OCR of the Document

View the Document >>

Office of the Director of National Intelligence, Cyber Threat Framework (How to Use), Version 4, April 2017. Unclassified.

UNCLASSIFIED Cyber Threat Framework version 4 How to Use This is a work of the U S Government and is not subject to copyright protection in the United States UNCLASSIFED What You Need to Know o Recognize and understand how to interpret data tagged to the Cyber Threat Framework CTF o Understand how to tag reporting to the Cyber Threat Framework o Understand how CTF-tagged reporting can be used in analysis 1 30 2017 ODNI Public Affairs Office 2 UNCLASSIFED Cyber Threat Framework CTF Overview The Cyber Threat Framework was developed by the US Government to enable consistent categorization and characterization of cyber threat events and to identify trends or changes in the activities of cyber adversaries The framework captures the adversary life cycle from a PREPARATION of capabilities and targeting to b initial ENGAGEMENT with the targets or temporary nonintrusive disruptions by the adversary to c establishing and expanding the PRESENCE on target networks to d the creation of EFFECTS and CONSEQUENCES from theft manipulation or disruption The framework categorizes the activity in increasing layers of detail 1- 4 as available in the intelligence reporting 1 30 2017 ODNI Public Affairs Office 3 UNCLASSIFED Cyber Threat Framework v4 Layers 1 and 2 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations 1 30 2017 Deploy capability Expand presence Exploit vulnerabilities Deliver malicious capability ODNI Public Affairs Office Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data 4 UNCLASSIFED Cyber Threat Framework v4 Layer 3 Exemplars Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective 1 30 2017 Actions o Dedicate resources o Create capabilities o Establish partnerships o Persuade people to act on the threat actors behalf e g conduct social engineering o Obtain a legitimate user account ODNI Public Affairs Office o Increase user privileges o Move laterally o Establish command and control node o Establish hop point o Add victim system capabilities to botnet o Exfiltrate passwords credentials 5 UNCLASSIFED Cyber Threat Framework v4 Layer 4 Exemplar External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective Actions o Dedicate resources o Create capabilities o Establish partnerships These are representative Actions that can contribute to achieving the Layer 2 Objectives Layer 4 Discrete cyber threat intelligence data 1 30 2017 Indicators Company XXX reported to have created Malware QQ This is a simple example of the multitude of potential Indicators of threat actor Actions ODNI Public Affairs Office 6 Cyber Threat Framework Representations o The Cyber Threat Framework's presentation can be adjusted to include only the information of most interest to an intended audience Executive Executive Tactical Tactical 1 30 2017 ODNI Public Affairs Office 7 Reading the Framework o Products tagged to the Cyber Threat Framework may represented in a variety of ways on products Presented layers can be adjusted to fit the intended audience 1 30 2017 ODNI Public Affairs Office Example 1 U Cyber Threat Framework Layer 1 Layer 2 Preparation N A Engagement Deliver Payload Presence N A Effect Consequence N A Example 2 U Cyber Threat Framework Example 3 Layer 1 Engagement Layer 2 Deliver Payload U Cyber Threat Framework Layer 1 Stages Layer 2 Objectives Layer 3 Actions Layer 4 Indicators 8 UNCLASSIFED Tagging Information to the Cyber Threat Framework Tools to help you o Cyber Threat Framework one page overview o Cyber Threat Framework Lexicon outline o Cyber Threat Framework Lexicon 1 30 2017 ODNI Public Affairs Office 9 UNCLASSIFED Cyber Threat Framework v4 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 This one page outline can help identify layer 1 or layer 2 category of reported information The purpose of conducting an action or a series of actions Objectives Plan activity Conduct research analysis Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective Discrete cyber threat intelligence data 1 30 2017 Actions Layer 4 Indicators ODNI Public Affairs Office 10 Cyber Threat Framework v4 Lexicon Outline o The outline provides a multilayer view of a segment of the entire framework Enable other activities Deny access Disrupt degrade communication links Conduct Denial of Service DoS and or Distributed Denial of Service DDoS attack Disrupt degrade the network Execute ransomware Extract data Relocate and store data on victim's computer information system s network s and or data stores Exfiltrate data information Alter computer network and or system behavior Change process run-state on victim system s Change decisions Change machine-to-machine MtM communications Destroy hardware software data 1 30 2017 ODNI Public Affairs Office 11 Cyber Threat Framework v4 Lexicon