Tuesday, October 7, 2014

“Cyber Terrain”: A Model for Increased Understanding of Cyber Activity

In my first Science of Security post, I recommended that organizations consider hiring cyber security scientists to help organizations in developing a strong, rigorous scientific foundation to cyber security while providing structure and organization to a broad-based body of knowledge on the domain. In my second Science of Security post I provided an example of applying the scientific method to cyber security operations. In that second post I mentioned that every cyber attack has 4 basic components: Threat Actors, TTPs, Cyber Terrain, and Defenders. In this post I’ll introduce a multilayered Cyber Terrain model and describe how this can be used to help systematically organize the broad-based body of cyber security knowledge to enable increased understanding amongst cyber participants.

Traditional “terrain” maps show physical features to help users better understand the terrain and how best to navigate the terrain. To apply this concept to cyberspace we will leverage a multilayered cyber terrain model that allows us to conceptually model, organize, and understand the features (laws, policy, security technology, etc.) and activity (cybercrime, APT, hacktivism, etc.) that takes place in the cyber terrain.

Cyber terrain can be used to model the Defender’s cyber terrain, the Threat Actor’s cyber terrain, and just about everything that makes up the Internet of Things (IoT). Most of the time when I mention cyber terrain to people they tend to visualize routers, switches, and other physical hardware. While the hardware is part of the cyber terrain it only represents 1 of the 15 layers that I’ll introduce in today’s post.

A large body of research indicates that visual cues help us to better retrieve and remember information. The research outcomes on visual learning makes complete sense when you consider that our brain is mainly an image processor since much of our sensory cortex is devoted to vision. The cyber terrain model allows us to visualize the cyber terrain to help accelerate learning and promote a shared understanding.

Cyber terrain is a concept developed by the U.S. Department of Defense as an updated defense in depth model. The original defense in depth multilayered model was introduced a long time ago and was focused primarily on addressing the path of data in and out of the network (OSI layers 2, 3, & 4). The cyber terrain model is designed to address both the path of the data in and out of the network as well as what happens after the data arrives. The cyber terrain provides a more comprehensive approach since one can use it as a lens to view activity from both the defensive aspect, but also from threat actor perspective, which can reveal critical information needed to better defend against an attack.

Defense in depth is still a good defensive strategy, but it is limited since its focus was solely defense and only focused on the network layers. It also doesn’t account for key aspects of threats such as geolocation, persona, etc.

The cyber terrain model I’m introducing in this post builds off the efforts of the U.S. DoD and is designed to represent the full triangle of sustainment or the three pillars of cybersecurity: People – Organizations & Processes – Technology. To achieve this we need a model that represents both physical, real-world layers as well as the virtual layers of cyberspace. A model capable of representing the data, technology, people, processes, activity across all the traditional security engineering, security operations, and security intelligence areas on the defender side as well as the threat actors, TTPs, and infrastructure used by the bad guys. The cyber terrain model can also enable a shared understanding by engineers, operators, analysts, executives, and board members. This lead to the creation of the 15 layer cyber terrain model shown below. 

Layer 0 – Geographic Layer

The geographic layer represents the geographic area where real-world devices, people, organization buildings, and other physical items resides. The geographic location of physical items helps to give context to applicable cyber laws, policies, etc that apply to items in specific geographic areas as represented in the government layer. For example, a company with physical offices in both the United States and the United Kingdom would have different government level cyber laws that apply to that organizations people and technology depending on where the people and technology are located geographically. 

This layer can also represent geographic location attack vectors such as leaving a few BadUSB infected USB thumb drives in the parking lot outside the office of a targeted organization. The layer can also represent risk from natural threats that affect an organization’s people and technology in specific geographic areas such as earthquakes or flooding.

·         CAPEC-ID:406 – Social Information Gathering via Dumpster Diving https://capec.mitre.org/data/definitions/406.html
·         CAPEC-ID:407 – Social Information Gathering via Pretexting https://capec.mitre.org/data/definitions/407.html
o   CAPEC-ID:413 – Pretexting via Tech Support https://capec.mitre.org/data/definitions/413.html
o   CAPEC-ID:414 – Pretexting via Delivery Person https://capec.mitre.org/data/definitions/414.html
·         CAPEC-ID:507 – Physical Theft  http://capec.mitre.org/data/definitions/507.html
·         CAPEC-ID:391 – Bypassing Physical Locks http://capec.mitre.org/data/definitions/391.html

Layer 1 – Physical Layer

The physical layer represents the physical layer of the OSI model and includes all the hardware, cables, etc. This layer includes physical security and controlled access spaces such as locked server rooms. It’s important to keep in mind that items in the physical layer actually exist and therefore have a location, this means there is a strong link between the geographic layer and the physical layer. Here are a few examples of common attack patterns at the physical layer:

·         CAPEC-ID:507 – Physical Theft  http://capec.mitre.org/data/definitions/507.html
·         CAPEC-ID:391 – Bypassing Physical Locks http://capec.mitre.org/data/definitions/391.html
·         CAPEC-ID:397 – Cloning Magnetic Strip Cards http://capec.mitre.org/data/definitions/397.html
·         CAPEC-ID:547 – Physical Destruction of Device or Component http://capec.mitre.org/data/definitions/547.html
·         CAPEC-ID:453 – Malicious Logic Insertion via Counterfeit Hardware https://capec.mitre.org/data/definitions/453.html
·         CAPEC-ID:455 – Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components https://capec.mitre.org/data/definitions/455.html

Layers 2-7 – Logical Layers (Communications Ports and Protocols)

The logical layers represent the upper 6 layers of the OSI model which enables us to model the communications ports and protocols of the cyber terrain. A defender might share that an observable indicator for beaconing activity by a threat actor’s TTP is a specific pattern observed in packets at the network layer, or a pattern in an http GET request at the application layer. Here are a few examples of common attack patterns in the logical layers:

·         CAPEC-ID:383 – Harvesting Usernames or UserIDs via Application API Event Monitoring (Application Layer) https://capec.mitre.org/data/definitions/383.html
·         CAPEC-ID:293 – Traceroute Route Enumeration (Network Layer & Transport Layer) https://capec.mitre.org/data/definitions/293.html
·         CAPEC-ID:309 – Network Topology Mapping (Network Layer, Transport Layer, & Application Layer) https://capec.mitre.org/data/definitions/309.html
·         CAPEC-ID:311 – OS Fingerprinting (Network Layer, Transport Layer, & Application Layer) https://capec.mitre.org/data/definitions/311.html
·         CAPEC-ID:316 – ICMP Fingerprinting Probes (Network Layer) https://capec.mitre.org/data/definitions/316.html
·         CAPEC-ID:310 – Scanning for Vulnerable Software (Network Layer, Transport Layer, & Application Layer) https://capec.mitre.org/data/definitions/310.html
·         CAPEC-ID:315 – TCP/IP Fingerprinting Probes (Network Layer, Transport Layer, & Application Layer) https://capec.mitre.org/data/definitions/315.html
·         CAPEC-ID:312 – Active OS Fingerprinting (Network Layer) https://capec.mitre.org/data/definitions/312.html
·         CAPEC-ID:291 – DNS Zone Transfers (Application Layer) https://capec.mitre.org/data/definitions/291.html
·         CAPEC-ID:307 – TCP RPC Scan (Transport Layer) https://capec.mitre.org/data/definitions/307.html

The different layers that make up the cyber terrain allows us to breakdown activity by layer and to consider countermeasures or security controls that might apply to the different layers. They also help to increase understanding when sharing information with other organizations or describing observed activity to other defenders.

DDoS attacks have made the headlines several times over the past decade but breaking it down by layers helps to provide more actionable information and increased understanding. Consider the below image from National Cybersecurity and Communications Integration Center at the U.S. Department of Homeland Security which shows DDoS attack possibilities by OSI Layer. 

                                     Source: https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf

Layer 8 – Machine Language 

The machine language layer is used to represent data such as binary executables, class files, shared libraries (e.g., DLLs), or other machines code. The machine language layer also includes items such as embedded system such as those used in SCADA systems, BIOS, and firmware on various devices such as video cards and storage devices.

·         CAPEC-ID:37 – Lifting Data Embedded in Client Distributions https://capec.mitre.org/data/definitions/37.html
·         CAPEC-ID:190 – Reverse Engineer an Executable to Expose Assumed Hidden Functionality or Content https://capec.mitre.org/data/definitions/190.html
·         CAPEC-ID:205 – Lifting Credential Key Material Embedded in Client Distributions https://capec.mitre.org/data/definitions/205.html

Layer 9 – Operating System

The operating system layer is used to represent the operating systems used by the defender or the threat actor to include operation system weaknesses, vulnerabilities, security configuration issues, and attack patterns. Here are a few common attack patterns for the operating system level:

·         CAPEC-ID:9 – Buffer Overflow in Local Command-Line Utilities http://capec.mitre.org/data/definitions/9.html
·         CAPEC-ID:45 – Buffer Overflow via Symbolic Links http://capec.mitre.org/data/definitions/45.html
·         CAPEC-ID:8 – Buffer Overflow in an API Call http://capec.mitre.org/data/definitions/8.html
·         CAPEC-ID:14 – Client-side Injection-induced Buffer Overflow http://capec.mitre.org/data/definitions/14.html
·         CAPEC-ID:118 – Gather Information http://capec.mitre.org/data/definitions/118.html
·         CAPEC-IDS:268 – Audit Log Manipulation https://capec.mitre.org/data/definitions/268.html
·         CAPEC-ID:270 – Modification of Registry Run Keys https://capec.mitre.org/data/definitions/270.html
·         CAPEC-ID:17 – Accessing, Modifying or Executing Executable Files http://capec.mitre.org/data/definitions/17.html

Layer 10 – Software Application

The software application layer is used to represent software applications installed across the different operating systems. Not only does this include the application code itself, but also the necessary application and service infrastructure used to support the application execution, such as web servers, .Net framework, OSGi, etc.  These execution containers may also reveal critical information that could be used by adversaries to better understand an attack surface or leak information about the organization due to insecure configuration.
This layer is also used to represent secure coding, software application configuration issues, vulnerabilities, weaknesses, and attack patterns. This is also where languages that are compiled to bytecode, such as Java and .Net reside.  In recent days, languages utilizing bytecodes have become a popular target by attackers. Here are some examples attack patterns that include machine code.

This is one of the most popular layers for attacks when you consider software applications such as browsers (Internet Explorer, Firefox, Safari, Chrome, etc) and office applications (MS Office, Adobe, etc). Here are just a few examples of the types of attack patterns we might see at this level.

·         CAPEC-ID:69 – Target Programs with Elevated Privileges http://capec.mitre.org/data/definitions/69.html
·         CAPEC-ID:118 – Gather Information http://capec.mitre.org/data/definitions/118.html
·         CAPEC-ID:76 – Manipulating Input to File System Calls https://capec.mitre.org/data/definitions/76.html
·         CAPEC-ID:35 – Leverage Executable Code in Non-Executable Files http://capec.mitre.org/data/definitions/35.html
·         CAPEC-ID:472 – Browser Fingerprinting http://capec.mitre.org/data/definitions/472.html
·         CAPEC-ID:13 – Subverting Environmental Values http://capec.mitre.org/data/definitions/13.html
·         CAPEC-ID:46 – Overflow Variables and Tags http://capec.mitre.org/data/definitions/46.html

Layer 11 – Persona

The personal layer is used to represent the various ways in which people are represented in cyberspace such as user accounts, userIDs, email addresses, phone numbers, etc. This can include full credentials that allow access to information. A single person can have multiple persona identifies in cyberspace, a common tactic used by threat actors to better hide themselves.

Persona accounts are normally the first level of technical attribution as defenders discover threat actor persona accounts that are tied to specific TTPs (Phising, malicious domain registrations, carding, etc). Since persona details represent humans in cyberspace, they could reveal attributes that could potentially lead to a specific person or organization.

This information could be gathered through open source intelligence, taken as part of an attack on an information system, obtained from the domain registrations, or perhaps gathered through monitoring of threat actors in underground forums and black market sites. 

Here are just a couple simple examples of attacks patterns dealing with persona information:

·         CAPEC-ID:404 – Social Information Gathering Attacks https://capec.mitre.org/data/definitions/404.html
·         CAPEC-ID:383 – Harvesting Usernames or UserIDs via Application API Event Monitoring https://capec.mitre.org/data/definitions/383.html
·         CAPEC-ID:156 – Deceptive Interactions https://capec.mitre.org/data/definitions/156.html
·         CAPEC-ID:151 – Identity Spoofing https://capec.mitre.org/data/definitions/151.html
·         CAPEC-ID:98 – Phishing https://capec.mitre.org/data/definitions/98.html
·         CAPEC-ID:163 – Spear Phishing https://capec.mitre.org/data/definitions/163.html
·         CAPEC-ID:164 – Mobile Phishing  (aka MobPhishing) https://capec.mitre.org/data/definitions/164.html

Layer 12 – People / Supervisory / Temporal

Unlike the persona layer which focuses on the various forms of identify that a human has in cyberspace, the People, Supervisory, and Temporal layer is used to represent the real-world people (the actual individual) such as defenders and threat actors, supervisory functions such as starting, stopping, modifying, or redirecting a cyber operation, and the temporal data surrounding activity in the cyber terrain. All operations in cyberspace begin with a human being and this is the layer in which actual human beings are represented. This could be money mules, carders, APT actors, botnet operators, defenders, etc. Ideally, defenders want to identify who the actual human person is behind the activity for the purpose of prosecution.

Below are a few high-level attack patterns aimed at the humans in the loop.

·         CAPEC-ID:404 – Social Information Gathering Attacks https://capec.mitre.org/data/definitions/404.html
·         CAPEC-ID:410 – Information Elicitation via Social Engineering https://capec.mitre.org/data/definitions/410.html
·         CAPEC-ID:416 – Target Influence via Social Engineering https://capec.mitre.org/data/definitions/416.html
·         CAPEC-ID:527 – Manipulate System Users https://capec.mitre.org/data/definitions/527.html
·         CAPEC-ID:156 – Deceptive Interactions https://capec.mitre.org/data/definitions/156.html
·         CAPEC-ID:98 – Phishing https://capec.mitre.org/data/definitions/98.html
·         CAPEC-ID:163 – Spear Phishing https://capec.mitre.org/data/definitions/163.html
·         CAPEC-ID:164 – Mobile Phishing  (aka MobPhishing) https://capec.mitre.org/data/definitions/164.html

Layer 13 – Organization

The organization layer allows us to represent organization policies, processes, and procedures that apply to the defender’s organization. These could be the organization’s own items or those of another organization. An example might be security benchmarks from the Center for Internet Security or standards from the International Organization for Standardization (ISO). This could also be a threat actor’s organization such as the Hacktivist organization Anonymous, an underground carding organization, or a foreign competitor’s organization.

Much like persona accounts represent real people in cyberspace, organizations have their own identities in cyberspace. Some cyber activity might only be attributed to an organizational level identity such as SEA / Syrian Electronic Army. It’s important to try to link threat actor persona accounts with the organization they belong to for better overall attribution.  

Layer 14 – Government

The government layer allows us to represent government items such as cyber laws, regulation, frameworks, and data. For example, in the United States there are more than 50 statutes that address various aspects of cybersecurity either directly or indirectly to include things such as the Privacy Act of 1974, the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984. The NIST Cybersecurity Framework. Vulnerability and Security Configuration information from the National Vulnerability Database. This layer can also represent alleged government associations of threat actors such as the Mandiant APT1 campaign association with the Chinese military / government, the alleged ties to the Iranian government behind the DDoS attacks on financial institutions, or the alleged connection to the Russian government behind the recent JPMorgan breach.

Cyber Terrain Analysis

Now that we have covered the different layers of the cyber terrain we can consider cyber terrain analysis. I won’t go into much detail on cyber terrain analysis in this post but a quick overview of key points should help get people thinking in the right direction.

The U.S DoD uses a process called OCOKA for traditional terrain analysis. OCOKA is an acronym for Observation, Cover and Concealment, Obstacles, Key Terrain, and Avenues of Approach. These all directly map to the cyber terrain. Let’s look at each of these steps below:

·         Observation – What can be seen and where? Where are the various sensors in the different layers of cyberspace within the defender’s cyber terrain? What can those sensors see?
·         Cover and Concealment – What can I hide from threat actor observation? Consider all the information exposed about operating systems and version numbers to resources outside the defender’s cyber terrain. A good example to show leaked information is http://www.shodanhq.com/
·         Obstacles – How can I make it harder to attack? This could be technology or process driven mitigations and countermeasures for each attack pattern applicable to the defender’s cyber terrain in order to limit movement within the network. This is generally called Risk Remediation Analysis in the cybersecurity community.
·         Key Terrain – Key assets, accounts, data, etc. Within the cybersecurity world this is generally known as Crown Jewels analysis. Losing these to a threat actor would be a significant defeat for the defender.
·         Avenues of Approach – This is the various paths that can be taken to exploit a target. Consider both the exact paths into and out of your network along with what specific attack patterns apply based on the specific assets (software applications, operating systems, etc) inside the defender’s cyber terrain. This is generally referred to as Threat Susceptibility Analysis in the cybersecurity community.
o   Exploit Target – When considering the avenues of approach it helps to analyze the exploit target of each attack pattern based on the assets present in the defender’s cyber terrain. This include:
§  Security Configuration Issues – example CCEs
§  Software Vulnerabilities ­– example CVEs
§  Software Weaknesses – example CWEs
§  People – example social engineering

When modeling adversaries with the cyber terrain, layers 11-14 are almost like filters to be applied to the layers below when correlated with attack patterns as they can be used as means to better understand the kinds of attacks that an enterprise might see from the different types of threat actors. The attack patterns help to identify the weaknesses, vulnerabilities, and configuration issues that threat actors would typically look to exploit.

By looking at the critical assets (key terrain) within the defender’s cyber terrain, through techniques such as crown jewels analysis, and then determining who would want those assets and why, defenders can better understand the kinds of threat actors that they are likely to face, the patterns of attack associated with those types of threat actors, and ultimately the weaknesses, vulnerabilities, and configuration issues that are likely to be exploited in an attack. With this data, mechanisms for better detection and prevention could be put into place across different cyber terrain layers.


In this post I presented readers with a new 15 layer cyber terrain model that enables organizations to organize a broad based body of cybersecurity knowledge and visualize the physical and logical parts of the cyber terrain. There are strong relations between the layers and activity can be observed across different layers.

By breaking down the cyber terrain to individual layers we are presented with a new way to analyze and understand the complexities of modern cyber operations layer by layer where we can consider both technical and policy based mitigations and countermeasures for each layer of the defenders cyber terrain.

A fundamental aspect of intelligence preparation of the operational environment (IPOE) is detailed terrain analysis to include the threat actors, their TTPs, attack patterns, and use of the cyber terrain as well the defender’s TTPs, cyber terrain, and key terrain. Modern threat intelligence can include actionable information for each of the 15 cyber terrain layers. Using a multilayered cyber terrain model can help us to organize this knowledge to support increase understanding and accelerate learning while advancing an organization’s intelligence driven security program.

No comments: