
Threat Analysis and Detection
1. Read the article: Cyber Threat Metrics – http://prod.sandia.gov/techlib/access-control.cgi/2012/122427.pdf
2. In 2-3 paragraphs, 300-500 words, summarize the article you selected, perform additional research, and provide your analysis of the threat, potential risks, and a recommendation for some indicators that could be used to develop a mitigation strategy, such as a Snort rule. Properly reference, and cite in MLA.
cyber_threat.pdf
SANDIA REPORT
SAND2012-2427
Unlimited Release
Printed March 2012
Cyber Threat Metrics
Mark Mateski, Cassandra M. Trevino, Cynthia K. Veitch, John Michalski, J. Mark Harris,
Scott Maruoka, Jason Frye
Prepared by
Sandia National Laboratories
Albuquerque, New Mexico 87185
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation,
a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s
National Nuclear Security Administration under contract DE-AC04-94AL85000.
Approved for public release; further dissemination unlimited
Issued by Sandia National Laboratories, operated for the United States Department of Energy by
Sandia Corporation.
NOTICE: This report was prepared as an account of work sponsored by an agency of the United
States Government. Neither the United States Government, nor any agency thereof, nor any of their
employees, nor any of their contractors, subcontractors, or their employees, make any warranty,
express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or represent that its use
would not infringe privately owned rights. Reference herein to any specific commercial product,
process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation, or favoring by the United States
Government, any agency thereof, or any of their contractors or subcontractors. The views and
opinions expressed herein do not necessarily state or reflect those of the United States Government,
any agency thereof, or any of their contractors.
Printed in the United States of America. This report has been reproduced from the best available
copy.
Available to DOE and DOE contractors from
U.S. Department of Energy
Office of Scientific and Technical Information
P.O. Box 62
Oak Ridge, TN 37831
Telephone: (865)576-8401
Facsimile: (865)576-5728
E-Mail: reports@adonis.osti.gov
Online ordering: http://www.osti.gov/bridge
Available to the public from
U.S. Department of Commerce
National Technical Information Service
5285 Port Royal Rd
Springfield, VA 22161
Telephone: (800)553-6847
Facsimile: (703)605-6900
E-Mail: orders@ntis.fedworld.gov
Online ordering: http://www.ntis.gov/help/ordermethods.asp?loc=7-4-0#online
SAND2012-2427
Unlimited Release
Printed March 2012
Cyber Threat Metrics
John Michalski, Cynthia Veitch
Critical Systems Security, 05621
Mark Mateski
Security Systems Analysis, 06612
Cassandra Trevino
Analytics and Cryptography, 05635
Jason Frye
Information Engineering, 09515
Mark Harris, Scott Maruoka
Assurance Tech and Assessments, 05627
Sandia National Laboratories
P.O. Box 5800
Albuquerque, New Mexico 87185-MS0671
Abstract
Threats are generally much easier to list than to describe, and much easier to describe than to
measure. As a result, many organizations list threats. Fewer describe them in useful terms, and
still fewer measure them in meaningful ways. This is particularly true in the dynamic and
nebulous domain of cyber threats—a domain that tends to resist easy measurement and, in some
cases, appears to defy any measurement.
We believe the problem is tractable. In this report we describe threat metrics and models for
characterizing threats consistently and unambiguously.
CONTENTS
1 Introduction ........ 7
  1.1 Background ........ 7
  1.2 Scope and Purpose ........ 8
  1.3 Report Structure ........ 8
2 Threat Metrics and Models ........ 9
  2.1 Threat Metrics ........ 9
  2.2 Threat Models ........ 10
3 The Generic Threat Matrix ........ 13
  3.1 Threat Attributes ........ 14
    3.1.1 Commitment Attribute Family ........ 14
    3.1.2 Resource Attribute Family ........ 15
  3.2 Profiles of Threat Capability ........ 16
4 Additional Sources of Threat Metrics ........ 19
  4.1 Incident Data ........ 19
  4.2 Threat Multipliers ........ 22
  4.3 Attack Vectors ........ 22
  4.4 Target Characteristics ........ 23
  4.5 Attack Trees ........ 24
  4.6 Attack Frequency ........ 27
5 Conclusion: Toward a Consistent Threat Assessment Process ........ 31
6 Works Cited ........ 35
FIGURES
Figure 1: An example attack tree. ........ 24
Figure 2: Chart view of attack tree scenarios by threat level (notional). ........ 26
Figure 3: Chart view of alternative attack tree scenarios by threat level (notional). ........ 27
Figure 4: Cumulative attack frequency by threat level, vulnerability, and target type (notional). ........ 28
Figure 5: Cumulative attack frequency by threat level, target type, and vulnerability (notional). ........ 28
Figure 6: A functional view of the “as is” threat assessment process. ........ 31
Figure 7: A functional view of the “to be” threat assessment process. ........ 32
TABLES
Table 1. Generic threat matrix ........ 13
Table 2. The expected relationship between incident details and threat attributes. ........ 19
Table 3. The relationship between incident information categories and threat attributes. ........ 21
Table 4: Tabular view of attack tree scenarios by threat level (notional) ........ 25
Table 5: Tabular view of alternative attack tree scenarios by threat level (notional) ........ 26
Table 6: Selected enumerations, languages, and repositories in MITRE’s Making Security Measurable initiative ........ 29
ACRONYMS AND ABBREVIATIONS
APT      Advanced Persistent Threat
C&C      Command and Control
CNO/CNE  Computer Network Operations and Exploitation
DHS      Department of Homeland Security
DOE      Department of Energy
FCEB     Federal Civilian Executive Branch
FNS      Federal Network Security
HSB      Human Studies Board
OTA      Operational Threat Assessment
RFP      Request for Proposal
RVA      Risk and Vulnerability Assessment
VAP      Vulnerability Assessment Program
VPN      Virtual Private Network
XSS      Cross-site Scripting
1 INTRODUCTION
For the purposes of this report, a threat is a person or organization that intends to cause harm.
Threats are generally much easier to list than to describe, and much easier to describe than to
measure. As a result, many organizations list threats, but fewer describe them in useful terms and
still fewer measure them in meaningful ways.
Several advantages ensue from the ability to measure threats accurately and consistently. Good
threat measurement, for example, can improve understanding and facilitate analysis. It can also
reveal trends and anomalies, underscore the significance of specific vulnerabilities, and help
associate threats with potential consequences. In short, good threat measurement supports good
risk management.
Unfortunately, the practice of defining and applying good threat metrics remains immature. This
is particularly true in the dynamic and nebulous domain of cyber threats—a domain that tends to
resist easy measurement and, in some cases, appears to defy any measurement.
We believe the problem is tractable. In this report we describe threat metrics and models for
characterizing threats consistently and unambiguously. We embed these metrics within a process
and suggest ways in which the metrics and process can be applied and extended.
1.1 Background
The Department of Homeland Security (DHS) Federal Network Security (FNS) program created
the Risk and Vulnerability Assessment (RVA) program to assist Federal Civilian Executive
Branch (FCEB) agencies with conducting risk and vulnerability assessments [1]. These
assessments individually identify agency-specific vulnerabilities and combine to provide a view
of cyber risk and vulnerability across the entire federal enterprise. The RVA program has worked
with Sandia National Laboratories to develop a basis Operational Threat Assessment (OTA)
methodology that will result in an unclassified estimate of current threats to an FCEB system to
be shared with the system owner [2].
The goal of the OTA phase of a risk and vulnerability assessment is to provide an accurate
appraisal of the threat levels faced by a given FCEB agency. Information is collected about the
system being assessed through document review and targeted searches of both open source and
classified data sets. The identified threats, vulnerabilities, mitigations, and controls may be
confirmed or discounted during assessment activities.
OTA is designed to provide an efficient threat estimate that is consistent from agency to agency
and analyst to analyst. Given the scope of the RVA program, a large number of assessments will
be conducted each year, addressing agencies with widely varying sizes and missions. The
consistency and repeatability of each threat assessment is important to ensure similar treatment
of all agencies and facilitate the combination of risk assessment results for all agencies. Toward
this end, this report reviews cyber threat metrics and models that may potentially contribute to
the OTA methodology.
1.2 Scope and Purpose
The purpose of this report is to support the OTA phase of risk and vulnerability assessment. To
this end, we focus on the task of characterizing cyber threats using consistent threat metrics and
models. In particular, we address threat metrics and models for describing malicious cyber
threats to US FCEB agencies and systems.
1.3 Report Structure
This report is organized as follows:
  • Chapter 1 provides background, scope, and purpose;
  • Chapter 2 describes the nature and utility of threat metrics and models;
  • Chapter 3 introduces the generic threat matrix and discusses its application as a threat model;
  • Chapter 4 discusses several sources of possible threat metrics; and
  • Chapter 5 concludes the report by sketching a threat analysis process.
2 THREAT METRICS AND MODELS
In order to define and apply good threat metrics, we must first understand the characteristics of a
good metric and then understand how those metrics can be framed to establish a model to
describe threat.
2.1 Threat Metrics
Before we discuss our approach to threat metrics, it is useful to review the following four questions.
What is a metric?
A concise dictionary definition of metric is “a standard of measurement” [3]. Similarly, a current security metrics guide describes a metric as “a consistent standard of measurement” [4]. Metrics allow us to measure attributes and behaviors of interest. A meter, for example, is a metric that allows us to measure length, while the number of defects per shipment is a metric that allows us to measure quality.
Confusion between a metric and a measure sometimes occurs. Bob Frost, a performance measurement authority, clarifies the terms by noting that “’metric’ is the unit of measure, [while] ‘measure’ means a specific observation characterizing performance” [5]. Thus, if the number of defects per hour is the metric, the measure is the observed value of, for example, seven.
Why do we use metrics?
When we measure something using consistent metrics, we improve our ability to understand it, control it, and, in the case of a threat, better defend against it. According to the performance engineer H. James Harrington, “Measurement is the first step that leads to control and eventually improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” [6].
What makes a good metric?
A quality metric typically exhibits several conventional characteristics. For example, a good metric is clear and unambiguous. It facilitates inexpensive collection (that is, the cost of collecting measurement data doesn’t exceed the value of the data). A good metric also supports decision making and precludes subjective interpretation.
Many authors further suggest that good metrics implement quantitative rather than qualitative scales. On this point, security professional Andrew Jaquith states that “good metrics should express results using numbers rather than high-low-medium ratings, grades, traffic lights, or other nonnumeric methods.” He notes further that “Ordinal numbers—created by assigning a series of subjective scores numeric equivalents—are functionally equivalent to ratings” [4]. Although the goal of implementing only quantitative scales is certainly a worthy one, practitioners continue to debate precisely how to do this. For now, most organizations continue to implement qualitative scales for measuring “intangible” factors such as motivation and intent.
An additional factor to consider here is that no single metric—no matter how good it might be—is likely to tell the whole story. Multiple metrics from multiple perspectives are usually needed. This, in fact, is one of the driving ideas behind the widely used Balanced Scorecard that Bob Frost refers to as a “measurement framework” or a “performance model.” Not only does a measurement framework help organize sets of metrics, Frost notes that it also “can tell you what types of variables to consider and where to look” [7].
What makes a good threat metric?
A good threat metric is foremost a good metric. It is clear and efficient, and it supports decision making. An example of a good threat metric might be number of attacks per month. If we are able to define attacks clearly and count them economically, we will most likely have a good metric. Over time, the count of attacks—whether high or low—grants the defender insight into the attacker’s intent and capability. Given this, the defender can better calculate risk and allocate resources.
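The two points made in this section, that a metric such as "attacks per month" is only good once "attack" is defined unambiguously, and that ordinal numbers assigned to high/medium/low ratings are still just ratings, can be made concrete in code. The following Python is an added example and is not part of the Sandia report; the alert lines and their field layout (timestamp, sensor, severity, signature name) are constructed for illustration and do not correspond to any real IDS export format.

```python
"""
Added example (not from the Sandia report): "attacks per month" as a metric
whose measures depend on how "attack" is defined, and a demonstration that
averaging ordinal severity ratings gives coding-dependent answers.
"""
from collections import Counter
from datetime import datetime

# Constructed sample alerts: "<ISO timestamp> <sensor> <severity> <signature>".
# The format and the signature names are assumptions for this example only.
SAMPLE_ALERTS = """\
2012-01-03T08:15:00 ids-1 low    PORTSCAN
2012-01-03T08:16:10 ids-1 high   WEB_SQLI_ATTEMPT
2012-01-17T22:40:05 ids-2 low    PORTSCAN
2012-02-02T11:02:33 ids-1 medium BRUTE_FORCE_SSH
2012-02-14T03:30:00 ids-2 medium BRUTE_FORCE_SSH
2012-02-20T19:05:41 ids-2 medium BRUTE_FORCE_SSH
2012-03-09T16:45:12 ids-1 high   MALWARE_C2_BEACON
"""


def parse_alerts(text):
    """Turn the raw alert lines into dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, severity, signature = line.split()
        alerts.append({
            "time": datetime.fromisoformat(ts),
            "sensor": sensor,
            "severity": severity,
            "signature": signature,
        })
    return alerts


# The report's first requirement is that "attack" be defined clearly.
# Two candidate definitions, written down as explicit predicates so that
# two analysts applying the same metric obtain the same measure.
def is_attack_any_alert(alert):
    """Definition A: every alert counts as an attack, reconnaissance included."""
    return True


def is_attack_excluding_recon(alert):
    """Definition B: an attack is any alert that is not pure reconnaissance."""
    return alert["signature"] != "PORTSCAN"


def attacks_per_month(alerts, is_attack):
    """The metric: number of alerts satisfying is_attack, keyed by YYYY-MM.
    Each value in the returned dict is a 'measure' in Frost's sense."""
    counts = Counter()
    for alert in alerts:
        if is_attack(alert):
            counts[alert["time"].strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


# Jaquith's point: mapping ratings to numbers does not make them quantitative.
# Both codings below preserve the order low < medium < high, yet they rank the
# months differently once the scores are averaged.
ORDINAL_CODING_1 = {"low": 1, "medium": 2, "high": 3}
ORDINAL_CODING_2 = {"low": 1, "medium": 2, "high": 10}


def mean_severity_by_month(alerts, coding):
    """Average of the coded severity per month; depends on the arbitrary coding."""
    totals, counts = Counter(), Counter()
    for alert in alerts:
        month = alert["time"].strftime("%Y-%m")
        totals[month] += coding[alert["severity"]]
        counts[month] += 1
    return {m: totals[m] / counts[m] for m in sorted(counts)}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("Definition A:", attacks_per_month(alerts, is_attack_any_alert))
    print("Definition B:", attacks_per_month(alerts, is_attack_excluding_recon))
    print("Mean severity, coding 1:", mean_severity_by_month(alerts, ORDINAL_CODING_1))
    print("Mean severity, coding 2:", mean_severity_by_month(alerts, ORDINAL_CODING_2))
```

Run as a script, the count metric gives the same January figure to any analyst who uses the same definition, but changes as soon as the definition changes (3 versus 1 for January). The severity averages show the ordinal problem: under coding 1 February looks worse than January, under coding 2 January looks worse than February, even though no alert changed. A count of clearly defined events is a quantitative metric; a mean of ratings is not.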
2.2 Threat Models
As we noted above, a stand-alone metric is usually insufficient to describe the characteristics or
behavior of a complex system or actor. Much more useful is a “measurement framework” that
combines metrics and their relationships into a complete and consistent whole. Although models
can be much more than measurement frameworks, a measurement framework is certainly a
model. In this section, we consider threat models. More specifically, we consider cyber threat
models.
What is a threat?
We informally describe a threat as “a person or organization that intends to cause harm.” More formally, a threat is “a malevolent actor, whether an organization or an individual, with a specific political, social, or personal goal and some level of capability and intention to oppose an established government, a private organization, or an accepted social norm” [8].
Threats can be of different types, and they can pursue different goals. Depending on the environment in which an information system or network is located and the type of information it is designed to support, different classes of threats will have an interest in attempting to gain different types of information or access, based on their particular capabilities.
What is a model?
Informally, a model is a simplified representation of something else. A model ignores, masks, or abstracts unimportant or unnecessary details, thereby highlighting the details of interest. For example, a model of a real-world computer network will abstract away certain details and highlight others.
What is a threat model?
Clearly, a threat model is a model of a threat. Per the definition of model above, a threat model highlights the details of interest regarding a threat, class of threat, or threats in general. A threat model will generally address both a threat’s capabilities and its intent.[1] Because our mandate is to address cyber threat metrics, the models we consider below emphasize the intent and capability of cyber threats.
Today, cyber threat models are frequently little more than a progression of semi-descriptive
labels: hackers, hacktivists,[2] script kiddies,[3] nation states, cyber terrorists,[4] organized crime, or
malicious insiders. These labels reinforce preconceived notions regarding motivation and
resources. Unfortunately, this method undermines a clear understanding of capabilities—an
understanding that is particularly useful when attempting to establish protections for an
information system or network. The model that follows is designed to address the limitations of
current cyber threat models.
Additionally, the model that follows is designed to promote consistency, even (or especially)
when the analysis is performed by different analysts. Arming analysts with clearly defined,
uniform threat models based on consistent metrics helps reduce the effects of personal bias and
preconceived notions. Moreover, the value of consistency grows with time. Given a standardized
threat model, an analyst can store consistent threat reports in a reference database accessible to
other analysts. As new threats are encountered, these threats can be analyzed using the same
process, allowing for up-to-date, accurate threat estimates that contribute to a consistent,
repeatable, and reliable risk and vulnerability assessment process.
In the remainder of the report, we present and describe a threat model based on the generic threat
matrix. We then discuss a range of possible metrics sources. We close by bringing these
elements together into a broader threat assessment process.
[1] The DHS Risk Lexicon notes, for example, that “Adversary intent is one of two elements, along with adversary capability, that is commonly considered when estimating the likelihood of terrorist attacks …” [11]
[2] A hacktivist uses computers and networks as a means of protest to promote social, political, or ideological ends.
[3] A script kiddie uses existing computer scripts or code to gain …