Includes definitions of exemplar terms to aid in accurate data classification as a living document the number of terms will increase based on user input 1 30 2017 ODNI Public Affairs Office 12 UNCLASSIFED Sample Report #1 o According to a local report last year over 120 million personnel files were electronically exfiltrated by an identified nation state cyber actor 1 30 2017 ODNI Public Affairs Office 13 UNCLASSIFED Sample Report #1 Highlighted o According to a local report last year over 120 million personnel files were electronically exfiltrated by an identified nation state cyber actor 1 30 2017 ODNI Public Affairs Office 14 UNCLASSIFED Sample Report #1 Tagged to Layer 1 and 2 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Engagement Layer 1 Presence Effect Consequence Layer 2 Plan activity Deploy capability Establish initial control Interact with target Hide Conduct research analysis The purpose of conducting an action or a series of actions Objectives Develop resources capabilities Enable other operations Deny access Extract data Expand presence Conduct reconnaissance Exploit vulnerabilities Stage operational tools capabilities Initiate operations Deliver payload Refine targeting Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective 1 30 2017 Actions According to a local report last year over 120 million personnel files were exfiltrated by an identified nation state cyber actor ODNI Public Affairs Office 15 UNCLASSIFED Sample Report #1 Tagged to Layers 1 2 and 3 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective 1 30 2017 Actions According to a local report last year over 120 million personnel files were exfiltrated by an identified nation state cyber actor ODNI Public Affairs Office o o Relocate and store data Exfiltrate data information 16 UNCLASSIFED Sample Report #2 o Recent reporting indicates suspected cyber actors working on behalf of country X are planning a possible spearphishing campaign against the US Government with the goal of gaining access to personnel records 1 30 2017 ODNI Public Affairs Office 17 UNCLASSIFED Sample Report #2 Highlighted o Recent reporting indicates suspected cyber actors working on behalf of country X are planning a possible spearphishing campaign against the US Government with the goal of gaining access to personnel records 1 30 2017 ODNI Public Affairs Office 18 UNCLASSIFED Sample Report #2 Tagged to Layers 1 and 2 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective 1 30 2017 Actions suspected cyber actors working on behalf of country X are planning a possible spearphishing campaign with the goal of gaining access to personnel records ODNI Public Affairs Office 19 UNCLASSIFED Sample Report #2 Tagged to Layers 1 2 and 3 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Internal actions Right of Intrusion Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective Actions o o o 1 30 2017 Identify intended target s Outline where how to conduct the activity Establish timeline for activity suspected cyber actors working on behalf of country X are planning a possible spearphishing campaign with the goal of gaining access to personnel records ODNI Public Affairs Office 20 UNCLASSIFED Sample Report #2 Tagged to Layers 1 2 and 3 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete Preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective Actions o o o o 1 30 2017 Identify intended target s Outline where how to conduct the activity Establish timeline for activity Establish strategy suspected cyber actors working on behalf of country X are planning a possible spearphishing campaign with the goal of gaining access to personnel records Each of the Layer 3 Actions contains a number of embedded actions this is but one example ODNI Public Affairs Office 21 UNCLASSIFED Sample Report #3 o Hackers attacked a self-driving car bringing the car to a complete stop Investigation showed that the hackers targeted the laser ranging system spoofed thousands of objects and overwhelmed the system's ability to process information 1 30 2017 ODNI Public Affairs Office 22 UNCLASSIFED Sample Report #3 Highlighted o Hackers attacked a self-driving car bringing the car to a complete stop Investigation showed that the hackers targeted the laser ranging system spoofed thousands of objects and overwhelmed the system's ability to process information The framework allows the user to capture all activity surrounding an event Assuming this was a cyber event there are two activities the first was when the car stopped the second determined through subsequent forensic analysis was the specific targeting of the laser ranging system Both actions should be recorded The user must determine how to link the two activities to the single event 1 30 2017 ODNI Public Affairs Office 23 UNCLASSIFED Sample Report #3 Fact 1 Tagged to Layers 1 and 2 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective 1 30 2017 Actions The car stopped ODNI Public Affairs Office 24 UNCLASSIFED Sample Report #3 Fact 1 Tagged to Layers 1 2 and 3 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective 1 30 2017 Actions The car stopped ODNI Public Affairs Office Steps taken by a threat actor to alter the operation of the victim information system o o o o Disrupt degrade communications links DDos Disrupt degrade the network Execute ransomware 25 UNCLASSIFED Sample Report #3 Fact 2 Tagged to Layers 1 2 and 3 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective 1 30 2017 Actions Spoofed thousands of objects and overwhelmed the laser ranging system's ability to process information ODNI Public Affairs Office Steps taken by a threat actor that prevents access to a telecommunications system o o o o Disrupt degrade communications links DDos Disrupt degrade the network Execute ransomware 26 UNCLASSIFED Sample Report #3 Fact 2 Tagged to Layer 4 External actions Left of Intrusion Pre-execution actions The progression of cyber threat actions over time to achieve objectives Stages Preparation Internal actions Right of Intrusion Operational actions Layer 1 Engagement Presence Effect Consequence Layer 2 Plan activity Conduct research analysis The purpose of conducting an action or a series of actions Objectives Deploy capability Establish controlled access Interact with intended victim Hide Develop resources capabilities Acquire victim specific knowledge Complete preparations Expand presence Exploit vulnerabilities Deliver malicious capability Enable other operations Deny access Extract data Refine focus of activity Alter computer network or system behavior Establish persistence Destroy HW SW data Layer 3 Actions and associated resources used by an threat actor to satisfy an objective Discrete cyber threat intelligence data 1 30 2017 Actions Indicators Spoofed thousands of objects and overwhelmed the laser ranging system's ability to process information ODNI Public Affairs Office Steps taken by a threat actor that prevents access to a telecommunications system DDoS Layer 4 Program used to spoof the laser ranging system 27 UNCLASSIFED Analysis o Depending on the information selected and its presentation one can begin to conduct a variety of analysis - Trends - change over time o What caused the change - Predictive - what's next - Environmental o Was the threat different than expected o What vulnerabilities were missed o How to optimize remedial action - Vulnerability - risk analysis - Defensive posture 1 30 2017 ODNI Public Affairs Office 28 UNCLASSIFED Threat Actor Preparation Engagement Presence Effect Consequence Cyber Threat Activity - CTF Layer 1 Stages Exemplar Threat actor Threat Actor A Threat Actor B Threat Actor C Threat Actor D Threat Actor E Threat Actor F Threat Actor G Threat Actor H 0 1 2 3 4 5 6 Preparation 7 8 90 2 4 6 8 10 0 2 Engagement 4 6 Presence 8 10 0 1 2 3 4 5 6 Effect Consequence Reporting Period January - March 2016 1 30 2017 ODNI Public Affairs Office 29 UNCLASSIFED CTF v4 Layer 2 Objectives Exemplar Threat actor Layer 2 Objectives Layer 1 Stages Threat Actor A Threat Actor B Threat Actor C Threat Actor D Threat Actor E Threat Actor F Threat Actor G Threat Actor H Preparation Develop capability Presence Conduct research analysis Engagement Plan activity Develop resources capabilities Acquire victim specific knowledge Complete preparations Interact with intended victim Exploit vulnerabilities Deliver malicious capability Establish controlled access Hide Expand presence Refine focus of activity Effect Consequence Establish persistence Enable other operations Deny Access Extract data Alter manipulate computer network or system behavior Destroy HW SW data 1 30 2017 ODNI Public Affairs Office 30 UNCLASSIFED Trend Analysis - Threat Activity Over Time Level 2 Cyber Threat Activity by Threat Actor Report Date and Country of Threat Origin Reporting Period Jan - Apr 2015 January Country A Country B Country Country C D February Country Country Country A B C Country E March Country Country F G Country B Country D Country E April Country Country G B Country C Country G Threat Actor A Threat Actor B Threat Actor C Threat Actor D Threat Actor E Threat Actor F Threat Actor G Threat Actor H 1 30 2017 ODNI Public Affairs Office 31 UNCLASSIFED Summary o The Cyber Threat Framework can be represented in a variety of products tailored to a specific audience o Important to understand how tagging cyber threat information to the Cyber Threat Framework works o Cyber Threat Framework-tagged reporting can be used to produce insightful consistent analysis from a variety of information sources 1 30 2017 ODNI Public Affairs Office 32 x UNCLASSIFED DFFIGE UP THE DIRECTOR DE NATIDNAL INTELLIGENCE INTELLIGENCE INTEGRATION Questions 1 30 2017 ODNI Public Affairs Office 33                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu