Threat Assessment & Remediation Analysis (TARA)

1 Threat Assessment & Remediation Analysis (TARA) Methodology Description Version Jackson Wynn Joseph Whitmore Geoff Upton Lindsay Spriggs Dan McKinnon Richard McInnes Richard Graubart Lauren Clausen October 2011 M T R 1 1 0 1 7 6 M I T R E T E C H N I C A L R E P ORT Sponsor: OSD (NII) Dept. No.: G021 Contract No.: W15P7T-10-C-F600 Project No.: 031180SE-K1 The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision, unless designated by other documentation. Distribution Statement A: Approved for public release; distribution unlimited. 2011 The MITRE Corporation. All Rights Reserved. Bedford, MA Approved for Public Release: 11-4982. Distribution Unlimited. This page intentionally left blank.

2 Iii Abstract Mission Assurance Engineering (MAE) is the sub discipline of Enterprise Systems Engineering (ESE) intended to provide mission assurance against the advanced persistent Threat (APT). The APT uses an evolving set of tactics, techniques, and procedures (TTPs) to establish and maintain a foothold in the enterprise's information infrastructure, and to exploit that foothold to ex-filtrate large volumes of sensitive information, to corrupt mission-critical information, and/or to deny or degrade mission capabilities. This report describes the Threat Assessment & Remediation Analysis (TARA) methodology, which applies MAE to systems and acquisitions. TARA is a methodology to identify and assess cyber threats and select countermeasures effective at mitigating those threats . When applied in conjunction with a Crown Jewels Analysis (CJA) or other means for assessing mission impact, CJA and TARA together provide for the identification, Assessment , and security enhancement of mission critical assets, which is the cornerstone of mission assurance.

3 Iv Executive Summary The ESE Capstone Program fosters improved enterprise integration and interoperability across the DoD and IC enterprises by conducting systems engineering activities that complement and shape the existing FFRDC work program with sponsors from across the enterprises. The FY11 Mission Assurance Engineering (MAE) Capstone task develops a methodology called Cyber Risk Remediation Analysis (CRRA) for selecting countermeasures (CMs) effective at mitigating cyber threats attributable to the Advanced Persistent Threat (APT). This report builds upon a FY10 ESE Capstone task that defined a methodology called Cyber Threat Susceptibility Analysis (CTSA) [1] to identify and rank a system's susceptibility to cyber attacks mounted by APT Threat actors. The APT can be summarized as an adversary with the sophistication and resources to apply multiple attack vectors to achieve its objectives, which include establishment of footholds within a targeted information technology (IT) infrastructure.

4 The combined approach of CTSA followed by CRRA is referred to as Threat Assessment & Remediation Analysis (TARA), which is a system level engineering practice within the MITRE Mission Assurance Engineering (MAE) portfolio. The objective of MAE is to reduce risk to mission attributable to the APT. The objective of this paper is to define a rigorous and repeatable methodology for performing TARA assessments, and to describe the framework of tools, data, and workflows that collectively support this practice. v Table of Contents 1 Introduction .. 1 Motivation .. 1 An Overview of TARA .. 1 Related Work .. 3 The Mission Assurance Engineering (MAE) Portfolio .. 3 Cyber-Aware Enterprise Transformation Strategies .. 3 Cyber Resiliency Engineering .. 3 System/Acquisition Mission Assurance Engineering (SAMAE).

5 3 Information Systems Security Engineering (ISSE) .. 4 TARA-like Methodologies in Industry .. 4 Mission Oriented Risk and Design Analysis (MORDA) .. 4 Decision Analysis to Counter Cyber Attacks (DACCA) .. 4 Common Vulnerability Scoring System (CVSS) .. 4 Microsoft Threat Modeling .. 4 Outline of this Paper .. 4 2 Threat Assessment & Remediation Analysis (TARA) .. 5 Assessment Methodology .. 5 Cyber Threat Susceptibility Assessment (CTSA) .. 5 Establish Assessment Scope .. 5 Identify Candidate TTP .. 6 Eliminate Implausible TTPs .. 6 Apply Scoring Model .. 7 Construct a Threat Matrix .. 8 Cyber Risk Remediation Analysis (CRRA) .. 9 Select which TTPs to Mitigate .. 9 Identify Plausible Countermeasures .. 10 Assess Countermeasure Merit .. 11 Identify an Optimal CM Solution .. 12 Prepare Recommendations.

6 13 The MAE Catalog .. 13 The MAE Data Model .. 14 Tactics, Techniques, and Procedure (TTP) .. 14 Countermeasure (CM) .. 14 vi Asset Class (AC) .. 15 TTP/CM Mapping .. 15 Sources of Catalog Data .. 15 MAE Catalog Development .. 15 Developing Catalog TTPs, CMs, and TTP/CM Mappings .. 16 Developing Asset Classes and AC/TTP Mappings .. 16 MAE Toolset .. 16 Catalog Development Tools .. 16 Data Entry Web Forms .. 16 Catalog Data Import Tools .. 16 Catalog Data Export Tools .. 17 Catalog Search Tools .. 17 TTP Search Web Form .. 17 CM Search Web Form .. 17 Report Generation .. 17 Scoring Tools .. 17 3 Worked Example .. 18 Assessment Scope .. 18 Cyber Assets .. 18 LAN Switch .. 18 VOIP Gateway .. 18 Range of TTPs .. 18 Cyber Threat Susceptibility Assessment (CTSA) .. 19 TTP Plausibility.

7 19 TTP Risk Scoring .. 22 Threat Matrix .. 22 Cyber Risk Remediation Analysis (CRRA) .. 24 TTPs to Mitigate .. 24 Candidate Countermeasures (CMs) .. 24 CM Scoring .. 25 [Near] Optimal Solution Set .. 26 TARA Recommendations .. 26 4 27 Genesis of the TARA Methodology .. 27 Assessment Tailoring .. 28 vii Support to Acquisition Programs .. 28 Pre-PDR Support .. 28 PDR-to-CDR Support .. 29 Post-CDR Support .. 29 Engineering Trade-off Studies .. 29 Support for Operational Cyber Defense .. 29 Towards an Adversary Model .. 29 Comparison of TARA to other Methodologies .. 30 Mission Oriented Risk and Design Analysis (MORDA) .. 30 Decision Analysis to Counter Cyber Attacks (DACCA) .. 31 Common Vulnerability Scoring System (CVSS) .. 32 Microsoft Threat Modeling .. 33 Areas for Additional Research.

8 34 Appendix A Acronym List .. 36 Appendix B MAE Terminology .. 39 Appendix C MAE Catalog Details .. 41 Data Dictionary .. 41 Representative TTPs .. 44 Representative CMs .. 46 Appendix D MAE Toolset Details .. 48 Appendix E References and Links .. 50 viii List of Figures Figure 1 Threat Assessment & Remediation Analysis (TARA) Methodology .. 2 Figure 2 Default TTP Risk Scoring Spreadsheet .. 7 Figure 3 TARA Threat Matrix .. 8 Figure 4 TTP/CM Mapping Table .. 10 Figure 5 Mitigation Effectiveness Notations .. 11 Figure 6 Mitigation Effectiveness Scoring .. 11 Figure 7 CM Ranking Table .. 12 Figure 8 CM Solutions 13 Figure 9 MAE Data Model .. 14 Figure 10 Worked Example TTPs .. 19 Figure 11 TTP Plausibility .. 21 Figure 12 Tailored TTP Scoring 22 Figure 13 Threat Matrix .. 23 Figure 14 Threat Matrix .. 24 Figure 15 TTP/CM Mapping Table.

9 25 Figure 16 CM Ranking Table .. 26 Figure 17 Solutions List .. 26 Figure 18 MAE Data Model .. 41 Figure 19 TTP Management Interface .. 48 Figure 20 CM Management Interface .. 49 Figure 21 Asset Class Management Interface .. 49 ix This page intentionally left blank. 1 1 Introduction This paper details a methodology resulting from a two (2) year ESE Capstone effort to develop an engineering methodology that promotes greater mission assurance within the system acquisition lifecycle. Motivation This research is motivated in part by a 2008 report by the Air Force Scientific Advisory Board (SAB) on "Defending and operating in a Contested Cyber Domain", which defines mission assurance (MA) as "measures that are required to accomplish objectives of missions in the presence of information assurance compromises." [2] Mission assurance assumes that the adversary, herein referred to as the Advanced Persistent Threat (APT), has the motivation, skills, and resources necessary to breach/penetrate security perimeters and gain persistent access to cyber assets within an enterprise.

10 NIST SP 800-39 defines the APT as "an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors ( , cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of ex-filtrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent Threat : (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.