Evaluating the Impact of Cybersecurity Decisions on Adversary Behavior

Introduction

As our reliance on information systems grows, so does the sophistication of cyber adversaries who use advanced tactics, techniques, and procedures (TTPs) to exploit vulnerabilities. Cybersecurity decisions refer to the strategic choices made by defenders to mitigate and manage the risk of cyber attacks on their systems, networks, and data.

To better understand and evaluate the impact of these decisions on adversary behavior, a standardized vocabulary is essential. This vocabulary, derived from NIST 800-160 vol 2 rev 1, includes five high-level desired effects on adversaries: redirect, preclude, impede, limit, and expose, along with 15 specific classes of effects categorized under these headings. This article explains what this vocabulary is, how to use it at both macro and micro levels, and the benefits it provides.

NIST SP 800-160 Vol 2 Rev 1

What is the Standardized Vocabulary?

Cybersecurity decisions encompass a range of choices involving cyber defender actions, architectural decisions, and the selection and utilization of technologies to enhance security, resiliency, and defensibility against ongoing adversary activities. The standardized vocabulary enables clear and comparable articulation of claims and hypotheses across various assumed or real-world environments. This vocabulary facilitates the identification of evidence independently of the evaluation methods used. It can be applied to multiple modeling and analysis techniques, including Red Team analysis, game-theoretic modeling, attack tree and attack graph modeling, and analysis based on the cyber attack lifecycle (also known as cyber kill chain analysis or cyber campaign analysis). It includes five high-level effects and 15 specific classes of effects that have an effect on risk:

Redirect:

• Deter: Discourage adversaries from attempting an attack.
• Effect on Risk: Reduces the likelihood of occurrence.
• Divert: Channel adversaries away from high-value targets.
• Effect on Risk: Reduces the likelihood of occurrence.
• Deceive: Mislead adversaries into taking ineffective actions.
• Effect on Risk: Reduces the likelihood of occurrence and reduces the likelihood of impact.

Preclude:

• Expunge: Remove adversary presence from the system.
• Effect on Risk: Reduces the likelihood of impact of subsequent events in the same threat scenario.
• Preempt: Prevent an attack before it occurs.
• Effect on Risk: Reduces the likelihood of occurrence.
• Negate: Neutralize the impact of an attack.
• Effect on Risk: Reduces the likelihood of impact.

Impede:

• Contain: Restrict the spread of an attack.
• Effect on Risk: Reduces the level of impact.
• Degrade: Reduce the effectiveness of an attack.
• Effect on Risk: Reduces the likelihood of impact and the level of impact.
• Delay: Slow down an attack.
• Effect on Risk: Reduces the likelihood of impact and the level of impact.
• Exert: Apply pressure to adversaries.
• Effect on Risk: Reduces the likelihood of impact.

Limit:

• Shorten: Reduce the duration of an attack.
• Effect on Risk: Reduces the level of impact.
• Reduce: Minimize the number of opportunities for an attack.
• Effect on Risk: Reduces the level of impact and the likelihood of impact of subsequent events in the same threat scenario.

Expose:

• Detect: Identify adversary activities.
• Effect on Risk: Reduces the likelihood of impact and the level of impact.
• Reveal: Publicly disclose adversary actions.
• Effect on Risk: Reduces the likelihood of impact, particularly in the future.
• Scrutinize: Analyze adversary behavior to gain insights.
• Effect on Risk: Reduces the likelihood of impact.

How to Use the Vocabulary

Macro Level: Threat Scenarios

At the macro level, the vocabulary can be applied to broad threat scenarios, such as phishing, ransomware, and insider threats. By using the vocabulary, organizations can systematically evaluate and enhance their defensive strategies against these widespread threats.

Phishing:

• Redirect: Deploy email filtering and training to deter and divert phishing attempts.
• Preclude: Implement multi-factor authentication (MFA) to preempt unauthorized access.
• Impede: Use endpoint protection to contain and degrade phishing payloads.
• Limit: Monitor email traffic to shorten the window of opportunity for attackers.
• Expose: Employ threat intelligence to detect and reveal phishing campaigns.

Ransomware:

• Redirect: Use network segmentation to divert ransomware from critical assets.
• Preclude: Keep systems patched and updated to expunge vulnerabilities.
• Impede: Deploy intrusion prevention systems (IPS) to delay and exert pressure on ransomware.
• Limit: Implement robust backup solutions to shorten the impact duration.
• Expose: Use anomaly detection to scrutinize and reveal ransomware activities.

Insider Threats:

• Redirect: Create decoy documents to deceive potential insider threats.
• Preclude: Enforce strict access controls to preempt unauthorized activities.
• Impede: Monitor user behavior to contain and degrade insider actions.
• Limit: Implement data loss prevention (DLP) to reduce the impact of data exfiltration.
• Expose: Conduct regular audits to detect and reveal suspicious activities.

Integrating the Effects Vocabulary with the Cyber Kill Chain

The Cyber Kill Chain (CKC), developed by Lockheed Martin, describes the different stages of a cyber attack from initial reconnaissance to data exfiltration. Mapping the standardized vocabulary of effects to the CKC phases can enhance the understanding and application of cybersecurity measures. Here’s how the effects vocabulary can be integrated with the CKC, along with a mapping of effects to kill chain phases.

The Cyber Kill Chain Phases

1. Reconnaissance: Gathering information about the target.
2. Weaponization: Creating a payload to exploit a vulnerability.
3. Delivery: Transmitting the payload to the target.
4. Exploitation: Triggering the payload to exploit the vulnerability.
5. Installation: Installing malware on the target system.
6. Command and Control (C2): Establishing a channel for remote control.
7. Actions on Objectives: Executing the attack to achieve objectives, such as data exfiltration.

Mapping Effects Vocabulary to the Kill Chain Phases

Reconnaissance:

• Deter: Implementing measures that make it clear the organization is well-defended can deter adversaries from attempting further reconnaissance.
• Divert: Using honeypots or fake information to mislead adversaries.
• Deceive: Creating decoy systems or false data to mislead adversaries.
• Detect: Using network monitoring to identify reconnaissance activities.
• Scrutinize: Analyzing detected reconnaissance to understand adversary tactics.

Weaponization:

• Reveal: Sharing intelligence on observed weaponization activities with the broader community to prevent widespread attacks.
• Scrutinize: Examining the tools and techniques used to create malicious payloads.

Delivery:

• Deter: Utilizing email filters and web gateways to deter delivery attempts.
• Divert: Routing malicious emails to a sandbox environment.
• Expunge: Removing malicious attachments or links before they reach the user.
• Preempt: Blocking known malicious IP addresses or domains.
• Delay: Implementing thorough scanning processes to slow down the delivery and give time for detection.

Exploitation:

• Negate: Applying patches and updates to eliminate vulnerabilities.
• Preempt: Using endpoint protection to prevent the execution of malicious code.
• Degrade: Limiting the capabilities of the payload through security configurations.
• Detect: Monitoring for signs of exploitation attempts.
• Scrutinize: Analyzing attempted exploitations to enhance defenses.

Installation:

• Expunge: Using anti-malware tools to remove installed malware.
• Preempt: Blocking unauthorized installations through application whitelisting.
• Contain: Using network segmentation to limit the spread of installed malware.
• Degrade: Reducing the malware’s effectiveness through restrictive permissions.
• Detect: Identifying installed malware through regular scans.
• Scrutinize: Investigating the methods of installation to improve preventive measures.

Command and Control (C2):

• Negate: Blocking communication channels used by malware.
• Delay: Implementing network traffic analysis to slow down command and control communications.
• Contain: Isolating infected systems to prevent them from communicating with the adversary.
• Detect: Monitoring for unusual outbound traffic indicative of C2 activity.
• Scrutinize: Analyzing C2 communications to understand the adversary’s infrastructure.

Actions on Objectives:

• Expunge: Removing the adversary’s presence from the network.
• Negate: Implementing measures to neutralize the adversary’s ability to achieve their objectives.
• Contain: Limiting the adversary’s ability to move laterally within the network.
• Degrade: Disrupting the adversary’s ability to exfiltrate data or achieve other objectives.
• Delay: Slowing down the adversary’s progress to allow for a response.
• Detect: Identifying and alerting on actions taken by the adversary.
• Reveal: Sharing information about the attack with the wider security community.

Integrating the effects vocabulary with the Cyber Kill Chain provides a comprehensive framework for evaluating and enhancing cybersecurity measures. By mapping specific effects to each phase of the kill chain, organizations can better understand how to apply various defensive strategies to thwart adversary activities at every stage of an attack. This structured approach ensures that cybersecurity decisions are targeted, effective, and aligned with the overall goal of reducing risk and improving resilience.

Micro Level: MITRE ATT&CK TTPs

At the micro level, the vocabulary can be applied to specific TTPs outlined in the MITRE ATT&CK framework. This allows for a granular analysis and tailored defensive measures against individual adversary actions.

Tactic: Initial Access Technique: Spearphishing Attachment (T1193):

• Redirect: Use secure email gateways to divert malicious emails.
• Preclude: Implement MFA to preempt unauthorized access.
• Impede: Employ attachment scanning to delay the execution of malicious payloads.
• Limit: Limit user privileges to reduce the impact of a successful phishing attack.
• Expose: Use email analytics to detect and reveal spearphishing attempts.

Tactic: Lateral Movement Technique: Remote Services (T1021):

• Redirect: Use network segmentation to divert adversary movement.
• Preclude: Disable unnecessary remote services to expunge potential access points.
• Impede: Monitor and control remote access to delay adversary actions.
• Limit: Restrict access permissions to shorten the adversary's operational scope.
• Expose: Use network monitoring tools to scrutinize and reveal lateral movement.

Benefits of Using the Vocabulary

Enhanced Clarity and Precision

The vocabulary allows defenders to describe their cybersecurity strategies, claims, and hypotheses with greater detail and accuracy. This ensures that all stakeholders, from technical teams to executive management, have a clear understanding of cybersecurity measures and objectives.

• Reduced Miscommunication: Aligns everyone towards common goals, minimizing the risk of misunderstandings.
• Accurate Articulation: Enables precise descriptions of cybersecurity measures and their intended effects.
• Common Understanding: Ensures that both technical and non-technical stakeholders are on the same page regarding cybersecurity strategies and goals.

Improved Communication and Collaboration

Providing a common language that bridges the gap between different teams and stakeholders facilitates better coordination across departments and with external partners.

• Internal Coordination: Improves collaboration between IT, risk management, and executive leadership.
• External Partnerships: Enhances communication with vendors, regulators, and other external parties.
• Cross-Functional Teams: Fosters effective teamwork among diverse teams by using a shared vocabulary.
• Stakeholder Engagement: Helps engage all relevant stakeholders in cybersecurity discussions and decision-making.

Evidence-Based Decision Making

The vocabulary enables the creation of clear, testable hypotheses and claims, allowing for rigorous evaluations based on data and analysis.

• Reliable Strategies: Ensures cybersecurity measures are backed by empirical evidence.
• Data-Driven Decisions: Facilitates informed decision-making based on solid data.
• Performance Metrics: Provides a basis for developing metrics to evaluate the effectiveness of cybersecurity measures.
• Validation and Verification: Supports the validation and verification of cybersecurity controls and strategies.

Cross-Disciplinary Integration

Supporting the incorporation of insights from various disciplines within the organization promotes a holistic approach to cybersecurity.

• Comprehensive View: Integrates technical, operational, and business perspectives for well-rounded defense strategies.
• Interdisciplinary Collaboration: Encourages cooperation across different areas of expertise.
• Strategic Alignment: Ensures that cybersecurity strategies are aligned with overall business objectives.
• Innovative Solutions: Leverages diverse perspectives to develop innovative solutions to cybersecurity challenges.

Scalability and Adaptability

The vocabulary can be applied to various modeling and analysis techniques, ensuring its relevance and effectiveness across different scenarios and environments.

• Flexible Application: Can be used in Red Team analysis, game-theoretic modeling, attack tree and attack graph modeling, and cyber attack lifecycle analysis.
• Evolving Threats: Remains adaptable as cyber threats evolve.
• Tailored Approaches: Can be customized to fit the specific needs and contexts of different organizations.
• Broad Applicability: Applicable to various industries and sectors, enhancing its utility.

Improved Resiliency and Defensibility

A structured evaluation of the impact of cybersecurity decisions on adversary behavior helps in developing more resilient and defensible defense mechanisms.

• Robust Defense: Enhances the organization’s ability to withstand cyber incidents.
• Effective Mitigation: Improves measures to mitigate ongoing adversary activities.
• Proactive Posture: Supports a proactive approach to cybersecurity, anticipating and addressing potential threats.
• Comprehensive Protection: Ensures comprehensive protection across all layers of the organization’s IT infrastructure.

Better Resource Allocation

Clearer insights into the effectiveness of different cybersecurity measures allow organizations to prioritize their investments and allocate resources more efficiently.

• Focused Funding: Prioritizes investments in measures that significantly reduce risk.
• Efficient Use of Resources: Ensures resources are allocated to the most impactful strategies.
• Cost-Effective Solutions: Identifies cost-effective solutions that provide the greatest benefit.
• Strategic Budgeting: Supports strategic budgeting decisions for cybersecurity initiatives.

Continuous Improvement

Supporting ongoing assessment and refinement of cybersecurity strategies enables organizations to regularly evaluate and adjust their defenses.

• Dynamic Adjustments: Adapts to new evidence and evolving threats.
• Sustained Effectiveness: Ensures security measures remain effective over time.
• Feedback Loop: Establishes a feedback loop for continuous improvement of cybersecurity practices.
• Adaptive Strategies: Develops adaptive strategies that evolve with the changing threat landscape.

Facilitation of Threat Intelligence Sharing

A common language makes it easier to share threat intelligence and best practices with other organizations, enhancing collective security efforts.

• Community Collaboration: Promotes effective communication and cooperation on emerging threats.
• Stronger Defense Ecosystem: Builds a robust defense network across industries and sectors.
• Shared Learning: Facilitates shared learning and knowledge exchange among cybersecurity professionals.
• Collaborative Defense: Enhances collaborative defense efforts, leading to more comprehensive threat mitigation.

Conclusion

The implementation of a standardized vocabulary for cybersecurity decisions, as derived from NIST 800-160 vol 2 rev 1, provides significant value for organizations striving to enhance their security posture against sophisticated cyber adversaries. This vocabulary, encompassing five high-level effects and 15 specific classes of effects, allows defenders to articulate, evaluate, and compare their cybersecurity strategies with greater clarity and precision.

By applying this vocabulary to both macro-level threat scenarios, such as phishing, ransomware, and insider threats, the cyber kill chain phases, and micro-level specific MITRE ATT&CK TTPs, organizations can systematically assess and improve their defensive measures. Integrating the effects vocabulary with the Cyber Kill Chain phases further enhances the understanding and application of cybersecurity measures, ensuring targeted and effective defense strategies across all stages of an attack.

The benefits of using this standardized vocabulary extend across various facets of cybersecurity. It promotes enhanced clarity and precision, improved communication and collaboration, evidence-based decision-making, and cross-disciplinary integration. Its scalability and adaptability ensure its relevance across different scenarios and industries, while structured evaluations foster improved resiliency and defensibility. Moreover, it facilitates better resource allocation and continuous improvement of cybersecurity practices, supporting dynamic adjustments to evolving threats.

Ultimately, the real value to defenders lies in the ability to make informed, effective, and coordinated decisions. The standardized vocabulary enables organizations to proactively anticipate, address, and mitigate cyber threats, leading to a more robust and resilient cybersecurity posture. By fostering a common language for threat intelligence sharing and collaborative defense, it strengthens the overall security ecosystem, enhancing collective efforts to combat cyber adversaries and protect critical assets.