www.securitytodayinfo.com
November 18 &19, 2014
Gaylord Texan │Grapevine, TX
Science of Security:
Cyber Intelligence Analysis
Shawn Riley
Executive Vice President, CSCSS Americas
About Me
• Attack Analysis Scientist, Multisource Cyber Intelligence Analyst, & Sci-Fi Geek
• Veteran – US Navy Cryptology Community
• Former Lockheed Martin Senior Fellow
• Former member UK Cybercrime Experts Working Group (UK Govt CSOC / OCSIA)
Outline
• Science of Security
• Cyber Ecosystem
– Cyber Terrain
• Cyber Attack Lifecycle
• Cyber Ecosystem Attack Analysis Method
– Threat Actor’s Cyber Offense Ecosystem
• Threat Intelligence Method
– Defender’s Cyber Defense Ecosystem
• Active Defense Method
Science of Security (SoS)
• The Science of Security term has been around since 2010, when an independent science and technology advisory committee for the U.S. Department of Defense concluded there is a science of (cyber) security discipline.
• The following year, 2011, the White House released “Trustworthy Cyberspace: Strategic Plan For The Federal Cybersecurity Research And Development Program”, formally establishing the Science of Security as 1 of 4 key strategic thrusts for U.S. Federal cybersecurity R&D programs.
• A cyber security scientist, in a broad sense, is one engaging in a systematic activity to acquire and organize knowledge in the cyber security domain.
SoS – Core Themes
• In 2011 Canada, the United States, and the United Kingdom established 7 core, inter-related themes that make up the Science of Security domain.
(Diagram: SoS at the centre, surrounded by the seven themes: Attack Analysis, Common Language, Core Principles, Measurable Security, Agility, Risk, Human Factors)
Cyber Ecosystem
• Ecosystem is defined as “a community of living organisms in conjunction with the nonliving components of their environment, interacting as a system”.
• DHS defines a cyber ecosystem as: “Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communication technologies) – that interact for multiple purposes.”
(Diagram: People, Processes, Technology)
http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
Cyber Terrain
Cyber Terrain – Layers 0-1
• CAPEC-ID:455 – Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components
• CAPEC-ID:453 – Malicious Logic Insertion via Counterfeit Hardware
• CAPEC-ID:547 – Physical Destruction of Device or Component
• CAPEC-ID:397 – Cloning Magnetic Strip Cards
• CAPEC-ID:391 – Bypassing Physical Locks
• CAPEC-ID:507 – Physical Theft
• CAPEC-ID:414 – Pretexting via Delivery Person
• CAPEC-ID:413 – Pretexting via Tech Support
• CAPEC-ID:407 – Social Information Gathering via Pretexting
• CAPEC-ID:406 – Social Information Gathering via Dumpster Diving
CAPEC = Common Attack Pattern Enumeration and Classification (463 total attack patterns in CAPEC V2.6)
Website: http://capec.mitre.org
Cyber Terrain – Layers 2-7
• CAPEC-ID:383 – Harvesting Usernames or UserIDs via Application API Event Monitoring (Application Layer)
• CAPEC-ID:311 – OS Fingerprinting (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:291 – DNS Zone Transfers (Application Layer)
• CAPEC-ID:315 – TCP/IP Fingerprinting Probes (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:310 – Scanning for Vulnerable Software (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:309 – Network Topology Mapping (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:293 – Traceroute Route Enumeration (Network Layer & Transport Layer)
• CAPEC-ID:316 – ICMP Fingerprinting Probes (Network Layer)
Cyber Terrain – Layers 8-11
• CAPEC-ID:37 – Lifting Data Embedded in Client Distributions
• CAPEC-ID:205 – Lifting Credential Key Material Embedded in Client
• CAPEC-ID:8 – Buffer Overflow in an API Call
• CAPEC-ID:14 – Client-side Injection-induced Buffer Overflow
• CAPEC-ID:118 – Gather Information
• CAPEC-ID:268 – Audit Log Manipulation
• CAPEC-ID:270 – Modification of Registry Run Keys
• CAPEC-ID:17 – Accessing, Modifying or Executing Executable Files
• CAPEC-ID:69 – Target Programs with Elevated Privileges
• CAPEC-ID:76 – Manipulating Input to File System Calls
• CAPEC-ID:35 – Leverage Executable Code in Non-Executable Files
• CAPEC-ID:472 – Browser Fingerprinting
• CAPEC-ID:151 – Identity Spoofing
• CAPEC-ID:156 – Deceptive Interactions
Cyber Terrain – Layers 12-14
• CAPEC-ID:404 – Social Information Gathering Attacks
• CAPEC-ID:410 – Information Elicitation via Social Engineering
• CAPEC-ID:416 – Target Influence via Social Engineering
• CAPEC-ID:527 – Manipulate System Users
• CAPEC-ID:156 – Deceptive Interactions
• CAPEC-ID:98 – Phishing
• CAPEC-ID:163 – Spear Phishing
• CAPEC-ID:164 – Mobile Phishing (aka MobPhishing)
Cyber Terrain - Complete
Cyber Ecosystem w/ Terrain
(Diagram: the cyber ecosystem layers: Persona Layer, Software App Layer, Operating System Layer, Machine Language Layer, Logical Layers (Communications Ports & Protocols), Physical Layer, Geographic Layer, Organization Layer, Government Layer; grouped under Technology / Cyber Terrain, People, and Processes / TTPs)
Cyber Attack Lifecycle
“Use a cyber attack lifecycle as a framework for observing and understanding an adversary’s actions and for defining an active defense strategy that makes effective use of information available through both internal and external sources throughout the lifecycle.”
Lifecycle stages: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
Cyber Attack Lifecycle from: http://www.mitre.org/publications/technical-papers/cyber-resiliency-and-nist-special-publication-800-53-rev4-controls
Key recommendation from NIST Guide To Cyber Threat Information Sharing (DRAFT)
http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf
Cyber Ecosystem Attack Analysis
(Diagram: the ecosystem layers drawn twice, mirrored, for the Threat Actor and for the Defender: Geographic, Physical, Logical (Communications Ports & Protocols), Machine Language, Operating System, Software App, Persona, Organization and Government layers, grouped under Technology / Cyber Terrain, Processes / TTPs, and Threat Actors / People versus Defenders. The offense side is annotated with the Threat Actor’s use of technology and observable technical indicators and the Threat Actor’s Modus Operandi (Methods of Operation); the defense side with the Defender’s technology based mitigations and countermeasures and the Defender’s process based mitigations and countermeasures. The lifecycle stages Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain run across both sides.)
Threat Intelligence is based on analysis of the Threat Actor’s Cyber Offense Ecosystem.
Active Defense is based on analysis of the Defender’s Cyber Defense Ecosystem.
Offense informs Defense.
Boyd Cycle / OODA Loop
• Decision cycle developed by USAF Colonel John Boyd, who applied it to combat operations. Often applied to understand commercial operations and learning processes.
http://en.wikipedia.org/wiki/OODA_loop
Threat Intelligence Method
1. Observe – Observe each stage of the attack; collect and process the available data and information about the attack for each layer of the cyber ecosystem.
2. Orient – Analyze and synthesize the attack data and information for each stage and layer. Orient on the Threat Actor’s methods of operation and use of technology to identify observable indicators in the attack data for each stage across one or more layers of the cyber ecosystem.
3. Decide – Based on the Threat Actor’s modus operandi, identify observables and indicators, and decide whether this attack is from a new threat actor or is part of a larger campaign. Produce a threat intelligence report.
4. Act – Disseminate the threat intelligence report.
Pivot & Chain Into Campaigns
(Diagram: four snapshots over time in which new attacks, Attack 1 through Attack 6, are pivoted on shared indicators and chained into campaigns attributed to APT 1 and APT 2; the chains are labelled CC1 and CC2.)
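As an added example that is not from the deck, the four steps above and the pivot-and-chain diagram modelled in Python: each attack is observed as indicators per (stage, layer) cell of the ecosystem, attacks are oriented on the cells where they share an indicator, and the Decide step joins an attack to an existing campaign only when it overlaps in at least two cells, so one shared indicator alone (say, commodity infrastructure) does not chain unrelated attacks. Every attack, domain and indicator value below is constructed.

```python
from collections import defaultdict

# Lifecycle stages and ecosystem layers as named on the slides.
STAGES = ("Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain")
LAYERS = ("Geographic", "Physical", "Logical", "Machine Language", "Operating System",
          "Software App", "Persona", "Organization", "Government")


def observe(name, observations):
    """Observe: record one attack as {(stage, layer): {indicator, ...}}."""
    obs = defaultdict(set)
    for stage, layer, indicator in observations:
        if stage not in STAGES or layer not in LAYERS:
            raise ValueError(f"unknown stage/layer: {stage}/{layer}")
        obs[(stage, layer)].add(indicator)
    return {"name": name, "obs": obs}


def shared_cells(a, b):
    """Orient: the (stage, layer) cells where two attacks share an indicator."""
    return {cell for cell in a["obs"].keys() & b["obs"].keys()
            if a["obs"][cell] & b["obs"][cell]}


def chain_campaigns(attacks, min_cells=2):
    """Decide: walk attacks in order; join the campaign sharing the most cells
    if at least min_cells cells overlap, otherwise open a new campaign
    (a new threat actor as far as the available observables show)."""
    campaigns = []
    for attack in attacks:
        best, best_cells = None, set()
        for camp in campaigns:
            cells = set()
            for prior in camp["attacks"]:
                cells |= shared_cells(attack, prior)
            if len(cells) > len(best_cells):
                best, best_cells = camp, cells
        if best is not None and len(best_cells) >= min_cells:
            best["attacks"].append(attack)
            best["pivots"][attack["name"]] = sorted(best_cells)  # the cells pivoted on
        else:
            campaigns.append({"id": f"Campaign {len(campaigns) + 1}",
                              "attacks": [attack], "pivots": {}})
    return campaigns


def report(attacks, min_cells=2):
    """Act: the disseminable summary, campaign id -> attack names."""
    return {c["id"]: [a["name"] for a in c["attacks"]]
            for c in chain_campaigns(attacks, min_cells)}


# Constructed sample observations; every domain and value is made up.
RUNKEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk"
SAMPLE = [
    observe("Attack 1", [("Deliver", "Persona", "sender:billing@invoice-alerts.example"),
                         ("Exploit", "Software App", "dropper:doc-macro-template-a"),
                         ("Control", "Logical", "c2:update.cdn-mirror.example"),
                         ("Maintain", "Operating System", "runkey:" + RUNKEY)]),
    observe("Attack 2", [("Deliver", "Persona", "sender:billing@invoice-alerts.example"),
                         ("Control", "Logical", "c2:update.cdn-mirror.example"),
                         ("Maintain", "Operating System", "runkey:" + RUNKEY),
                         ("Execute", "Software App", "tool:archiver-x")]),
    observe("Attack 3", [("Deliver", "Persona", "sender:hr@careers-portal.example"),
                         ("Control", "Logical", "c2:api.metrics-relay.example"),
                         ("Maintain", "Operating System", "service:svchelper")]),
    observe("Attack 4", [("Control", "Logical", "c2:api.metrics-relay.example"),
                         ("Maintain", "Operating System", "service:svchelper"),
                         ("Execute", "Persona", "lure:payroll-review")]),
    # Shares only the C2 cell with Attacks 1 and 2: one pivot, too weak by default.
    observe("Attack 5", [("Control", "Logical", "c2:update.cdn-mirror.example"),
                         ("Deliver", "Persona", "sender:support@helpdesk-notice.example")]),
]
```

With the default threshold Attack 5 opens its own campaign; lowering `min_cells` to 1 chains it to Campaign 1 on the shared C2 cell alone, which is the judgement call the Decide step has to make explicitly.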
PDCA – Plan Do Check Act
• Iterative four-step management method used in business for the control and continuous improvement of processes and products. AKA Deming circle/cycle/wheel, Shewhart cycle, or as seen in ISO 9001.
http://en.wikipedia.org/wiki/PDCA
Active Defense Method
1. Plan – Plan active defense courses of action based on threat intelligence for each stage of the Threat Actor’s attack; consider both technical and process based mitigations and countermeasures for each layer of the Defender’s cyber defense ecosystem.
2. Do – Implement the intelligence based courses of action to mitigate and counter the Threat Actor’s attack and to increase the defender’s resilience to future attacks by this threat actor.
3. Check – Measure the quality of the threat intelligence and the effectiveness of the mitigations and countermeasures over time.
4. Act – Provide feedback on the quality of the threat intelligence and the effectiveness of the mitigations and countermeasures, and take action to continuously improve the security and resilience of the cyber ecosystem.
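An added example, not the author’s, that models the Plan and Check steps above in Python: the Plan step maps constructed courses of action onto the (stage, layer) cells where intelligence observed the campaign and flags cells with no coverage, with only one measure, or with no process based measure beside the technical one; the Check step measures, per period, how many attempts were stopped and how early in the lifecycle, which is what the Act step feeds back. All cells, courses of action and outcomes are constructed.

```python
from collections import defaultdict

# Lifecycle stages as named on the slides; the index is the order of the attack.
STAGES = ("Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain")

# Constructed: (stage, layer) cells where threat intelligence observed the campaign.
OBSERVED = {("Deliver", "Persona"), ("Exploit", "Software App"),
            ("Control", "Logical"), ("Execute", "Software App"),
            ("Maintain", "Operating System")}

# Constructed courses of action: (stage, layer, "technical" | "process", description).
COURSES_OF_ACTION = [
    ("Deliver", "Persona", "technical", "block the lure sender domain at the mail gateway"),
    ("Deliver", "Persona", "process", "targeted phishing brief for the finance team"),
    ("Exploit", "Software App", "technical", "disable macros in internet-sourced documents"),
    ("Control", "Logical", "technical", "sinkhole the C2 domain at the resolver"),
    ("Control", "Logical", "technical", "alert on any host hitting the sinkhole"),
    ("Maintain", "Operating System", "technical", "alert on new Run-key values"),
    ("Maintain", "Operating System", "process", "weekly persistence review by the SOC"),
]

# Constructed Check data: (period, stage at which the attempt was stopped, or None).
OUTCOMES = [
    ("2014-Q1", "Control"), ("2014-Q1", "Maintain"), ("2014-Q1", None), ("2014-Q1", "Exploit"),
    ("2014-Q2", "Deliver"), ("2014-Q2", "Deliver"), ("2014-Q2", "Exploit"), ("2014-Q2", "Deliver"),
]


def plan_coverage(observed, coas, min_depth=2):
    """Plan: map courses of action onto observed cells and flag cells with no
    coverage, fewer than min_depth measures, or no process based measure."""
    cover = {}
    for stage, layer, kind, desc in coas:
        cover.setdefault((stage, layer), []).append((kind, desc))
    gaps = sorted(c for c in observed if c not in cover)
    thin = sorted(c for c in observed if 0 < len(cover.get(c, ())) < min_depth)
    no_process = sorted(c for c in observed if c in cover
                        and not any(k == "process" for k, _ in cover[c]))
    return {"gaps": gaps, "thin": thin, "no_process": no_process}


def check_effectiveness(outcomes):
    """Check: per period, the share of attempts stopped and the mean lifecycle
    stage index at which they were stopped (lower means stopped earlier)."""
    by_period = defaultdict(list)
    for period, stopped_at in outcomes:
        by_period[period].append(stopped_at)
    result = {}
    for period, stops in sorted(by_period.items()):
        idx = [STAGES.index(s) for s in stops if s is not None]
        result[period] = {
            "attempts": len(stops),
            "stopped_rate": round(len(idx) / len(stops), 2),
            "mean_stop_stage": round(sum(idx) / len(idx), 2) if idx else None,
        }
    return result


def improving(result):
    """Act: feedback signal, True when the latest period stops at least as many
    attempts as the first period, and no later in the lifecycle."""
    periods = sorted(result)
    first, last = result[periods[0]], result[periods[-1]]
    if first["mean_stop_stage"] is None or last["mean_stop_stage"] is None:
        return last["stopped_rate"] > first["stopped_rate"]
    return (last["stopped_rate"] >= first["stopped_rate"]
            and last["mean_stop_stage"] <= first["mean_stop_stage"])
```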
Methods Combined
(Timeline diagram, 2009 to 2015, with the Threat Intelligence Cycle and the Active Defense Cycle repeating across it)
Cyber Ecosystem Attack
Analysis Methodology
(Diagram: the Cyber Ecosystem Attack Analysis diagram repeated, with the same mirrored layers, annotations and lifecycle stages Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain; the Threat Intelligence Cycle is marked on the Offense side and the Active Defense Cycle on the Defense side.)
Benefits
• Takes a more holistic approach by considering the attack across both the Threat Actor’s cyber offense ecosystem and the Defender’s defense ecosystem.
• Enables the Defender to better identify, chain, and track Threat Actors and Campaigns over time.
• Enables a more resilient cyber defense ecosystem by having multiple observable indicators for each stage of attack across different layers of the ecosystem.
• Costs the Threat Actor considerably more to defeat layered, intelligence based mitigations and countermeasures.
Additional Recommendations
• Adopt STIX, TAXII, and CybOX for Threat Intelligence with MAEC, CAPEC, CWE, CVE, CCE extensions. (http://msm.mitre.org)
– Automation
– Interoperability
• Semantic Interoperability
• Technical Interoperability
• Policy Interoperability
http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
Summary
• Following this methodology will reduce the defender’s cost per attack while increasing the threat actor’s cost to overcome
• Based on methods used by many organizations already - OSI Model, OODA Loop, and PDCA cycle
• Maturing from a reactive, passive defense posture to a more proactive, active defense posture
Thank You!
• Please feel free to reach out with any questions or comments.
• You can find me on LinkedIn at: www.linkedin.com/in/shawnriley71/