-
Title: Cyber Table Top
Date: 8 August 2018
Presenter: Roy Wilson, Professor of Acquisition Cybersecurity,
Defense Acquisition University, Mid-Atlantic Region
Moderator: Jim Davis, Logistics Department Chair, Defense
Acquisition University, Mid-Atlantic Region
-
2
Cyber Table Top
• Cyber Table Top (CTT) Guidebook, 2 July 2018, DASD/DT&E
• CTT Facilitator Training: DASD/DT&E and DAU, on-site, 1 day
-
3
Cyber Table Top
-
4
Cyber Table Top
-
5
Cyber Table Top
-
6
Cyber Table Top
-
7
Cyber Table Top
-
Cyber Table Top (CTT)
• Input to Controls Selection / Risk Assessment / Pre-Test
• User Reps / Focused Mission Areas

CTT process (color code on the slide: Operational (Blue) Team, Adversarial (Red) Team):

Event Preparation (~ weeks)
• Develop Mission Plan
• Analyze Architecture, CONOPS, Intelligence
• Define Mission
• Identify Control, Blue, Red, Analysis and Reporting Teams
• Define Attack Paths & Vulnerabilities

Event Execution (~ 3 days)
• Define Access Paths
• Execute Attacks
• Describe Effects
• Develop Mitigations

Post Mission Analysis (~ weeks)
• Analyze adversary attacks
• Determine Cyber effects: F/P/NMC
• Risk: Likelihood, Consequence

Reporting
• Risk Cube
• Mitigations
• Executive, Detailed & Full Report

* Facilitator Training available via Ms. Standard, Sarah M CIV OSD OUSD ATL (US), [email protected]

Presenter notes: Q: What is the most critical part of a CTT? A: Preparation and user reps. F/P/NMC = Full, Partial, Not Mission Capable. Facilitator Training is available from the National Cyber Range via Ms. Christa Pettie ([email protected]).
-
9
Analysis Spreadsheet: OPFOR Attacks; Effects, Impacts, Likelihood; Recommendations, Mitigations
OPFOR Attacks: Level of Access to Operational Data is Critical

The spreadsheet has one worksheet per OPFOR mission (OPFOR Mission 1 e.g. Degrade, OPFOR Mission 2 e.g. Deny, OPFOR Mission 3 e.g. Exfil) and one row per attack variant. Owners of the column groups, left to right: Analysis Team (ID), OPFOR (goal, attack method, attack description), Control Team / OPFOR (assumptions, timeline, system effects), Operational Team (mission effects), Analysis Team (numerical scoring and risk coordinates), System Test Leads (capabilities, recommendations, questions). Column letters below follow the sheet's own references to columns I, J, K, N and O.

A  ID: mission, attack and variant number, e.g. M2A1V2.
B  Goal: goal of the attack with respect to the mission, e.g. delay the operational mission.
C  Attack Method: broad class of attack the adversary team will employ to execute the mission, e.g. SQL injection or DDoS; there may be multiple attack types capable of executing the mission.
D  Attack Description: specific description of the attack, e.g. delete entries from the customer database. Variants are split into separate rows because they can have very different mission impacts, consequences and costs.
E  Assumptions: assumptions about the attack process and the systems under attack, e.g. the adversary team has previously gained a presence on the network, and why they matter.
F  When in the Mission Timeline: the specific event, circumstances or time in the operational scenario at which the attack is executed, and why that matters.
G  Possible System Effect (If): possible outcomes to the systems under attack, e.g. customer entries are deleted from the database. These need not be broken out into separate rows unless relevant.
H  Attack Result (Then): impact on the system if the outcome occurs, e.g. customer data is unavailable until restored from backup.
I  Mission Effect (If): operational impact to the mission, e.g. operators cannot pull up customer records in support of mission execution and have to bring the system down for 3 hours of unplanned maintenance.
J  Mission Impact (Then): high-level consequence to the overall blue team mission state: Full Mission Capable, Partial Mission Capable or Not Mission Capable (F/P/NMC).
   (On the Mission 2 and Mission 3 tabs columns G to J are headed Possible Outcome, Attack Result, Mission Impact and Mission Consequence.)
K  Numerical Mission Impact and Consequence: using an operational mission rubric, assign a value of 1-5 to the consequence described in columns I and J.
L  Attack Cost / Level of Effort: an estimate of how difficult the attack is to execute, combining technical complexity with the availability of system information (or the system itself) to the adversary before the attack. Anything assumed in column E is excluded; e.g. if network access is assumed, the difficulty of gaining it is not counted here.
M  Attack Success Likelihood: the likelihood that the attack, when executed, succeeds and produces the stated attack result (given technical complexity, etc.). This is NOT an estimate of whether a real-world adversary would choose this attack.
N  Numerical Likelihood: using a likelihood rubric that takes into account level of effort, ease of the attack and likelihood of the attack succeeding, assign a value of 1-5.
O  Analysis of Numerical Likelihood Factoring in Access Methods: if the attack requires some type of access to a specific network, factor the difficulty of gaining that access into the level of effort and likelihood of success. This may raise or lower the value in column N; enter the new (or unchanged) likelihood value here.
P  Final Risk Assessment Coordinates: columns K and O (O being N after any adjustment), written as coordinates, e.g. (3,5).
Q  Capabilities, In Place Today: how specific IA and cyber-security mechanisms the system under analysis has in place today would mitigate the attack.
R  Capabilities, Planned for the Future: how specific IA and cyber-security mechanisms planned for the system under analysis would mitigate the attack.
S  Recommendations: follow-on recommendations the program conducting the CTT should consider for each attack, as a high-level category with amplifying data, e.g. Accept Risk, Conduct Follow-on Analysis, Test.
T  Questions, RFIs, Further Analysis: unanswered questions or requests for information needed to inform the CTT analysis, and questions to be investigated after the CTT is over.

The template tabs are pre-populated with placeholder rows (M1A1V1 to M1A2V3, Attack Type 1 and 2, System / Subsystem 1 to 3) showing each attack variant applied to a pair of subsystems.

Distribution Statement A - approved for public release; distribution is unlimited, as under NAVAIR Public Release Authorization 2015-710
-
10
Analysis Spreadsheet: OPFOR Attacks; Effects, Impacts, Likelihood; Recommendations, Mitigations
Effects, Impacts, Likelihood: User Representation is Critical

Scoring columns (Analysis Team):
• ID: Mission, Attack, Variant number, e.g. M1A1V1
• Numerical Mission Impact and Consequence: assess mission consequence, 1-5
• Attack Cost / Level of Effort: combination of technical complexity and system information availability
• Attack Success Likelihood: likelihood the attack is successful when executed, NOT the likelihood an adversary would use the attack
• Numerical Likelihood: combination of level of effort, ease, and likelihood of the attack succeeding, 1-5
• Analysis of Numerical Likelihood: difficulty or ease of access to the specific network; enter the new (or unchanged) likelihood value from column N
• Final Risk Assessment Coordinates: final value, (impact, likelihood)
-
11
Analysis Spreadsheet: OPFOR Attacks; Effects, Impacts, Likelihood; Recommendations, Mitigations
Recommendations, Mitigations: All Participants are Part of the Solution

• ID (Analysis Team): Mission, Attack, Variant number, e.g. M2A1V2
• Capabilities, In Place Today (System Test Leads): description of how specific cyber-security mechanisms already in place would mitigate the attack
• Capabilities, Planned for the Future (System Test Leads): description of how specific cyber-security mechanisms planned for the system would mitigate the attack
• Recommendations (System Test Leads): e.g. Accept Risk, Conduct Follow-on Analysis, Test, etc.
• Questions, RFIs, Further Analysis (System Test Leads): questions or requests for information
-
12
CTT Risk Cubes: Impact vs Probability
Axes: Impact and Probability (Risk). Each attack variant is plotted by its final risk coordinates and labelled M=Mission, A=Attack, V=Variant (e.g. M1A1V1).

Impact scale (Mission Impact):
1  Fully Mission Capable
2  Partial to Fully Mission Capable
3  Partially Mission Capable
4  Non to Partially Mission Capable
5  Non-Mission Capable
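The scoring columns of the analysis spreadsheet (K numerical impact, N numerical likelihood, O likelihood re-assessed for the access path, P final coordinates) and the risk cube above, modelled in Python as an added example; this is not code from the DAU presentation or the CTT Guidebook. The row data is constructed, and the mapping from the F/P/NMC mission state to acceptable impact values, the field names and the function names are assumptions made for illustration. It also adds a consistency check the slides do not spell out: a row whose operator-assigned mission state (column J) disagrees with the analyst's numeric impact (column K) is flagged for re-check.

```python
"""Model of the CTT analysis-spreadsheet scoring columns and the risk cube.

Added example, not code from the DAU deck or the CTT Guidebook. Column letters
follow the spreadsheet described on the slides: K = numerical mission impact,
N = numerical likelihood, O = likelihood re-assessed for the difficulty of gaining
the assumed network access, P = final risk coordinates (K, O).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Impact scale from the risk cube slide (column K).
IMPACT_RUBRIC = {
    1: "Fully Mission Capable",
    2: "Partial to Fully Mission Capable",
    3: "Partially Mission Capable",
    4: "Non to Partially Mission Capable",
    5: "Non-Mission Capable",
}

# ASSUMPTION: the slides give the 1-5 scale and the F/P/NMC states but not the
# mapping between them; the "Partial to Fully" (2) and "Non to Partially" (4)
# boundary values are accepted for either neighbouring state.
STATE_TO_IMPACT = {"F": {1, 2}, "P": {2, 3, 4}, "NMC": {4, 5}}

ID_RE = re.compile(r"^M(\d+)A(\d+)V(\d+)$")  # M=Mission A=Attack V=Variant


def parse_id(row_id: str) -> Tuple[int, int, int]:
    """Split an ID such as 'M2A1V2' into (mission, attack, variant)."""
    m = ID_RE.match(row_id)
    if m is None:
        raise ValueError(f"malformed CTT row ID: {row_id!r}")
    mission, attack, variant = (int(g) for g in m.groups())
    return (mission, attack, variant)


def check_score(value: int, name: str) -> int:
    """Every numeric column on the sheet is a 1-5 rubric value."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be 1-5, got {value}")
    return value


@dataclass
class AttackRow:
    row_id: str                            # column A
    goal: str                              # column B
    attack_method: str                     # column C, broad class e.g. "SQL injection"
    mission_state: str                     # column J: "F", "P" or "NMC"
    impact: int                            # column K, 1-5
    likelihood: int                        # column N, 1-5: success when executed,
                                           # not whether an adversary would pick it
    access_adjusted: Optional[int] = None  # column O; None = unchanged from N

    def __post_init__(self) -> None:
        parse_id(self.row_id)
        if self.mission_state not in STATE_TO_IMPACT:
            raise ValueError(f"mission_state must be F, P or NMC: {self.mission_state!r}")
        check_score(self.impact, "impact")
        check_score(self.likelihood, "likelihood")
        if self.access_adjusted is not None:
            check_score(self.access_adjusted, "access_adjusted")

    def final_likelihood(self) -> int:
        """Column O: N after factoring in the difficulty of the assumed access path."""
        return self.likelihood if self.access_adjusted is None else self.access_adjusted

    def risk_coordinates(self) -> Tuple[int, int]:
        """Column P: (K, O) as plotted on the risk cube, e.g. (3, 5)."""
        return (self.impact, self.final_likelihood())


def inconsistent_rows(rows: List[AttackRow]) -> List[str]:
    """IDs whose numeric impact (K) contradicts the F/P/NMC state the operators gave in J."""
    return [r.row_id for r in rows if r.impact not in STATE_TO_IMPACT[r.mission_state]]


def cube_cells(rows: List[AttackRow]) -> Dict[Tuple[int, int], List[str]]:
    """Group row IDs by their final (impact, likelihood) cell."""
    cells: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    for r in rows:
        cells[r.risk_coordinates()].append(r.row_id)
    return dict(cells)


def render_cube(rows: List[AttackRow]) -> str:
    """Text risk cube: impact 5 (NMC) on the top row, likelihood 1..5 left to right."""
    cells = cube_cells(rows)
    width = max([len(" ".join(ids)) for ids in cells.values()] + [2])
    lines = []
    for impact in range(5, 0, -1):
        row = [" ".join(cells.get((impact, lk), [])).ljust(width) for lk in range(1, 6)]
        lines.append(f"I{impact} | " + " | ".join(row))
    lines.append("     " + "   ".join(f"L{lk}".ljust(width) for lk in range(1, 6)))
    return "\n".join(lines)


# Constructed rows for illustration, not results from any real CTT.
SAMPLE_ROWS = [
    AttackRow("M1A1V1", "degrade mission", "DDoS", "P", 3, 4),
    # Network access was assumed in column E; re-assessing how hard that access
    # really is (column O) pulls the likelihood down from 4 to 2.
    AttackRow("M1A1V2", "degrade mission", "DDoS", "NMC", 5, 4, access_adjusted=2),
    AttackRow("M2A1V1", "deny: delete customer records", "SQL injection", "NMC", 5, 3, access_adjusted=4),
    AttackRow("M3A1V1", "exfil mission data", "credential theft", "P", 2, 4),
    # Operators said Fully Mission Capable in J but the analyst scored K = 4: re-check.
    AttackRow("M3A1V2", "exfil mission data", "removable media", "F", 4, 2),
]

if __name__ == "__main__":
    print(render_cube(SAMPLE_ROWS))
    print("rows to re-check:", inconsistent_rows(SAMPLE_ROWS))
```

Column O is stored as the re-assessed value rather than a delta because that is how the sheet describes it ("put new (or unchanged) likelihood value from N"); keeping N and O separate preserves the audit trail of why an attack moved on the cube.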
-
13
Cyber Table Top
Questions?
-
14
Resources
• Cyber Tabletop Home Page: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops/SitePages/Home.aspx
• Cyber Table Top Guidebook: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops/Shared%20Documents1/CTT%20Facilitators/Cyber%20Table%20Top%20Handbook.pdf
• Cybersecurity Community of Practice: https://www.dau.mil/cop/cybersecurity/Pages/Default.aspx?utm_source=landl&utm_medium=ctt080818&utm_campaign=prs
• Cybersecurity Tools: https://www.dau.mil/tools?utm_source=landl&utm_medium=ctt080818&utm_campaign=prs (enter "Cybersecurity" into the 'Search Tools' area and click 'Apply Filters')
-
15
Contact Info
DAU Cybersecurity Enterprise Team
• Vinny Lamolinara: [email protected]
• Roy Wilson: [email protected]
DASD/DT&E Contact Info
E-mail: [email protected]
Website: https://www.acq.osd.mil/dte-trmc/