Adversarial Approach to Identifying Critical Assets - CARVER Methodology
Risk - JonesDay


A Target Analysis Approach to Identifying Internal Critical Assets

Incident response planning is conducted to help teams better prepare for, test, and improve the way they deal with cyber incidents and threats, building a more resilient approach to incident response. The recurring lesson from cyber incident response is that most organizations struggle to identify their critical and essential information assets: the systems responsible for transmitting, storing, and processing the functions essential to the business. The inability to define and identify these assets imposes unnecessary constraints when an organization works to prioritize securing and defending them.

This approach focuses on leveraging the CARVER method. Created by U.S. Special Forces, the CARVER methodology was introduced as an approach to exploit an enemy's critical infrastructure (assets): the analyst scores a potential target both quantitatively and qualitatively to determine how hard or soft the asset is. CARVER remains a credible and preferred method for identifying critical assets within a risk assessment, because it supports multi-attribute decision making and combines the subjective insight of system owners with threat-intelligence-informed guidance.

A deeper look into CARVER

CARVER is an acronym that breaks out as follows:

Criticality: An asset's value to the organization, where its destruction or damage would have a significant impact on business operations – How essential is the asset to business operations?

Accessibility: The ability of an actor with sufficient skills and tools to reach the asset – How hard would it be for an actor to access or attack the asset?

Recuperability: An asset's recoverability, measured in time – How long would it take to repair, bypass, or replace the damaged asset?

Vulnerability: An asset is vulnerable if the threat has the means and capability to attack it successfully – How well would the asset survive an attack?

Effect: The effect of an attack on an asset is the measure of all impacts to the asset and beyond, including desired and undesired second- and third-order effects – What impact considerations, both informed and speculative, can be weighed from technical through strategic operations?

Recognizability: The degree to which the asset can be recognized by a threat actor during reconnaissance – How easy is it for a threat actor to find and identify the asset?

Gain momentum by getting started

Successfully navigating critical asset identification and prioritization with a risk-informed approach will only happen once you take the first steps.

1. Obtain an initial asset identification from business unit leads. Simply begin by asking:

  • “What systems do you use to perform your core business functions?”
  • “What systems do you rely on to process, store, and transmit business information?”
  • “Provide me with a list of your top 10 selected systems.”

This broad, category-level approach will enable buy-in, help identify some potential unknown systems, and enable self-assessment.

2. Use the rating scale to identify high risks and to help prioritize measures based on the vulnerability and potential consequences of your listed assets.

3. Document the first-round findings 1 to N, remove the duplicates, and begin value assignment in a CARVER matrix.

Value Assignment

The information obtained can be cleaned up to remove duplicates and correct naming, then refined into the initial list for valuation. The example below considers one of the four submitted assets, together with the weighted scale and scoring that might result from an IT and security team assessment.

Example: The Customer Relationship Management (CRM) system submitted is deemed:

  • Very valuable; loss of the system would be a business stopper = 5 (C)
  • Somewhat accessible: older system, lacks MFA, no XDR = 3 (A)
  • Can be easily restored within 24-48 hours due to SLAs or onsite support = 2 (R)
  • A focused actor may impact the asset using current unpatched vulnerabilities and tools = 3 (V)
  • Little impact to client data or loss, and the asset is not tied into other internal systems = 3 (E)
  • The asset can be recognized with moderate skill (Shodan, CSI Linux, open ports) = 3 (R)


Once you have completed the above, you are left with a set of totals. These represent the relative attractiveness of each asset as an adversarial target, giving you a prioritized list of potential targets in which the highest sums are the most critical to the organization. You can now focus on maturing your organization's cyber defense strategy around the prioritized assets, leveraging the essential cyber defense strategy.
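As an added example (not code from the article), here is a small Python CARVER matrix that validates each asset's six scores, removes duplicate submissions, and ranks assets by weighted total so the highest sums come first. The CRM row uses the article's scores; the Payroll and Build server rows, the duplicate "crm " entry, and the all-ones weights are constructed assumptions.

```python
from dataclasses import dataclass

# The six CARVER attributes, each scored 1 (low) to 5 (high) from the attacker's view.
ATTRIBUTES = ("criticality", "accessibility", "recuperability",
              "vulnerability", "effect", "recognizability")

# Assumed weights: all 1.0 gives the plain sum used on the page; a team may
# raise e.g. criticality so business impact dominates the ranking.
DEFAULT_WEIGHTS = {a: 1.0 for a in ATTRIBUTES}

@dataclass
class Asset:
    name: str
    scores: dict  # attribute -> integer 1..5

    def __post_init__(self):
        missing = set(ATTRIBUTES) - set(self.scores)
        if missing:
            raise ValueError(f"{self.name}: missing CARVER scores {sorted(missing)}")
        for attr, val in self.scores.items():
            if attr not in ATTRIBUTES or not 1 <= val <= 5:
                raise ValueError(f"{self.name}: invalid score {attr}={val}")

def carver_total(asset, weights=DEFAULT_WEIGHTS):
    """Weighted CARVER sum; higher means a more attractive adversarial target."""
    return sum(weights[a] * asset.scores[a] for a in ATTRIBUTES)

def dedupe_by_name(assets):
    """Step 3 of the article: collapse duplicate submissions (case/space-insensitive)."""
    seen, unique = set(), []
    for a in assets:
        key = a.name.strip().lower()
        if key not in seen:
            seen.add(key)
            unique.append(a)
    return unique

def rank_assets(assets, weights=DEFAULT_WEIGHTS):
    """Return (name, total) pairs, highest total first; name breaks ties deterministically."""
    totals = [(a.name, carver_total(a, weights)) for a in assets]
    return sorted(totals, key=lambda t: (-t[1], t[0]))

# Constructed sample matrix: CRM uses the article's scores (5,3,2,3,3,3);
# the other rows are invented for illustration.
SAMPLE_ASSETS = [
    Asset("CRM", dict(zip(ATTRIBUTES, (5, 3, 2, 3, 3, 3)))),
    Asset("Payroll", dict(zip(ATTRIBUTES, (4, 2, 4, 2, 4, 2)))),
    Asset("crm ", dict(zip(ATTRIBUTES, (5, 3, 2, 3, 3, 3)))),  # duplicate submission
    Asset("Build server", dict(zip(ATTRIBUTES, (3, 4, 3, 4, 5, 4)))),
]
```

Calling `rank_assets(dedupe_by_name(SAMPLE_ASSETS))` yields the prioritized list; passing a weights dict with a higher criticality weight shows how the ordering shifts when business impact is emphasized.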

Conclusion

A CARVER assessment can be the first step in helping an organization gain insight into its critical assets: the systems that process, store, and transmit information critical to business operations. Foundationally, the approach pairs an often overlooked adversarial perspective with subjective, function-focused critical asset identification. Increased measures to protect, detect, and defend against threats will reduce the attack surface, and future evaluations will be required to identify gaps and validate the input.

More information available here.
