A Common Cyber Threat Framework - Dni.gov


UNCLASSIFIED
Slide 1: A Common Cyber Threat Framework
A Foundation for Communication
This is a work of the U.S. Government and is not subject to copyright protection in the United States.

Slide 2: We both speak English? (3/13/2017)
US term / UK term:
- Apartment / Flat
- French Fries / Chips
- Elevator / Lift
- Gasoline / Petrol
- Bin / Bin
- Active / Active

Slide 3: What You Need to Know
- Define Cyber Threat Framework
- Recognize the benefits of using standardized language to describe cyber activity and enable consistent categorization
- Understand the Cyber Threat Framework hierarchy and its four layers of information
- Understand how the Cyber Threat Framework can be used to support analysis

Slide 4: Cyber Threat Framework (CTF) Overview
The Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries. The framework captures the adversary life cycle from (a) “PREPARATION” of capabilities and targeting to (b) initial “ENGAGEMENT” with the targets or temporary nonintrusive disruptions by the adversary to (c) establishing and expanding the “PRESENCE” on target networks, to (d) the creation of “EFFECTS and CONSEQUENCES” from theft, manipulation, or disruption. The framework categorizes the activity in increasing “layers” of detail (1-4) as available in the intelligence reporting.

Slide 5: There are many cyber threat models or frameworks – why build another?
- Began as a construct to enhance data-sharing throughout the US Government
- Facilitates efficient situational analysis based on objective (typically, sensor-derived) data
- Provides a simple, yet flexible, collaborative way of characterizing and categorizing activity that supports analysis, senior-level decision making, and cybersecurity
- Offers a common backbone (‘cyber Esperanto’); easier to map unique models to a common standard than to each other
- Facilitates cyber threat trend and gap analysis, and assessment of collection posture

Slide 6: Merging Disparate Data Layers into a Common Framework is a Standard Practice
- Weather – overlaying satellite (clouds), doppler (rain), and thermometer (temperature) data atop a map yields a forecast: “take your umbrella and wear a light coat”
- Air Traffic Control – integrating weather, regional/ground control radars, scheduling data, aircraft/ground handler status to control air traffic: “you are cleared to land”
- In a similar fashion, a cyber threat framework based on measurable data facilitates visualization, analysis, and realization of a Common Operating Picture of threat activity
- It can also be matched with other data layers (e.g., vulnerability, shared connections) to become more actionable

Slide 7: Cyber Threat Framework Evolution
[Diagram: four stacked levels labelled 1) Foundation, 2) (label not recoverable), 3) Presentation, 4) Analysis]
1) Created consensus around a foundation
2) Added context to validate linkages and demonstrate that you could move up and down the framework
3) Developed presentation models
4) Current focus – encompass analytics and automation

Slide 8: Deriving a ‘Best of Breed’ Common [remainder of title not recoverable]
[Diagram: side-by-side comparison of existing models (Lockheed Martin Kill Chain, VERIS Categories of Threat Actions, STIX, NSA 10 Step, ALA, CNE, JCAC Exploitation), with each model's phases (e.g., Reconnaissance, Delivery, Exploitation, Staging, C2, Actions on Objective, Covering tracks, Effect) aligned against the common stages Prepare/Preparation, Engagement, Presence and Effect/Consequence]

Slide 9: Cyber Threat Framework Layer 1
Layer 1 – Stages: the progression of cyber threat actions over time to achieve objectives.
- Preparation and Engagement: external actions, “Left of Intrusion”, pre-execution actions
- Presence and Effect/Consequence: internal actions, “Right of Intrusion”, operational actions
Properties of the framework:
- Threat activity based on measurable/observable actions
- Every victim and all reported activity accounted for
- Layered data hierarchy providing activity traceability

Slide 10: CTF Layer 1 Definition – Preparation
Activities undertaken by a threat actor, their leadership and/or sponsor to prepare for conducting malicious cyber activities, e.g., establishing governance and articulating intent, objectives, and strategy; identifying potential victims and attack vectors; securing resources and developing capabilities; assessing the intended victim's cyber environment; and defining measures for evaluating the success or failure of threat activities.

Slide 11: CTF Layer 1 Definition – Engagement
Threat actor activities taken prior to gaining, but with the intent to gain, unauthorized access to the intended victim's physical or virtual computer or information system(s), network(s), and/or data stores.

Slide 12: CTF Layer 1 Definition – Presence
Actions taken by the threat actor once unauthorized access to the victim(s)' physical or virtual computer or information system has been achieved that establish and maintain conditions or allow the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network and/or data stores.

Slide 13: CTF Layer 1 Definition – Effect/Consequence
Outcomes of threat actor actions on a victim's physical or virtual computer or information system(s), network(s), and/or data stores.

Slide 14: Cyber Threat Framework (v4) Layer 2 Details
Layer 1 – Stages: the progression of cyber threat actions over time to achieve objectives. Preparation and Engagement are external, “Left of Intrusion”, pre-execution actions; Presence and Effect/Consequence are internal, “Right of Intrusion”, operational actions.
Layer 2 – Objectives: the purpose of conducting an action or a series of actions, grouped under each stage:
- Preparation: Plan activity; Conduct research & analysis; Develop resources & capabilities; Acquire victim specific knowledge; Complete preparations
- Engagement: Deploy capability; Interact with intended victim; Exploit vulnerabilities; Deliver malicious capability
- Presence: Establish controlled access; Hide; Expand presence; Refine focus of activity; Establish persistence
- Effect/Consequence: Enable other operations; Deny access; Extract data; Alter data and/or computer, network or system behavior; Destroy HW/SW/data
Layer 3 – Actions: actions and associated resources used by a threat actor to satisfy an objective.
Layer 4 – Indicators: discrete cyber threat intelligence data.

Slide 15: Cyber Threat Framework (v4) Layer 3 Exemplars
Same Layer 1 stage / Layer 2 objective table as slide 14, with Layer 3 (Actions: actions and associated resources used by a threat actor to satisfy an objective) illustrated by exemplar actions placed under the stage columns:
- Dedicate resources
- Create capabilities
- Establish partnerships
- Persuade people to act on the threat actor's behalf (e.g., conduct social engineering)
- Obtain a legitimate user account
- Increase user privileges
- Move laterally
- Establish command and control node
- Establish hop point
- Add victim system capabilities to botnet
- Exfiltrate passwords, credentials

Slide 16: Cyber Threat Framework (v4) Layer 4 Exemplar
Same Layer 1 stage / Layer 2 objective table as slide 14. Layer 3 exemplar actions shown under Preparation: Dedicate resources; Create capabilities; Establish partnerships. These are representative Actions that can contribute to achieving the Layer 2 Objectives.
Layer 4 – Indicators (discrete cyber threat intelligence data), exemplar: “Company XXX reported to have created Malware QQ”. This is a simple example of the multitude of potential Indicators of threat actor Actions.

Slide 17: Consumer Needs Dictate Perspective and Content
- The foundation, based on empirical data, is the common reference point for all subsequent views
  – The consumer provides the focus by defining the view and/or adjusting the type of content (actor, activity, targeted sector, and victim)
  – The consumer defines the required granularity in each view but can “drill down” to see the underlying detail as desired
- The framework is applicable to a range of threat actors, activity, targeted sectors, and victims

Slide 18: Analysis
- Depending on the information selected and its presentation, one can begin to conduct a variety of analysis:
  – Trends – change over time; what caused the change
  – Predictive – what’s next
  – Environmental – was the threat different than expected; what vulnerabilities were missed; how to optimize remedial action
  – Vulnerability – risk analysis
  – Defensive posture

Slide 19: Cyber Threat Activity – CTF Layer 1 Stages Exemplar
[Bar charts: number of reported events for Threat Actor A through Threat Actor H in each Layer 1 stage (Preparation, Engagement, Presence, Effect/Consequence). Reporting Period: January – March 2016]

Slide 20: CTF Layer 2 Exemplar
[Charts: “Threat Events by Sector” and “Layer 2 Incidents”, broken down by sector: Chemical, Pharmaceutical; Commercial Facilities; Communications, Media; Critical Manufacturing; Dams; Defense Industry; Emergency Services; Energy; Finance, Investment, Trade; Food, Agriculture; Government Facilities; Healthcare, Public Health; Information Technology; Nuclear Reactors, Material, Waste; Other Domestic; Other Government (includes DoD); Transportation Systems; Water & Wastewater]

Slide 21: CTF (v4) Layer 2 Objectives Exemplar
[Matrix: rows are the Layer 2 objectives grouped by Layer 1 stage (Preparation: Plan activity; Conduct research & analysis; Develop resources & capabilities; Acquire victim specific knowledge; Complete preparations. Engagement: Interact with intended victim; Exploit vulnerabilities; Deliver malicious capability. Presence: Establish controlled access; Hide; Expand presence; Refine focus of activity; Establish persistence. Effect/Consequence: Enable other operations; Deny Access; Extract data; Alter data and/or computer, network or system behavior; Destroy HW/SW/data); columns are Threat Actor A through Threat Actor H; cells mark which objectives each actor's reported activity satisfied]
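As an added illustration (not part of the deck), the following Python encodes the stage/objective hierarchy from slides 14 and 21, rolls tagged report records up to the per-actor Layer 1 view of slide 19, and supports the consumer “drill down” of slide 17. The report records and indicator strings are constructed sample data; the stage-to-objective mapping follows the slide table.

```python
from collections import Counter, defaultdict

# Layer 1 stages and their Layer 2 objectives, as laid out in the CTF v4 slide table.
CTF_LAYER2 = {
    "Preparation": ["Plan activity", "Conduct research & analysis",
                    "Develop resources & capabilities",
                    "Acquire victim specific knowledge", "Complete preparations"],
    "Engagement": ["Deploy capability", "Interact with intended victim",
                   "Exploit vulnerabilities", "Deliver malicious capability"],
    "Presence": ["Establish controlled access", "Hide", "Expand presence",
                 "Refine focus of activity", "Establish persistence"],
    "Effect/Consequence": ["Enable other operations", "Deny access", "Extract data",
                           "Alter data and/or computer, network or system behavior",
                           "Destroy HW/SW/data"],
}
# Reverse index: each objective must belong to exactly one stage (traceability).
STAGE_OF = {obj: stage for stage, objs in CTF_LAYER2.items() for obj in objs}
assert len(STAGE_OF) == sum(len(o) for o in CTF_LAYER2.values())

# Constructed sample reports (not from the deck): actor, Layer 2 objective,
# Layer 3 action, Layer 4 indicator. The actions are the deck's exemplars.
REPORTS = [
    ("Threat Actor A", "Develop resources & capabilities", "Create capabilities",
     "Company XXX reported to have created Malware QQ"),
    ("Threat Actor A", "Interact with intended victim",
     "Persuade people to act on the threat actor's behalf", "lure reported by recipient"),
    ("Threat Actor A", "Expand presence", "Move laterally", "burst of remote logons"),
    ("Threat Actor B", "Extract data", "Exfiltrate passwords, credentials",
     "large outbound transfer to an unknown host"),
    ("Threat Actor B", "Establish persistence", "Establish command and control node",
     "periodic beacon every 60 s"),
]

def roll_up(reports):
    """Per-actor count of reports in each Layer 1 stage (the slide 19 view).
    A report whose objective is outside the framework is rejected rather than
    silently dropped, so every counted event stays traceable to Layer 2."""
    counts = defaultdict(Counter)
    for actor, objective, _action, _indicator in reports:
        if objective not in STAGE_OF:
            raise ValueError(f"unknown Layer 2 objective: {objective!r}")
        counts[actor][STAGE_OF[objective]] += 1
    return {actor: dict(c) for actor, c in counts.items()}

def drill_down(reports, actor, stage):
    """Consumer drill-down (slide 17): from one Layer 1 cell back to the
    Layer 2/3/4 detail behind it."""
    return [(obj, act, ind) for a, obj, act, ind in reports
            if a == actor and STAGE_OF.get(obj) == stage]
```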

Slide 22: Summary
- The Cyber Threat Framework supports the characterization and categorization of cyber threat information through the use of standardized language.
- The Cyber Threat Framework categorizes the activity in increasing “layers” of detail (1-4) as available in the intelligence reporting.
- The Cyber Threat Framework can be used to support analysis.

Slide 23: Questions?
