 10 - Attack Characterization
Figure 11 - Asset Characterization
Figure 12 - Effects Characterization
Figure 13 - Example Use Case
Figure 14 - AVOIDIT Cyber Attack Taxonomy
Figure 15 - CNI Cyber Taxonomy
Figure 16 - Cyber Conflict Taxonomy
Figure 17 - DSB Cyber Threat Taxonomy
Figure 18 - MACE Taxonomy
Figure 19 - Revised Attack Taxonomy
Figure 20 - DDoS Attacks Taxonomy
Figure 21 - Internet Infrastructure Attacks Taxonomy
Figure 22 - Taxonomy of Operational Cyber Security Risks
Figure 23 - Example Scenario & Attack Graph
Figure 24 - Attack Tree
Figure 25 - Cyber Kill Chain
Figure 26 - Stages of a Cyber Attack
Figure 27 - Harmonized TRA Phases & Processes
Figure 28 - RAMCAP 7-Step Process
Figure 29 - Microsoft Threat Modelling Process
Figure 30 - Verizon A4 Threat Model


1.3 Document Structure

This report consists of the following sections:

- Section 1.0 Introduction: provides an overview of the report;
- Section 2.0 Cyber Threat Characterization Elements: provides an overview of relevant threat characterization, threat taxonomies/libraries, threat methodologies, threat frameworks, and threat models based on a literature search;
- Section 3.0 Model 1 - Generic Threat Model: describes the Generic Threat Model and assesses both its application for cyber defence and its gaps;
- Section 4.0 Model 2 - OCTAVE Allegro: describes the OCTAVE Allegro threat model and assesses both its application for cyber defence and its gaps;
- Section 5.0 Towards a Threat Characterization Framework: summarizes the cyber threat characterization elements that can be used towards the development of a threat characterization framework;
- Section 6.0 Conclusions & Recommendations: summarizes the conclusions and recommendations derived from the development of this report;
- Section 7.0 References: lists the references used within the report;
- Section 8.0 Acronyms & Abbreviations: lists the acronyms and abbreviations used throughout this report;
- Annex A ARMOUR: provides a brief overview of the ARMOUR project;
- Annex B Threat Characterization: details threat characterization references;
- Annex C Threat Taxonomies: details threat taxonomy references;
- Annex D Threat Methodologies: details threat methodology references;
- Annex E Threat Frameworks: details threat framework references; and
- Annex F Threat Models: details threat model references.

2.0 Cyber Threat Characterization Elements

2.1 Overview

A threat is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. [fn 2]

Threats can be described as "who will target what, using how, in order to achieve why". Who is the entity conducting the attack, including nation states, organized crime and activists. What is the ultimate target of the attack, such as credit card data or computer resources. How is the method by which attackers will get to the data, such as SQL injection or buffer overflows. Why captures the reason the target is important to the attacker. [fn 3]

Most threat models focus on the what and the how, as this allows the security analyst to identify potential vulnerabilities in the network or system. The who and the why are often considered somewhat less important, as in many cases the intent matters less than the results: the focus is on stopping the attack rather than determining who is conducting it and what their motivation is. While the intelligence community is very much interested in the who, the CDMR project is primarily interested in the what more than the who, and particularly in behaviour-based TTPs. [fn 4]

The purpose of this section is to define a number of concepts and to determine what threat references are available and how they characterize threat. These threat references, which are illustrated in Figure 2, have been divided as follows:

- Threat Characterization - The purpose of threat characterization is to gain an understanding of, and an ability to anticipate, an adversary in order to ultimately build improved threat models;

Footnotes:
2 NIST rev1 - Guide for Conducting Risk Assessments [Reference 2].
4 TTPs are representations of the behaviour or modus operandi of cyber adversaries. It is a term taken from the traditional military sphere and is used to characterize what an adversary does and how they do it, in increasing levels of detail.


2.2 Threat Characterization

In terms of this report, the threat characterization category is basically a catch-all for references that attempt to characterize threat but are not extensive enough to fall into one of the other categories. For example, a threat characterization effort may describe certain aspects of threat but not be extensive enough to be classified as a threat taxonomy. Annex B - Threat Characterization describes the following threat characterization efforts in considerably more detail:

- Cyber Adversary Characterization (B.1 Cyber Adversary Characterization) - The Cyber Adversary Characterization, which consists of a number of presentations given at the Black Hat conference, provides a list of attacker techniques of interest. These include indirect versus direct penetration, customized penetration tools, insider placement versus recruitment, and diversion;
- National Nuclear Security Administration (NNSA) Threat Characterization (B.2 NNSA Threat Characterization) - The NNSA Threat Characterization attempts to characterize threat. Of interest are the concept of insider/outsider collusion, a list of motivations that drive attackers (e.g., ideological, financial, revenge, ego, psychotic, coercion), and the tactics employed by attackers. Insiders have the advantage of access, knowledge, and authority, as well as secondary advantages including time, tools, tests, and collusion. In contrast, outsiders are forced to resort to deceit, force, or stealth.

2.3 Threat Taxonomies

Most taxonomies are attacker-centric in that they categorize attacks from the perspective of an attacker's tools, motivations and objectives. However, there have been efforts to develop defence-centric taxonomies based on how an attack manifests itself in the target system, or even taxonomies focussed on the actors involved. While there is a wide array of threat taxonomies, no one taxonomy perfectly captures all aspects of cyber threat. However, various threat taxonomies bring something new or provide an interesting perspective. Annex C - Threat Taxonomies/Libraries describes the following threat taxonomies in more detail:

- Attack Vector, Operational Impact, Defence, Information Impact, and Target (AVOIDIT) Cyber Attack Taxonomy (C.1 AVOIDIT Cyber Attack Taxonomy) - The AVOIDIT Cyber Attack Taxonomy, which was developed by researchers within the Department of Computer Science at the University of Memphis, uses five classifiers to characterize the nature of an attack: attack vector, attack target, operational impact, informational impact, and defence;

- Common Attack Pattern Enumeration and Classification (CAPEC) (C.2 CAPEC) - MITRE's CAPEC is a dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses. This taxonomy organizes attack patterns based on the attack domain (e.g., social engineering, supply chain, communications, software, physical security, hardware);
- CNI Cyber Taxonomy (C.3 CNI Cyber Taxonomy) - The CNI Cyber Taxonomy is interesting in that it attempts to categorize both offensive and defensive cyber operations. However, while the various categories include some good content, it is still considered to be a work in progress;
- Common Language Security Incident Taxonomy (Section 3.2) - The Common Language Security Incident Taxonomy, which was developed at the Sandia National Laboratories, categorizes incidents by events, attacks, and incidents. This taxonomy introduces the concept of an Action (e.g., probe, scan, flood, authenticate, bypass, spoof, read, copy, steal, modify, delete) and the concept of Objectives (similar in concept to motivation). This taxonomy has been included with the Generic Threat Model and selected for further examination in Section 3.0;
- Cyber Conflict Taxonomy (C.4 Cyber Conflict Taxonomy) - The Cyber Conflict Taxonomy was authored by researchers at the Center for Secure Information Systems at George Mason University. The taxonomy is divided into categories and subjects. Categories are the taxonomic classifications that are applied to subjects and are further subdivided into subcategories. Subjects represent the real world events classified as cyber conflict and the real world entities, such as individuals, groups or governments, that participate in these events;
- The Defense Science Board (DSB) Cyber Threat Taxonomy (C.5 DSB Cyber Threat Taxonomy) - The DSB Cyber Threat Taxonomy consists of a threat hierarchy describing the capabilities of potential attackers, organized by level of skill and breadth of available resources. The taxonomy introduces the concept of a threat hierarchy. The concepts of "exploit pre-existing known vulnerabilities", "discover unknown vulnerabilities", and "create vulnerabilities using full spectrum" [fn 5] are particularly interesting;
- Intel Threat Agent Library (C.6 Intel Threat Agent Library (TAL)) - The TAL provides a reference for describing the human agents that pose threats to IT systems and other information assets. The taxonomy uses eight attributes to define each threat agent uniquely: intent, access, outcome, limits, resources, skills, objective, and visibility;
- Military Activities and Cyber Effects (MACE) Taxonomy (C.7 MACE Taxonomy) - MACE was originally developed by DRDC as the foundation for the modelling, simulation and experimentation of cyber attacks and the effects they can produce, but was then expanded to describe the linkages to military activities and their desired effects. The taxonomy consists of six main categories: attack types, level of access, attack vectors, adversary types, cyber effects, and military activities. Together these can provide the underlying structure for the development of a threat model, or they can easily provide the details required to develop scenario vignettes for cyber related experiments and exercises. The MACE taxonomy remains a work in progress. Specifically, the Attack Types category requires additional thought, as the current incarnation is more of a list of attacks than an attempt to categorize them. In addition, the attack vectors may need to be expanded;
- Revised Attack Taxonomy (C.8 Revised Attack Taxonomy) - The Revised Attack Taxonomy was developed by researchers in the Faculty of Computer Science at the Bundeswehr University Munich. It is quite extensive in that it uses 17 classes to describe smart attacks, although none of them are particularly comprehensive. Perhaps the most interesting of the attack categories is Attack Automation, which consists of semi-automatic, manual, and automatic;
- Taxonomy of Distributed Denial of Service (DDoS) Attacks (C.9 Taxonomy of DDoS Attacks) - The Taxonomy of DDoS Attacks was developed by three researchers from the Computer Science Department at the University of California. As with the Revised Attack Taxonomy, this taxonomy has a classification by degree of automation. Other than that, it is DDoS specific;

Footnote:
5 Full spectrum in this case refers to the use of all tools and techniques at the attacker's disposal, including the exploitation of pre-existing known vulnerabilities and the discovery of unknown vulnerabilities.

- Taxonomy of Internet Infrastructure Attacks (C.10 Taxonomy of Internet Infrastructure Attacks) - The Taxonomy of Internet Infrastructure Attacks, which was developed by researchers in the Dependable Computing & Network Laboratory at Iowa State University, includes four specific Internet infrastructure attacks: Domain Name System (DNS) hacking, routing table poisoning, packet mistreating, and denial of service; and
- Taxonomy of Operational Cyber Security Risks (C.11 Taxonomy of Operational Cyber Security Risks) - The Taxonomy of Operational Cyber Security Risks, which was developed by researchers at Carnegie-Mellon University, attempts to identify and organize the sources of operational cyber security risk into four classes: 1) actions of people, 2) systems and technology failures, 3) failed internal processes, and 4) external events. In terms of actions of people, the sub-categories of inadvertent (includes mistakes, errors, omissions) and deliberate (fraud, sabotage, theft, vandalism) are of interest.

2.4 Threat Methodologies

A methodology can be defined as a process with which to achieve a particular goal, or as a set of principles, tools and practices which can be used to guide processes to achieve a particular goal. Therefore, a threat methodology can be defined as a means with which to accomplish some aspect of threat characterization. Annex D - Threat Methodologies describes the following threat methodologies in more detail:

- Attack Graphs (D.1 Attack Graphs) - Attack graphs, which are a means to depict all the ways in which an attacker can exploit vulnerabilities in order to compromise a network or system, are used extensively in threat research. Specifically, they provide the threat researcher with a means to analyze the manner in which an attacker can achieve his objective by compromising the network;
- Attack Trees (D.2 Attack Trees) - Attack trees, also sometimes called threat trees, are a means to characterize and analyze threats. While similar in some respects to attack graphs, attack trees do not seem to be used as extensively;
- Cyber Kill Chain (D.3 Cyber Kill Chain) - The Cyber Kill Chain, which was developed by Lockheed Martin, provides a means to model both the actions of the attackers and the reactions of the defenders. It consists of seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and action. The Cyber Kill Chain has received a great deal of publicity, but in the author's opinion both Threat Genomics and the MACE Cyber Attack Classification provide a better breakdown for analyzing cyber threats;

- Threat Genomics (D.4 Threat Genomics) - Threat Genomics, which was mentioned earlier, was developed by the Microsoft Trustworthy Computing (TwC) group. It provides a very good breakdown of the sequence attackers follow in order to compromise a network. Of particular interest is the possibility of employing this model to connect threats that are all part of the same effort to compromise the network. Specifically, it includes the following ten steps: reconnaissance, commencement, entry, foothold, lateral movement, acquire control, acquire target, implement/execute, conceal & maintain, and withdraw;
- MACE Cyber Attack Classification (D.5 MACE Cyber Attack Classification) - MACE is primarily a taxonomy (Section 2.3) but also includes a cyber attack classification. This outlines seven steps to execute an attack: reconnaissance (passive & active), gain access, command & control, footprint expansion, maintain access, execute, and retreat & removal. It is a variation on the Cyber Kill Chain;
- MITRE's Cyber Prep Methodology (D.6 MITRE's Cyber Prep Methodology) - While MITRE's Cyber Prep Methodology is defined as a conceptual framework together with a practical methodology, it has been included under methodology. It provides five Cyber Prep levels that correspond to fairly distinct break points in adversary capabilities, intent, and technical sophistication, as well as in the operational complexity involved in an attack. They are cyber vandalism, cyber theft/crime, cyber incursion/surveillance, cyber sabotage/espionage, and cyber conflict/warfare. It also provides specific, and well thought out, examples of the TTPs employed by adversaries at each level;
- Threat Assessment Methodology (Section 3.5) - The Threat Assessment Methodology, which was developed by Sandia National Laboratories, proposes a means by which threats can be assessed and the resulting report used to provide input into future threat assessments. This methodology has been included with the Generic Threat Model and selected for further examination in Section 3.0; and
- Harmonized Threat and Risk Assessment (TRA) Methodology (D.7 Harmonized TRA Methodology) - The Harmonized TRA Methodology was a joint Communications Security Establishment (CSE) and Royal Canadian Mounted Police (RCMP) project to develop a single harmonized TRA for the Government of Canada (GC) that was flexible, modular, simple, consistent, general, and that would facilitate automation.

2.5 Threat Frameworks

A framework can be defined as the basic structure underlying a system, concept, or text, or as a coherent set of concepts and relationships that are posited about some phenomena. Consequently, a threat framework provides a basic structure with which to analyze threats, and can encompass threat characterization, threat taxonomies, threat methodologies, and threat models. Annex E - Threat Framework describes the following threat frameworks in more detail:

- Common Vulnerability Scoring System (CVSS) (E.1 CVSS) - The CVSS, which was designed by the National Institute of Standards and Technology (NIST) and a team of industry partners, provides a means to quantify the severity and risk of a vulnerability to an information asset in a computing environment. Consequently, it allows organizations to compare one vulnerability to another when prioritizing their patching efforts. It is comprised of six base metrics: Access Vector (AV), Access Complexity (AC), Authentication (Au), Confidentiality Impact (CC), Integrity Impact (IC), and Availability Impact (AC). CVSS is widely considered to be the industry standard for vulnerability assessment;
- Risk Analysis and Management for Critical Asset Protection (RAMCAP) (E.2 RAMCAP) - RAMCAP is a framework for analyzing and managing the risks associated with terrorist attacks against critical infrastructure assets. It is comprised of seven steps: asset characterization and screening, threat characterization, consequence analysis, vulnerability analysis, threat assessment, risk assessment, and risk management. Although we are primarily interested in threat characterization, RAMCAP does provide a larger framework within which to examine it; and
- Sandia Threat Analysis Framework (Section 3.3) - The Sandia Threat Analysis Framework can be used to identify the elements required to quantify threats against critical infrastructure assets, and provides a means of distributing actionable threat information to critical infrastructure entities for the protection of infrastructure assets. Specifically, it identifies and describes five key elements needed to perform a comprehensive analysis of threat: the identification of an adversary, the development of generic threat profiles, the identification of generic attack paths, the discovery of adversary intent, and the identification of mitigation strategies. This framework has been included with the Generic Threat Model and selected for further examination in Section 3.0.

2.6 Threat Models

A model is a simplified representation of something else. A model ignores, masks, or abstracts unimportant or unnecessary details, thereby highlighting the details of interest. Whereas a framework is general in nature, a model is often considered a more developed and tested framework. A threat model highlights the details of interest regarding a threat, a class of threat, or threats in general. A threat model will generally address both a threat's capabilities and its intent. [fn 6] Basically, threat modelling is a structured approach that allows cyber security threats to be identified in terms of objectives and vulnerabilities, and identifies appropriate countermeasures to prevent, or mitigate the effects of, threats to the system. There are at least three general approaches to threat modelling:

- Attacker-centric;
- System-centric; and
- Asset-centric.

It should be noted that, of the three general approaches to threat modelling, DRDC is most interested in attacker-centric and asset-centric, and particularly in a way in which they can be combined so as to consider both aspects in order to characterize cyber threats.

Attacker-Centric

Attacker-centric threat modelling focuses on attackers, their specific goals, and the manner in which they can achieve them. The attacker-centric threat models discussed in Annex F - Threat Model include the following:

- Generic Threat Model - The Generic Threat Model, which was developed by researchers at the Sandia National Laboratories, is one of the two models selected for further analysis (Section 3.0); and
- Verizon A4 Threat Model (F.4 Verizon A4 Threat Model) - The A4 Threat Model was developed by Verizon's RISK team. In the model, a security incident is viewed as a series of events that adversely affect the information assets of an organization. While there does not appear to be a great deal of information available on the Verizon A4 Threat Model, the information that is available describes an interesting approach whereby all cyber threats can be described using four elements: agent, action, asset and attribute. The benefit of this model is that any threat event can effectively be referenced using a number between 1 and 315 (the number of distinct threat events).

System-Centric

System-centric threat modelling, which is sometimes called "software-centric", "design-centric", or "architecture-centric", focuses on the system being built or the software being developed. Specifically, it looks at the design of the system/software and determines the type of attacks that can be undertaken against each element. The system-centric threat models discussed in Annex F - Threat Model include the following:

- Composite Threat Modelling (F.1 Composite Threat Modelling) - The U.S. Department of Transportation National Highway Traffic Safety Administration (NHTSA) proposed a composite threat model for the automotive sector, combining common elements of STRIDE (F.2.1 STRIDE), Trike (F.3 Trike), and the Application Security Frame (ASF). It is primarily of interest because it combines aspects from multiple threat models to produce its own threat model;
- Microsoft Threat Modelling (F.2 Microsoft Threat Modelling) - The Microsoft threat modelling process consists of the following five steps: identify security objectives, survey the application, decompose the application, identify threats, and identify vulnerabilities. In terms of identifying threats, the Microsoft threat modelling process leverages a classification scheme for characterizing known threats and another scheme to quantify the various threats. These are STRIDE (Spoofing identity, Repudiation, Information disclosure, DoS, Elevation of privilege) and DREAD (Damage potential, Reproducibility, Exploitability, Discoverability) respectively. While STRIDE could be considered part of threat characterization, it is most often considered part of the Microsoft Threat Model; and
- Trike (F.3 Trike) - Trike is a system-centric threat model that focuses on modelling threats from a defensive perspective rather than that of an attacker. Once the set of threats for the application has been determined and the implementation model completed, the attack graph is built and the system examined to verify all weaknesses in the system. Once this is done, the vulnerabilities of the system can be determined and the appropriate mitigations applied.

Asset-Centric

Asset-centric threat modelling focuses on the information that the attacker is attempting to compromise. The asset-centric threat models discussed include the following:

- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro - OCTAVE Allegro, which was created by CERT at Carnegie Mellon University, is an approach used to assess an organization's information security needs. OCTAVE Allegro focuses on information assets. It is one of the two models selected for further analysis (Section 4.0).

Footnote:
6 Cyber Threat Metrics [Reference 3].

3.0 Model 1 - Generic Threat Model

3.1 Overview

Sandia National Laboratories [fn 7] is operated and managed by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation. Sandia Corporation operates Sandia National Laboratories as a contractor for the U.S. Department of Energy's NNSA. One of the areas in which it conducts a considerable amount of research is cyber and infrastructure security. Within this area of research, Sandia National Laboratories conducts research into cyber threats and threat characterization. These research efforts, which have been bundled together in this paper under the title Generic Threat Model, form a threat analysis model. While the model was originally proposed to determine threat capabilities and identify/prioritize expenditures in an unclassified venue for use by critical infrastructure providers and utility owners, it is sufficiently generic that it can be applied in other environments as well. The Generic Threat Model will be examined in terms of the following:

- Common Language Security Incident Taxonomy;
- Threat Analysis Framework;
- Threat Attributes & Profile;
- Threat Assessment Methodology;
- Application to Cyber Defence; and
- Gaps.

Footnote:
7 Additional information on Sandia National Laboratories can be found at

3.2 Common Language Security Incident Taxonomy

The Common Language Security Incident Taxonomy [fn 8], which is illustrated in Figure 3, was authored by two researchers at Sandia National Laboratories. The taxonomy, which was developed to provide a common language for computer security incidents, uses the following three main terms and a number of secondary terms:

- Event - an action directed at a target which is intended to result in a change of state (status) of the target;
  - Action - a step taken by a user or process in order to achieve a result, such as to probe, scan, flood, authenticate, bypass, spoof, read, copy, steal, modify, or delete;
  - Target - a computer or network logical entity (account, process, or data) or physical entity (component, computer, network or internetwork);
- Attack - a series of steps taken by an attacker to achieve an unauthorized result. The first two steps in an attack, tool and vulnerability, are used to cause an event on a computer or network. More specifically, during an individual attack, an attacker uses a tool to exploit a vulnerability that causes an action against a target. The logical end of a successful attack is an unauthorized result;
  - Tool - a means of exploiting a computer or network vulnerability;
  - Vulnerability - a weakness in a system allowing unauthorized action;
  - Unauthorized Result - an unauthorized consequence of an event;
- Incident - a group of attacks that can be distinguished from other attacks because of the distinctiveness of the attackers, attacks, objectives, sites, and timing;
  - Attacker - an individual who attempts one or more attacks in order to achieve an objective;
  - Objective - the purpose or end goal of an incident.

Footnote:
8 The content in this section of the report was taken from A Common Language for Computer Security Incidents [Reference 4].
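As an added illustration (not part of this report or of the Sandia taxonomy itself), the Python below encodes the event / attack / incident structure of Section 3.2, validates action and target terms against the taxonomy's vocabulary, groups attack records into incidents by attacker and objective, and renders each incident in the "who will target what, using how, to achieve why" form of Section 2.1. All class and function names, the actor labels and the sample attack records are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Vocabularies taken from the Section 3.2 definitions of Action and Target.
ACTIONS = frozenset({"probe", "scan", "flood", "authenticate", "bypass", "spoof",
                     "read", "copy", "steal", "modify", "delete"})
LOGICAL_TARGETS = frozenset({"account", "process", "data"})
PHYSICAL_TARGETS = frozenset({"component", "computer", "network", "internetwork"})


@dataclass(frozen=True)
class Event:
    """Event: an action directed at a target. Rejects terms outside the taxonomy."""
    action: str
    target: str

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action: {self.action!r}")
        if self.target not in LOGICAL_TARGETS | PHYSICAL_TARGETS:
            raise ValueError(f"unknown target: {self.target!r}")


@dataclass(frozen=True)
class Attack:
    """Attack: a tool exploits a vulnerability, causing an event, ending in an unauthorized result."""
    attacker: str
    objective: str
    tool: str
    vulnerability: str
    event: Event
    unauthorized_result: str


@dataclass
class Incident:
    """Incident: a group of attacks sharing an attacker and an objective."""
    attacker: str
    objective: str
    attacks: list[Attack] = field(default_factory=list)

    def action_sequence(self) -> list[str]:
        return [a.event.action for a in self.attacks]

    def results(self) -> set[str]:
        return {a.unauthorized_result for a in self.attacks}


def group_into_incidents(attacks: list[Attack]) -> list[Incident]:
    """Group attacks into incidents by (attacker, objective). The taxonomy also
    distinguishes incidents by site and timing; this simplified model omits those."""
    incidents: dict[tuple[str, str], Incident] = {}
    for a in attacks:
        key = (a.attacker, a.objective)
        incidents.setdefault(key, Incident(a.attacker, a.objective)).attacks.append(a)
    return list(incidents.values())


def who_what_how_why(incident: Incident) -> dict:
    """Render an incident in the Section 2.1 form: who targets what, using how, to achieve why."""
    return {
        "who": incident.attacker,
        "what": [a.event.target for a in incident.attacks],
        "how": [f"{a.tool} via {a.vulnerability} ({a.event.action})" for a in incident.attacks],
        "why": incident.objective,
    }


# Constructed sample (hypothetical actor names and tools): three attacks by one attacker
# toward a single objective, plus one unrelated probe by a second attacker.
SAMPLE_ATTACKS = [
    Attack("actor-A", "financial gain", "port scanner", "exposed service",
           Event("scan", "network"), "increased access"),
    Attack("actor-A", "financial gain", "exploit script", "unpatched flaw",
           Event("bypass", "process"), "increased access"),
    Attack("actor-A", "financial gain", "file transfer utility", "weak permissions",
           Event("copy", "data"), "disclosure of information"),
    Attack("actor-B", "curiosity", "ping sweep", "reachable host",
           Event("probe", "computer"), "increased access"),
]


def summarize(attacks: list[Attack] = SAMPLE_ATTACKS) -> list[dict]:
    """One row per incident: who/what/how/why plus its action sequence and unauthorized results."""
    rows = []
    for inc in group_into_incidents(attacks):
        row = who_what_how_why(inc)
        row["actions"] = inc.action_sequence()
        row["results"] = sorted(inc.results())
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(row)
```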

Figure 3 - Common Language Security Incident Taxonomy (footnote 9)

Footnote 9: This figure was taken directly from A Common Language for Computer Security Incidents [Reference 4].

3.3 Threat Analysis Framework

The Threat Analysis Framework is discussed both in Threat Analysis Framework [Reference 5] and in Categorizing Threat: Building and Using a Generic Threat Matrix [Reference 6]. These papers describe a framework that identifies the elements needed to identify and characterize a threat and to mitigate its effects. The Threat Analysis Framework, which is illustrated in Figure 4, provides the threat information that asset owners need in order to position their infrastructure assets for protection from adversarial attack. Specifically, five key elements are needed to perform a comprehensive analysis of threat: the identification of an adversary, the development of generic threat profiles, the identification of generic attack paths, the discovery of adversary intent, and the identification of mitigation strategies. The threat attributes and profile (Section 3.4), and the Generic Threat Matrix, are used to help identify threat characteristics. It is also worth mentioning that attack paths are used to define the adversary access points and the elements necessary to initiate, sustain, and propagate an attack.

Figure 4 - Threat Analysis Framework (footnote 10)

Footnote 10: This figure was taken from Threat Analysis Framework [Reference 5].

3.4 Threat Attributes & Profile (footnote 11)

Footnote 11: Content for this section of the report was taken from Categorizing Threat: Building and Using a Generic Threat Matrix [Reference 6].

A threat attribute is a discrete characteristic, or distinguishing property, of a threat. The combined characteristics of a threat describe the threat's willingness and ability to pursue its goal. There are two families of threat attributes: commitment attributes that describe the threat's willingness, and resource attributes that describe the threat's ability. There are the following three attributes in the commitment family:

- Intensity - The threat attribute of Intensity describes the diligence, or persevering determination, of a threat in the pursuit of its goal. This attribute also includes the passion felt by the threat for its goal. Intensity is a measure of how far a threat is willing to go and what a threat is willing to risk to accomplish its goal. Threats with higher intensity are, therefore, considered more dangerous because of their driving ambition in pursuit of a goal;
- Stealth - The threat attribute of Stealth describes the ability of the threat to maintain a necessary level of secrecy throughout the pursuit of its goal. The maintenance of secrecy may require the ability to obscure any or all details about the threat organization, including its goal, its structure, or its internal operations. A higher level of stealth allows a threat to hide its intended activities, as well as its internal structure, from the outside world. This hinders intelligence gathering and pre-emptive measures to counter, or prevent, attacks by the threat; and
- Time - The threat attribute of Time quantifies the period of time that a threat is capable of dedicating to planning, developing, and deploying methods to reach an objective. In the case of a cyber or kinetic attack, it includes any time necessary for all steps of implementation up to actual execution. The more time a threat is willing and able to commit to preparing an attack, the more potential the threat has for devastating impacts.

There are three attributes in the resource family:

- Personnel - The threat attribute of Technical Personnel quantifies the number of group members that a threat is capable of dedicating to the building and deployment of the technical capability in pursuit of its goal. Technical Personnel includes only group members with specific types of knowledge or skills, such as kinetic or cyber, and those directly involved with the actual fabrication of the group's weapons. A threat with a higher level of Technical Personnel has greater potential for innovative design and development, allowing for the possibility of new methods of reaching a goal that may not have been available in the past. In addition, a higher level of technical personnel also expedites the design and development of a threat's plans for attack;
- Knowledge - The threat attribute of Knowledge defines the threat's level of theoretical and practical proficiency and the threat's capability of employing that proficiency in pursuit of its goal. Knowledge also includes the ability of a threat to share information, acquire training in a necessary discipline, and maintain a research and development program. However, this attribute does not include any proficiency found or purchased outside the threat organization. This attribute includes knowledge pertaining to both an offensive and a defensive capability within the category. The greater the knowledge of a threat as a whole, the more capability a threat has to pursue its goal with fewer resources and in less time. Also, a threat's knowledge provides a means to differentiate between threats that are cyber-, kinetic-, or hybrid-based; and
- Access - The threat attribute of Access defines a threat's ability to place a group member within a restricted system, whether through cyber or kinetic means, in pursuit of the threat's goal. A restricted system is considered to be any system, whether cyber or physical, where access is granted based on privileges or credentials. The characteristic of Access details a threat's ability to infiltrate a restricted system, whether through a privileged group member, the blackmail and coercion of an innocent bystander, or the corruption of an under-protected network or computer system. Infiltration by a threat can lead to a wide variety of effects: the need for fewer resources to achieve an objective, the implementation of a long-term scheme of product-tampering, or an increased level of intimate knowledge of a target.

The columns of the Generic Threat Matrix, which is illustrated in Figure 5, describe possible attributes of a threat, while the rows define the capability of a threat to act upon each attribute. Threat level 1 is the most capable of achieving an objective or goal, while level 8 is the least capable.

Figure 5 - Generic Threat Matrix (footnote 12)

Footnote 12: This figure was taken directly from Categorizing Threat: Building and Using a Generic Threat Matrix [Reference 6].

3.5 Threat Assessment Methodology

Cyber Threat Metrics [Reference 3], which was also written by Sandia researchers, proposes an interesting methodology for threat assessments. This methodology, which is illustrated in Figure 6, has three inputs to the threat assessment: 1) relevant threats; 2) new threat information; and 3) catalogued threat information. The output, in the form of a threat report, serves as input into future threat assessments. This methodology builds upon the "as is" process, which lacked any explicit accommodation for feedback and learning. Specifically, the threat rankings and statements generated by analysts should serve as useful inputs in future iterations.

Figure 6 - Threat Assessment Methodology (footnote 13)

Footnote 13: This figure was taken from Cyber Threat Metrics [Reference 3].

3.6 Application to Cyber Defence

In terms of its application to cyber defence, the Generic Threat Model is definitely of interest. Specifically, the Common Language Security Incident Taxonomy provides some good definitions and a useful, well-structured taxonomy. In addition, the threat attributes and profile are useful from the perspective of determining the attacker's capabilities. The idea of combining commitment attributes (e.g., intensity, stealth, and time) with resource attributes (e.g., personnel, knowledge, and access) to characterize attackers is particularly well thought out. The resulting threat level in the Generic Threat Matrix can then be used to assess the overall level of the threat. When combined with attack paths, it can be used to assess the manner in which a threat can successfully implement an attack in a specific environment.

3.7 Gaps

The primary gap in terms of the Generic Threat Model is that it is not actually a cohesive threat model, but rather a number of related research efforts that have been grouped together for the purpose of this report; whether this was the authors' intention is unknown. For example, while there is a Sandia research paper proposing a taxonomy, the other research papers neither refer to it nor recommend another threat taxonomy be used in this capacity. As a result, while the amalgamated Generic Threat Model goes one step further than a framework, it does not provide sufficient detail, or the cohesiveness, to be considered a complete model. The other identified gap is that the Generic Threat Model is completely attacker-centric. In all likelihood it should be supplemented with an asset-centric threat model in order to increase its breadth. This concept is explored in Section

4.0 Model 2 - OCTAVE Allegro Model

4.1 Overview

OCTAVE Allegro (footnote 14), the sixth iteration of the threat assessment methodology, was released in 2007 and is based on the original OCTAVE Framework developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. This version of the model is not intended to supplant previous versions.
Rather, it is a variant that focuses specifically on information assets: how they are used, where they are stored, transported, and processed, and how they are exposed to threats, vulnerabilities, and disruptions as a result.

Footnote 14: Additional information on OCTAVE Allegro can be found at and in Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process [Reference 7].

This section of the report will examine the following:

- OCTAVE Allegro Methodology;
- Identification of Information Asset Containers;
- Identification of Threat Scenarios;
- Application to Cyber Defence; and
- Gaps.

4.2 OCTAVE Allegro Methodology (footnote 15)

Footnote 15: The content for this section of the report was taken from Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process [Reference 7].

OCTAVE Allegro consists of the following eight steps, as illustrated in Figure 7, which are organized into four phases:

- Step 1 - Establish Risk Measurement Criteria: The first step in the OCTAVE Allegro process establishes the organizational drivers that will be used to evaluate the effects of a risk to an organization's mission and business objectives;
- Step 2 - Develop Information Asset Profile: The OCTAVE Allegro methodology focuses on the information assets of the organization, and Step 2 begins the process of creating a profile for those assets. A profile is a representation of an information asset describing its unique features, qualities, characteristics, and value;
- Step 3 - Identify Information Asset Containers: Containers describe the places where information assets are stored, transported, and processed. Information assets reside not only in containers within an organization's boundaries, but also often in containers that are not in the direct control of the organization;
- Step 4 - Identify Areas of Concern: Step 4 begins the risk identification process by brainstorming about possible conditions or situations that can threaten an organization's information asset. These real-world scenarios are referred to as areas of concern and may represent threats and their corresponding undesirable outcomes. Areas of concern may characterize a threat that is unique to an organization and its operating conditions. The purpose of this step is not to capture a complete list of all possible threat scenarios for an information asset; instead, the idea is to quickly capture those situations or conditions that come immediately to the minds of the analysis team;
- Step 5 - Identify Threat Scenarios: In the first half of Step 5, the areas of concern captured in the previous step are expanded into threat scenarios that further detail the properties of a threat. But the collection of threats developed from these areas of concern does not necessarily provide a robust consideration of possible threats to an organization's information asset. Thus, in the second half of Step 5, a broad range of additional threats is considered by examining threat scenarios. A range of threat scenarios can be represented visually in a tree structure commonly referred to as a threat tree;
- Step 6 - Identify Risks: In Step 5 threats are identified, and in Step 6 the consequences to an organization if a threat is realized are captured, completing the risk picture. A threat can have multiple potential impacts on an organization;
- Step 7 - Analyze Risks: In Step 7 of this assessment, a simple quantitative measure of the extent to which the organization is impacted by a threat is computed. This relative risk score is derived by considering the extent to which the consequence of a risk impacts the organization against the relative importance of the various impact areas, and possibly the probability; and
- Step 8 - Select Mitigation Approach: In Step 8, the final step of the OCTAVE Allegro process, organizations determine which of the risks they have identified require mitigation and develop a mitigation strategy for those risks. This is accomplished by first prioritizing risks based on their relative risk score. Once risks have been prioritized, mitigation strategies are developed that consider the value of the asset and its security requirements, the containers in which it lives, and the organization's unique operating environment.
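Steps 1, 6, 7 and 8 above are tied together by the relative risk score, and the arithmetic is easy to get wrong when done by hand across many risks. The Python below is an added example written for this page; it is not code from the OCTAVE Allegro authors or from the report. It assumes a scoring scale the page does not state: impact areas are ranked 1 (least important) to N (most important), each consequence is rated low/medium/high as 1/2/3, the score is the sum of rank times rating, and an optional probability multiplies the result, as Step 7 allows. The impact areas, risks and mitigation threshold are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed rating scale (not stated on this page): low/medium/high -> 1/2/3.
IMPACT_VALUE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ImpactAreaRanking:
    """Step 1 output: impact areas ranked 1 (least) .. N (most important); assumed scale."""
    ranks: Dict[str, int]

    def __post_init__(self):
        if sorted(self.ranks.values()) != list(range(1, len(self.ranks) + 1)):
            raise ValueError("ranks must be a permutation of 1..N")


@dataclass
class Risk:
    """Step 6 output: a threat scenario against an asset, with a consequence rating per impact area."""
    asset: str
    threat_scenario: str
    consequences: Dict[str, str]          # impact area -> "low" | "medium" | "high"
    probability: Optional[float] = None   # optional likelihood factor permitted by Step 7


def relative_risk_score(risk: Risk, ranking: ImpactAreaRanking) -> float:
    """Step 7: weight each consequence by its area's rank and sum; scale by probability if given."""
    missing = set(ranking.ranks) - set(risk.consequences)
    if missing:
        raise ValueError(f"risk {risk.threat_scenario!r} lacks ratings for {sorted(missing)}")
    score = 0.0
    for area, rank in ranking.ranks.items():
        rating = risk.consequences[area]
        if rating not in IMPACT_VALUE:
            raise ValueError(f"unknown rating {rating!r} for area {area!r}")
        score += rank * IMPACT_VALUE[rating]
    if risk.probability is not None:
        if not 0.0 <= risk.probability <= 1.0:
            raise ValueError("probability must lie in [0, 1]")
        score *= risk.probability
    return score


def prioritize(risks: List[Risk], ranking: ImpactAreaRanking) -> List[Tuple[str, float]]:
    """Step 8, first half: order risks from highest to lowest relative risk score."""
    scored = [(r.threat_scenario, relative_risk_score(r, ranking)) for r in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def select_for_mitigation(risks: List[Risk], ranking: ImpactAreaRanking,
                          threshold: float) -> List[str]:
    """Step 8, second half: scenarios whose score meets the organization's mitigation threshold."""
    return [name for name, score in prioritize(risks, ranking) if score >= threshold]


# Constructed sample data (not taken from the report).
IMPACT_AREAS = ImpactAreaRanking({
    "reputation and customer confidence": 5,
    "financial": 4,
    "productivity": 3,
    "safety and health": 2,
    "fines and legal penalties": 1,
})

SAMPLE_RISKS = [
    Risk("customer database", "customer records disclosed by an external actor",
         {"reputation and customer confidence": "high", "financial": "high",
          "productivity": "low", "safety and health": "low",
          "fines and legal penalties": "high"}),
    Risk("payroll system", "payroll processing interrupted by malware",
         {"reputation and customer confidence": "low", "financial": "medium",
          "productivity": "high", "safety and health": "low",
          "fines and legal penalties": "low"}),
    Risk("backup tapes", "backup tapes lost in transit",
         {"reputation and customer confidence": "medium", "financial": "medium",
          "productivity": "low", "safety and health": "low",
          "fines and legal penalties": "medium"},
         probability=0.5),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_RISKS, IMPACT_AREAS):
        print(f"{score:5.1f}  {name}")
    print("mitigate:", select_for_mitigation(SAMPLE_RISKS, IMPACT_AREAS, threshold=20))
```

The third sample risk shows why the probability factor matters: without it the lost-tapes scenario would score the same as the payroll interruption (25), but at a 0.5 likelihood it drops to 12.5 and falls below the constructed mitigation threshold.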

Figure 7 - OCTAVE Allegro Methodology (footnote 16)

Footnote 16: This figure was taken from Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process [Reference 7].

4.3 Identification of Information Asset Containers

A container describes the places where information assets are stored, transported and processed, both within an organization's boundaries and where they are not in the direct control of the organization (e.g., service providers). A container can be a person, an object (e.g., a piece of paper, CD-ROM/DVD) or a technology (e.g., a database). However, the term container is usually used to refer to technology such as hardware, software, application systems, servers and networks. The concept of a container helps to simplify information asset management because it effectively bounds the technical environment and infrastructure that must be examined for risk. Threats and risks to information assets are determined to a large degree by the information asset's container. In other words, an information asset inherits all of the risks to its container. Consequently, security controls need to be applied at the container to protect the information asset, commensurate with the sensitivity of the information asset and the threats/risks to the container. For example, to protect a database on a server, a series of controls is applied, such as restricting access to the server room to authorized personnel and limiting network access to the database to authorized individuals.

4.4 Identification of Threat Scenarios (footnote 17)

Footnote 17: The content for this section of the report was taken from Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process [Reference 7].

OCTAVE Allegro defines a threat scenario as a situation in which an information asset can be compromised. It generally consists of an actor, a motive, a means (access), and an undesired outcome. Threat scenarios are simplified ways to determine whether a risk exists that could affect an information asset. An actor is who or what may violate the security requirements (confidentiality, integrity, availability) of an asset. A motive is the intent of an actor (e.g., deliberate or accidental). A means is how the asset is accessed by an actor (e.g., technical means, physical means). An outcome is the immediate result (disclosure, modification, destruction, loss, interruption) of violating the security requirements of an asset. A threat tree is used to represent these threat scenarios visually.

4.5 Application to Cyber Defence

In terms of its application to cyber defence, OCTAVE Allegro has some aspects that are of interest. It is worth noting that the model is focussed on information assets, and specifically on how information assets are used, where they are stored, transported, and processed, and how they are exposed to threats, vulnerabilities, and disruptions as a result. While OCTAVE Allegro is directly applicable to cyber defence, it takes a slightly different approach by focussing on the information asset rather than on the attacker. Specifically, an organization's important assets are identified and assessed based on the information assets to which they are connected. Of particular interest is the concept of asset containers, which can be defined as the places where information assets are stored, transported, and processed.

4.6 Gaps

The gaps that come to mind when assessing OCTAVE Allegro have less to do with the model itself, and more to do with the perceived limitations of an asset-centric threat model. Specifically, Step 5, Identify Threat Scenarios, seems rather vague given the detailed threat characteristics and TTPs that attacker-centric threat models propose. An asset-centric threat model needs to be supplemented with an attacker-centric threat model in order to cover all aspects. This concept is explored in Section

5.2 Adversary

The adversary, as illustrated in Figure 9, has the following characteristics:

- Type - This category identifies the various types of cyber attackers. The adversary type was taken directly from the MACE Taxonomy (C.7 MACE Taxonomy). However, it was supplemented with the concept of insider/outsider collusion, which was taken from the NNSA Threat Characterization (B.2 NNSA Threat Characterization);
- Motivation - Motivation is an important indicator of both level of malevolence and likelihood of attempt. The adversary motivation was divided into hostile and non-hostile motivations. This concept was taken from the Intel TAL (C.6 Intel Threat Agent Library (TAL)). The list of hostile motivations was taken from the NNSA Threat Characterization (B.2 NNSA Threat Characterization), while the list of non-hostile motivations was taken from the Taxonomy of Operational Cyber Security Risks (C.11 Taxonomy of Operational Cyber Security Risks);
- Commitment - The adversary commitment, which was taken directly from the Generic Threat Model (Section 3.4), is used to describe the threat's willingness. However, it was influenced by the adversary advantages described in the NNSA Threat Characterization (B.2 NNSA Threat Characterization); and
- Resources - The adversary resources, which were taken directly from the Generic Threat Model (Section 3.4), are used to describe the threat's ability. However, they were influenced by the adversary advantages described in the NNSA Threat Characterization (B.2 NNSA Threat Characterization).

6.0 Conclusion & Recommendations

This report evaluated the state-of-the-art not only in cyber threat models and frameworks, but in threat characterization efforts and taxonomies as well. While each of these threat references had a different perspective, two models were selected for additional investigation: the Generic Threat Model and OCTAVE Allegro. The Generic Threat Model consisted, at least in this report, of the amalgamation of a number of independent threat research initiatives at the Sandia National Laboratories. This attacker-centric threat model provided some good content but lacked the cohesiveness of a formal model. Asset-centric threat models, including OCTAVE Allegro developed by SEI at Carnegie Mellon University, lack the detailed threat characteristics and TTPs that attacker-centric threat models propose. Consequently, it was decided to combine the best elements of the threat characterization references identified in the report, including those from the Generic Threat Model and OCTAVE Allegro, as an initial step towards developing a threat characterization framework.

The lack of effort that has been expended developing cohesive and complete cyber threat models, and specifically cyber threat models combining attacker-centric and asset-centric perspectives, is somewhat surprising. Consequently, there is little point in spending additional time researching existing models that could be employed in this capacity. Instead, it is the recommendation of this report that DRDC should focus on developing, initially, its own cyber threat characterization framework, and ultimately, its own cyber threat model.

7.0 References

[Reference 1] A. Magar, Soltra Edge Open Cyber Intelligence Platform, DRDC, March. Available at: (Date of Access: 27 March 2016);
[Reference 2] NIST Revision 1 Guide for Conducting Risk Assessments, NIST, September. Available at: (Date of Access: 27 March 2016);
[Reference 3] M. Mateski et al., Cyber Threat Metrics, Sandia National Laboratories, March. Available at: (Date of Access: 27 March 2016);
[Reference 4] J.D. Howard and T.A. Longstaff, A Common Language for Computer Security Incidents, Sandia National Laboratories, October. Available at: (Date of Access: 27 March 2016);
[Reference 5] D.P. Duggan and J.T. Michalski, Threat Analysis Framework, Sandia National Laboratories, September. Available at: Analysis_Framework.pdf (Date of Access: 27 March 2016);
[Reference 6] D. Duggan et al., Categorizing Threat: Building and Using a Generic Threat Matrix, Sandia National Laboratories, September. Available at: Categorizing_Threat.pdf (Date of Access: 27 March 2016);
[Reference 7] R. Caralli et al., Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process, Software Engineering Institute, May. Available at: 01_14885.pdf (Date of Access: 27 March 2016);
[Reference 8] System Concept of Operations (CONOPS) for the Automated Computer Network Defence (ARMOUR) Technology Demonstration (TD) Contract, General Dynamics Canada, DRDC-RDDC-2014-C78, Mar. Available at: 28&r=0 (Date of Access: 27 March 2016);
[Reference 9] Architectural Design Document for the Automated Computer Network Defence (ARMOUR) Technology Demonstration (TD) Contract, General Dynamics Canada, DRDC-RDDC-2014-C73, Mar. Available at: 27&r=0 (Date of Access: 27 March 2016);
[Reference 10] Automated Computer Network Defence Technology Demonstration Project Detailed Design Document, General Dynamics, 21 October 2015;
[Reference 11] C. Simmons et al., AVOIDIT: A Cyber Attack Taxonomy, Department of Computer Science, University of Memphis. Available at: Mag.pdf (Date of Access: 27 March 2016);
[Reference 12] S.D. Applegate and A. Stavrou, Towards a Cyber Conflict Taxonomy, Center for Secure Information Systems, George Mason University. Available at: (Date of Access: 27 March 2016);
[Reference 13] Resilient Military Systems and the Advanced Cyber Threat, DSB, DoD, October. Available at: eat.pdf (Date of Access: 27 March 2016);
[Reference 14] T. Casey, Threat Agent Library Helps Identify Information Security Risks, Intel, February. Available at: (Date of Access: 27 March 2016);
[Reference 15] M. Bernier, Military Activities and Cyber Effects (MACE) Taxonomy, DRDC, December 2013;
[Reference 16] R. Koch, M. Golling, and G.D. Rodosek, A Revised Attack Taxonomy for a New Generation of Smart Attacks, Faculty of Computer Science, Bundeswehr University Munich. Available at: (Date of Access: 27 March 2016);
[Reference 17] J. Mirkovic, J. Martin, and P. Reiher, A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms, Computer Science Department, University of California. Available at: f (Date of Access: 27 March 2016);
[Reference 18] A. Chakrabarti and G. Manimaran, Internet Infrastructure Security: A Taxonomy, Iowa State University. Available at: pdf (Date of Access: 27 March 2016);
[Reference 19] J. Cebula and L. Young, A Taxonomy of Operational Cyber Security Risks, Software Engineering Institute, December. Available at: (Date of Access: 27 March 2016);
[Reference 20] X. Ou and A. Singhal, Quantitative Security Risk Assessment of Enterprise Networks, Springer. Available at: SpringerBriefs/dp/ (Date of Access: 27 March 2016);
[Reference 21] E. Hutchins, M. Cloppert, and R. Amin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin Corporation. Available at: ocuments/lm-white-paper-intel-driven-defense.pdf (Date of Access: 27 March 2016);
[Reference 22] J. Espenschied and A. Gunn, Threat Genomics, Microsoft Trustworthy Computing (TwC). Available at: Genomics-Espenschied-Gunn-2012.pdf (Date of Access: 27 March 2016);
[Reference 23] D. Bodeau, R. Graubart, and J. Greene, Improving Cyber Security and Mission Assurance via Cyber Preparedness (Cyber Prep) Levels, Mitre. Available at: (Date of Access: 27 March 2016);
[Reference 24] Harmonized TRA Methodology, CSE/RCMP, October 23. Available at: (Date of Access: 27 March 2016);
[Reference 25] A. Wang, M. Xia, and F. Zhang, Metrics for Information Security Vulnerabilities, Southern Polytechnic State University. Available at: (Date of Access: 27 March 2016);
[Reference 26] C. McCarthy, Characterization of Potential Security Threats in Modern Automobiles, NHTSA, October. Available at: al%20publications/2014/812074_characterization_potentialthreatsautos(1).pdf (Date of Access: 27 March 2016);
[Reference 27] P. Saitta, B. Larcom, and M. Eddington, Trike v.1 Methodology Document, July 13. Available at: cument-draft.pdf (Date of Access: 27 March 2016); and
[Reference 28] Verizon 2012 Data Breach Investigations Report, Verizon. Available at: Data-Breach-Report-2012.pdf (Date of Access: 27 March 2016).

8.0 Acronyms & Abbreviations

AC - Access Complexity
AC - Availability Impact
APT - Advanced Persistent Threat
ASF - Application Security Framework
Au - Authentication
AV - Access Vector
AVOIDIT - Attack Vector, Operational Impact, Defence, Information impact, and Target
C2 - Command & Control
CAF - Canadian Armed Forces
CAPEC - Common Attack Pattern Enumeration and Classification
CC - Confidentiality Impact
CDMR - Cyber Decision Making and Response
CND - Computer Network Defence
CORA - Centre for Operational Research and Analysis
CSE - Communications Security Establishment
CTM&M - Cyber Threat Models & Methodologies
CVSS - Common Vulnerability Scoring System
DND - Department of National Defence
DDoS - Distributed Denial of Service
DMZ - De-Militarized Zone
DNS - Domain Name System
DoD - Department of Defense
DoS - Denial of Service
DRDC - Defence Research & Development Canada
DREAD - Damage potential, Reproducibility, Exploitability, Discoverability
DSB - Defense Science Board
FTP - File Transfer Protocol
GC - Government of Canada
HTTP - HyperText Transfer Protocol
IC - Integrity Impact
IE - Internet Explorer
IP - Internet Protocol
MACE - Military Activities and Cyber Effects
NHTSA - National Highway Traffic Safety Administration
NIST - National Institute of Standards and Technology
NNSA - National Nuclear Security Administration
OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation
OWASP - Open Web Application Security Project
PDF - Portable Document Format
R&D - Research & Development
RAMCAP - Risk Analysis and Management for Critical Asset Protection
RCMP - Royal Canadian Mounted Police
S&T - Science & Technology
SEI - Software Engineering Institute
SLA - Service Level Agreement
SSH - Secure Shell
STRIDE - Spoofing identity, Repudiation, Information disclosure, DoS, Elevation of Privilege
TAL - Threat Agent Library
TD - Technology Demonstrator
TRA - Threat and Risk Assessment
TTP - Tactics, Techniques, and Procedures
TwC - Trustworthy Computing
UML - Unified Modeling Language
USB - Universal Serial Bus

Annex A - ARMOUR (footnotes 18, 19)

Footnote 18: Additional information on ARMOUR can be found in the following references: ARMOUR System Concept of Operations (CONOPS) [Reference 8]; ARMOUR Architectural Design Document [Reference 9]; and ARMOUR Detailed Design [Reference 10].

Footnote 19: The content for this section of the report was taken from ARMOUR System Concept of Operations (CONOPS) [Reference 8].

The ARMOUR Technology Demonstrator (TD) is intended to create and demonstrate an integrated system that will substantially improve the security of DND networks by providing an Automated Computer Network Defence (CND) capability. The system will provide the ability to pre-empt attacks and offer a planning capability to ensure networks are securely designed, even before they are procured. ARMOUR will integrate individual CND solutions that gather and analyze infrastructure, non-infrastructure, security and operational data regarding the network's current security posture, and automate the resolution of identified vulnerabilities/risks. Where existing capabilities are insufficient or entirely non-existent, ARMOUR will initiate new, or leverage existing, Research and Development (R&D) efforts to develop a solution that meets the business objectives.

Initially, network information is captured using deployed tools and operational impact is entered into the system. This information is correlated and abstracted into sets of useful data. The data is analyzed to determine the relative operational importance of hosts and software. The data is combined with rules describing attack techniques to compute all possible attack paths (given the rules and data) in the network. The potential attacks are chained together and stored in a graph data structure giving the pre-conditions and post-conditions for each attack step. The network's exposure to threats is measured with quantitative metrics, thus minimizing operator subjectivity and training requirements. Optimal courses of action are generated and prioritized based on the return on investment. The goal is to minimize the ability of an attack to progress through the network by maximally denying assets the attack is likely to depend on (e.g., through removal or reconfiguration), thereby maximizing network security. Each course of action is composed of a combination of actions that together decrease the attack capability against the network. Courses of action include one or more specific actions, for example, the application of a patch or upgrade, reconfiguration of connectivity, activating or deactivating a host service, or altering host configuration settings. The courses of action are implemented either in a semi-automated (man-in-the-loop) fashion, where the operator selects the course of action to implement, or in a fully-automated fashion, where courses of action are automatically effectuated up to a set threshold of investment in mitigation actions. In the fully-automated case, operators are notified of actions taken, but no manual intervention is required by the ARMOUR operator.
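The processing chain described above (network facts plus attack rules, chained into a graph of pre- and post-conditions, an exposure metric, and courses of action ranked by return on investment) can be sketched in a few dozen lines, which makes the dependencies between those stages concrete. The Python below is an added example written for this page; it is not ARMOUR code and does not reproduce ARMOUR's rules, metrics or data formats. The network facts, attack rules, host importance weights, courses of action and their costs are constructed sample data, and the exposure metric used here (the summed operational importance of every host the attacker can gain access to) is an assumed simplification of the quantitative metrics the text mentions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AttackRule:
    """One attack step: if every pre-condition holds, the post-conditions become true."""
    name: str
    pre: FrozenSet[str]
    post: FrozenSet[str]


@dataclass(frozen=True)
class CourseOfAction:
    """A mitigation that denies the attacker certain facts (a patch, a firewall change, ...)."""
    name: str
    removes: FrozenSet[str]
    cost: float


def compute_attack_graph(facts: Iterable[str], rules: Iterable[AttackRule]
                         ) -> Tuple[Set[str], List[Tuple[str, FrozenSet[str], FrozenSet[str]]]]:
    """Forward-chain rules over facts until no rule yields anything new.

    Returns the closure (every fact the attacker can establish) and the graph edges,
    one (rule name, pre-conditions, post-conditions) triple per applied attack step."""
    known: Set[str] = set(facts)
    edges: List[Tuple[str, FrozenSet[str], FrozenSet[str]]] = []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.pre <= known and not rule.post <= known:
                known |= rule.post
                edges.append((rule.name, rule.pre, rule.post))
                changed = True
    return known, edges


def exposure(facts: Set[str], rules: Iterable[AttackRule], importance: Dict[str, int]) -> int:
    """Assumed metric: operational importance of every host the attacker can gain access to."""
    known, _ = compute_attack_graph(facts, rules)
    return sum(w for host, w in importance.items() if f"access:{host}" in known)


def rank_courses_of_action(facts: Set[str], rules, importance: Dict[str, int],
                           options: Iterable[CourseOfAction]) -> List[Tuple[str, int, float]]:
    """Score each option by exposure reduction and by reduction per unit cost (return on investment)."""
    baseline = exposure(facts, rules, importance)
    ranked = []
    for coa in options:
        reduction = baseline - exposure(set(facts) - coa.removes, rules, importance)
        ranked.append((coa.name, reduction, reduction / coa.cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def select_within_budget(facts: Set[str], rules, importance: Dict[str, int],
                         options: Iterable[CourseOfAction], budget: float) -> List[str]:
    """Fully-automated mode: apply the best-ROI affordable action until the budget is spent or
    nothing left reduces exposure. Exposure is recomputed after each step because an earlier
    action can make a later one worthless (e.g. the path it blocked is already cut)."""
    remaining = {c.name: c for c in options}
    current = set(facts)
    chosen: List[str] = []
    while True:
        affordable = [c for c in remaining.values() if c.cost <= budget]
        if not affordable:
            break
        name, reduction, _ = rank_courses_of_action(current, rules, importance, affordable)[0]
        if reduction <= 0:
            break
        coa = remaining.pop(name)
        budget -= coa.cost
        current -= coa.removes
        chosen.append(name)
    return chosen


# Constructed sample network (not from the report): the attacker's starting position plus
# reachability and weakness facts that the attack rules consume.
NETWORK_FACTS = {
    "access:internet",
    "reach:internet->web", "reach:web->app", "reach:app->db",
    "weak:web:unpatched-service", "weak:app:unpatched-service", "weak:db:default-credentials",
}
ATTACK_RULES = [
    AttackRule("compromise web", frozenset({"access:internet", "reach:internet->web",
                                            "weak:web:unpatched-service"}), frozenset({"access:web"})),
    AttackRule("compromise app", frozenset({"access:web", "reach:web->app",
                                            "weak:app:unpatched-service"}), frozenset({"access:app"})),
    AttackRule("log in to db", frozenset({"access:app", "reach:app->db",
                                          "weak:db:default-credentials"}), frozenset({"access:db"})),
]
IMPORTANCE = {"web": 2, "app": 3, "db": 10}   # constructed operational importance weights
OPTIONS = [
    CourseOfAction("patch web service", frozenset({"weak:web:unpatched-service"}), cost=1.0),
    CourseOfAction("patch app service", frozenset({"weak:app:unpatched-service"}), cost=1.0),
    CourseOfAction("change db credentials", frozenset({"weak:db:default-credentials"}), cost=2.0),
    CourseOfAction("block web->app", frozenset({"reach:web->app"}), cost=3.0),
]

if __name__ == "__main__":
    print("exposure:", exposure(NETWORK_FACTS, ATTACK_RULES, IMPORTANCE))
    for name, reduction, roi in rank_courses_of_action(NETWORK_FACTS, ATTACK_RULES, IMPORTANCE, OPTIONS):
        print(f"{roi:6.2f} {reduction:3d}  {name}")
    print("auto-applied:", select_within_budget(NETWORK_FACTS, ATTACK_RULES, IMPORTANCE, OPTIONS, budget=4.0))
```

Two points the example makes visible: blocking the web-to-app hop and patching the app service deny the attacker the same assets, but differ in return on investment because of cost; and once the cheapest action has cut the only entry path, every remaining option shows zero reduction, so the automated loop stops without spending the rest of its budget.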

Annex B - Threat Characterization

The purpose of threat characterization is to gain an understanding of, and an ability to anticipate, an adversary in order to build improved threat models. This section will examine the following threat characterization efforts:

- Cyber Adversary Characterization; and
- National Nuclear Security Administration (NNSA) Threat Characterization.

B.1 Cyber Adversary Characterization

Cyber Adversary Characterization was a session of presentations (footnote 20) given at the Black Hat conference. One of the presentations, entitled Threat Assessment and Cyberterrorism, covers some familiar concepts but attempts to list threat techniques of interest, as follows:

- Direct Penetration - Workstation;
- Direct Penetration - Server;
- Direct Penetration - Infrastructure Component;
- Indirect Penetration - Workstation;
- Indirect Penetration - Server;
- Indirect Penetration - Infrastructure Component;
- Customized Penetration Tool;
- Insider Placement;
- Insider Recruitment;
- Malicious Code - Direct;
- Malicious Code - Indirect;
- Denial of Service;
- Distributed Denial of Service;
- Directed Energy;
- Interception/Sniffing;
- Spoofing/Masquerading;
- Substitution/Modification; and
- Diversion.

Footnote 20: Content from this section of the report was taken from

B.2 NNSA Threat Characterization

The NNSA has attempted to characterize threat (footnote 21) primarily in terms of the following:

- Types of Adversaries - The types of adversaries have been divided into the following three types:
  o Insiders - Any individual with authorized access to nuclear facilities or transport who might attempt unauthorized removal or sabotage, or who could aid outsiders to do so. Within this threat characterization, insiders can be internally motivated or externally coerced. Furthermore, insiders can be passive or active, and those that are active can be either non-violent or violent;
  o Outsiders - For this threat characterization there are three types of outsiders: terrorists, criminals, and anti-nuclear extremists;
  o Insider/Outsider Collusion - This type of adversary combines an insider's knowledge and access with outside resources and skills;
- Motivation - According to the threat characterization, motivation is an important indicator of both level of malevolence and likelihood of attempt. Motivations provided include the following:
  o Ideological - fanatical conviction;
  o Financial - wants/needs money;
  o Revenge - disgruntled employee or customer;
  o Ego - "look what I am smart enough to do";
  o Psychotic - mentally unstable but capable;
  o Coercion - family or self threatened; and
- Tactics - Insiders have a number of secondary advantages including time, tools, tests, and collusion. However, their primary advantages include access, knowledge, and authority. Outsiders are forced to resort to deceit, force, or stealth.

Footnote 21: The information for this section of the report was taken from a presentation; unfortunately, additional detail, including the goal of the research, was not provided in the presentation.

Annex C - Threat Taxonomies/Libraries

Taxonomies are simply efforts to classify information. Classifying threats using a taxonomy allows for a better understanding of attacks. Most taxonomies are attacker-centric in that they categorize attacks from the perspective of an attacker's tools, motivations and objectives. However, there have been efforts to develop defence-centric taxonomies based on how an attack manifests itself in the target system, or even taxonomies focussed on the actors involved. Similar to threat taxonomies are attack libraries. The threat taxonomies and libraries examined in this section include the following:

- AVOIDIT Cyber Attack Taxonomy;
- Common Attack Pattern Enumeration and Classification (CAPEC);
- CNI Cyber Taxonomy;
- Cyber Conflict Taxonomy;
- DSB Cyber Threat Taxonomy;
- Intel Threat Agent Library;
- MACE Taxonomy;
- Revised Attack Taxonomy;
- Taxonomy of DDoS Attacks;
- Taxonomy of Internet Infrastructure Attacks; and
- Taxonomy of Operational Cyber Security Risks.

C.1 AVOIDIT Cyber Attack Taxonomy

The Attack Vector, Operational Impact, Defence, Information Impact, and Target (AVOIDIT) cyber attack taxonomy [22] was developed by a number of researchers within the Department of Computer Science at the University of Memphis. The taxonomy was developed in part as a means to classify blended attacks by providing the ability to label the various vulnerabilities of an attack in a tree-like structure. The intent is that AVOIDIT can be used to provide useful information to the network administrator by providing a means to classify the vulnerabilities that lead to cyber attacks, together with methods to mitigate and remediate those vulnerabilities in order to alleviate the impact of a successful exploitation. As can be seen in Figure 14, AVOIDIT uses the following five classifiers to characterize the nature of an attack:

[22] The content from this section of the report was taken from AVOIDIT: A Cyber Attack Taxonomy [Reference 11].

- Classification by Attack Vector - An attack vector is defined as a path by which an attacker can gain access to a host;
- Classification by Attack Target - Various attacks target a variety of hosts, leaving the defender unknowingly susceptible to the next attack;
- Classification by Operational Impact - Classification by Operational Impact involves the ability of an attack to culminate in and provide high-level information known by security experts, as well as those less familiar with cyber attacks;
- Classification by Informational Impact - An attack on a targeted system has the potential to impact sensitive information in various ways; and
- Classification by Defence - This classification extends previous attack taxonomy research to include a defense classification, highlighting several strategies a defender can employ to remain vigilant in defending against pre- and post-attacks.

Figure 14 - AVOIDIT Cyber Attack Taxonomy [23]

C.2 CAPEC

MITRE's CAPEC [24] is a dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses. The attack patterns can be viewed either by mechanism of attack or by domain of attack.

The mechanisms of attack view organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system; they do not represent the consequences or goals of the attacks. Specifically, this view consists of the following:

- Gather Information;
- Deplete Resources;
- Injection;
- Deceptive Interactions;
- Manipulate Timing and State;
- Abuse of Functionality;
- Probabilistic Techniques;
- Exploitation of Authentication;
- Exploitation of Authorization;
- Manipulate Data Structures;
- Manipulate Resources;
- Analyze Target;
- Gain Physical Access;
- Execute Code;
- Alter System Components; and
- Manipulate System Users.

The domains of attack view organizes attack patterns hierarchically based on the attack domain. Specifically, this view consists of the following:

- Social Engineering;
- Supply Chain;
- Communications;
- Software;
- Physical Security; and
- Hardware.

C.3 CNI Cyber Taxonomy

The CNI taxonomy was developed by the CAF intelligence community for use in their internal production tracking system. A work in progress, the taxonomy was developed using examples from existing literature (e.g., the MACE taxonomy of Section C.7) supplemented by the personal experience and knowledge of the author.

[23] This figure was taken directly from AVOIDIT: A Cyber Attack Taxonomy [Reference 11].
[24] Content from this section of the report was taken from

Figure 15 - CNI Cyber Taxonomy

C.4 Cyber Conflict Taxonomy

The Cyber Conflict Taxonomy [25], which is illustrated in Figure 16, was authored by two researchers at the Center for Secure Information Systems at George Mason University. The objective of this taxonomy is to describe cyber conflict events and the actors involved in them in a manner that is useful to security practitioners and researchers working in the domain of cyber operations.

The taxonomy is divided into categories and subjects. Categories are the taxonomic classifications that are applied to subjects and are further subdivided into subcategories. Subjects represent the real world events classified as cyber conflict and the real world entities, such as individuals, groups or governments, that participate in these events. Subjects of the taxonomy are entered as either Events or Entities and are then categorized using the categories and subcategories of Actions or Actors. The Events subject heading is used to organize and list the actual, real world cyber conflict incidents which will be described in this taxonomy. The Entities subject heading is used to organize and list the actual, real world individuals, groups, organizations or governments that initiated, were targeted by, or took part in cyber conflict events. The Actions category is used to describe cyber conflict events and the characteristics of those events in a manner that is useful for researchers and operators. The Actors category classifies the entities participating in cyber conflict by type.

Figure 16 - Cyber Conflict Taxonomy [26]

[25] Content for this section of the report was taken from Towards a Cyber Conflict Taxonomy [Reference 12].
[26] This figure was taken directly from Towards a Cyber Conflict Taxonomy [Reference 12].

C.5 DSB Cyber Threat Taxonomy

The Defense Science Board (DSB) Cyber Threat Taxonomy [27], which is illustrated in Figure 17, was developed in order to help improve the resilience of Department of Defense (DoD) systems to cyber attacks. It consists of a threat hierarchy that describes the capabilities of potential attackers, organized by level of skill and breadth of available resources. Specifically, it consists of the following tiers:

- Tiers I and II - attackers primarily exploit known vulnerabilities;
- Tiers III and IV - attackers are better funded and have a level of expertise and sophistication sufficient to discover new vulnerabilities in systems and to exploit them; and
- Tiers V and VI - attackers can invest large amounts of money (billions) and time (years) to actually create vulnerabilities in systems, including systems that are otherwise strongly protected.

Higher-tier competitors will use all capabilities available to them to attack a system, but will usually try lower-tier exploits first before exposing their most advanced capabilities. Tier V and VI level capabilities are today limited to just a few countries, such as the United States, China and Russia. It is worth mentioning that an Existential Cyber Attack is defined as an attack that is capable of causing sufficient wide-scale damage for the government potentially to lose control of the country, including loss of or damage to significant portions of military and critical infrastructure: power generation, communications, fuel and transportation, emergency services, financial services, etc.

Figure 17 - DSB Cyber Threat Taxonomy [28]

[27] Content for this section of the report was taken from Resilient Military Systems and the Advanced Cyber Threat [Reference 13].
[28] This figure was taken directly from Resilient Military Systems and the Advanced Cyber Threat [Reference 13].

C.6 Intel Threat Agent Library (TAL)

Intel developed a threat agent library (TAL) [29], illustrated in Table 1, that provides a reference for describing the human agents that pose threats to IT systems and other information assets. The library is designed to overcome the lack of standard threat agent definitions and the problem that threat information is often fragmented and sensationalized. The following eight attributes are used to define each threat agent uniquely:

- Intent - This defines whether the agent intends to cause harm. Agents fall into two categories depending on their intent:
  o Hostile: The agent starts with the intent to harm or inappropriately use Intel assets, and the agent takes deliberate actions to achieve that result;
  o Non-Hostile: The agent is friendly and intends to protect Intel assets, but accidentally or mistakenly takes actions that result in harm;
- Access - This defines the extent of the agent's access to the company's assets;
- Outcome - This usually defines the agent's primary goal, i.e., what the agent hopes to accomplish with a typical attack. However, with non-hostile agents, such as an untrained employee, the outcome may be unintentional;
- Limits - These are the legal and ethical limits that may constrain the agent. This characteristic also defines the extent to which the agent may be prepared to break the law;
- Resources - This defines the organizational level at which an agent typically works, which in turn determines the resources available to that agent for use in an attack;
- Skills - The special training or expertise an agent typically possesses;
- Objective - The action that the agent intends to take in order to achieve a desired outcome; and
- Visibility - The extent to which the agent intends to conceal or reveal his or her identity.

[29] Content for this section of the report was taken from Threat Agent Library Helps Identify Information Security Risks [Reference 14].

Table 1 - Threat Agent Library [30]

C.7 MACE Taxonomy [31]

The MACE taxonomy, which is illustrated in Figure 18, was originally developed as the foundation for the modeling, simulation and experimentation of cyber attacks and the effects they can produce, but was then expanded to describe the linkages to military activities and their desired effects. The taxonomy classifies cyber attacks based on the level of access required to launch the attack, the cyber effects the attack can produce and the military activities it can be used for. It consists of six main categories which together can provide the underlying structure for the development of a threat model. The six categories consist of the following:

- Attack Types: This category covers the most significant types of cyber attacks. This report does not attempt to provide a complete, comprehensive list, as new malicious computer programs (malware) are created on a daily basis, but instead concentrates more broadly on the cyber attacks that have been observed in large computer networks;
- Levels of Access: This category describes the different levels of access to the targeted system or network that attackers may require in order to launch a type of attack. The level of access determines the restrictions on, and the privileges of, what an attacker can do at the various levels;
- Attack Vectors: This category includes the methods and tools used to infiltrate computers and install malicious software. The delivery methods require some level of effort from the attacker in order to launch the attack, while the delivery tools often do not require as much effort, as they can spread to and infect other computers autonomously;
- Adversary Types: This category identifies the various types of cyber attackers. The types are differentiated using a combination of skill level, maliciousness, motivation, and method used;
- Cyber Effects: This category describes the effects that can be produced in the cyber environment by employing the various cyber attacks. Each effect can affect the targeted systems themselves or the information that resides within them; and
- Military Activities: This category includes the military effects that can be produced in the cyber environment. It lends the military context and language to this taxonomy, which enables a common understanding between defence departments and other government departments.

The MACE taxonomy remains a work in progress. Specifically, the Attack Types category requires additional thought, as the current incarnation is more of a list of attacks than an attempt to categorize them. In addition, the attack vectors may need to be expanded.

[30] This table was taken directly from Threat Agent Library Helps Identify Information Security Risks [Reference 14].
[31] The content for this section of the report was taken from Military Activities and Cyber Effects (MACE) Taxonomy [Reference 15].

C.8 Revised Attack Taxonomy

optimization for the target, security mechanisms like (next generation) firewalls, IDPSs and antivirus programs are ineffective;
- ISO/OSI Layer - Typically, attacks on the application layer are the most dangerous (e.g., when executed over encrypted connections, most IDPSs are not able to inspect the traffic), while attacks on the network layer are comparatively easier to detect;
- Target Type - If it is enough to hack an auxiliary device (e.g., a switch) instead of the actual target system, the attack may be even harder to detect. This is reflected in rating the auxiliary targets higher than the end devices;
- Location of Attack Subject - The initial position of an attacker with respect to the system under consideration depends on (i) the physical position of the attacker and (ii) the initial access level (credentials) of the attacker for the system. The corresponding threat matrix expresses the degree of exposure of the respective combinations;
- Type of Object Location - The target can be connected to a reachable network (wired or wireless) or isolated. In the latter case, the system may be reached by mobile storage devices or by even more sophisticated techniques to bridge the air gap;
- Attacked Domain - The attacked domain can have a major influence on the severity of an attack. On the technical level, detection possibilities are given by the installation of security systems or by the risk of noticeable system malfunctions during an attack (e.g., triggered by a faulty exploit). By contrast, shortcomings on the organisational level can be even harder to detect. For example, insufficient measures for the safe disposal of confidential documents can result in divulging important information. Regarding the human source, effective and unremarkable social engineering can be done. Lastly, a combination of careful information searches in the different domains can be used to achieve an objective without attracting attention at all;
- Feedback - Feedback relates to the controllability of an attack by the originator;
- Attack Execution Initial Conditions - Enabling an attack only if a specific event happens represents a serious danger. In that case, it can stay hidden most of the time, limiting the detection possibilities. This is also possible by activating malware only after a specific period or at a specific point in time; however, the target may then not be in the desired state for the attack, or may not have the wanted information, lowering the possibility of successfully executing the attack. Activation on request makes it possible to stay hidden, but also opens up the possibility that the attack will not be activated if the attacker cannot reach the system;
- Impact Type - An attack can be active or passive, e.g., using exploits to penetrate a system or only sniffing on the wire. Of course, passive techniques are typically much harder to detect; therefore they are rated more dangerous than active ones;
- Attack Automation - A semi-automated attack can be very dangerous, combining efficiency with the possibility to react and interact. Manual attacks can be controlled in depth, but typically are much slower, while automated attacks could be error-prone (e.g., locking the system while executing an exploit);
- Attack(ed) Entities - With an increasing number of attack(ed) entities, the chances of detecting the attack normally also rise;
- Connection Quantity - Attacks can be executed over a single connection, a series of single connections over time (sequential) or by the use of parallel connections. Again, with an increasing number of connections, the detection possibilities also rise;
- Attack Depth - By affecting a network (fully or partially), an attack can resist and penetrate an environment more dangerously than by influencing only a single system;
- Attributability - The attribution of attacks is challenging. When anonymizing networks like TOR are used, identifying the source of an attack is most difficult;
- Implementation Type - Attacks can be executed against up-and-running systems, e.g., by the execution of exploits, which is the typical case. On the other hand, malicious manipulations could have been made in advance, e.g., backdoors installed in COTS products. Pre-installed manipulations can be much more dangerous, because the (possibly detectable) installation process is no longer required, and also because behaviour-based security systems can learn the initially bad behaviour of a new system as benign; and
- Attack Density - An attack can be executed over a short-term horizon, trying to execute and complete as fast as possible even with an increasing risk of detection. On the other hand, stealthy (paranoid) techniques can be used to stay as hidden as possible, spreading the attack over a long period of time.

Figure 19 - Revised Attack Taxonomy [34]

C.9 Taxonomy of DDoS Attacks

The Taxonomy of Distributed Denial of Service (DDoS) Attacks [35], which is illustrated in Figure 20, was developed by three researchers from the Computer Science Department at the University of California. It was developed in order to introduce some structure to the DDoS field by developing a taxonomy of DDoS attacks and DDoS defence systems. In this taxonomy DDoS attacks are classified by the following:

- Classification by Degree of Autonomy - During the attack preparation, the attacker needs to locate prospective agent machines and infect them with the attack code. Based on the degree of automation of the attack, the taxonomy differentiates between manual, semi-automatic and automatic DDoS attacks. Only the early DDoS attacks belonged to the manual category: the attacker scanned remote machines for vulnerabilities, broke into them and installed the attack code, and then commanded the onset of the attack. All of these actions were soon automated, leading to the development of semi-automatic DDoS attacks, the category where most contemporary attacks belong. Automatic DDoS attacks additionally automate the attack phase, thus avoiding the need for communication between attacker and agent machines;
- Classification by Exploited Vulnerability - Distributed denial-of-service attacks exploit different strategies to deny the service of the victim to its clients. Based on the vulnerability that is targeted during an attack, the taxonomy differentiates between protocol attacks and brute-force attacks. Protocol attacks exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume excess amounts of its resources. Brute-force attacks are performed by initiating a vast amount of seemingly legitimate transactions;
- Classification by Attack Rate Dynamics - Depending on the attack rate dynamics, the taxonomy differentiates between continuous rate and variable rate attacks. The majority of known attacks deploy a continuous rate mechanism: after the onset is commanded, agent machines generate the attack packets with full force. This sudden packet flood disrupts the victim's services quickly, and thus leads to attack detection. Variable rate attacks are more cautious in their engagement, and they vary the attack rate to avoid detection and response; and
- Classification by Impact - Depending on the impact of a DDoS attack on the victim, the taxonomy differentiates between disruptive and degrading attacks. The goal of disruptive attacks is to completely deny the victim's service to its clients. All currently known attacks belong to this category. The goal of degrading attacks would be to consume some (presumably constant) portion of a victim's resources.

[34] This figure was taken directly from A Revised Attack Taxonomy for a New Generation of Smart Attacks [Reference 16].
[35] Content for this section of the report was taken from A Taxonomy of DDOS Attacks and DDoS Defense Mechanisms [Reference 17].

Figure 20 - DDoS Attacks Taxonomy [36]

C.10 Taxonomy of Internet Infrastructure Attacks

The Taxonomy of Internet Infrastructure Attacks [37], which is illustrated in Figure 21, was developed by two researchers in the Dependable Computing & Network Laboratory at Iowa State University. The purpose of this taxonomy is to develop a comprehensive understanding of the security threats and existing solutions, as part of a need to develop architectures, algorithms, and protocols to realize a dependable Internet infrastructure. The taxonomy classifies Internet infrastructure attacks into the following four categories:

- DNS hacking attacks - DNS is a distributed, hierarchical global directory that translates machine/domain names to numeric Internet Protocol (IP) addresses. Due to its ability to map human-memorable names to numerical addresses, its distributed nature, and its robustness, DNS has evolved into a critical component of the Internet;
- Routing table poisoning attacks - Routing tables are used to route packets over the Internet. They are created by the exchange of routing information or updates between routers. Poisoning attacks refer to the malicious modification or poisoning of routing tables;
- Packet mistreating attacks - In this type of attack, the malicious router mishandles packets, resulting in congestion, denial of service, and so on; and
- Denial of Service (DoS) attacks - These attacks are directed at specific hosts with the intention of breaking into the system or causing denial of service.

Figure 21 - Internet Infrastructure Attacks Taxonomy [38]

C.11 Taxonomy of Operational Cyber Security Risks

Researchers at Carnegie Mellon University have developed a taxonomy of operational cyber security risks. [39] The taxonomy was developed to be used as a tool to assist in the identification of all applicable operational cyber security risks in an organization. This taxonomy, which is illustrated in Figure 22, attempts to identify and organize the sources of operational cyber security risk into four classes: 1) actions of people, 2) systems and technology failures, 3) failed internal processes, and 4) external events.

Figure 22 - Taxonomy of Operational Cyber Security Risks [40]

[36] This figure was taken from A Taxonomy of DDOS Attacks and DDoS Defense Mechanisms [Reference 17].
[37] Content from this section of the report was taken from Internet Infrastructure Security: A Taxonomy [Reference 18].
[38] This figure was taken directly from Internet Infrastructure Security: A Taxonomy [Reference 18].
[39] Content for this section of the report was taken from A Taxonomy of Operational Cyber Security Risks [Reference 19].
[40] This figure was taken from A Taxonomy of Operational Cyber Security Risks [Reference 19].

Annex D - Threat Methodologies

A methodology is a set of principles, tools and practices which can be used to guide processes to achieve a particular goal. Threat methodologies examined in this section include the following:

- Attack Graphs;
- Attack Trees;
- Cyber Kill Chain;
- Threat Genomics;
- MACE Cyber Attack Classification;
- MITRE's Cyber Prep Methodology;
- Threat Assessment Methodology; and
- Harmonized TRA Methodology.

D.1 Attack Graphs

Attack graphs are a means to depict all the ways in which an attacker can exploit vulnerabilities in order to compromise a network or system. An attack graph enumerates all of the possible sequences of exploits that attackers can use as part of their multi-step attacks. In addition to illustrating potential attacks, attack graphs provide information about relationships among network components and model how vulnerabilities may be combined for an attack. This enables security practitioners to compose individual measures of vulnerabilities, resources, and configurations into a global measure of network security.

An example of an attack graph is shown in Figure 23 for a small enterprise network, where there are three subnets mediated by an external and an internal firewall. The web server is in the De-Militarized Zone (DMZ) subnet and is directly accessible from the Internet through the external firewall. The database server is located in the Internal subnet and holds sensitive information. It is only accessible from the web server and the User subnet. The User subnet contains the user workstations used by the company's employees. The firewalls allow all out-bound traffic from the User subnet. The web server contains the vulnerability CVE in the Apache HyperText Transfer Protocol (HTTP) service, which can result in a remote attacker possibly executing arbitrary code on the machine. The database server contains the vulnerability CVE in the MySQL database service, which could allow administrator access. The user workstations contain the vulnerability CVE in Internet Explorer (IE). If a user accesses malicious content using the vulnerable IE browser, the machine may be compromised. There are two types of vertices in the attack graph. The diamond vertices represent privileges an attacker could obtain through exploiting the vulnerabilities in the system. An elliptic vertex represents an attack step that can lead to a privilege. [41]

Figure 23 - Example Scenario & Attack Graph [42]

[41] This example scenario was taken from Quantitative Security Risk Assessment of Enterprise Networks [Reference 20].
[42] This figure was taken directly from Quantitative Security Risk Assessment of Enterprise Networks [Reference 20].

D.2 Attack Trees

Attack trees, also sometimes called threat trees, are a means to characterize and analyze threats. Specifically, they are conceptual diagrams illustrating how an asset, or target, might be attacked. Typically, the goal is included as the root node, and the different ways of achieving that goal as leaf nodes. AND nodes represent different steps in achieving a goal, while OR nodes represent different ways of achieving the same goal. For example, the attack tree illustrated in Figure 24

details the manner by which a safe can be opened. Each route through the tree is referred to as an attack path. An analyst can then assess which attacks each level of threat can perform.

Figure 24 - Attack Tree [43]

D.3 Cyber Kill Chain

The Cyber Kill Chain, depicted in Figure 25, was developed by Lockheed Martin. It is a variation of the U.S. military targeting doctrine (find, fix, track, target, engage, assess) that has been adapted for use in the cyber environment. The Cyber Kill Chain has received a great deal of press due to both its simplicity and the weight of the company behind it. It is used to model both the actions of the attackers and the reactions of the defenders. Specifically, it consists of the following seven phases: [44]

- Reconnaissance - Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for addresses, social relationships, or information on specific technologies;
- Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable;
- Delivery - Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by Advanced Persistent Threat (APT) actors are attachments, websites, and Universal Serial Bus (USB) removable media;
- Exploitation - After the weapon is delivered to the victim host, exploitation triggers the intruders' code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code;
- Installation - Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment;
- Command and Control (C2) - Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders have "hands on the keyboard" access inside the target environment; and
- Actions on Objectives - Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration, which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.

Figure 25 - Cyber Kill Chain [45]

[43] This figure was taken directly from
[44] Descriptions of the seven phases of the Cyber Kill Chain were taken from Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [Reference 21].
[45] This figure was taken from
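The attack-graph scenario of Section D.1, worked through in code as an added example that is not part of the report or of Reference 20: forward chaining over a constructed model of the three-subnet network produces the privilege (diamond) and attack-step (ellipse) vertices, and the same structure is read as the AND/OR graph of Section D.2 to enumerate attack paths and to find which single patch cuts them all. Host names, firewall flows and the CVE identifiers are constructed placeholders, since the report's text does not preserve the real ones.

```python
"""Added example (not from the report or Reference 20): forward-chaining
attack-graph construction for the D.1 scenario, read as an AND/OR graph.
Hosts, flows and CVE names are constructed placeholders."""
from collections import namedtuple

# Constructed model of the three-subnet network: host -> zone.
# "internet" stands for the attacker's starting position.
HOSTS = {"internet": "Internet", "webserver": "DMZ",
         "dbserver": "Internal", "workstation": "User"}

# (source zone, destination host, service) flows the two firewalls allow.
REACHABLE = {
    ("Internet", "webserver", "http"),  # external firewall: Internet -> DMZ web
    ("DMZ", "dbserver", "mysql"),       # internal firewall: web server -> DB
    ("User", "dbserver", "mysql"),      # internal firewall: User subnet -> DB
    ("User", "internet", "web"),        # all outbound traffic from the User subnet
}

Vuln = namedtuple("Vuln", "cve host service kind grants")
# Placeholder CVE ids: the report does not preserve the real identifiers.
VULNS = [
    Vuln("CVE-PLACEHOLDER-APACHE", "webserver", "http", "remote", "user"),
    Vuln("CVE-PLACEHOLDER-MYSQL", "dbserver", "mysql", "remote", "admin"),
    Vuln("CVE-PLACEHOLDER-IE", "workstation", "web", "client", "user"),
]


def can_exploit(vuln, attacker_host):
    """AND-conditions of one elliptic vertex: the attacker already holds a
    privilege on attacker_host and the firewalls allow the needed flow."""
    if attacker_host == vuln.host:
        return False
    if vuln.kind == "remote":
        # the attacker's zone must reach the vulnerable service
        return (HOSTS[attacker_host], vuln.host, vuln.service) in REACHABLE
    # client-side bug: the victim's zone must be able to fetch content
    # from a host the attacker already controls
    return (HOSTS[vuln.host], attacker_host, vuln.service) in REACHABLE


def build_attack_graph(vulns, initial=("control", "internet")):
    """Forward-chain from the initial privilege until no new step applies.
    Returns (privileges, steps): the diamond vertices and the elliptic
    vertices (from_privilege, cve, to_privilege) of Figure 23."""
    privileges = {initial}
    steps = []
    changed = True
    while changed:
        changed = False
        for priv in sorted(privileges):
            for v in vulns:
                if not can_exploit(v, priv[1]):
                    continue
                step = (priv, v.cve, (v.grants, v.host))
                if step not in steps:
                    steps.append(step)
                if step[2] not in privileges:
                    privileges.add(step[2])
                    changed = True
    return privileges, steps


def attack_paths(steps, start=("control", "internet"), goal=("admin", "dbserver")):
    """Enumerate loop-free exploit sequences from start to goal. A privilege
    is an OR over the steps that reach it, so each distinct sequence is one
    attack path in the Section D.2 sense."""
    paths = []

    def walk(priv, path, seen):
        if priv == goal:
            paths.append(path)
            return
        for frm, cve, to in steps:
            if frm == priv and to not in seen:
                walk(to, path + [cve], seen | {to})

    walk(start, [], {start})
    return paths


def blocking_patches(vulns, goal=("admin", "dbserver")):
    """Compose the individual vulnerabilities into a global measure: which
    single patch, on its own, removes every path to the goal."""
    result = []
    for v in vulns:
        _, steps = build_attack_graph([w for w in vulns if w is not v])
        if not attack_paths(steps, goal=goal):
            result.append(v.cve)
    return result


if __name__ == "__main__":
    privs, steps = build_attack_graph(VULNS)
    print("privileges (diamonds):", sorted(privs))
    for frm, cve, to in steps:
        print(f"step (ellipse): {frm} --{cve}--> {to}")
    print("attack paths to DB admin:", attack_paths(steps))
    print("single patches that cut all paths:", blocking_patches(VULNS))
```

The two paths found (web server then database, workstation then database) are the two branches of Figure 23, and the patch analysis shows that only the MySQL fix closes both on its own.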

D.4 Threat Genomics

The threat genomics methodology 46 allows qualitative characterization and labeling of security events so that they may be normalized and correlated into a coherent whole, bridging the gap between individual signatures or detections and extended attacks involving multiple tools, targets, and modes of activity. The 10 base types used to construct a threat sequence are labels or categories into which an attacker's actions can be sorted, with sufficient precision to distinctly characterize the attack for analysis, without forcing evaluation against quantitative metrics which may be unavailable or subjectively applied. Fragments of correlated activity can be compared against known whole sequences to predict potential subsequent actions, or to investigate otherwise overlooked past activity. The threat genomics methodology, although providing largely the same functionality as the Cyber Kill Chain, differs significantly. Specifically, the threat genomics methodology expands upon the strategy of the attacker once it has achieved a foothold in the organization. The 10 base types are as follows:

1) Reconnaissance - Reconnaissance includes knowledge-gathering activities such as area target identification, point target identification, target refinement to identify assets and entities, technical mapping of an environment, probing for vulnerabilities, and any other activities that are observational and can be applied to future adversarial actions;
2) Commencement - Commencement is the point at which an adversary deploys tools or actions. The start of an attack does not necessarily mark the end of (1) Reconnaissance, as observation and knowledge gathering may continue, but the adversary has passed a threshold of observation and identification of vulnerabilities, and proceeded into engagement;
3) Entry - The traversal of a primary security boundary or network border can be characterized as entry by the entity responsible for that border. This traversal may take many forms, including a first successful entry or direct breach of a system, a 0-day exploit against an external-facing application, a social engineering compromise of a person with basic privileges, or physical intrusion into controlled but not critical areas;

46 The content for this section of the report was taken from Threat Genomics [Reference 22].

4) Foothold - The most common form of foothold is an adversary's breach of a system with low privileges or local credentials. The adversary is able to stay resident in the environment (actions that give only access would be characterized as multiple entries), but the control or credentials used to stay resident are not privileged beyond the compromised system or applications;
5) Lateral Movement - Lateral movement is the freedom to explore from within. When an adversary has the ability to move beyond a system or non-privileged environment in which they've established a foothold, the immediate network and adjacent logical environments are at risk;
6) Acquire Control - Acquiring or establishing privileged control in an environment allows an adversary free movement and access to assets and resources. It may be possible to detect and observe an adversary taking these types of actions, but it becomes difficult to dislodge an adversary that wields privileged access and control over a whole environment;
7) Acquire Target - When an adversary can access a target asset, neutralize point target protections, and otherwise consolidate control over an asset, resources, or capabilities, that adversary is said to have acquired a target;
8) Implement/Execute - Implementation of a process, or execution of attack code on an acquired target, marks this base type of action. Indicators may include alteration in the function of key applications, consolidation and integration of control, exfiltration or destruction of data, or even communication of demands for ransom or other actions;
9) Conceal & Maintain - With sufficient control of an environment and its contained systems, an adversary may be able to remove or alter security logs, implement decoy(s), periodically check backdoor access, or otherwise conceal and maintain their presence and activities; and
10) Withdraw - Withdrawal shows an attacker or adversary has completed its significant actions and intentionally departed under its own terms or capacity.
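The fragment-to-sequence comparison described above (matching detected activity against known whole sequences to predict what comes next and to find overlooked past activity), as an added example that is not code from the report or from the Threat Genomics paper; the known sequences, their names and the observed fragments are constructed sample data.

```python
"""Correlating detection fragments against known threat genomics sequences.

Added example, not code from the report or the Threat Genomics paper. The ten
base types are the ones listed in the report; the "known whole sequences" and
the observed fragments are constructed sample data with hypothetical names."""
from typing import Dict, List, Optional, Set

# The ten base types, in the order the methodology lists them.
BASE_TYPES: List[str] = [
    "Reconnaissance", "Commencement", "Entry", "Foothold", "Lateral Movement",
    "Acquire Control", "Acquire Target", "Implement/Execute",
    "Conceal & Maintain", "Withdraw",
]

# Constructed: previously analysed whole sequences, each a list of base types
# in the order the adversary performed them (names are hypothetical).
KNOWN_SEQUENCES: Dict[str, List[str]] = {
    "smash-and-grab": [
        "Reconnaissance", "Commencement", "Entry", "Acquire Target",
        "Implement/Execute", "Withdraw",
    ],
    "persistent-intrusion": [
        "Reconnaissance", "Commencement", "Entry", "Foothold",
        "Lateral Movement", "Acquire Control", "Acquire Target",
        "Implement/Execute", "Conceal & Maintain",
    ],
    "ransom-campaign": [
        "Reconnaissance", "Commencement", "Entry", "Foothold",
        "Lateral Movement", "Acquire Control", "Implement/Execute", "Withdraw",
    ],
}


def validate_fragment(fragment: List[str]) -> None:
    """Reject labels outside the ten base types: detections must be
    normalized to a base type before they can be correlated."""
    if not fragment:
        raise ValueError("fragment must contain at least one base type")
    unknown = [label for label in fragment if label not in BASE_TYPES]
    if unknown:
        raise ValueError(f"not a threat genomics base type: {unknown}")


def align(fragment: List[str], whole: List[str]) -> Optional[List[int]]:
    """Find the fragment as an in-order, possibly gapped, subsequence of a
    whole sequence. Gaps are expected: a fragment is only the activity that
    was actually detected. Returns the matched positions in whole, or None."""
    positions: List[int] = []
    start = 0
    for label in fragment:
        try:
            idx = whole.index(label, start)
        except ValueError:
            return None
        positions.append(idx)
        start = idx + 1
    return positions


def match_fragment(fragment: List[str],
                   known: Dict[str, List[str]] = KNOWN_SEQUENCES
                   ) -> Dict[str, Dict[str, List[str]]]:
    """Compare a correlated fragment against every known whole sequence.

    For each sequence the fragment fits, report:
      * undetected: base types the adversary would already have completed
        before the last detected action (past activity to go back and hunt for)
      * predicted_next: base types expected to follow, in order
    """
    validate_fragment(fragment)
    matches: Dict[str, Dict[str, List[str]]] = {}
    for name, whole in known.items():
        positions = align(fragment, whole)
        if positions is None:
            continue
        matched = set(positions)
        last = positions[-1]
        matches[name] = {
            "undetected": [whole[i] for i in range(last) if i not in matched],
            "predicted_next": whole[last + 1:],
        }
    return matches


def next_actions(fragment: List[str],
                 known: Dict[str, List[str]] = KNOWN_SEQUENCES) -> Set[str]:
    """Base types that could come immediately next, across all known sequences
    the fragment is consistent with. An empty set means no known sequence fits
    or every fitting sequence has already reached its end."""
    nxt: Set[str] = set()
    for info in match_fragment(fragment, known).values():
        if info["predicted_next"]:
            nxt.add(info["predicted_next"][0])
    return nxt


if __name__ == "__main__":
    # Constructed fragment: a border breach, then lateral movement was seen.
    observed = ["Entry", "Lateral Movement"]
    for name, info in match_fragment(observed).items():
        print(f"{name}: hunt for {info['undetected']}, expect {info['predicted_next']}")
    print("immediate next step(s):", next_actions(observed))
```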

D.5 MACE Cyber Attack Classification 47

The MACE Cyber Attack Classification attempts to build upon both the Cyber Kill Chain and Threat Genomics by taking the most relevant features of both to describe the attack steps. It was the authors' belief that the Cyber Kill Chain was missing some important elements and that Threat Genomics consisted of too many steps. Most adversaries will follow a common series of seven steps in order to execute an attack, as shown in Figure 26. For the purpose of this paper the seven stages of a cyber attack are described as follows:

Reconnaissance. This is considered the planning step of an attack, where the adversary gathers as much information as possible about the target prior to the attack. Passive reconnaissance involves techniques such as gathering publicly available information, using search engines, and dumpster diving (i.e. going through the bins). Active reconnaissance, on the other hand, involves using tools to actively interact with the target, such as network scanning;
Gain Access. This step is the initial intrusion into the target network. Through the reconnaissance step the adversary will have identified and correlated vulnerabilities that can be exploited to penetrate the network and gain initial access. This step can also be achieved through user exploitation such as phishing or social engineering techniques;
Command and Control. Typically, in malware attacks the compromised system must call out to a control server to send out found information or to receive additional instruction. The malware will establish a command and control channel with the control server (often through encrypted channels that are hard to detect) and in turn provide the adversary with the means to get inside the target network;
Footprint Expansion. In the case of data exploitation, or if the goal is simply to infect as many systems as possible, the malware will need to move laterally within the network from system to system to either find the target data or to infect each of the systems found. Another facet of this stage is privilege escalation, where the adversary can escalate from limited privileges (user access) to administrator privileges (root access) so that they are not constrained to any specific part of the network;

47 The content for this section of the report was taken from Military Activities and Cyber Effects (MACE) Taxonomy [Reference 15].

Maintain Access. This stage involves maintaining long-term access to the target system and network, which allows the adversary the benefit of time to collect the information they need for the purpose of their attack. Access can be maintained by launching virtual network clients from within the network to provide access to external systems, and similar services like File Transfer Protocol (FTP) and Secure Shell (SSH), or by uploading rootkits, backdoors and Trojans;
Execute Attack. The adversary takes actions that accomplish his objectives. The actions taken will depend on the goal of the adversary; the most common may be exfiltration of data, but they could also involve the modification, fabrication, interception and even destruction of data; and
Retreat and Removal. This phase closes the loop, where the adversary removes all evidence of his presence on the target system and network. It should be noted that a skilled adversary will always cover their tracks to avoid early detection. Gaining root level access and administrative access is a big part of hiding their presence, as they can remove log entries, deactivate alarms, and even upgrade or patch outdated software in which a vulnerability was exploited.

Figure 26 - Stages of a Cyber Attack 48

D.6 MITRE's Cyber Prep Methodology

Cyber Prep 49, which was developed by MITRE, is a conceptual framework, together with a practical methodology, which an organization uses to define and implement its strategy for addressing threats related to its dependence on cyberspace. MITRE defined the five Cyber Prep levels to correspond to fairly distinct break points in adversary capabilities, intent, and technical sophistication, as well as in the operational complexity involved in an attack. They are as follows:

1) Cyber Vandalism;
2) Cyber Theft/Crime;
3) Cyber Incursion/Surveillance;
4) Cyber Sabotage/Espionage; and
5) Cyber Conflict/Warfare.

The Cyber Prep Methodology also provides specific examples of the TTPs employed by adversaries at each level. These can be seen in Table 2.

48 This figure was taken from Military Activities and Cyber Effects (MACE) Taxonomy [Reference 15].
49 Content for this section of the report was taken from Improving Cyber Security and Mission Assurance via Cyber Preparedness (Cyber Prep) Levels [Reference 23].

Table 2 - Sample TTPs Adversaries Might Use
This table was taken directly from Improving Cyber Security and Mission Assurance via Cyber Preparedness (Cyber Prep) Levels [Reference 23].

D.7 Harmonized TRA Methodology

The Harmonized TRA Methodology 51 was a joint Communications Security Establishment (CSE) and Royal Canadian Mounted Police (RCMP) project to develop a single harmonized TRA for the GC that was flexible, modular, simple, consistent, general, and that would facilitate automation. As can be seen from Figure 27, the Harmonized TRA Methodology is quite involved. Specifically, it consists of the following five phases:

Phase 1 - Preparation: The Preparation Phase includes four important processes (management commitment, mandate of the TRA project, scope of assessment, and team composition) that lead to one output (TRA work plan);
Phase 2 - Asset Identification and Valuation: The Asset Identification and Valuation Phase is comprised of three successive processes (asset identification, injury assessment, and asset valuation) and one major output (prioritized asset listing);
Phase 3 - Threat Assessment: The Threat Assessment Phase is comprised of four successive processes (threat identification, likelihood assessment, gravity assessment, and threat assessment) and one major output (prioritized threat listing);
Phase 4 - Risk Assessment: The fourth phase is conducted in two sequential segments, namely Vulnerability Assessment and the Calculation of Residual Risk. The Vulnerability Assessment consists of five successive processes (safeguard identification, safeguard effectiveness assessment, vulnerability identification, vulnerability impact analysis, and vulnerability assessment) and one major output (prioritized vulnerability assessment table). The Calculation of Residual Risk consists of a single process (computation of residual risk) and one major output (prioritized list of residual risks); and
Phase 5 - Recommendations: The Recommendations Phase is comprised of four sequential processes (identification of unacceptable risks, selection of potential safeguards, calculation of costs, and assessment of projected residual risks) and one major output (final TRA report).

51 Additional information on the Harmonized TRA Methodology can be found in the Harmonized TRA Methodology [Reference 24].

Figure 27 - Harmonized TRA Phases & Processes
This figure was taken from the Harmonized TRA Methodology [Reference 24].

Annex E Threat Framework

A framework is typically used to provide the overall structure of a project. In the case of threat frameworks, it is used to give a general idea as to the preferred approach for characterizing threats. Threat frameworks examined in this section of the report include the following:

Common Vulnerability Scoring System (CVSS); and
RAMCAP.

E.1 CVSS

While the Open Web Application Security Project (OWASP) lists CVSS as a threat model, it has been classified as a threat framework for the purpose of this report. CVSS 53, which was designed by NIST and a team of industry partners, provides a means to quantify the severity and risk of a vulnerability to an information asset in a computing environment. Consequently, it allows organizations to compare one vulnerability to another when prioritizing their patching efforts. CVSS, which is widely considered to be the industry standard, differs from other vulnerability databases by offering an open framework for comparing and ranking vulnerabilities in a consistent fashion. The following six base metrics are used to describe the fundamental features of a vulnerability:

Access Vector (AV): Measures how the vulnerability is exploited, for instance, locally or remotely. The more remote an attacker can be when attacking an information asset, the greater the vulnerability score;
Access Complexity (AC): Measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. The lower the required complexity, the higher the vulnerability score;
Authentication (Au): Measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. The fewer authentication instances that are required, the higher the vulnerability score;
Confidentiality Impact (C): Measures the impact on confidentiality of a successfully exploited vulnerability. Increased confidentiality impact increases the vulnerability score;
Integrity Impact (I): Measures the impact on integrity of a successfully exploited vulnerability. Increased integrity impact increases the vulnerability score; and
Availability Impact (A): Measures the impact on availability of a successfully exploited vulnerability. Increased availability impact increases the vulnerability score.

53 Content for this section of the report was taken from Metrics for Information Security Vulnerabilities [Reference 25].

E.2 RAMCAP

The Risk Analysis and Management for Critical Asset Protection (RAMCAP) 54 is a framework for analyzing and managing the risks associated with terrorist attacks against critical infrastructure assets. The framework, which is illustrated in Figure 28, is comprised of the following seven steps:

Asset Characterization and Screening - Asset characterization and screening is the analysis of a facility or system's operational processes to identify critical assets and hazards, while making a preliminary forecast of potential consequences from a terrorist act. The assets evaluated include both physical and cyber assets. The analysis includes identification of existing layers of protection;
Threat Characterization - Threat characterization is the identification of specific and general modes of attack that may be used by terrorists against a given target. DHS has developed a set of baseline threats that are to be evaluated for each asset or system. These threats are based on the collective activities of law enforcement and intelligence organizations that are charged with developing an understanding of the means, methods and motivations of terrorists. The threats include various modes of attack (e.g., air, land, and water), and various sizes of attacks (e.g., small, medium, large). The owner/operator then applies these threats to the facility or system based on in-depth knowledge of the operation's assets. Consequently, not all threats apply to all assets, so some threats will be screened from further consideration;
Consequence Analysis - Consequence analysis is the identification of the worst reasonable consequences that could be generated by the specific threat. This step looks at facility or system design, layout and operation in order to identify the types of consequences that might result. Consequences that are quantified include financial costs, fatalities and injuries. Consequences that are noted qualitatively are psychological impacts and effects on national security or government functions;
Vulnerability Analysis - Vulnerability analysis is the determination of the likelihood of a successful attack using a specific threat on a particular asset. This involves analyzing the existing security capabilities, countermeasures and mitigation strategies and their effectiveness in reducing the probability of a successful attack;

54 Content for this section of the report was taken from

Threat Assessment - Threat assessment includes two steps: an evaluation of asset attractiveness and a full threat assessment. Asset assessment considers the perceived value to the terrorist of attacking a given facility or system, considering the deterrence value of security measures and the robustness of the potential target. This area is assessed by the owner/operator. Threat assessment is performed by DHS and includes normalized assessments of attractiveness in light of the high level objectives of terrorists and intelligence-based assessments of adversary capabilities and intent;
Risk Assessment - Risk assessment is a systematic and comprehensive evaluation of the previously developed terrorism related data for a given facility or system. The owner/operator risk assessment creates a foundation for selecting strategies and tactics to defend against terrorist attacks by establishing priorities based on risk; and
Risk Management - Risk management is the deliberate process of understanding risk and deciding upon and implementing action (e.g., defining security countermeasures, consequence mitigation features or characteristics of the asset) to achieve an acceptable level of risk at an acceptable cost. Risk management is characterized by the identification, evaluation and control of risks to a level commensurate with an assigned or accepted value.

Figure 28 - RAMCAP 7-Step Process
This figure was taken directly from

Annex F Threat Model

Informally, a model is a simplified representation of something else. A model ignores, masks, or abstracts unimportant or unnecessary details, thereby highlighting the details of interest. For example, a model of a real-world computer network will abstract away certain details and highlight others. Clearly, a threat model is a model of a threat. Per the definition of model above, a threat model highlights the details of interest regarding a threat, class of threat, or threats in general. A threat model will generally address both a threat's capabilities and its intent. 56 Basically, threat modeling is a structured approach that allows cyber security threats to be classified. There are at least three general approaches to threat modelling:

Attacker-centric - Attacker-centric threat modelling focuses on attackers, their specific goals, and the manner in which they can achieve them;
System-centric - System-centric threat modelling, which is sometimes called 'software-centric', 'design-centric', or 'architecture-centric', focuses on the system being built or the software being developed. Specifically, it looks at the design of the system/software, and determines the type of attacks that can be undertaken against each element; and
Asset-centric - Asset-centric threat modelling focuses on the information that the attacker is attempting to compromise.

This section of the report will examine the following threat models:

Composite Threat Modelling (System-centric);
Microsoft Threat Modelling (System-centric);
Trike (System-centric); and
Verizon A4 Threat Model (Attacker-centric).

The Generic Threat Model (attacker-centric) and OCTAVE Allegro (asset-centric) were examined in Sections 3.0 and 4.0 respectively.

56 Cyber Threat Metrics [Reference 3].

F.1 Composite Threat Modelling

The U.S. Department of Transportation National Highway Traffic Safety Administration (NHTSA) proposed a composite threat model 57, combining common elements of STRIDE (F.2.1 STRIDE), Trike (F.3 Trike), and Application Security Frame (ASF), for the automotive sector. Specifically, the threat model was developed in order to describe a composite modeling approach for potential cyber security threats in modern vehicles. It is primarily of interest due to the fact that it combined aspects from multiple threat models to produce its own threat model. Rather than picking a single threat model, the NHTSA decided to extract the common elements from various models in order to establish a composite model.

F.2 Microsoft Threat Modelling

The Microsoft threat modelling process 58, which is illustrated in Figure 29, was developed as part of Microsoft's security improvement program, and specifically to allow organizations to determine the correct controls and to produce effective countermeasures within budget. It consists of the following five steps:

1) Identify Security Objectives - The business (or project management) leadership, in concert with the software development and quality assurance teams, all need to understand the security objectives. To facilitate this, start by breaking down the application's security objectives into the following categories:
a. Identity: Does the application protect user identity from abuse? Are there adequate controls in place to ensure evidence of identity (as required for many banking applications)?;
b. Financial: Assess the level of risk the organization is prepared to absorb in remediation, as a potential financial loss. For example, forum software may have a lower estimated financial risk than an Internet banking application;
c. Reputation: Quantify or estimate the loss of reputation derived from the application being misused or successfully attacked;

57 Content for this section of the report was taken from Characterization of Potential Security Threats in Modern Automobiles [Reference 26].
58 Content for this section of the report was taken from

d. Privacy and Regulatory: To what extent will the application have to protect user data? Forum software by its nature is public, but a tax preparation application is subject to tax regulations and privacy legislation requirements in most countries;
e. Availability Guarantees: Is the application required to be available per a Service Level Agreement (SLA) or similar guarantee? Is it a nationally protected infrastructure? To what level will the application have to be available? High availability techniques are significantly more expensive, so applying the correct controls up front will save a great deal of time, resources, and money;
2) Survey the Application - Once the security objectives have been defined, analyze the application design to identify the components, data flows, and trust boundaries. Do this by surveying the application's architecture and design documentation. In particular, look for Unified Modeling Language (UML) component diagrams. Such high level component diagrams are generally sufficient to understand how and why data flows to various places. For example, data movement across a trust boundary (such as from the Internet to the web tier, or from the business logic to the database server) needs to be carefully analyzed, whereas data that flows within the same trust level does not need as much scrutiny;
3) Decompose the Application - Once the application architecture is understood, decompose it further to identify the features and modules with a security impact that need to be evaluated. For example, when investigating the authentication module, it is necessary to understand how data enters the module, how the module validates and processes the data, where the data flows, how the data is stored, and what fundamental decisions and assumptions are made by the module;
4) Identify Threats - STRIDE (F.2.1 STRIDE) is a classification scheme for characterizing known threats, while DREAD (F.2.2 DREAD) provides a means to quantify the various threats; and
5) Identify Vulnerabilities - Once the application has been decomposed and the threats have been identified, specific vulnerabilities can also be identified.

Figure 29 - Microsoft Threat Modelling Process 59

F.2.1 STRIDE

STRIDE 60 is a classification scheme for characterizing known threats according to the kinds of exploit that are used (or the motivation of the attacker). STRIDE is an acronym derived from the following six threat categories:

Spoofing identity. An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password;
Tampering with data. Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet;
Repudiation. Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise; for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Non-repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package;

59 This figure was taken directly from
60 Content for this section of the report was taken from and

Information disclosure. Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it; for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers;
Denial of service. Denial of service (DoS) attacks deny service to valid users; for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability; and
Elevation of privilege. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed.

F.2.2 DREAD

DREAD 61 is a classification scheme for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat. The DREAD acronym is formed from the first letter of each category below:

Damage potential: How great is the damage if the vulnerability is exploited?;
Reproducibility: How easy is it to reproduce the attack?;
Exploitability: How easy is it to launch an attack?;
Affected users: As a rough percentage, how many users are affected?; and
Discoverability: How easy is it to find the vulnerability?

F.3 Trike

Trike 62 is a unified conceptual framework for security auditing from a risk management perspective through the generation of threat models in a reliable, repeatable manner. Trike is distinguished from other threat modeling methodologies by the high levels of automation possible within the system, the defensive perspective of the system, and the degree of formalism present in the methodology. It differs in focus from other existing approaches to threat modeling in that it focuses on modeling threats from a defensive perspective, not that of an attacker. Once the set of threats for the application have been determined and the implementation model completed, the attack graph is built and the system examined to verify all weaknesses in the system. Once this is done, the vulnerabilities to the system can be determined and the appropriate mitigations applied.

F.4 Verizon A4 Threat Model

The A4 Threat Model 63 was developed by Verizon's RISK team. In the model, a security incident is viewed as a series of events that adversely affect the information assets of an organization. Every event is comprised of the following elements (the four A's):

Agent: Whose actions affected the asset;
Action: What actions affected the asset;
Asset: Which assets were affected; and
Attribute: How the asset was affected.

According to the model, the four A's represent the minimum information necessary to adequately describe any incident or threat scenario. Furthermore, this structure provides a framework within which to measure frequency, associate controls, link impact, and many other concepts required for risk management. If we calculate all the combinations of the A4 model's highest-level elements (three Agents, seven Actions, five Assets, and three Attributes), 315 distinct threat events emerge. The grid in Figure 30 graphically represents these and designates a Threat Event Number (hereafter referenced by TE#) to each. TE1, for instance, coincides with External Malware that affects the Confidentiality of a Server. Note that not all 315 combinations are feasible.

61 Content for this section of the report was taken from and
62 The content for this section of the report was taken from Trike v.1 Methodology Document [Reference 27].
63 The content for this section of the report was taken from the Verizon 2012 Data Breach Investigations Report [Reference 28]. The report only provides a limited overview of the threat model, so information, such as the original purpose of the model, has not been included in this report.

Figure 30 - Verizon A4 Threat Model
This figure was taken from Verizon 2012 Data Breach Investigations Report [Reference 28].


More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

Risk Management. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Risk Management. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1 Risk Management Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Define

More information

Iterative constrained least squares for robust constant modulus beamforming

Iterative constrained least squares for robust constant modulus beamforming CAN UNCLASSIFIED Iterative constrained least squares for robust constant modulus beamforming X. Jiang, H.C. So, W-J. Zeng, T. Kirubarajan IEEE Members A. Yasotharan DRDC Ottawa Research Centre IEEE Transactions

More information

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X 4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

Simulation of Workflow and Threat Characteristics for Cyber Security Incident Response Teams

Simulation of Workflow and Threat Characteristics for Cyber Security Incident Response Teams Simulation of Workflow and Threat Characteristics for Cyber Security Incident Response Teams Theodore Reed, Robert G. Abbott, Benjamin Anderson, Kevin Nauer & Chris Forsythe Sandia National Laboratories

More information

Control Systems Cyber Security Awareness

Control Systems Cyber Security Awareness Control Systems Cyber Security Awareness US-CERT Informational Focus Paper July 7, 2005 Produced by: I. Purpose Focus Paper Control Systems Cyber Security Awareness The Department of Homeland Security

More information

Protect Your Organization from Cyber Attacks

Protect Your Organization from Cyber Attacks Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Cybersecurity: Incident Response Short

Cybersecurity: Incident Response Short Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

Service Description: CNS Federal High Touch Technical Support

Service Description: CNS Federal High Touch Technical Support Page 1 of 1 Service Description: CNS Federal High Touch Technical Support This service description ( Service Description ) describes Cisco s Federal High Touch Technical support (CNS-HTTS), a tier 2 in

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Service Definition Table of Contents 1 INTRODUCTION... 2 2 SERVICE OFFERINGS VULNERABILITY MANAGEMENT... 2 3 SOLUTION PURPOSE... 3 4 HOW IT WORKS... 3 5 WHAT S INCLUDED... 4 6

More information

MIS Week 9 Host Hardening

MIS Week 9 Host Hardening MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls

More information

External Supplier Control Obligations. Cyber Security

External Supplier Control Obligations. Cyber Security External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place

More information

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm Insider Threat Program: Protecting the Crown Jewels Monday, March 2, 2:15 pm - 3:15 pm Take Away Identify your critical information Recognize potential insider threats What happens after your critical

More information

A (sample) computerized system for publishing the daily currency exchange rates

A (sample) computerized system for publishing the daily currency exchange rates A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency

More information

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO Exhibit R-2, RDT&E Budget Item Justification: PB 2013 Office of Secretary Of Defense DATE: February 2012 COST ($ in Millions) FY 2011 FY 2012 Base OCO Total FY 2014 FY 2015 FY 2016 FY 2017 Cost To Complete

More information

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX 1 INTRODUCTION The MITRE Corporation Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) Matrix provides a model

More information

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management CompTIA Security+ Lecture Six Threats and Vulnerabilities Vulnerability Management Copyright 2011 - VTC Malware Malicious code refers to software threats to network and systems, including viruses, Trojan

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

The Analysis and Proposed Modifications to ISO/IEC Software Engineering Software Quality Requirements and Evaluation Quality Requirements

The Analysis and Proposed Modifications to ISO/IEC Software Engineering Software Quality Requirements and Evaluation Quality Requirements Journal of Software Engineering and Applications, 2016, 9, 112-127 Published Online April 2016 in SciRes. http://www.scirp.org/journal/jsea http://dx.doi.org/10.4236/jsea.2016.94010 The Analysis and Proposed

More information

The Center for Internet Security

The Center for Internet Security The Center for Internet Security The CIS Security Metrics Service July 1 2008 Organizations struggle to make cost-effective security investment decisions; information security professionals lack widely

More information

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment SWG G 3 2016 v0.2 ISAO Standards Organization Standards Working Group 3: Information Sharing Kent Landfield, Chair

More information

Trustwave Managed Security Testing

Trustwave Managed Security Testing Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to

More information

Port Facility Cyber Security

Port Facility Cyber Security International Port Security Program Port Facility Cyber Security Cyber Security Assessment MAR'01 1 Lesson Topics ISPS Code Requirement The Assessment Process ISPS Code Requirements What is the purpose

More information

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government ATIONAL STRATEGY National Strategy for Critical Infrastructure Government Her Majesty the Queen in Right of Canada, 2009 Cat. No.: PS4-65/2009E-PDF ISBN: 978-1-100-11248-0 Printed in Canada Table of contents

More information

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business

More information

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved Threat Modeling for System Builders and System Breakers!! Dan Cornell! @danielcornell Dan Cornell Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San

More information

Cybersecurity, safety and resilience - Airline perspective

Cybersecurity, safety and resilience - Airline perspective Arab Civil Aviation Commission - ACAC/ICAO MID GNSS Workshop Cybersecurity, safety and resilience - Airline perspective Rabat, November, 2017 Presented by Adlen LOUKIL, Ph.D CEO, Resys-consultants Advisory,

More information

Cyber Threat Intelligence Standards - A high-level overview

Cyber Threat Intelligence Standards - A high-level overview Cyber Threat Intelligence Standards - A high-level overview Christian Doerr TU Delft, Cyber Threat Intelligence Lab Delft University of Technology Challenge the future ~ whoami At TU Delft since 2008 in

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

Objectives of the Security Policy Project for the University of Cyprus

Objectives of the Security Policy Project for the University of Cyprus Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University

More information

DDoS MITIGATION BEST PRACTICES

DDoS MITIGATION BEST PRACTICES DDoS MITIGATION BEST PRACTICES DDoS ATTACKS ARE INCREASING EXPONENTIALLY Organizations are becoming increasingly aware of the threat that Distributed Denial of Service (DDoS) attacks can pose. According

More information

- Table of Contents -

- Table of Contents - - Table of Contents - 1 INTRODUCTION... 1 1.1 OBJECTIVES OF THIS GUIDE... 1 1.2 ORGANIZATION OF THIS GUIDE... 2 1.3 COMMON CRITERIA STANDARDS DOCUMENTS... 3 1.4 TERMS AND DEFINITIONS... 5 2 BASIC KNOWLEDGE

More information

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27005 Risk Manager www.pecb.com The objective of the PECB Certified ISO/IEC 27005 Risk Manager examination is to ensure that the candidate

More information

Risk Informed Cyber Security for Nuclear Power Plants

Risk Informed Cyber Security for Nuclear Power Plants Risk Informed Cyber Security for Nuclear Power Plants Phillip L. Turner, Timothy A. Wheeler, Matt Gibson Sandia National Laboratories Electric Power Research Institute Albuquerque, NM USA Charlotte, NC

More information

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun Reading This lecture [McGraw]: Ch. 7-9 2 Seven Touchpoints 1. Code review 2. Architectural

More information

Continuous Monitoring and Incident Response

Continuous Monitoring and Incident Response Continuous Monitoring and Incident Response Developing robust cyber continuous monitoring and incident response capabilities is mission critical to energy-related operations in today s digital age. As

More information

Device Discovery for Vulnerability Assessment: Automating the Handoff

Device Discovery for Vulnerability Assessment: Automating the Handoff Device Discovery for Vulnerability Assessment: Automating the Handoff O V E R V I E W While vulnerability assessment tools are widely believed to be very mature and approaching commodity status, they are

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 1 Introduction to Security Objectives Describe the challenges of securing information Define information security and explain why

More information

New Guidance on Privacy Controls for the Federal Government

New Guidance on Privacy Controls for the Federal Government New Guidance on Privacy Controls for the Federal Government IAPP Global Privacy Summit 2012 March 9, 2012 Dr. Ron Ross Computer Security Division, NIST Martha Landesberg, J.D., CIPP/US The Privacy Office,

More information

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints Reading This lecture [McGraw]: Ch. 7-9 CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun 2 Seven Touchpoints Application of Touchpoints

More information

Canadian Fire Community of Practice

Canadian Fire Community of Practice Canadian Fire Community of Practice Ret on Intermediate Science and Technology Priorities of Canadian Fire Services Capability Assessment Management System (CAMS) Redesign Donn MacMillan Delivery Manager

More information

Effective Threat Modeling using TAM

Effective Threat Modeling using TAM Effective Threat Modeling using TAM In my blog entry regarding Threat Analysis and Modeling (TAM) tool developed by (Application Consulting and Engineering) ACE, I have watched many more Threat Models

More information

A Common Cyber Threat Framework: A Foundation for Communication

A Common Cyber Threat Framework: A Foundation for Communication For For Public Distribution A Common Cyber Threat Framework: A Foundation for Communication This is a work of the U.S. Government and is not subject to copyright protection in the United States. Overview

More information

SANS Institute , Author retains full rights.

SANS Institute , Author retains full rights. Steven F Burns GIAC Security Essentials Certification (GSEC) Practical Assignment Version 1.4c Threat Modeling: A Process To Ensure Application Security January 5, 2005 Abstract This paper discusses the

More information

Tiger Scheme QST/CTM Standard

Tiger Scheme QST/CTM Standard Tiger Scheme QST/CTM Standard Title Tiger Scheme Qualified Security Tester Team Member Standard Version 1.2 Status Public Release Date 21 st June 2011 Author Professor Andrew Blyth (Tiger Technical Panel)

More information

Developing a Model for Cyber Security Maturity Assessment

Developing a Model for Cyber Security Maturity Assessment Developing a Model for Cyber Security Maturity Assessment Tariq Al-idrissi, Associate Vice President IT, Trent University Ian Thomson, Information Security Officer, Trent University June 20 th, 2018 (8:45am

More information

Computer Security Policy

Computer Security Policy Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics Chapter X Security Performance Metrics Page 1 of 10 Chapter X Security Performance Metrics Background For many years now, NERC and the electricity industry have taken actions to address cyber and physical

More information

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose: STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security

More information

Automated, Real-Time Risk Analysis & Remediation

Automated, Real-Time Risk Analysis & Remediation Automated, Real-Time Risk Analysis & Remediation TABLE OF CONTENTS 03 EXECUTIVE SUMMARY 04 VULNERABILITY SCANNERS ARE NOT ENOUGH 06 REAL-TIME CHANGE CONFIGURATION NOTIFICATIONS ARE KEY 07 FIREMON RISK

More information

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21 National and Cyber Security Branch Presentation for Gridseccon Quebec City, October 18-21 1 Public Safety Canada Departmental Structure 2 National and Cyber Security Branch National and Cyber Security

More information

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult. Vulnerabilities To know your Enemy, you must become your Enemy. "The Art of War", Sun Tzu André Zúquete Security 1 Information security: Vulnerabilities & attacks threats Discouragement measures difficult

More information

How AlienVault ICS SIEM Supports Compliance with CFATS

How AlienVault ICS SIEM Supports Compliance with CFATS How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal

More information

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

CYBERSECURITY PENETRATION TESTING - INTRODUCTION CYBERSECURITY PENETRATION TESTING - INTRODUCTION Introduction Pen-testing 101 University Focus Our Environment Openness and learning Sharing and collaboration Leads to Security Weaknesses What is Penetration

More information

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO Exhibit R-2, RDT&E Budget Item Justification: PB 2013 Office of Secretary Of Defense DATE: February 2012 0400: Research,, Test & Evaluation, Defense-Wide BA 3: Advanced Technology (ATD) COST ($ in Millions)

More information

IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty

IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty IANS Pragmatic Threat Modeling Michael Pinch, IANS Faculty Agenda What Is Threat Modeling? Who Should Be Considering Threat Modeling? Methodologies for Threat Modeling Common Pitfalls Introduction of IANS

More information

The Perfect Storm Cyber RDT&E

The Perfect Storm Cyber RDT&E The Perfect Storm Cyber RDT&E NAVAIR Public Release 2015-87 Approved for public release; distribution unlimited Presented to: ITEA Cyber Workshop 25 February 2015 Presented by: John Ross NAVAIR 5.4H Cyberwarfare

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

13th Florence Rail Forum: Cyber Security in Railways Systems. Immacolata Lamberti Andrea Pepato

13th Florence Rail Forum: Cyber Security in Railways Systems. Immacolata Lamberti Andrea Pepato 13th Florence Rail Forum: Cyber Security in Railways Systems Immacolata Lamberti Andrea Pepato November 25, 2016 Cyber Security context and Cyber Attacks trend Critical Infrastructures (CIs) are both physical

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

ANATOMY OF AN ATTACK!

ANATOMY OF AN ATTACK! ANATOMY OF AN ATTACK! Are Your Crown Jewels Safe? Dom Kapac, Security Evangelist WHAT DO WE MEAN BY CROWN JEWELS? Crown jewels for most organizations are critical infrastructure and data Data is a valuable

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Security Policy and Procedures Identify Risk Assessment ID.RA Table of Contents Identify

More information

Information Security for Mail Processing/Mail Handling Equipment

Information Security for Mail Processing/Mail Handling Equipment Information Security for Mail Processing/Mail Handling Equipment Handbook AS-805-G March 2004 Transmittal Letter Explanation Increasing security across all forms of technology is an integral part of the

More information

Report. Conceptual Framework for the DIAMONDS Project. SINTEF ICT Networked Systems and Services SINTEF A Unrestricted

Report. Conceptual Framework for the DIAMONDS Project. SINTEF ICT Networked Systems and Services SINTEF A Unrestricted SINTEF A22798- Unrestricted Report Conceptual Framework for the DIAMONDS Project Author(s) Gencer Erdogan, Yan Li, Ragnhild Kobro Runde, Fredrik Seehusen, Ketil Stølen SINTEF ICT Networked Systems and

More information

the SWIFT Customer Security

the SWIFT Customer Security TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This

More information

COUNTERING IMPROVISED EXPLOSIVE DEVICES

COUNTERING IMPROVISED EXPLOSIVE DEVICES COUNTERING IMPROVISED EXPLOSIVE DEVICES FEBRUARY 26, 2013 COUNTERING IMPROVISED EXPLOSIVE DEVICES Strengthening U.S. Policy Improvised explosive devices (IEDs) remain one of the most accessible weapons

More information

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course Terms, Methodology, Preparation, Obstacles, and Pitfalls Vulnerability Assessment Course All materials are licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/

More information

MIS5206-Section Protecting Information Assets-Exam 1

MIS5206-Section Protecting Information Assets-Exam 1 Your Name Date 1. Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances? a. Policies b. Standards c. Procedures d. Guidelines

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.

More information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not

More information

An ICS Whitepaper Choosing the Right Security Assessment

An ICS Whitepaper Choosing the Right Security Assessment Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available

More information

Chapter 4. Fundamental Concepts and Models

Chapter 4. Fundamental Concepts and Models Chapter 4. Fundamental Concepts and Models 4.1 Roles and Boundaries 4.2 Cloud Characteristics 4.3 Cloud Delivery Models 4.4 Cloud Deployment Models The upcoming sections cover introductory topic areas

More information

CTI Capability Maturity Model Marco Lourenco

CTI Capability Maturity Model Marco Lourenco 1 CTI Capability Maturity Model Cyber Threat Intelligence Course NIS Summer School 2018, Crete October 2018 MARCO LOURENCO - ENISA Cyber Security Analyst Lead European Union Agency for Network and Information

More information

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City 1 Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City The opinions expressed are those of the presenters and are not those of the Federal Reserve Banks, the

More information

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services.  #truecybersecurity Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services

More information

The Honest Advantage

The Honest Advantage The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents

More information