Cyber Table Top

Date: 8 August 2018
Presenter: Roy Wilson, Professor of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region
Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region
Transcript
  • Title: Cyber Table Top

    Date: 8 August 2018

    Presenter: Roy Wilson, Professor of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region

    Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region

  • 2

    Cyber Table Top

    • Cyber Table Top (CTT) Guidebook, 2 July 2018, DASD/DT&E

    • CTT Facilitator Training: DASD/DT&E, DAU; on-site, 1-day

  • 3

    Cyber Table Top

  • 4

    Cyber Table Top

  • 5

    Cyber Table Top

  • 6

    Cyber Table Top

  • 7

    Cyber Table Top

  • 8

    Cyber Table Top (CTT)

    • Input to Controls Selection / Risk Assessment / Pre-Test
    • User Reps / Focused Mission Areas

    *Facilitator Training Available via Ms. Standard, Sarah M CIV OSD OUSD ATL (US), [email protected]

    Event Preparation (~ Weeks): Develop Mission Plan
    • Analyze Architecture, CONOPS, Intelligence
    • Define Mission
    • Identify Control, Blue, Red, Analysis, Reporting Teams

    Event Execution (~ 3 days)
    • Define Access Paths
    • Define Attack Paths & Vulnerabilities
    • Execute Attacks
    • Describe Effects
    • Develop Mitigations

    Post Mission Analysis (~ Weeks)
    • Analyze adversary attacks
    • Determine Cyber effects: F/P/NMC
    • Risk: Likelihood, Consequence

    Reporting
    • Risk Cube
    • Mitigations
    • Executive, Detailed & Full Report

    Color Code: Operational (Blue) Team; Adversarial (Red) Team

    Presenter Notes
    Q: What is the most critical part of a CTT? A: Prep and user reps.
    F/P/NMC = Full, Partial, Not Mission Capable.
    Facilitator Training Available from the National Cyber Range via Ms Christa Pettie ([email protected])

  • 9

    Analysis Spreadsheet: OPFOR Attacks; Effects, Impacts, Likelihood; Recommendations, Mitigations

    Level of Access to Operational Data is Critical

    Row owners, left to right across the sheet: Analysis Team; OPFOR; Control Team / OPFOR; Operational Team; Analysis Team; System Test Leads.

    The sheet holds one block per OPFOR mission (OPFOR Mission 1 e.g. Degrade, OPFOR Mission 2 e.g. Deny, OPFOR Mission 3 e.g. Exfil). Columns, in sheet order (the column letters referenced below, I, J, K, N and O, are the ones the sheet's own notes use):

    • A, ID: Mission number, attack number and variant number, e.g. M2A1V2.
    • B, Goal: Goal of the attack with respect to the mission, e.g. delay the operational mission.
    • C, Attack Method: The broad class of attack (e.g. SQL injection) the adversary team will employ to execute the mission; there may be multiple attack types capable of executing the mission.
    • D, Attack Description: The specific description of the attack, e.g. delete entries from the customer database; split out because variants can have very different mission impacts, consequences, costs, etc.
    • E, Assumptions: Assumptions about the attack process and the systems under attack, e.g. the adversary team has previously gained a presence on the network.
    • F, When in the Mission Timeline: The specific event, circumstances or times in the operational scenario when the attack is executed, and an explanation of why that matters.
    • G, Possible System Effect (If) (also labelled Possible Outcome): Description of possible outcomes to the systems under attack, e.g. customer entries are deleted from the databases. Outcomes need not be broken out into separate rows unless relevant.
    • H, Attack Result (Then): Description of the impact on the system if the outcome occurs, e.g. customer data is unavailable until restored from backup.
    • I, Mission Effect (If) (also labelled Mission Impact): Description of the operational impact to the mission, e.g. operators cannot pull up customer records in support of mission execution and have to bring the system down for 3 hours of unplanned maintenance.
    • J, Mission Impact (Then) (also labelled Mission Consequence): Description of the high-level consequence to the overall blue team mission state: Full Mission Capable, Partial Mission Capable, Not Mission Capable (F/P/NMC).
    • K, Numerical Mission Impact and Consequence: Using an operational mission rubric to assess mission consequence, assign a numerical value (1-5) for columns I and J.
    • L, Attack Cost / Level of Effort: An estimate of how difficult the attack is to execute; a combination of the technical complexity and the availability of system information (or the system itself) to the adversary prior to the attack. Assumptions are excluded from consideration, e.g. if network access is assumed, the difficulty of gaining it is excluded.
    • M, Attack Success Likelihood: The likelihood the attack will be successful when executed and produce the stated attack result (given technical complexity, etc.), NOT an estimate of the likelihood that a real-world adversary would use this attack.
    • N, Numerical Likelihood: Using a likelihood rubric that takes into account the level of effort and the ease of the attack as well as the likelihood of the attack succeeding, assign a numerical value (1-5).
    • O, Analysis of numerical Likelihood factoring in access methods: If the attack requires some type of access to a specific network, this column factors the difficulty of gaining that access into the attack's level of effort and likelihood of success, which may raise or lower the value from column N. Put the new (or unchanged) likelihood value from N here.
    • P, Final Risk Assessment coordinates: Columns K and O (O carries the value adjusted from N), represented as coordinates, e.g. (3,5).
    • Q, Capabilities, In Place Today: Description of how specific IA and cyber-security mechanisms the system under analysis has in place today would mitigate the attack.
    • R, Capabilities, Planned for the Future: Description of how specific IA and cyber-security mechanisms planned for the system under analysis would mitigate the attack.
    • S, Recommendations: Follow-on recommendations the program conducting the CTT should consider for each attack; a high-level categorization with amplifying data, e.g. Accept Risk, Conduct Follow-on Analysis, Test, etc.
    • T, Questions, RFIs, Further Analysis: Any unanswered questions or requests for information needed to inform the CTT analysis; questions to be investigated after the CTT is over.

    Example rows in each mission block (ID, Attack Method, systems under attack):

    M1A1V1  Attack Type 1  System / Subsystem 1; System / Subsystem 2
    M1A1V2                 System / Subsystem 1; System / Subsystem 3
    M1A1V3                 System / Subsystem 2; System / Subsystem 3
    M1A2V1  Attack Type 2  System / Subsystem 1; System / Subsystem 2
    M1A2V2                 System / Subsystem 1; System / Subsystem 3
    M1A2V3                 System / Subsystem 2; System / Subsystem 3

    Distribution Statement A - approved for public release; distribution is unlimited, as under NAVAIR Public Release Authorization 2015-710

  • 10

    Analysis Spreadsheet: OPFOR Attacks; Effects, Impacts, Likelihood; Recommendations, Mitigations

    Effects, Impacts, Likelihood

    User Representation is Critical

    Callouts on the Analysis Team columns for row M1A1V1:

    • ID: Mission, Attack, Variant number
    • Numerical Mission Impact and Consequence: assess mission consequence (1-5)
    • Attack Cost / Level of Effort: combination of technical complexity and system information availability
    • Attack Success Likelihood: likelihood the attack is successful when executed, NOT the likelihood an adversary would use the attack
    • Numerical Likelihood: combination of level of effort, ease, and likelihood of the attack succeeding (1-5)
    • Analysis of numerical Likelihood factoring in access methods: difficulty or ease of access to the specific network; put the new (or unchanged) likelihood value from N here
    • Final Risk Assessment coordinates: final value

    The spreadsheet shown is the same sheet as on slide 9 (OPFOR Mission 1 e.g. Degrade, Mission 2 e.g. Deny, Mission 3 e.g. Exfil; example rows M1A1V1 to M1A2V3).

  • 11

    Analysis Spreadsheet: OPFOR Attacks; Effects, Impacts, Likelihood; Recommendations, Mitigations

    Mission, Attack, Variant number: e.g.M2A1V2

    Description of how specific cyber-security in place ould mitigate

    Description of how specific cyber-security planned would mitigate

    Recommendations, e.g. Accept Risk, Conduct Follow-on Analysis, Test, etc.

    Questions or requests for information

    Analysis Team

    In Place Today Planned for the Future

    M1A1V1

    ID

    System Test LeadsCapabilities

    Recommendations Questions, RFIs, Further Analysis

    Recommendations, Mitigations

    All Participants are Part of the Solution

    OPFOR Mission 1 e.g. Degrade

    Mission number Attack number and variant number: e.g.M2A1V2Goal of the attack with respect to the mission; e.g. delay operational missionThe broad class of attack e.g. SQL injection the adversary team will employ to execute the mission; there may be multiple attack types capable of executing the missionThe specific description for the attack e.g. delete entries for customer database; split out b/c they can have very different mission impacts, consequences, costs etc.Assumptions about the attack process and systems under attack e.g. the adversary team has previously gained a presence on the networkSpecific event, circumstances, or specific times in the operational scenario when the attack is executed; and explanation why that mattersDescription of possible outcomes to the systems under attack e.g. customer entries are deleted from the databases; Don't have to break out into separate rows, unless relevant.Description of the impact on the system if the outcome occurs e.g. customer data is unavailable under restore from backupDescription of the operational impact to the mission e.g. operators can't pull up customer records in support of mission execution and have to bring system down for unplanned maintenance for 3 hoursDescription of the high level consequence to the overall blue team mission state: Full Mission Capable, Partial Mission Capable, Not Mission CapableUsing an operational mission rubric to assess mission consequence, assign a numerical value for columns I and J (1-5)A estimation of how difficult the attack is to execute; this is a combination of the technical complexity, the availability of system information (or the system) to the adversary prior to the attack; Assumption should be excluded from consideration e.g. 
if network access if assumed the difficulty of that should be excludedThe likelihood the attack will be successful when executed and have the stated attack result (due to techinical complexity, etc) and NOT an estimate of the likelihood that an real-world adverary would use this attackUsing a likelihood rubric that takes into account the level of effort and the ease of the atack as well as the likelihood of the attack successeding, a numerical value will be assigned for likelihood. Value is 1-5.If the attack required some type of access to a specific network, this column will factor the difficulty of gaining that access with the attack level of effort and likelihod of success. This may result in the likelihood value in column N increasing or decreasingColumn K and O, (if the value in N was adjusted) represented as coordinates, e.g. (3,5)Description of how specific IA and cyber-security mechanisms the system under analysis has in place today would mitigate the attackDescription of how specific IA and cyber-security mechanisms the system under analysis planned for the future would mitigate the attackFollow-on recommendations the program conducitng the CTT should consider for each attack. Should be some high level categorization with amplifying data e.g. Accept Risk, Conduct Follow-on Analysis, Test, etc.Any unanswered questions or requests for more information that are needed to inform CTT analysis; Questions that need to be investigated after the CTT is over.

    Analysis TeamOPFOR Control Team/ OPFOROperational TeamAnalysis TeamSystem Test Leads

    IDGoalAttack MethodAttack DescriptionAssumptionsWhen in the Mission TimelinePossible OutcomeAttack ResultMission ImpactMission ConsequenceNumerical Mission Impact and Consequence Attack Cost / Level of EffortAttack Success Likelihood Numerical LikelihoodAnalysis of numerical Likelihood factoring in access methods. Put new (or unchanged) likelhood value from N.Final Risk Assessment coordinatesCapabilitiesRecommendationsQuestions, RFIs, Further Analysis

    In Place TodayPlanned for the Future

    M1A1V1Attack Type 1System / Subsystem 1

    System / Subsystem 2

    M1A1V2System / Subsystem 1

    System / Subsystem 3

    M1A1V3System / Subsystem 2

    System / Subsystem 3

    M1A2V1Attack Type 2System / Subsystem 1

    System / Subsystem 2

    M1A2V2System / Subsystem 1

    System / Subsystem 3

    M1A2V3System / Subsystem 2

    System / Subsystem 3

    Distribution Statement A - approved for public release; distribution is unlimited, as under NAVAIR Public Release Authorization 2015-710

    OPFOR Mission 2 e.g. Deny

    Analysis spreadsheet: one row per attack variant and affected system. The column letters are the ones the descriptions refer to (A to T):

    A. ID: Mission number, attack number and variant number, e.g. M2A1V2.
    B. Goal: Goal of the attack with respect to the mission, e.g. delay the operational mission.
    C. Attack Method: The broad class of attack (e.g. SQL injection) the adversary team will employ to execute the mission; there may be multiple attack types capable of executing the mission.
    D. Attack Description: The specific description of the attack, e.g. delete entries from the customer database. Variants are split out because they can have very different mission impacts, consequences, costs etc.
    E. Assumptions: Assumptions about the attack process and the systems under attack, e.g. the adversary team has previously gained a presence on the network.
    F. When in the Mission Timeline: The specific event, circumstances or time in the operational scenario when the attack is executed, and an explanation of why that matters.
    G. Possible Outcome: Description of the possible outcomes to the systems under attack, e.g. customer entries are deleted from the databases. These do not have to be broken out into separate rows unless relevant.
    H. Attack Result: Description of the impact on the system if the outcome occurs, e.g. customer data is unavailable until restored from backup.
    I. Mission Impact: Description of the operational impact to the mission, e.g. operators can't pull up customer records in support of mission execution and have to bring the system down for unplanned maintenance for 3 hours.
    J. Mission Consequence: Description of the high-level consequence to the overall blue team mission state: Full Mission Capable, Partial Mission Capable, Not Mission Capable.
    K. Numerical Mission Impact and Consequence: Using an operational mission rubric to assess mission consequence, assign a numerical value (1-5) for columns I and J.
    L. Attack Cost / Level of Effort: An estimate of how difficult the attack is to execute; a combination of the technical complexity and the availability of system information (or of the system itself) to the adversary prior to the attack. Assumptions are excluded from consideration: if network access is assumed, the difficulty of gaining that access is not counted here.
    M. Attack Success Likelihood: The likelihood that the attack will be successful when executed and have the stated attack result (given its technical complexity, etc.), NOT an estimate of the likelihood that a real-world adversary would use this attack.
    N. Numerical Likelihood: Using a likelihood rubric that takes into account the level of effort and the ease of the attack as well as the likelihood of the attack succeeding, assign a numerical value (1-5) for likelihood.
    O. Analysis of Numerical Likelihood Factoring in Access Methods: If the attack requires some type of access to a specific network, this column factors the difficulty of gaining that access into the attack level of effort and likelihood of success. This may increase or decrease the likelihood value from column N; put the new (or unchanged) likelihood value here.
    P. Final Risk Assessment Coordinates: Columns K and O (O carries the value from N, adjusted or not) represented as coordinates, e.g. (3,5).
    Q. Capabilities, In Place Today: Description of how specific IA and cyber-security mechanisms the system under analysis has in place today would mitigate the attack.
    R. Capabilities, Planned for the Future: Description of how specific IA and cyber-security mechanisms planned for the system under analysis would mitigate the attack.
    S. Recommendations: Follow-on recommendations the program conducting the CTT should consider for each attack. Use a high-level categorization with amplifying data, e.g. Accept Risk, Conduct Follow-on Analysis, Test, etc.
    T. Questions, RFIs, Further Analysis: Any unanswered questions or requests for information needed to inform the CTT analysis; questions that need to be investigated after the CTT is over.

    Responsible teams, in the order the column groups appear across the sheet: Analysis Team; OPFOR Control Team / OPFOR; Operational Team; Analysis Team; System Test Leads.

    Template rows (ID, attack type, system or subsystem); each variant is listed once per system or subsystem it affects:

    M1A1V1  Attack Type 1  System / Subsystem 1
    M1A1V1  Attack Type 1  System / Subsystem 2
    M1A1V2  Attack Type 1  System / Subsystem 1
    M1A1V2  Attack Type 1  System / Subsystem 3
    M1A1V3  Attack Type 1  System / Subsystem 2
    M1A1V3  Attack Type 1  System / Subsystem 3
    M1A2V1  Attack Type 2  System / Subsystem 1
    M1A2V1  Attack Type 2  System / Subsystem 2
    M1A2V2  Attack Type 2  System / Subsystem 1
    M1A2V2  Attack Type 2  System / Subsystem 3
    M1A2V3  Attack Type 2  System / Subsystem 2
    M1A2V3  Attack Type 2  System / Subsystem 3

    OPFOR Mission 3 e.g. Exfil

    Recommendations and mitigations sheet, keyed by the same IDs as the analysis spreadsheet:

    ID: Mission, attack and variant number, e.g. M2A1V2.
    Capabilities, In Place Today: Description of how the specific cyber-security in place today would mitigate the attack.
    Capabilities, Planned for the Future: Description of how the specific cyber-security planned for the future would mitigate the attack.
    Recommendations: e.g. Accept Risk, Conduct Follow-on Analysis, Test, etc.
    Questions, RFIs, Further Analysis: Questions or requests for information.

    Responsible teams, in the order the column groups appear: Analysis Team; System Test Leads.

    Example row: M1A1V1

  • CTT Risk Cubes: Impact vs Probability

    Each attack variant is plotted on the risk cube at its final coordinates from column P: Impact on one axis, Probability (the likelihood value) on the other. Impact is scored with the mission impact rubric:

    Impact  Mission Impact
    1       Fully Mission Capable
    2       Partial to Fully Mission Capable
    3       Partially Mission Capable
    4       Non to Partially Mission Capable
    5       Non-Mission Capable

    M=Mission A=Attack V=Variant
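    The scoring chain described in the spreadsheet columns (J to K, N to O, then the (Impact, Likelihood) coordinates in P) and the risk cube above, carried through as an added worked example. This is not code from the CTT Guidebook or from the DAU slides. It uses the page's own impact rubric and ID format; the likelihood rubric is not given on the page, so the 1-5 likelihood is entered directly and the access-method adjustment of column O is modelled as a signed delta clamped to 1-5, both labelled as assumptions. The sample rows are constructed, with M1A1V1 following the page's SQL injection illustration.

```python
"""Worked example: from CTT analysis-spreadsheet rows to risk-cube coordinates.

Added example for this page, not code from the CTT Guidebook or the DAU slides.
It models: Mission Consequence state (column J) -> 1-5 score (column K, rubric
from the risk-cube slide); likelihood 1-5 (column N) -> access-adjusted value
(column O); final (Impact, Likelihood) coordinates (column P), e.g. (3,5).

Assumptions (not on the page): the likelihood rubric is reduced to a 1-5 value
entered directly in column N; the access adjustment is a signed delta applied to
column N and clamped to 1-5; the sample rows at the bottom are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Impact rubric from the "CTT Risk Cubes: Impact vs Probability" slide.
MISSION_CONSEQUENCE_SCORE = {
    "FMC": 1,       # Fully Mission Capable
    "PMC-FMC": 2,   # Partial to Fully Mission Capable
    "PMC": 3,       # Partially Mission Capable
    "NMC-PMC": 4,   # Non to Partially Mission Capable
    "NMC": 5,       # Non-Mission Capable
}

ROW_ID = re.compile(r"^M(\d+)A(\d+)V(\d+)$")  # M=Mission A=Attack V=Variant


def parse_row_id(row_id: str) -> Tuple[int, int, int]:
    """Split an ID such as 'M2A1V2' into (mission, attack, variant)."""
    m = ROW_ID.match(row_id)
    if not m:
        raise ValueError(f"bad CTT row id: {row_id!r}")
    return tuple(int(g) for g in m.groups())


@dataclass(frozen=True)
class AttackRow:
    row_id: str                  # column A
    goal: str                    # column B
    consequence: str             # column J, a key of MISSION_CONSEQUENCE_SCORE
    likelihood: int              # column N, 1-5, before access is factored in
    access_adjustment: int = 0   # column O delta (assumption); 0 = unchanged

    def __post_init__(self):
        parse_row_id(self.row_id)  # reject malformed IDs early
        if self.consequence not in MISSION_CONSEQUENCE_SCORE:
            raise ValueError(f"{self.row_id}: unknown consequence {self.consequence!r}")
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.row_id}: likelihood must be 1-5")


def impact_score(row: AttackRow) -> int:
    """Column K: numerical mission impact and consequence (1-5)."""
    return MISSION_CONSEQUENCE_SCORE[row.consequence]


def adjusted_likelihood(row: AttackRow) -> int:
    """Column O: column N after factoring in the access method, clamped to 1-5."""
    return max(1, min(5, row.likelihood + row.access_adjustment))


def risk_coordinates(row: AttackRow) -> Tuple[int, int]:
    """Column P: (K, O) written as (Impact, Likelihood), e.g. (3, 5)."""
    return impact_score(row), adjusted_likelihood(row)


def risk_cube(rows: List[AttackRow]) -> List[List[List[str]]]:
    """5x5 grid; cube[impact-1][likelihood-1] holds the IDs plotted in that cell."""
    cube = [[[] for _ in range(5)] for _ in range(5)]
    for row in rows:
        impact, likelihood = risk_coordinates(row)
        cube[impact - 1][likelihood - 1].append(row.row_id)
    return cube


def rank_by_risk(rows: List[AttackRow]) -> List[str]:
    """Row IDs ordered highest impact first, then highest likelihood."""
    return [r.row_id for r in sorted(rows, key=risk_coordinates, reverse=True)]


def render_cube(rows: List[AttackRow]) -> str:
    """Plain-text risk cube: Impact down the side (5 at top), Probability across."""
    cube = risk_cube(rows)
    width = 14
    header = "Impact \\ Prob".ljust(width) + "".join(str(p).ljust(width) for p in range(1, 6))
    lines = [header]
    for impact in range(5, 0, -1):
        cells = [", ".join(cube[impact - 1][p - 1]) or "." for p in range(1, 6)]
        lines.append(str(impact).ljust(width) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


# Constructed sample rows (not from the slides). M1A1V1 follows the page's SQL
# injection illustration: customer records deleted, system down for unplanned
# maintenance (NMC). Its assumption of an existing network presence is factored
# in through column O, lowering the likelihood by one (assumed delta).
SAMPLE_ROWS = [
    AttackRow("M1A1V1", "delay operational mission", "NMC", likelihood=4, access_adjustment=-1),
    AttackRow("M1A1V2", "delay operational mission", "PMC", likelihood=3),
    AttackRow("M1A2V1", "deny customer record lookups", "PMC-FMC", likelihood=5, access_adjustment=+2),
    AttackRow("M3A1V1", "exfiltrate customer data", "FMC", likelihood=2),
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row.row_id, risk_coordinates(row))
    print(render_cube(SAMPLE_ROWS))
```

    The clamp in adjusted_likelihood is what keeps a strongly favourable access assumption (M1A2V1 above) from pushing column O outside the 1-5 scale; the validation in AttackRow catches the common spreadsheet defects (a consequence state that is not one of the rubric's entries, a likelihood outside 1-5, an ID that does not follow the M/A/V pattern) before anything is plotted.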

  • Questions?


  • Resources

    • Cyber Tabletop Home Page: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops/SitePages/Home.aspx

    • Cyber Table Top Guidebook: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops/Shared%20Documents1/CTT%20Facilitators/Cyber%20Table%20Top%20Handbook.pdf

    • Cybersecurity Community of Practice: https://www.dau.mil/cop/cybersecurity/Pages/Default.aspx?utm_source=landl&utm_medium=ctt080818&utm_campaign=prs

    • Cybersecurity Tools: https://www.dau.mil/tools?utm_source=landl&utm_medium=ctt080818&utm_campaign=prs (enter “Cybersecurity” into the ‘Search Tools’ area and click ‘Apply Filters’)

  • Contact Info

    DAU Cybersecurity Enterprise Team

    • Vinny Lamolinara, [email protected]

    • Roy Wilson, [email protected]

    DASD/DT&E Contact Info: E-mail: [email protected]; Website: https://www.acq.osd.mil/dte-trmc/
