TRANSCRIPT
-
Title: Cyber Table Top
Date: 8 August 2018
Presenter: Roy Wilson, Professor of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region
Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region
-
2
Cyber Table Top
• Cyber Table Top (CTT) Guidebook, 2 July 2018, DASD/DT&E
• CTT Facilitator Training, DASD/DT&E and DAU, on-site, 1 day
-
Cyber Table Top (CTT)
• Input to Controls Selection / Risk Assessment / Pre-Test
• User Reps / Focused Mission Areas
*Facilitator Training available via Ms. Sarah M. Standard, CIV OSD OUSD ATL (US), [email protected]

CTT process (color code: Operational (Blue) Team, Adversarial (Red) Team)

Event Preparation (~ weeks): Develop Mission Plan
• Analyze Architecture, CONOPS, Intelligence
• Define Mission
• Identify Control, Blue, Red, Analysis, Reporting Teams
• Define Attack Paths & Vulnerabilities

Event Execution (~ 3 days)
• Define Access Paths
• Execute Attacks
• Describe Effects
• Develop Mitigations

Post Mission Analysis (~ weeks)
• Analyze adversary attacks
• Determine Cyber effects: F/P/NMC
• Risk: Likelihood, Consequence

Reporting
• Risk Cube
• Mitigations
• Executive, Detailed & Full Report

Presenter notes: Q: What is the most critical part of a CTT? Prep and user reps. F/P/NMC = Full, Partial, Not Mission Capable. Facilitator training available from the National Cyber Range via Ms. Christa Pettie ([email protected]).
-
9
Analysis Spreadsheet: OPFOR Attacks; Effects, Impacts, Likelihood; Recommendations, Mitigations
Level of Access to Operational Data is Critical

The workbook has one tab per OPFOR mission (OPFOR Mission 1 e.g. Degrade, OPFOR Mission 2 e.g. Deny, OPFOR Mission 3 e.g. Exfil). Each tab carries the same columns, and the header row groups them by the team that fills them in (left to right: Analysis Team, OPFOR, Control Team/OPFOR, Operational Team, Analysis Team, System Test Leads). The columns, with the guidance given for each:

• A, ID: Mission number, attack number and variant number, e.g. M2A1V2.
• B, Goal: Goal of the attack with respect to the mission, e.g. delay operational mission.
• C, Attack Method: The broad class of attack, e.g. SQL injection, the adversary team will employ to execute the mission; there may be multiple attack types capable of executing the mission.
• D, Attack Description: The specific description of the attack, e.g. delete entries from the customer database. Variants are split out because they can have very different mission impacts, consequences, costs, etc.
• E, Assumptions: Assumptions about the attack process and the systems under attack, e.g. the adversary team has previously gained a presence on the network.
• F, When in the Mission Timeline: The specific event, circumstances or times in the operational scenario when the attack is executed, and an explanation of why that matters.
• G, Possible System Effect (If) (labelled Possible Outcome on the Mission 2 and 3 tabs): Description of possible outcomes to the systems under attack, e.g. customer entries are deleted from the databases. These need not be broken out into separate rows unless relevant.
• H, Attack Result (Then): Description of the impact on the system if the outcome occurs, e.g. customer data is unavailable until restored from backup.
• I, Mission Effect (If) (Mission Impact on the other tabs): Description of the operational impact to the mission, e.g. operators can't pull up customer records in support of mission execution and have to bring the system down for 3 hours of unplanned maintenance.
• J, Mission Impact (Then) (Mission Consequence on the other tabs): Description of the high-level consequence to the overall blue team mission state: Full Mission Capable, Partial Mission Capable, Not Mission Capable (F/P/NMC).
• K, Numerical Mission Impact and Consequence: Using an operational mission rubric to assess mission consequence, assign a numerical value (1-5) for columns I and J.
• L, Attack Cost / Level of Effort: An estimate of how difficult the attack is to execute: a combination of the technical complexity and the availability of system information (or of the system itself) to the adversary prior to the attack. Assumptions are excluded from consideration; e.g. if network access is assumed, the difficulty of gaining that access is excluded here.
• M, Attack Success Likelihood: The likelihood the attack will be successful when executed and have the stated attack result (due to technical complexity, etc.), NOT an estimate of the likelihood that a real-world adversary would use this attack.
• N, Numerical Likelihood: Using a likelihood rubric that takes into account the level of effort and the ease of the attack as well as the likelihood of the attack succeeding, assign a numerical value (1-5) for likelihood.
• O, Analysis of Numerical Likelihood factoring in access methods: If the attack requires some type of access to a specific network, this column factors the difficulty of gaining that access into the attack level of effort and likelihood of success. This may increase or decrease the likelihood value from column N; put the new (or unchanged) likelihood value from N here.
• P, Final Risk Assessment coordinates: Columns K and O (O carrying the adjusted value, if N was adjusted), represented as coordinates, e.g. (3,5).
• Q, Capabilities, In Place Today: Description of how specific IA and cyber-security mechanisms the system under analysis has in place today would mitigate the attack.
• R, Capabilities, Planned for the Future: Description of how specific IA and cyber-security mechanisms planned for the system under analysis would mitigate the attack.
• S, Recommendations: Follow-on recommendations the program conducting the CTT should consider for each attack; a high-level categorization with amplifying data, e.g. Accept Risk, Conduct Follow-on Analysis, Test, etc.
• T, Questions, RFIs, Further Analysis: Any unanswered questions or requests for more information needed to inform CTT analysis; questions to be investigated after the CTT is over.

The template rows on each tab pair each attack variant with the systems or subsystems it touches:
• M1A1V1, Attack Type 1: System / Subsystem 1; System / Subsystem 2
• M1A1V2, Attack Type 1: System / Subsystem 1; System / Subsystem 3
• M1A1V3, Attack Type 1: System / Subsystem 2; System / Subsystem 3
• M1A2V1, Attack Type 2: System / Subsystem 1; System / Subsystem 2
• M1A2V2, Attack Type 2: System / Subsystem 1; System / Subsystem 3
• M1A2V3, Attack Type 2: System / Subsystem 2; System / Subsystem 3

Distribution Statement A - approved for public release; distribution is unlimited, as under NAVAIR Public Release Authorization 2015-710
-
10
Analysis Spreadsheet: OPFOR Attacks; Effects, Impacts, Likelihood; Recommendations, Mitigations
Effects, Impacts, Likelihood
User Representation is Critical

This slide shows the same workbook as slide 9 with the Analysis Team scoring columns called out:
• ID: Mission, Attack, Variant number
• Numerical Mission Impact and Consequence: Assess mission consequence (1-5)
• Attack Cost / Level of Effort: Combination of technical complexity and system information availability
• Attack Success Likelihood: Likelihood the attack is successful when executed, NOT the likelihood an adversary would use the attack
• Numerical Likelihood: Combination of level of effort, ease, and likelihood of the attack succeeding (1-5)
• Analysis of Numerical Likelihood: Difficulty or ease of access to the specific network
• Final Risk Assessment coordinates: Final value
-
11
Analysis Spreadsheet: OPFOR Attacks; Effects, Impacts, Likelihood; Recommendations, Mitigations
Recommendations, Mitigations
All Participants are Part of the Solution

This slide shows the same workbook as slide 9 with the Analysis Team and System Test Leads columns called out:
• ID: Mission, Attack, Variant number, e.g. M2A1V2
• Capabilities, In Place Today: Description of how the specific cyber-security in place would mitigate
• Capabilities, Planned for the Future: Description of how the specific cyber-security planned would mitigate
• Recommendations: e.g. Accept Risk, Conduct Follow-on Analysis, Test, etc.
• Questions, RFIs, Further Analysis: Questions or requests for information
-
12
Impact RiskProbability
Impact Mission Impact
1 Fully Mission Capable
2 Partial to Fully Mission Capable
3 Partially Mission Capable
4 Non to Partially Mission Capable
5 Non-Mission Capable
CTT Risk Cubes: Impact vs Probability
M=Mission A=Attack V=Variant
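The scoring columns K, N, O and P of the analysis spreadsheet and the risk cube above, worked as an added Python example (not code from the deck or the CTT Guidebook). The column letters, the 1-5 scales and the (K, O) coordinate convention are from the slides; the numeric rubrics that turn the qualitative ratings into numbers, and the Low/Moderate/High banding of the cube, are assumptions made here, since the deck refers to rubrics without giving them.

```python
"""Columns K, N, O and P of the CTT analysis spreadsheet plus the Impact vs
Probability risk cube. Added example, not code from the DAU deck or the CTT
Guidebook: column letters and 1-5 scales follow the slides; the numeric rubrics
and the risk bands are assumptions made here."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Column K scale, exactly as listed on the "CTT Risk Cubes" slide.
IMPACT_SCALE = {1: "Fully Mission Capable", 2: "Partial to Fully Mission Capable",
                3: "Partially Mission Capable", 4: "Non to Partially Mission Capable",
                5: "Non-Mission Capable"}
# Assumed rubric: coarse F/P/NMC mission state (column J) -> column K value.
MISSION_STATE_TO_IMPACT = {"FMC": 1, "PMC": 3, "NMC": 5}
ROW_ID = re.compile(r"^M(\d+)A(\d+)V(\d+)$")   # M=Mission A=Attack V=Variant


class Level(Enum):
    """Qualitative rating used for columns L and M and for access difficulty."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3

SHIFT = {Level.LOW: 1, Level.MEDIUM: 0, Level.HIGH: -1}  # assumed one-step adjustment


@dataclass
class AttackRow:
    row_id: str                # column A, e.g. M1A1V1
    goal: str                  # column B, e.g. Degrade / Deny / Exfil
    attack_method: str         # column C, broad class of attack
    mission_state: str         # column J: FMC, PMC or NMC
    level_of_effort: Level     # column L, assessed with any assumed access excluded
    success_likelihood: Level  # column M: chance the stated result occurs when executed
    access_difficulty: Optional[Level] = None  # difficulty of the access the row assumes


def clamp(value: int) -> int:
    return max(1, min(5, value))  # keep a score on the deck's 1-5 scale


def parse_row_id(row_id: str) -> tuple:
    """Split M<n>A<n>V<n> into (mission, attack, variant); reject anything else."""
    match = ROW_ID.match(row_id)
    if not match:
        raise ValueError(f"row id {row_id!r} is not of the form M#A#V#")
    return tuple(int(part) for part in match.groups())


def impact_score(row: AttackRow) -> int:
    """Column K: numerical mission impact and consequence (1-5)."""
    return MISSION_STATE_TO_IMPACT[row.mission_state]


def numerical_likelihood(row: AttackRow) -> int:
    """Column N (assumed rubric): success likelihood sets the base value and
    level of effort shifts it one step; the result is clamped to 1-5."""
    base = {Level.LOW: 1, Level.MEDIUM: 3, Level.HIGH: 5}[row.success_likelihood]
    return clamp(base + SHIFT[row.level_of_effort])


def access_adjusted_likelihood(row: AttackRow) -> int:
    """Column O: factor the difficulty of gaining the assumed access into N.
    With no access assumed, O carries the unchanged value from N."""
    n = numerical_likelihood(row)
    if row.access_difficulty is None:
        return n
    return clamp(n + SHIFT[row.access_difficulty])


def risk_coordinates(row: AttackRow) -> tuple:
    """Column P: final risk assessment coordinates (K, O), e.g. (3, 5)."""
    parse_row_id(row.row_id)  # fail early on a malformed id
    return (impact_score(row), access_adjusted_likelihood(row))


def risk_band(impact: int, likelihood: int) -> str:
    """Assumed banding of the cube: product >= 15 High, >= 6 Moderate, else Low."""
    product = impact * likelihood
    return "High" if product >= 15 else "Moderate" if product >= 6 else "Low"


def risk_cube(rows) -> dict:
    """Group row ids by cube cell, keyed (impact, likelihood)."""
    cube = {}
    for row in rows:
        cube.setdefault(risk_coordinates(row), []).append(row.row_id)
    return cube


def render_cube(cube: dict) -> str:
    """Text grid with Impact down the side (5 at top) and Probability across."""
    lines = ["Impact \\ Probability        1       2       3       4       5"]
    for impact in range(5, 0, -1):
        cells = [",".join(cube.get((impact, p), [])) or "." for p in range(1, 6)]
        label = f"{impact} {IMPACT_SCALE[impact][:25]:<25}"
        lines.append(label + " " + " ".join(f"{c:<7}" for c in cells))
    return "\n".join(lines)


# Constructed sample rows; the goals and attack classes are the deck's own examples.
SAMPLE_ROWS = [
    AttackRow("M1A1V1", "Degrade", "DDOS", "PMC", Level.LOW, Level.HIGH, Level.MEDIUM),
    AttackRow("M2A1V2", "Deny", "SQL injection", "NMC", Level.MEDIUM, Level.MEDIUM, Level.HIGH),
    AttackRow("M3A1V1", "Exfil", "Attack Type 1", "FMC", Level.HIGH, Level.LOW, None),
]

if __name__ == "__main__":
    print(render_cube(risk_cube(SAMPLE_ROWS)))
```

The first sample row lands on (3,5), the coordinate the deck itself uses as its example; the third row shows column O carrying N through unchanged when no access is assumed.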
-
13
Cyber Table Top
Questions?
-
14
Resources
• Cyber Tabletop Home Page: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops/SitePages/Home.aspx
• Cyber Table Top Guidebook: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops/Shared%20Documents1/CTT%20Facilitators/Cyber%20Table%20Top%20Handbook.pdf
• Cybersecurity Community of Practice: https://www.dau.mil/cop/cybersecurity/Pages/Default.aspx?utm_source=landl&utm_medium=ctt080818&utm_campaign=prs
• Cybersecurity Tools (enter "Cybersecurity" into the 'Search Tools' area and click 'Apply Filters'): https://www.dau.mil/tools?utm_source=landl&utm_medium=ctt080818&utm_campaign=prs
-
15
Contact Info
DAU Cybersecurity Enterprise Team
• Vinny Lamolinara
• Roy Wilson, [email protected]
DASD/DT&E Contact Info
• E-mail: [email protected]
• Website: https://www.acq.osd.mil/dte-trmc/