CISA | Cybersecurity and Infrastructure Security Agency

.govCAR: .gov Cybersecurity Architecture Review
March 26, 2019
About: Cyber Architectural Review

The CAR methodology provides:
• Threat-based assessment of cyber capabilities.
• A look at the problem of cyber security the way an adversary does.
• Directly identifies where mitigations can be applied for the best defense against all phases of a cyber-attack.
• Enhances cybersecurity by analyzing capabilities against the current cyber threats to highlight gaps, and identify and prioritize areas for future investments.
DoDCAR

• The Department of Defense Cybersecurity Analysis and Review (DoDCAR) was created by the DoD CIO, NSA, and DISA in June of 2015 to analyze the existing architecture and proposed changes and make recommendations.
• Developed a threat-based methodology that provided a single evaluation framework across the full scope (holistic) of the DoD Architecture, including the DoD boundary and individual services and agencies.
• Architectural recommendations used to drive budget (POM) and programmatic changes.
.govCAR

.govCAR began in April 2017, leverages the same methodology, and is part of the DoDCAR community.

Goal: Inform DHS's approach to assisting Departments and Agencies with insight and knowledge to make prioritized cybersecurity investment decisions across the .gov environment.
• Create a threat-based security architecture review that provides an end-to-end holistic assessment that is composed of capabilities provided by DHS or the individual Departments and Agencies.
• Create a common framework to discuss and assess cybersecurity architectural choices:
  - For a shared Federal IT Infrastructure
  - To inform DHS's approach for its capabilities
  - To enable Departments and Agencies to make threat-based risk decisions
• Be transparent and traceable.
.govCAR: Move to Stronger Risk Management

• Compliance: risk determination based on checklist
• Cyber Hygiene: risk determination based on automated asset and account management
• Threat-based Approach (.govCAR): risk determination based on performance-based measures
Utilizing .govCAR

• Determine if my current cyber security capabilities are protecting me against threats, by evaluating:
  - architectures of architectures (layered architecture)
  - enterprise architectures and capabilities (vendor independent descriptions of building blocks, e.g., firewall)
  - security stack architectures and capabilities
• If not, where are the gaps/unwanted duplications?
• Support investment direction and decisions
• Can evaluate people, policy and process capabilities, but has been primarily used for technology (materiel) evaluation
Impact of .govCAR

• Have provided actionable recommendations, backed by extensive data and analysis, for targeting cybersecurity investments on department and agency networks, and for DHS services
• Provided input for decision-making and revectoring on CDM and TIC RA v3
• Cybersecurity Threat Framework mentioned in OMB report: Federal Cybersecurity Risk Determination Report and Action Plan
• Special tasking to determine if there is a clear security distinction for DHS between using a single or multi-tenant deployment model for MS Office 365
• Director for Network Security Deployment at DHS signed out a memo directing the NCPS and CDM programs to incorporate the current .govCAR recommendations into the planning and delivery of evolving capabilities (August 2018)
• Newly formed CISA CTO using .govCAR results to drive technology investigations
.govCAR Methodology

(Slide shows the methodology flow diagram; its steps are labelled Sections 2 & 3, Section 4, Section 5, Section 6 and Section 7.)
SPINs to date

• SPIN 1: NCPS, TIC
• SPIN 2: D/A Endpoint
• SPIN 3: IaaS, SaaS
• SPIN 4: D/A Data Center
• SPIN 5: Mobile
Spin 1-5 Architecture View

(Architecture diagram showing how each SPIN extends the scope: SPIN 1 NCPS + TIC; SPIN 2 D/A Endpoint; SPIN 3 + Cloud; SPIN 4 + Data Center; SPIN 5 + Mobile.)
Architectural Layers and Capabilities

Layers: Groupings of Capabilities at logical and/or physical locations in the Architecture that generally represent boundaries between segments of the Architecture.

Capabilities: Architecture capabilities have one or more features that are described in a generic nature (i.e., not a specific product, but generally included in products in that category) and in sufficient detail to allow scoring for P/D/R (Protect/Detect/Respond) against threat actions.
Data Flows: Data Center example

(Diagram of the Architectural Layers for a data center, with the data flows drawn between them.)

Flows represent avenues of approach or attack paths for the adversary.
Cyber Threat Framework

(Slide shows the Threat Framework v2.0 matrix: one column per objective, with the threat actions belonging to that objective listed beneath it. The column layout does not survive in text; the structure and definitions given on the slide are reproduced below.)

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Stages: The progression of cyber threats over time to achieve objectives.
Objectives: The purpose of conducting an action or series of actions.
Actions: Actions and associated resources used by a threat actor to satisfy an objective; the set of threat actions requiring counteraction by Protect / Detect / Respond.

Stages and phases:
• Pre-Event: Phase 0 - Administer; Phase 1 - Prepare
• Get In: Phase 2 - Engage
• Stay In: Phase 3 - Propagate
• Act: Phase 4 - Effect
• Phases 1-4 (objectives that span the stages)

Objectives (matrix columns, left to right): Intent/Resource Development; Reconnaissance/Staging; Weaponization; Delivery; Initial Compromise/Exploitation; Installation; Persistence; Privilege Escalation; Defense Evasion; Credential Access; Host Enumeration/Internal Reconnaissance; Lateral Movement; Execution; Command & Control (C2); Monitor (Observation)/Exfiltration; Alter/Deceive…

Initial Sources: NSA Threat Operations Center's (NTOC) Adversary Lifecycle Analysis (ALA); Lockheed Martin's Cyber Kill Chain; and MITRE's Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK).

.govCAR 2.0 based on NSA 2.0
.govCAR Scoring Sheet

(Slide shows the govCAR Mitigation Draft Scoring Sheet with annotations. Its layout, reconstructed:)

| Layer | Capability | Detailed Capability Description | Threat Action Y: Protect | Detect | Respond | Threat Action Z: Protect | Detect | Respond | Is Enhancement | % Scoring Complete |
|---|---|---|---|---|---|---|---|---|---|---|
| Layer1 | A | Description | M | M | S | None | None | L | | |
| | Rationale | | | | | | | | | |
| Layer2 | B | Description | N/A | N/A | N/A | L | L | L | | 0% |
| | Rationale | | | | | | | | | |
| | B (Enhancement) | Description | N/A | N/A | N/A | M | M | M | | 0% |
| | Rationale | | | | | | | | | |

Each threat-action column group is headed by its Stage, Objective, Threat Action name and Threat Action Description. The sheet's own instruction is cut off on the slide: "To create new Capabilities, select the entire row of an"

Example rationale text shown on the sheet:
• only covers one possible vector
• coverage include additional but not all vectors
• P/D has some allowed paths. All actions are logged
• Threat action is permitted but logged. Logs only persist 1 week

Annotations on the slide:
• Threat 'Actions' from the Framework
• Security Capabilities for as-implemented, as-funded, and as-recommended architecture configurations
• Logical Groupings of Capabilities by Tier
• SME Scoring: Significant / Moderate / Limited
• NIST Cybersecurity Framework Mitigation Functions (Protect, Detect, Respond)
Analysis: Understand the threat -- Make informed risk decisions

• Security Capability Coverage (Protect, Detect, Respond)
• Threat Action Heat Map (Observed Adversary Actions)
• Observed Actions + Lack of Coverage = Gaps to be Addressed

(Slide shows two copies of the Threat Framework v2.0 matrix, Phase 0 - Administer through Phase 4 - Effect, each with a legend. The first is the Threat Action Heat Map; legend: High priority, Mid Priority, Low Priority. The second is the Security Capability Coverage map; legend: Full Coverage, Partial Coverage, No Coverage. Initial Sources: NSA Threat Operations Center's (NTOC) Adversary Lifecycle Analysis (ALA); Lockheed Martin's Cyber Kill Chain and MITRE's Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK).)
.govCAR Provides Ability to:

• Assess current cyber security capabilities for effectiveness against threats and gaps, and the efficacy of the current investment strategy
• Evaluate multi-layer complex security architectures:
  - architecture based on vendor neutral capabilities
  - security stack (defense in depth) architectures
  - people, policy and process non-materiel capabilities
• Support investment direction and decisions, especially at the portfolio level

.govCAR does not:
• Evaluate vendor specific implementations of a capability
• Provide mission-based/cyber key terrain-based analysis (no impact analysis)
• Delineate detailed implementation tradeoffs
Threat Coverage, Prioritization, & Gap ID

PDR: Protect, Detect, Respond. SME: Subject Matter Expert.

Capability Mitigation Scoring, based on SME assessment. The slide's scoring matrix covers the Enterprise Perimeter (IAP) layer against the Delivery objective of the Get In stage (Engage; Access), as implemented. Scores: S = Significant, M = Moderate, L = Limited, N/A = not applicable; P/D/R = Protect/Detect/Respond.

| Capability | Spear-phishing Emails w/ attachments: P | D | R | Websites: P | D | R | Removable Media (i.e. USB): P | D | R |
|---|---|---|---|---|---|---|---|---|---|
| Strategic Sensor | N/A | S | N/A | N/A | M | N/A | N/A | N/A | N/A |
| ECOS (Trickler) | L | N/A | M | N/A | L | N/A | M | L | N/A |
| Web Content Filter | L | N/A | N/A | N/A | M | N/A | M | S | N/A |
| NGFW (url reputation) | L | N/A | N/A | N/A | L | N/A | N/A | N/A | N/A |
| IPS | N/A | N/A | M | N/A | N/A | N/A | N/A | S | N/A |
| ZND Web | N/A | N/A | N/A | L | S | N/A | N/A | L | N/A |
| ZND Mail | S | N/A | L | S | N/A | N/A | M | L | N/A |
| EEMSG | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | M |
| ECOS (NETFLOW) | N/A | N/A | N/A | S | N/A | N/A | N/A | N/A | N/A |
| ECOS (Packet Capture) | N/A | N/A | L | L | S | N/A | M | L | S |
| SSL Proxy/Inspection | N/A | N/A | M | N/A | N/A | N/A | N/A | S | N/A |
| ECOS (IDS) | N/A | N/A | N/A | N/A | N/A | S | L | M | N/A |
| DDoS Detection/Mitigation internal | S | N/A | N/A | N/A | L | N/A | N/A | N/A | N/A |
| DDoS Detection/Mitigation external | M | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| ACLs and Whitelist | N/A | M | N/A | N/A | L | N/A | N/A | M | N/A |
| SDN | N/A | N/A | M | N/A | N/A | N/A | N/A | S | N/A |
| DNS Proxy and Recursive Services | N/A | M | N/A | L | L | M | N/A | N/A | M |
| Enterprise Remote Access | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Cloud: IPS | N/A | L | N/A | N/A | S | N/A | L | N/A | N/A |
| Cloud: NGFW | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Cloud: PCAP | N/A | S | M | N/A | N/A | N/A | N/A | N/A | N/A |
| Cloud: FWD Proxy | N/A | S | L | L | N/A | N/A | N/A | N/A | N/A |
| Cloud: Premise Router/ MeetMe | M | L | N/A | N/A | N/A | L | N/A | L | M |
| Cyber SA: Security Event Management (as is) | N/A | N/A | N/A | L | L | N/A | N/A | N/A | L |
| Cyber SA: Security Event Management (as planned) | N/A | N/A | L | S | N/A | N/A | S | N/A | N/A |
| Cyber SA: Big Data Fusion Analytics (as is) | N/A | L | N/A | M | N/A | N/A | N/A | M | N/A |
| Cyber SA: Big Data Fusion Analytics (as planned) | N/A | N/A | L | N/A | N/A | N/A | N/A | N/A | N/A |
| Cyber SA: Continuous Security Monitoring | N/A | N/A | M | N/A | M | S | L | N/A | N/A |
| Cyber SA: DCO/Analyst Collaboration (as is) | S | N/A | N/A | N/A | N/A | N/A | N/A | M | M |
| Cyber SA: DCO/Analyst Collaboration (as planned) | N/A | N/A | L | N/A | N/A | M | M | N/A | N/A |

Threat Action Heat Map – Structures Prioritization: the Heat Map is based on actual intel threat data. (Slide shows the U//FOUO Threat Framework V1.1 matrix, Administer and Stage 1 - Prepare through Stage 4 - Effect, used as the heat map. Initial Sources: NSA Threat Operations Center's (NTOC) Adversary Lifecycle Analysis (ALA); Lockheed Martin's Cyber Kill Chain and MITRE's Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK).)

Security Capability Coverage – effectiveness for PDR, shown on the Threat Framework.

Priority Gap in PDR, shown on the Threat Framework.
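The coverage-and-gap step that the Analysis slide describes and this slide scores, worked as an added Python example (not .govCAR's own tooling): it takes a subset of the Enterprise Perimeter rows from the scoring matrix above, computes the best Protect/Detect/Respond score each Delivery threat action receives from any capability, and ranks the weakly covered cells by heat-map priority. The heat-map priorities are constructed, the treatment of "(as planned)" rows as the as-funded configuration is an assumption, and so is the rule that a best score below Moderate counts as a gap.

```python
"""Coverage-and-gap analysis in the style of the .govCAR scoring sheet.

Added example, not .govCAR tooling. Rows are a subset of the slide's Enterprise
Perimeter (IAP) matrix; heat-map priorities and the gap rule are assumptions.
"""
from typing import Dict, List, Tuple

FUNCTIONS = ("Protect", "Detect", "Respond")
# SME score ordering from the slide's legend: Significant > Moderate > Limited > N/A.
RANK = {"N/A": 0, "L": 1, "M": 2, "S": 3}

# Threat actions (matrix columns), in the order the nine scores appear per row.
THREAT_ACTIONS = (
    "Spear-phishing Emails w/ attachments",
    "Websites",
    "Removable Media (i.e. USB)",
)

# Subset of capability rows copied from the slide: nine scores per row,
# Protect/Detect/Respond for each threat action above, in order.
SCORES: Dict[str, str] = {
    "Strategic Sensor": "N/A S N/A N/A M N/A N/A N/A N/A",
    "ECOS (Trickler)": "L N/A M N/A L N/A M L N/A",
    "Web Content Filter": "L N/A N/A N/A M N/A M S N/A",
    "IPS": "N/A N/A M N/A N/A N/A N/A S N/A",
    "ZND Mail": "S N/A L S N/A N/A M L N/A",
    "EEMSG": "N/A N/A N/A N/A N/A N/A N/A N/A M",
    "ECOS (Packet Capture)": "N/A N/A L L S N/A M L S",
    "Cyber SA: Security Event Management (as is)": "N/A N/A N/A L L N/A N/A N/A L",
    "Cyber SA: Security Event Management (as planned)": "N/A N/A L S N/A N/A S N/A N/A",
}

# Constructed heat-map priorities (the slide's heat map comes from intel data
# that is not on the page).
HEAT_MAP = {
    "Spear-phishing Emails w/ attachments": "High",
    "Websites": "High",
    "Removable Media (i.e. USB)": "Low",
}
PRIORITY_RANK = {"High": 0, "Mid": 1, "Low": 2}
Cell = Tuple[str, str]  # (threat action, mitigation function)


def parse_row(row: str) -> Dict[Cell, str]:
    """Split one scoring-sheet row into {(threat action, function): score}."""
    tokens = row.split()
    if len(tokens) != len(THREAT_ACTIONS) * len(FUNCTIONS):
        raise ValueError(f"expected {len(THREAT_ACTIONS) * len(FUNCTIONS)} scores: {row!r}")
    unknown = [t for t in tokens if t not in RANK]
    if unknown:
        raise ValueError(f"unknown SME score(s) {unknown}")
    cells = [(a, f) for a in THREAT_ACTIONS for f in FUNCTIONS]
    return dict(zip(cells, tokens))


def best_coverage(scores: Dict[str, str], include_planned: bool = False) -> Dict[Cell, str]:
    """Best score any capability gives each (threat action, function) cell.

    The slide scores the as-implemented configuration; rows tagged
    "(as planned)" count only when include_planned is True (as-funded view).
    """
    best: Dict[Cell, str] = {(a, f): "N/A" for a in THREAT_ACTIONS for f in FUNCTIONS}
    for capability, row in scores.items():
        if "(as planned)" in capability and not include_planned:
            continue
        for cell, score in parse_row(row).items():
            if RANK[score] > RANK[best[cell]]:
                best[cell] = score
    return best


def find_gaps(coverage: Dict[Cell, str], heat_map: Dict[str, str],
              minimum: str = "M") -> List[Tuple[str, str, str, str]]:
    """Cells whose best score is below `minimum` (assumed gap rule), as
    (priority, threat action, function, best score), highest priority and
    weakest coverage first: observed actions + lack of coverage = gaps."""
    gaps = [(heat_map.get(action, "Low"), action, func, score)
            for (action, func), score in coverage.items()
            if RANK[score] < RANK[minimum]]
    gaps.sort(key=lambda g: (PRIORITY_RANK[g[0]], RANK[g[3]], g[1], g[2]))
    return gaps


def main() -> None:
    for label, planned in (("as implemented", False), ("as funded", True)):
        cov = best_coverage(SCORES, include_planned=planned)
        print(f"--- {label} ---")
        for action in THREAT_ACTIONS:
            pdr = " ".join(f"{f[0]}={cov[(action, f)]}" for f in FUNCTIONS)
            print(f"{action:38s} {pdr}")
        for prio, action, func, score in find_gaps(cov, HEAT_MAP):
            print(f"  GAP [{prio}] {action} / {func}: best score {score}")


if __name__ == "__main__":
    main()
```

On this subset the only cell left without coverage in either configuration is Websites / Respond, which is the kind of high-priority gap the analysis step surfaces for investment decisions.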
Top Recommendations from Spins 1-4