Sandia offers framework for characterizing cyber threats
Many organizations have fallen into the practice of creating and sharing lists of cyber threats, or malevolent actors. But few can describe those threats, and even fewer have established a way to measure them meaningfully, say the authors of a March report (.pdf) from Sandia National Laboratories.
"Good threat measurement supports good risk management...Unfortunately, the practice of defining and applying good threat metrics remains immature," finds the report, which was obtained by the Federation of American Scientists and published to Secrecy News May 8.
The cyber domain resists easy measurement and "in some cases, appears to defy any measurement," the authors note. Despite this challenge, the report offers models and metrics for characterizing cyber threats.
The report uses what it calls a "generic threat matrix" as a threat model for ordering relevant metrics.
"The generic threat matrix enables government entities and intelligence organizations to categorize threats into a common vocabulary," say authors. In turn, this allows analysts to "identify potential attack paths that could be supported by the asserted capability" and "identify proper mitigation," says the report.
In the matrix, the columns describe possible attributes of a threat, while the rows define the threat's ability to act upon each attribute, the authors explain.
The report recommends that analysts look at two families of threat attributes: "commitment," or willingness to act, and "resources," which is the threat's actual ability to act. The Sandia team's suggestion to consider commitment and resources differs from MITRE's Cyber Prep Methodology, which looks at three categories (capability, intent and targeting) when characterizing threats.
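The matrix structure described above, as an added illustration constructed for this page and not code from the Sandia report: attribute names, the number of threat levels and every cell value are assumed, and only the column/row layout and the two attribute families follow the report.

```python
"""Constructed illustration of the "generic threat matrix" the report describes: columns
are threat attributes grouped into two families (commitment, resources), rows are
threat levels, and each cell is the minimum rating a threat must show on that attribute
to sit at that level. Attribute names, level count and cell values are assumed."""

# Shared ordinal scale: a higher rating means more committed or better resourced.
RATING = {"low": 1, "medium": 2, "high": 3}

# Attribute families, grouped the way the report groups them (names assumed).
COMMITMENT = ("intensity", "stealth", "time")      # willingness to act
RESOURCES = ("personnel", "knowledge", "access")   # actual ability to act
ATTRIBUTES = COMMITMENT + RESOURCES

# Threat matrix: level -> minimum rating per attribute. Level 1 is the most
# capable threat and level 4 the least; all values are constructed.
MATRIX = {
    1: dict(intensity=3, stealth=3, time=3, personnel=3, knowledge=3, access=3),
    2: dict(intensity=3, stealth=2, time=2, personnel=2, knowledge=3, access=2),
    3: dict(intensity=2, stealth=2, time=1, personnel=1, knowledge=2, access=1),
    4: dict(intensity=1, stealth=1, time=1, personnel=1, knowledge=1, access=1),
}

def classify(profile):
    """Place a profile ({attribute: "low"|"medium"|"high"}) at the most capable
    level whose minimums it meets. Also return the attributes (with the rating
    they would need) that kept it out of the next more capable level, so an
    analyst can see which commitment or resource gap bounds the threat."""
    missing = [a for a in ATTRIBUTES if a not in profile]
    if missing:
        raise ValueError(f"profile lacks attributes: {missing}")
    ratings = {a: RATING[profile[a]] for a in ATTRIBUTES}
    unmet_above = {}
    for level in sorted(MATRIX):  # level 1 (most capable) is checked first
        unmet = {a: MATRIX[level][a] for a in ATTRIBUTES if ratings[a] < MATRIX[level][a]}
        if not unmet:
            return level, unmet_above
        unmet_above = unmet
    raise ValueError("profile meets no level; the lowest row should accept any profile")

def family_summary(profile):
    """Average rating per family: the two-axis (commitment, resources) view."""
    return {
        "commitment": sum(RATING[profile[a]] for a in COMMITMENT) / len(COMMITMENT),
        "resources": sum(RATING[profile[a]] for a in RESOURCES) / len(RESOURCES),
    }

# Constructed sample profile: well resourced, but not fully persistent or stealthy.
SAMPLE = dict(intensity="high", stealth="medium", time="medium",
              personnel="medium", knowledge="high", access="medium")
```

Calling `classify(SAMPLE)` places the sample at level 2 and reports stealth, time, personnel and access as the attributes that would each need a "high" rating before it could be placed at level 1.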
"The generic threat matrix is a useful threat model. It does not, however, capture all possible threat metrics," say report authors.
Other threat information may be needed to supplement the matrix and provide a closer look at certain characteristics. Additional sources of threat information include incident data, threat multipliers, attack vectors, target characteristics, attack trees and attack frequency, the authors say.
The matrix could inform the operational threat assessment methodology the Homeland Security Department will use to provide an unclassified estimate of current threats acting on agency and department systems, as part of DHS's Federal Network Security program, say authors.
Report authors also say that further research on threat observation is needed, especially a study of how novice threat analysts and experienced intelligence analysts categorize threat information.
- download SAND2012-2427 (.pdf)