UNCLASSIFIED

A Common Cyber Threat Framework: A Foundation for Communication

This is a work of the U.S. Government and is not subject to copyright protection in the United States.

3/13/2017

With So Many Cyber Threat Models or Frameworks, Why Build Another?

[Figure: a collage of stage and action vocabulary drawn from existing models, including the Lockheed Martin Kill Chain (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objective) and STIX, alongside terms such as Intent, Target ID, Resource development, Detection avoidance, Staging, Privilege escalation, Covering tracks, Extract data and Deny access. The overlapping and inconsistent terms illustrate why comparison across models is hard.]

Because comparison of threat data across models and users is problematic. Following a common approach helps to:
o Establish a common ontology and enhance information sharing, since it is easier to map unique models to a common standard than to each other
o Characterize and categorize threat activity in a straightforward way that can support missions ranging from strategic decision-making to analysis and cybersecurity measures, and users from generalists to technical experts
o Achieve common situational awareness across organizations

Goals of a Common Approach
o Key attributes: a model that is hierarchical, structured, transparent and repeatable, featuring explicit definitions
o An optimized cyber threat framework:
- Is focused on empirical and often sensor-derived data, and serves as the foundation for subsequent analysis and decision-making
- Supports analysis and the
characterization and categorization of cyber threat information through the use of standardized language
- Accommodates a wide variety of data sources, threat actors and threat activity
- Arranges the information captured within it hierarchically, organized in increasing layers of detail
- Is tailorable to meet a host of individual needs

Common Cyber Threat Framework: A Hierarchical Approach
o Layer 1, Stages: the progression of cyber threat actions over time to achieve objectives
o Layer 2, Objectives: the purpose of conducting an action or a series of actions
o Layer 3, Actions: actions and associated resources used by a threat actor to satisfy an objective
o Layer 4, Indicators: discrete cyber threat intelligence data

Common Cyber Threat Framework: Structured around a Simplified Threat Lifecycle
o Layer 1, Stages (the progression of cyber threat actions over time to achieve objectives): Preparation, Engagement, Presence, Effect/Consequence
o External actions ("left of intrusion", pre-execution actions) precede internal actions ("right of intrusion", operational actions)

Common Cyber Threat Framework: Threat Actor Objectives within the Threat Lifecycle
o Layer 1, Stages: the progression of cyber threat actions over time to achieve objectives
o Layer 2, Objectives: the purpose of conducting an action or a series of actions
- Preparation: Plan activity; Conduct research and analysis; Develop resources and capabilities; Acquire victim-specific knowledge; Complete preparations
- Engagement: Deploy capability; Interact with intended victim; Exploit vulnerabilities; Deliver malicious capability
- Presence: Establish controlled access; Hide; Expand presence; Refine focus of activity; Establish persistence
- Effect/Consequence: Enable other operations; Deny access; Extract data; Alter data and/or computer, network or system behavior; Destroy HW/SW/data
o Layer 3, Actions: actions and associated resources used by a threat actor to satisfy an objective
o Layer 4, Indicators: discrete cyber threat
intelligence data

Common Cyber Threat Framework: Actions and Indicators are the Details of Threat Activity
The same four layers (Stages, Objectives, Actions, Indicators) with the stage and objective grid of the previous slide, carried down to a concrete example:
o Layer 2, Objective: Deliver malicious capability (Engagement stage)
o Layer 3, Action: Send a spear phishing email
o Layer 4, Indicator: Malicious attachment

This Common Approach Facilitates Grouping and Comparison of Cyber Threat Activities Seen from Different Perspectives

[Figure: the same collage of terms from existing models shown earlier (Lockheed Martin Kill Chain phases, STIX, and assorted intent, reconnaissance, delivery, exploitation, C2 and effect vocabulary), now grouped against the common framework's stages.]
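The slides argue that mapping each model onto one common standard is easier than mapping models to each other. The following added example (not ODNI's code) encodes the Layer 1 stages and Layer 2 objectives from the slides, normalizes events tagged in either the framework's vocabulary or Lockheed Martin Kill Chain phases onto common stages, and counts them per stage; the Kill Chain-to-stage crosswalk and the sample events are assumptions constructed for the example, since the slides show the models side by side without publishing a mapping.

```python
from collections import Counter

# Layer 1 stages and the Layer 2 objectives under each, as listed on the slides.
CTF_OBJECTIVES = {
    "Preparation": ["Plan activity", "Conduct research & analysis",
                    "Develop resources & capabilities",
                    "Acquire victim-specific knowledge", "Complete preparations"],
    "Engagement": ["Deploy capability", "Interact with intended victim",
                   "Exploit vulnerabilities", "Deliver malicious capability"],
    "Presence": ["Establish controlled access", "Hide", "Expand presence",
                 "Refine focus of activity", "Establish persistence"],
    "Effect/Consequence": ["Enable other operations", "Deny access", "Extract data",
                           "Alter data and/or computer, network or system behavior",
                           "Destroy HW/SW/data"],
}
STAGE_OF_OBJECTIVE = {o: s for s, objs in CTF_OBJECTIVES.items() for o in objs}

# ASSUMED crosswalk from Kill Chain phases to CTF stages, made up for this example;
# the slides show the models side by side but give no mapping.
KILL_CHAIN_TO_STAGE = {
    "Reconnaissance": "Preparation", "Weaponization": "Preparation",
    "Delivery": "Engagement", "Exploitation": "Engagement",
    "Installation": "Presence", "C2": "Presence",
    "Actions on Objective": "Effect/Consequence",
}

def normalize(event):
    """Return (stage, objective) for an event tagged in either vocabulary,
    or None if the tag is unknown so unmapped data stays visible."""
    model, tag = event["model"], event["tag"]
    if model == "ctf" and tag in STAGE_OF_OBJECTIVE:
        return STAGE_OF_OBJECTIVE[tag], tag
    if model == "kill_chain" and tag in KILL_CHAIN_TO_STAGE:
        return KILL_CHAIN_TO_STAGE[tag], None  # stage known, objective not given
    return None

def stage_histogram(events):
    """Count events per CTF stage; 'unmapped' collects what could not be placed."""
    counts = Counter()
    for ev in events:
        norm = normalize(ev)
        counts[norm[0] if norm else "unmapped"] += 1
    return dict(counts)

# Constructed sample feeds: one team tags with CTF objectives, another with Kill Chain phases.
SAMPLE_EVENTS = [
    {"model": "ctf", "tag": "Deliver malicious capability", "indicator": "Malicious attachment"},
    {"model": "ctf", "tag": "Establish persistence", "indicator": "constructed-autorun-entry"},
    {"model": "kill_chain", "tag": "Delivery", "indicator": "constructed-phish-url"},
    {"model": "kill_chain", "tag": "C2", "indicator": "constructed-beacon-domain"},
    {"model": "kill_chain", "tag": "Bogus Phase", "indicator": "n/a"},
]
```

Running `stage_histogram(SAMPLE_EVENTS)` places the two feeds on the same four stages, and the "unmapped" bucket shows where a source's vocabulary still needs a crosswalk entry rather than silently dropping the event.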
Common Cyber Threat Framework: Current Status
o Framework and associated Lexicon available at DNI.GOV
o Used in threat products by DHS, FBI and the ODNI's Cyber Threat Intelligence Integration Center (CTIIC)
o Being taught to new U.S. Government cyber analysts
o Included in curricula and research at multiple universities
o Under consideration by international partners to facilitate a common operating picture and enhance threat information sharing
o Evolution continues based on use and ongoing outreach to industry, academia, government and international partners

Office of the Director of National Intelligence: Leading Intelligence Integration

Questions?

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone 202-994-7000, Fax 202-994-7005, nsarchiv@gwu.edu