In my first Science of Security post, I recommended that organizations consider hiring cyber security scientists to help them develop a strong, rigorous scientific foundation for cyber security while bringing structure and organization to the broad-based body of knowledge in the domain. In my second Science of Security post I gave an example of applying the scientific method to cyber security operations, and mentioned that every cyber attack has 4 basic components: Threat Actors, TTPs, Cyber Terrain, and Defenders. In this post I'll introduce a multilayered Cyber Terrain model and describe how it can be used to systematically organize the broad-based body of cyber security knowledge and increase shared understanding among cyber participants.
Traditional "terrain" maps show physical features to help users understand the terrain and how best to navigate it. To apply this concept to cyberspace we will use a multilayered cyber terrain model that allows us to conceptually model, organize, and understand both the features (laws, policy, security technology, etc.) and the activity (cybercrime, APT, hacktivism, etc.) that take place in the cyber terrain.
Cyber terrain can be used to model the Defender’s cyber
terrain, the Threat Actor’s cyber terrain, and just about everything that makes
up the Internet of Things (IoT). Most of the time when I mention cyber terrain
to people they tend to visualize routers, switches, and other physical hardware.
While the hardware is part of the cyber terrain it only represents 1 of the 15
layers that I’ll introduce in today’s post.
A large body of research indicates that visual cues help us retrieve and remember information. The research outcomes on visual learning make complete sense when you consider that our brain is mainly an image processor, since much of our sensory cortex is devoted to vision. The cyber terrain model allows us to visualize the cyber terrain, which helps accelerate learning and promote a shared understanding.
Cyber terrain is a concept developed by the U.S. Department of Defense as an updated defense in depth model. The original multilayered defense in depth model was introduced long ago and focused primarily on the path of data in and out of the network (OSI layers 2, 3, and 4). The cyber terrain model is designed to address both the path of data in and out of the network and what happens after the data arrives. It is a more comprehensive approach because it can be used as a lens to view activity from the defender's perspective and from the threat actor's perspective, which can reveal critical information needed to better defend against an attack.
Defense in depth is still a good defensive strategy, but it is limited: it addresses only defense and only the network layers, and it doesn't account for key aspects of threats such as geolocation, persona, etc.
The cyber terrain model I'm introducing in this post builds on the efforts of the U.S. DoD and is designed to represent the full triangle of sustainment, or the three pillars of cybersecurity: People – Organizations & Processes – Technology. To achieve this we need a model that represents both the physical, real-world layers and the virtual layers of cyberspace: a model capable of representing the data, technology, people, processes, and activity across the traditional security engineering, security operations, and security intelligence areas on the defender side, as well as the threat actors, TTPs, and infrastructure used by the bad guys. The cyber terrain model can also enable a shared understanding among engineers, operators, analysts, executives, and board members. This led to the creation of the 15 layer cyber terrain model shown below.
Layer 0 – Geographic Layer
The geographic layer represents the geographic area where real-world devices, people, organization buildings, and other physical items reside. The geographic location of physical items gives context to the cyber laws, policies, etc. that apply to items in specific geographic areas, as represented in the government layer. For example, a company with physical offices in both the United States and the United Kingdom would have different government-level cyber laws applying to its people and technology depending on where those people and that technology are located geographically.
This layer can also represent geographically based attack vectors, such as leaving a few BadUSB-infected USB thumb drives in the parking lot outside the office of a targeted organization. The layer can also represent risk from natural threats that affect an organization's people and technology in specific geographic areas, such as earthquakes or flooding. Here are a few examples of attack patterns that involve the geographic layer:
· CAPEC-ID:406 – Social Information Gathering via Dumpster Diving https://capec.mitre.org/data/definitions/406.html
· CAPEC-ID:407 – Social Information Gathering via Pretexting https://capec.mitre.org/data/definitions/407.html
    o CAPEC-ID:413 – Pretexting via Tech Support https://capec.mitre.org/data/definitions/413.html
    o CAPEC-ID:414 – Pretexting via Delivery Person https://capec.mitre.org/data/definitions/414.html
· CAPEC-ID:507 – Physical Theft http://capec.mitre.org/data/definitions/507.html
· CAPEC-ID:391 – Bypassing Physical Locks http://capec.mitre.org/data/definitions/391.html
Layer 1 – Physical Layer
The physical layer corresponds to the physical layer of the OSI model and includes all the hardware, cables, etc. It also includes physical security and controlled-access spaces such as locked server rooms. Keep in mind that items in the physical layer actually exist and therefore have a location, which means there is a strong link between the geographic layer and the physical layer. Here are a few examples of common attack patterns at the physical layer:
· CAPEC-ID:507 – Physical Theft http://capec.mitre.org/data/definitions/507.html
· CAPEC-ID:391 – Bypassing Physical Locks http://capec.mitre.org/data/definitions/391.html
· CAPEC-ID:397 – Cloning Magnetic Strip Cards http://capec.mitre.org/data/definitions/397.html
· CAPEC-ID:547 – Physical Destruction of Device or Component http://capec.mitre.org/data/definitions/547.html
· CAPEC-ID:453 – Malicious Logic Insertion via Counterfeit Hardware https://capec.mitre.org/data/definitions/453.html
· CAPEC-ID:455 – Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components https://capec.mitre.org/data/definitions/455.html
Layers 2-7 – Logical Layers (Communications Ports and Protocols)
The logical layers represent the upper 6 layers of the OSI model, which enable us to model the communications ports and protocols of the cyber terrain. A defender might share that an observable indicator for beaconing activity by a threat actor's TTP is a specific pattern observed in packets at the network layer, or a pattern in an HTTP GET request at the application layer. Here are a few examples of common attack patterns in the logical layers:
· CAPEC-ID:383 – Harvesting Usernames or UserIDs via Application API Event Monitoring (Application Layer) https://capec.mitre.org/data/definitions/383.html
· CAPEC-ID:293 – Traceroute Route Enumeration (Network Layer & Transport Layer) https://capec.mitre.org/data/definitions/293.html
· CAPEC-ID:309 – Network Topology Mapping (Network Layer, Transport Layer, & Application Layer) https://capec.mitre.org/data/definitions/309.html
· CAPEC-ID:311 – OS Fingerprinting (Network Layer, Transport Layer, & Application Layer) https://capec.mitre.org/data/definitions/311.html
· CAPEC-ID:316 – ICMP Fingerprinting Probes (Network Layer) https://capec.mitre.org/data/definitions/316.html
· CAPEC-ID:310 – Scanning for Vulnerable Software (Network Layer, Transport Layer, & Application Layer) https://capec.mitre.org/data/definitions/310.html
· CAPEC-ID:315 – TCP/IP Fingerprinting Probes (Network Layer, Transport Layer, & Application Layer) https://capec.mitre.org/data/definitions/315.html
· CAPEC-ID:312 – Active OS Fingerprinting (Network Layer) https://capec.mitre.org/data/definitions/312.html
· CAPEC-ID:291 – DNS Zone Transfers (Application Layer) https://capec.mitre.org/data/definitions/291.html
· CAPEC-ID:307 – TCP RPC Scan (Transport Layer) https://capec.mitre.org/data/definitions/307.html
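The application-layer beaconing indicator mentioned above (a recurring pattern in HTTP GET requests) is the kind of observable a defender can test for directly in proxy logs. The following is an added example, not code from the original post: it looks for GET streams from one client to one host whose inter-request gaps are nearly constant, which is what a machine-timed check-in looks like. The log line format, the host names, and the addresses in SAMPLE_LOG are constructed for this example; adapt LOG_RE to your own proxy's format.

```python
"""Beacon-style HTTP GET detection over proxy log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed line format: "<ISO timestamp> <client> <method> <url>" (not a real product's format).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
HOST_RE = re.compile(r"^https?://([^/]+)")

# Constructed sample: 10.1.1.20 browses an intranet at irregular times, while
# 10.1.1.55 fetches the same URL on a near-exact 5 minute cadence.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.1.1.20 GET http://intranet.example/home
2024-03-01T09:00:05 10.1.1.55 GET http://cdn-update.example/ping?id=7a
2024-03-01T09:00:12 10.1.1.20 GET http://intranet.example/news
2024-03-01T09:05:05 10.1.1.55 GET http://cdn-update.example/ping?id=7a
2024-03-01T09:10:06 10.1.1.55 GET http://cdn-update.example/ping?id=7a
2024-03-01T09:11:40 10.1.1.20 POST http://intranet.example/login
2024-03-01T09:15:04 10.1.1.55 GET http://cdn-update.example/ping?id=7a
2024-03-01T09:20:05 10.1.1.55 GET http://cdn-update.example/ping?id=7a
2024-03-01T09:33:10 10.1.1.20 GET http://intranet.example/home
"""


def parse_log(text):
    """Yield (timestamp, client, method, host) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        host = HOST_RE.match(m["url"])
        if not host:
            continue
        yield datetime.fromisoformat(m["ts"]), m["client"], m["method"], host.group(1)


def find_beacons(text, min_requests=4, max_jitter=0.1):
    """Return {(client, host): stats} for GET streams with a regular cadence.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    successive requests; a value near zero means a machine-timed interval.
    """
    times = defaultdict(list)
    for ts, client, method, host in parse_log(text):
        if method == "GET":
            times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[key] = {"requests": len(stamps), "mean_interval_s": avg, "jitter": jitter}
    return beacons


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {stats['requests']} GETs every "
              f"{stats['mean_interval_s']:.0f}s (jitter {stats['jitter']:.3f})")
```

On the sample log only the 10.1.1.55 stream is reported (5 GETs, mean interval 300 s). In production the thresholds need tuning against a longer window, since legitimate software also polls on fixed timers and some implants deliberately randomize their interval; pairing the cadence check with how rarely the destination is seen across the enterprise cuts the false positives down considerably.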
The different layers that make up the cyber terrain allow us to break down activity by layer and to consider the countermeasures or security controls that apply to each layer. They also increase understanding when sharing information with other organizations or describing observed activity to other defenders.
DDoS attacks have made the headlines several times over the past decade, and breaking them down by layer provides more actionable information and better understanding. Consider the figure from the National Cybersecurity and Communications Integration Center at the U.S. Department of Homeland Security that shows DDoS attack possibilities by OSI layer.
Source: https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
Layer 8 – Machine Language
The machine language layer represents data such as binary executables, class files, shared libraries (e.g., DLLs), and other machine code. It also includes embedded systems such as those used in SCADA, BIOS, and the firmware on devices such as video cards and storage devices. Here are a few example attack patterns at this layer:
· CAPEC-ID:37 – Lifting Data Embedded in Client Distributions https://capec.mitre.org/data/definitions/37.html
· CAPEC-ID:190 – Reverse Engineer an Executable to Expose Assumed Hidden Functionality or Content https://capec.mitre.org/data/definitions/190.html
· CAPEC-ID:205 – Lifting Credential Key Material Embedded in Client Distributions https://capec.mitre.org/data/definitions/205.html
Layer 9 – Operating System
The operating system layer represents the operating systems used by the defender or the threat actor, including operating system weaknesses, vulnerabilities, security configuration issues, and attack patterns. Here are a few common attack patterns at the operating system level:
· CAPEC-ID:9 – Buffer Overflow in Local Command-Line Utilities http://capec.mitre.org/data/definitions/9.html
· CAPEC-ID:45 – Buffer Overflow via Symbolic Links http://capec.mitre.org/data/definitions/45.html
· CAPEC-ID:8 – Buffer Overflow in an API Call http://capec.mitre.org/data/definitions/8.html
· CAPEC-ID:14 – Client-side Injection-induced Buffer Overflow http://capec.mitre.org/data/definitions/14.html
· CAPEC-ID:118 – Gather Information http://capec.mitre.org/data/definitions/118.html
· CAPEC-ID:268 – Audit Log Manipulation https://capec.mitre.org/data/definitions/268.html
· CAPEC-ID:270 – Modification of Registry Run Keys https://capec.mitre.org/data/definitions/270.html
· CAPEC-ID:17 – Accessing, Modifying or Executing Executable Files http://capec.mitre.org/data/definitions/17.html
Layer 10 – Software Application
The software application layer is used to represent
software applications installed across the different operating systems. Not
only does this include the application code itself, but also the necessary
application and service infrastructure used to support the application
execution, such as web servers, .Net framework, OSGi, etc. These execution containers may also reveal
critical information that could be used by adversaries to better understand an
attack surface or leak information about the organization due to insecure
configuration.
This layer is also used to represent secure coding, software application configuration issues, vulnerabilities, weaknesses, and attack patterns. It is also where languages that compile to bytecode, such as Java and .Net, reside; in recent years languages using bytecode have become a popular target for attackers.
This is one of the most popular layers for attacks when you consider software applications such as browsers (Internet Explorer, Firefox, Safari, Chrome, etc.) and office applications (MS Office, Adobe, etc.). Here are just a few examples of the types of attack patterns we might see at this level:
· CAPEC-ID:69 – Target Programs with Elevated Privileges http://capec.mitre.org/data/definitions/69.html
· CAPEC-ID:118 – Gather Information http://capec.mitre.org/data/definitions/118.html
· CAPEC-ID:76 – Manipulating Input to File System Calls https://capec.mitre.org/data/definitions/76.html
· CAPEC-ID:35 – Leverage Executable Code in Non-Executable Files http://capec.mitre.org/data/definitions/35.html
· CAPEC-ID:472 – Browser Fingerprinting http://capec.mitre.org/data/definitions/472.html
· CAPEC-ID:13 – Subverting Environmental Values http://capec.mitre.org/data/definitions/13.html
· CAPEC-ID:46 – Overflow Variables and Tags http://capec.mitre.org/data/definitions/46.html
Layer 11 – Persona
The persona layer represents the various ways in which people are represented in cyberspace, such as user accounts, user IDs, email addresses, phone numbers, etc. This can include full credentials that allow access to information. A single person can have multiple persona identities in cyberspace, a common tactic used by threat actors to better hide themselves.
Persona accounts are normally the first level of technical attribution, as defenders discover threat actor persona accounts that are tied to specific TTPs (phishing, malicious domain registrations, carding, etc.). Since persona details represent humans in cyberspace, they could reveal attributes that potentially lead to a specific person or organization.
This information could be gathered through open source intelligence, taken as part of an attack on an information system, obtained from domain registrations, or gathered through monitoring of threat actors in underground forums and black market sites.
Here are just a couple of simple examples of attack patterns dealing with persona information:
· CAPEC-ID:404 – Social Information Gathering Attacks https://capec.mitre.org/data/definitions/404.html
· CAPEC-ID:383 – Harvesting Usernames or UserIDs via Application API Event Monitoring https://capec.mitre.org/data/definitions/383.html
· CAPEC-ID:156 – Deceptive Interactions https://capec.mitre.org/data/definitions/156.html
· CAPEC-ID:151 – Identity Spoofing https://capec.mitre.org/data/definitions/151.html
· CAPEC-ID:98 – Phishing https://capec.mitre.org/data/definitions/98.html
· CAPEC-ID:163 – Spear Phishing https://capec.mitre.org/data/definitions/163.html
· CAPEC-ID:164 – Mobile Phishing (aka MobPhishing) https://capec.mitre.org/data/definitions/164.html
Layer 12 – People / Supervisory / Temporal
Unlike the persona layer, which focuses on the various forms of identity a human has in cyberspace, the People, Supervisory, and Temporal layer represents the real-world people (the actual individuals) such as defenders and threat actors, supervisory functions such as starting, stopping, modifying, or redirecting a cyber operation, and the temporal data surrounding activity in the cyber terrain. All operations in cyberspace begin with a human being, and this is the layer in which actual human beings are represented: money mules, carders, APT actors, botnet operators, defenders, etc. Ideally, defenders want to identify the actual human behind the activity for the purpose of prosecution.
Below are a few high-level attack patterns aimed at the humans in the loop:
· CAPEC-ID:404 – Social Information Gathering Attacks https://capec.mitre.org/data/definitions/404.html
· CAPEC-ID:410 – Information Elicitation via Social Engineering https://capec.mitre.org/data/definitions/410.html
· CAPEC-ID:416 – Target Influence via Social Engineering https://capec.mitre.org/data/definitions/416.html
· CAPEC-ID:527 – Manipulate System Users https://capec.mitre.org/data/definitions/527.html
· CAPEC-ID:156 – Deceptive Interactions https://capec.mitre.org/data/definitions/156.html
· CAPEC-ID:98 – Phishing https://capec.mitre.org/data/definitions/98.html
· CAPEC-ID:163 – Spear Phishing https://capec.mitre.org/data/definitions/163.html
· CAPEC-ID:164 – Mobile Phishing (aka MobPhishing) https://capec.mitre.org/data/definitions/164.html
Layer 13 – Organization
The organization layer allows us to represent
organization policies, processes, and procedures that apply to the defender’s organization.
These could be the organization’s own items or those of another organization.
An example might be security benchmarks from the Center for Internet Security
or standards from the International Organization for Standardization (ISO).
This could also be a threat actor’s organization such as the Hacktivist
organization Anonymous, an underground carding organization, or a foreign
competitor’s organization.
Much like persona accounts represent real people in
cyberspace, organizations have their own identities in cyberspace. Some cyber activity
might only be attributed to an organizational level identity such as SEA /
Syrian Electronic Army. It’s important to try to link threat actor persona
accounts with the organization they belong to for better overall attribution.
Layer 14 – Government
The government layer represents government items such as cyber laws, regulations, frameworks, and data. For example, in the United States there are more than 50 statutes that address various aspects of cybersecurity either directly or indirectly, including the Privacy Act of 1974 and the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984. Other examples are the NIST Cybersecurity Framework and the vulnerability and security configuration information published in the National Vulnerability Database. This layer can also represent alleged government associations of threat actors, such as the Mandiant APT1 campaign's association with the Chinese military / government, the alleged ties to the Iranian government behind the DDoS attacks on financial institutions, or the alleged connection to the Russian government behind the recent JPMorgan breach.
Cyber Terrain Analysis
Now that we have covered the different layers of the cyber terrain we can consider cyber terrain analysis. I won't go into much detail on cyber terrain analysis in this post, but a quick overview of the key points should help get people thinking in the right direction.
The U.S. DoD uses a process called OCOKA for traditional terrain analysis. OCOKA is an acronym for Observation, Cover and Concealment, Obstacles, Key Terrain, and Avenues of Approach. These all map directly to the cyber terrain. Let's look at each of these steps below:
· Observation – What can be seen and where? Where are the various sensors in the different layers of cyberspace within the defender's cyber terrain? What can those sensors see?
· Cover and Concealment – What can I hide from threat actor observation? Consider all the information about operating systems and version numbers exposed to resources outside the defender's cyber terrain. A good example of leaked information is http://www.shodanhq.com/
· Obstacles – How can I make it harder to attack? These could be technology- or process-driven mitigations and countermeasures for each attack pattern applicable to the defender's cyber terrain, applied in order to limit movement within the network. This is generally called Risk Remediation Analysis in the cybersecurity community.
· Key Terrain – Key assets, accounts, data, etc. Within the cybersecurity world this is generally known as Crown Jewels analysis. Losing these to a threat actor would be a significant defeat for the defender.
· Avenues of Approach – These are the various paths that can be taken to exploit a target. Consider both the exact paths into and out of your network and the specific attack patterns that apply based on the specific assets (software applications, operating systems, etc.) inside the defender's cyber terrain. This is generally referred to as Threat Susceptibility Analysis in the cybersecurity community.
    o Exploit Target – When considering the avenues of approach it helps to analyze the exploit target of each attack pattern based on the assets present in the defender's cyber terrain. This includes:
        § Security Configuration Issues – example: CCEs
        § Software Vulnerabilities – example: CVEs
        § Software Weaknesses – example: CWEs
        § People – example: social engineering
When modeling adversaries with the cyber terrain, layers 11-14 act almost like filters applied to the layers below: correlated with attack patterns, they help us understand the kinds of attacks an enterprise might see from the different types of threat actors. The attack patterns in turn identify the weaknesses, vulnerabilities, and configuration issues that those threat actors would typically look to exploit.
By looking at the critical assets (key terrain) within
the defender’s cyber terrain, through techniques such as crown jewels analysis,
and then determining who would want those assets and why, defenders can better
understand the kinds of threat actors that they are likely to face, the
patterns of attack associated with those types of threat actors, and ultimately
the weaknesses, vulnerabilities, and configuration issues that are likely to be
exploited in an attack. With this data, mechanisms for better detection and
prevention could be put into place across different cyber terrain layers.
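The two OCOKA steps that lend themselves most readily to automation are Key Terrain / Threat Susceptibility Analysis (which of a given actor's attack patterns apply at the layer each crown-jewel asset sits in) and Observation (which layers of the inventory have no sensor at all). The following is an added example, not code from the original post or from the DoD process it describes. The layer numbers and the CAPEC-to-layer mapping are taken from the layer sections above; the asset inventory, the sensor placement, and the actor profile (the set of CAPEC IDs an analyst has associated with one hypothetical actor type, standing in for the layer 11-14 "filter") are constructed sample data.

```python
"""Cyber terrain inventory with an OCOKA-style susceptibility and observation pass (added example)."""
from dataclasses import dataclass

# The post's 15-layer model; OSI layers 2-7 are collapsed into one "logical" entry.
LAYERS = {
    0: "Geographic", 1: "Physical", 2: "Logical (OSI 2-7)",
    8: "Machine Language", 9: "Operating System", 10: "Software Application",
    11: "Persona", 12: "People / Supervisory / Temporal",
    13: "Organization", 14: "Government",
}

# Subset of the CAPEC entries the post lists under each layer.
CAPEC_BY_LAYER = {
    0: {406: "Social Information Gathering via Dumpster Diving",
        507: "Physical Theft", 391: "Bypassing Physical Locks"},
    1: {507: "Physical Theft", 391: "Bypassing Physical Locks",
        397: "Cloning Magnetic Strip Cards",
        453: "Malicious Logic Insertion via Counterfeit Hardware"},
    2: {291: "DNS Zone Transfers", 310: "Scanning for Vulnerable Software",
        311: "OS Fingerprinting"},
    8: {190: "Reverse Engineer an Executable to Expose Assumed Hidden Functionality or Content",
        205: "Lifting Credential Key Material Embedded in Client Distributions"},
    9: {268: "Audit Log Manipulation", 270: "Modification of Registry Run Keys"},
    10: {69: "Target Programs with Elevated Privileges", 472: "Browser Fingerprinting"},
    11: {98: "Phishing", 163: "Spear Phishing", 151: "Identity Spoofing"},
    12: {410: "Information Elicitation via Social Engineering", 527: "Manipulate System Users"},
}


@dataclass
class Asset:
    name: str
    layer: int
    key_terrain: bool = False  # a "crown jewel" in OCOKA terms
    sensor: bool = False       # Observation: is there a sensor at this asset?


# Constructed inventory for a hypothetical organization.
ASSETS = [
    Asset("HQ server room", 1, key_terrain=True, sensor=True),
    Asset("payments web app", 10, key_terrain=True),
    Asset("finance workstation image", 9, sensor=True),
    Asset("finance team mailboxes", 11, key_terrain=True, sensor=True),
    Asset("perimeter DNS", 2),
]

# Constructed actor profile: CAPEC IDs an analyst has associated with one
# hypothetical actor type; this is the layer 11-14 "filter" from the post.
ACTOR_PROFILE = {397, 98, 163, 69, 310}


def susceptibility(assets, actor_patterns, key_terrain_only=True):
    """Threat Susceptibility Analysis: for each (key terrain) asset, the actor's
    attack patterns that the post lists at the layer the asset sits in."""
    report = {}
    for asset in assets:
        if key_terrain_only and not asset.key_terrain:
            continue
        applicable = sorted(set(CAPEC_BY_LAYER.get(asset.layer, {})) & actor_patterns)
        if applicable:
            report[asset.name] = applicable
    return report


def observation_gaps(assets):
    """Observation: assets sitting in a layer where no sensor is deployed."""
    covered = {a.layer for a in assets if a.sensor}
    return [a.name for a in assets if a.layer not in covered]


def describe(capec_id):
    """Name for a CAPEC ID, searching every layer (some IDs appear in more than one)."""
    for names in CAPEC_BY_LAYER.values():
        if capec_id in names:
            return names[capec_id]
    return "unknown"


if __name__ == "__main__":
    for name, ids in susceptibility(ASSETS, ACTOR_PROFILE).items():
        print(f"{name} (layer {[a.layer for a in ASSETS if a.name == name][0]}):",
              ", ".join(f"CAPEC-{i} {describe(i)}" for i in ids))
    print("no sensor coverage:", observation_gaps(ASSETS))
```

Run against the constructed inventory, the susceptibility pass reports card cloning against the server room, the elevated-privilege pattern against the payments application, and the two phishing patterns against the finance mailboxes, while the observation pass flags the payments application and the perimeter DNS as sitting in layers with no sensor; the payments application appearing in both lists is exactly the kind of detection gap the post suggests closing first.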
Summary
In this post I presented readers with a new 15 layer cyber terrain model that enables organizations to organize a broad-based body of cybersecurity knowledge and visualize the physical and logical parts of the cyber terrain. There are strong relationships between the layers, and activity can be observed across different layers.
By breaking the cyber terrain down into individual layers we gain a new way to analyze and understand the complexities of modern cyber operations layer by layer, considering both technical and policy-based mitigations and countermeasures for each layer of the defender's cyber terrain.
A fundamental aspect of intelligence preparation of the operational environment (IPOE) is detailed terrain analysis, including the threat actors, their TTPs, attack patterns, and use of the cyber terrain, as well as the defender's TTPs, cyber terrain, and key terrain. Modern threat intelligence can include actionable information for each of the 15 cyber terrain layers. Using a multilayered cyber terrain model can help us organize this knowledge to support increased understanding and accelerate learning while advancing an organization's intelligence-driven security program.