Cyber Threat Framework (Version 4) Translating Cyber Into .

UNCLASSIFIEDCyber Threat Framework (Version 4)Translating Cyber into EnglishThis is a work of the U.S. Government and is not subject to copyright protection in the United States.

UNCLASSIFEDWe both speak English? 1/30/2017ApartmentFrench FriesElevatorGasolineSoccerCookie ODNI Public Affairs OfficeFlatChipsLiftPetrolFootballBiscuit2

UNCLASSIFEDWhat You Need to Know Define Cyber Threat Framework Recognize the benefits of using standardized language todescribe cyber activity and enable consistent categorization Understand the Cyber Threat Framework hierarchy and itsfour layers of information Understand how the Cyber Threat Framework can be used tosupport analysis1/30/2017ODNI Public Affairs Office3

UNCLASSIFEDCyber Threat Framework (CTF) OverviewThe Cyber Threat Framework was developed by the US Government toenable consistent characterization and categorization of cyber threat events,and to identify trends or changes in the activities of cyber adversaries. Theframework captures the adversary life cycle from (a) “PREPARATION” ofcapabilities and targeting to (b) initial “ENGAGEMENT” with the targets ortemporary nonintrusive disruptions by the adversary to (c) establishing andexpanding the “PRESENCE” on target networks, to (d) the creation of“EFFECTS and CONSEQUENCES” from theft, manipulation, or disruption. Theframework categorizes the activity in increasing “layers” of detail (1- 4) asavailable in the intelligence reporting.1/30/2017ODNI Public Affairs Office4

UNCLASSIFEDThere are many cyber threat models orframeworks – why build another? Began as a construct to enhance data-sharing throughout the USGovernment Facilitates efficient situational analysis based on objective (typically,sensor-derived) data Provides a simple, yet flexible, collaborative way of characterizing andcategorizing activity that supports analysis, senior-level decision making,and cybersecurity Offers a common backbone (‘cyber Esperanto’); easier to map uniquemodels to a common standard than to each other Facilitates cyber threat trend and gap analysis, and assessment ofcollection posture1/30/2017ODNI Public Affairs Office5

UNCLASSIFEDMerging Disparate Data Layers into a CommonFramework is a Standard Practice Weather – overlaying satellite (clouds), doppler (rain), and thermometer(temperature) data atop a map yields a forecast: “take your umbrella andwear a light coat” Air Traffic Control – integrating weather, regional/ground control radars,scheduling data, aircraft/ground handler status to control air traffic: “youare cleared to land” In a similar fashion, a cyber threat framework based on measurable datafacilitates visualization, analysis, and realization of a Common OperatingPicture of threat activity It can also be matched with other data layers (e.g., vulnerability, sharedconnections) to become more actionable1/30/2017ODNI Public Affairs Office6

UNCLASSIFEDCyber Threat Framework Evolution3) Presentation2) ence1) Foundation4) Analysis1) Created consensus around a foundation2) Added context to validate linkages and demonstrate that you could move upand down the framework3) Developed presentation models4) Current focus – encompass analytics and automation1/30/2017ODNI Public Affairs Office7

UNCLASSIFEDDeriving a ‘Best of Breed’ Common pmentIntentIntentTarget verCompromiseDeliveryEnvironmental ageAdministrationDeny AccessDetectionavoidanceExtract DataStagingPrepare1/30/2017Maintain/expandTarget accessReconnaissanceAdministerFoot printingEffect/ConsequenceEstablish/modifyNetwork iveryStagingDevelopmentPresenceGain ationPhysical sODNI Public Affairs OfficeC2EffectSTIXTMEffectNSA 10 StepEffectALAEffectsCNEActions on ObjectiveErrorCoveringtracksLockheed MartinKill Chain VERIS Categories of Threat ActionsCreatingBackdoorsJCAC Exploitation8

UNCLASSIFEDCyber Threat Framework Layer 1External actions“Left of Intrusion”Pre-execution actionsThe progression of cyberthreat actions over timeto achieve objectivesStagesPreparationInternal actions“Right of Intrusion”Operational actionsEngagementLayer 1PresenceEffect/ConsequenceLayer 2 Threat activity based on measurable/observable actions Every victim and all reported activity accounted for Layered data hierarchy providing activity traceability1/30/2017ODNI Public Affairs Office9

UNCLASSIFEDCTF Layer 1 Definition – PreparationPreparation1/30/2017 Activities undertaken by a threatactor, their leadership and/orsponsor to prepare forconducting malicious cyberactivities, e.g., establishgovernance and articulatingintent, objectives, and strategy;identify potential victims andattack vectors; securing resourcesand develop capabilities; assessintended victim's cyberenvironment; and definemeasures for evaluating thesuccess or failure of threatactivities.ODNI Public Affairs Office10

UNCLASSIFEDCTF Layer 1 Definition – EngagementEngagement1/30/2017 Threat actor activities taken priorto gaining but with the intent togain unauthorized access to theintended victim's physical orvirtual computer or informationsystem(s), network(s), and/ordata stores.ODNI Public Affairs Office11

UNCLASSIFEDCTF Layer 1 Definition – PresencePresence1/30/2017 Actions taken by the threat actoronce unauthorized access tovictim(s)' physical or virtualcomputer or information systemhas been achieved thatestablishes and maintainsconditions or allows the threatactor to perform intended actionsor operate at will against the hostphysical or virtual computer orinformation system, networkand/or data stores.ODNI Public Affairs Office12

UNCLASSIFEDCTF Layer 1 Definition – Effect/Consequence Outcomes of threat actor actionson a victim's physical or virtualcomputer or informationsystem(s), network(s), and/ordata stores.Effect/Consequence1/30/2017ODNI Public Affairs Office13

UNCLASSIFEDCyber Threat Framework (v4) Layer 2 DetailsExternal actions“Left of Intrusion”Pre-execution actionsThe progression of cyberthreat actions over timeto achieve objectivesStagesPreparationInternal actions“Right of Intrusion”Operational actionsLayer 1EngagementPresenceEffect/ConsequenceLayer 2Plan activityConduct research &analysisThe purpose ofconducting an actionor a series of actionsObjectivesDeploy capabilityEstablish controlledaccessInteract withintended victimHideDevelop resources &capabilitiesAcquire victimspecific knowledgeCompletepreparationsExpand presenceExploitvulnerabilitiesDeliver maliciouscapabilityEnable other operationsDeny accessExtract dataRefine focus ofactivityAlter computer, networkor system behaviorEstablish persistenceDestroy HW/SW/dataLayer 3Actions and associatedresources used by anthreat actor to satisfyan objectiveDiscrete cyberthreat intelligencedata1/30/2017ActionsLayer 4IndicatorsODNI Public Affairs Office14

UNCLASSIFEDCyber Threat Framework (v4) Layer 3 ExemplarsPre-execution actionsThe progression of cyberthreat actions over timeto achieve objectivesStagesPreparationOperational actionsLayer 1EngagementPresenceEffect/ConsequenceLayer 2Plan activityConduct research &analysisThe purpose ofconducting an actionor a series of actionsObjectivesDeploy capabilityEstablish controlledaccessInteract withintended victimHideDevelop resources &capabilitiesAcquire victimspecific knowledgeCompletepreparationsExpand presenceExploitvulnerabilitiesDeliver maliciouscapabilityEnable other operationsDeny accessExtract dataRefine focus ofactivityAlter computer, networkor system behaviorEstablish persistenceDestroy HW/SW/dataLayer 3Actions and associatedresources used by anthreat actor to satisfyan objective1/30/2017Actions Dedicateresources Create capabilities Establishpartnerships Persuade peopleto act on thethreat actorsbehalf (e.g.,conduct socialengineering) Obtain alegitimate useraccountODNI Public Affairs Office Increase userprivileges Move laterally Establish commandand control node Establish hop point Add victim systemcapabilities to botnet Exfiltrate passwords,credentials15

UNCLASSIFEDCyber Threat Framework (v4) Layer 4 ExemplarExternal actions“Left of Intrusion”Pre-execution actionsThe progression of cyberthreat actions over timeto achieve objectivesStagesPreparationInternal actions“Right of Intrusion”Operational actionsLayer 1EngagementPresenceEffect/ConsequenceLayer 2Plan activityConduct research &analysisThe purpose ofconducting an actionor a series of actionsObjectivesDeploy capabilityEstablish controlledaccessInteract withintended victimHideDevelop resources &capabilitiesAcquire victimspecific knowledgeCompletepreparationsExpand presenceExploitvulnerabilitiesDeliver maliciouscapabilityEnable other operationsDeny accessExtract dataRefine focus ofactivityAlter computer, networkor system behaviorEstablish persistenceDestroy HW/SW/dataLayer 3Actions and associatedresources used by anthreat actor to satisfyan objectiveActions Dedicateresources Create capabilities EstablishpartnershipsThese are representative Actions that cancontribute to achieving the Layer 2 Objectives.Layer 4Discrete cyberthreat intelligencedata1/30/2017IndicatorsCompany XXXreported to havecreated Malware QQThis is a simple example of the multitude ofpotential Indicators of threat actor Actions.ODNI Public Affairs Office16

UNCLASSIFEDConsumer Needs Dictate Perspective and Content The foundation, based on empirical data, is the commonreference point for all subsequent views– The consumer provides the focus by defining the view and/or adjustingthe type of content (actor, activity, targeted sector, and victim)– The consumer defines the required granularity in each view but can“drill down” to see the underlying detail as desired The framework is applicable to a range of threat actors,activity, targeted sectors, and victims1/30/2017ODNI Public Affairs Office17

UNCLASSIFEDAnalysis Depending on the information selected and its presentation,one can begin to conduct a variety of analysis:– Trends – change over time What caused the change– Predictive – what’s next– Environmental Was the threat different than expected What vulnerabilities were missed How to optimize remedial action– Vulnerability – risk analysis– Defensive posture1/30/2017ODNI Public Affairs Office18

eEffect/ConsequenceCyber Threat Activity – CTF Layer 1 Stages ExemplarThreat actorThreat Actor AThreat Actor BThreat Actor CThreat Actor DThreat Actor EThreat Actor FThreat Actor GThreat Actor H0123456Preparation7890246810 02Engagement46Presence810 0123456Effect/ConsequenceReporting Period: January – March 20161/30/2017ODNI Public Affairs Office19

UNCLASSIFEDCTF (v4) Layer 2 Objectives ExemplarThreat actorLayer 2ObjectivesLayer 1StagesThreatActor AThreatActor BThreatActor CThreatActor DThreatActor EThreatActor FThreatActor GThreatActor HPreparationDevelop capabilityPresenceConduct research & analysisEngagementPlan activityDevelop resources & capabilitiesAcquire victim specific knowledgeComplete preparationsInteract with intended victimExploit vulnerabilitiesDeliver malicious capabilityEstablish controlled accessHideExpand presenceRefine focus of activityEffect/ConsequenceEstablish persistenceEnable other operationsDeny AccessExtract dataAlter/manipulate computer, networkor system behaviorDestroy HW/SW/data1/30/2017ODNI Public Affairs Office20

UNCLASSIFEDSummary The Cyber Threat Framework supports the characterizationand categorization of cyber threat information through theuse of standardized language. The Cyber Threat Framework categorizes the activity inincreasing “layers” of detail (1- 4) as available in theintelligence reporting. The Cyber Threat Framework can be used to support analysis1/30/2017ODNI Public Affairs Office21

UNCLASSIFEDQuestions?1/30/2017ODNI Public Affairs Office22

The Cyber Threat Framework supports the characterization and categorization of cyber threat information through the use of standardized language. The Cyber Threat Framework categorizes the activity in increasing “layers” of detail (1- 4) as available in the intelligence reporting.