Threat-based Cybersecurity
DoD Cybersecurity Analysis & Review (DoDCAR)
Office of the National Manager for NSS
Cyber threat increases exponentially as our reliance on
IT and Cyberspace increases to keep pace with global
mission demands
Cyber Threat and Mission Dependency
USG resources, including expertise and expenditures, pale in
comparison to what is required to ensure mission dependency in
the face of a capable adversary.
Cybersecurity Resources
[Chart: Problem Space / Environmental Factors. Axes: Threat and Time. Plotted curves: Mission Dependency and Cybersecurity Resources.]
To support the Defense Department’s missions in
cyberspace, endless guidance is published to bolster
collective cybersecurity practices and protect our
national interests. For example, the DoD cooperates
with USG departments and agencies, the private
sector, and foreign allies to share information, build
alliances, and promote accountability.
Strategic Direction
Are we really giving clear guidance?
Against the adversary, perspective is EVERYTHING.
UNCLASSIFIED
[Figure: five stakeholder perspectives on the threat: Architects & Engineers; System Admins; Incident Responders; Operations; Executives]
Technical Cyber Threat Framework
Public dissemination of the lexicon allows for collaboration with
the whole of the community.
The NSA/CSS Technical Cyber Threat Framework v1 can be used as a
reference for US Government collaboration with partners and
stakeholders in discussing adversary activities through the
adversary lifecycle.
Characterizes adversary activity. Five appendices are included:
1. One-page view of the Threat Framework
2. Stages and Objectives
3. Action Definitions
4. How terms relate to various stages and objectives
5. References and License Information
Stage: Get In (Engage; Access). Threat action: Delivery. Each delivery vector is scored, as implemented, for Protect (P), Detect (D) and Respond (R).

Capability | Spear-phishing Emails w/ attachments (P D R) | Websites (P D R) | Removable Media, i.e. USB (P D R)
Enterprise Perimeter (IAP):
Strategic Sensor | N/A S N/A | N/A M N/A | N/A N/A N/A
ECOS (Trickler) | L N/A M | N/A L N/A | M L N/A
Web Content Filter | L N/A N/A | N/A M N/A | M S N/A
NGFW (url reputation) | L N/A N/A | N/A L N/A | N/A N/A N/A
IPS | N/A N/A M | N/A N/A N/A | N/A S N/A
ZND Web | N/A N/A N/A | L S N/A | N/A L N/A
ZND Mail | S N/A L | S N/A N/A | M L N/A
EEMSG | N/A N/A N/A | N/A N/A N/A | N/A N/A M
ECOS (NETFLOW) | N/A N/A N/A | S N/A N/A | N/A N/A N/A
ECOS (Packet Capture) | N/A N/A L | L S N/A | M L S
SSL Proxy/Inspection | N/A N/A M | N/A N/A N/A | N/A S N/A
ECOS (IDS) | N/A N/A N/A | N/A N/A S | L M N/A
DDoS Detection/Mitigation internal | S N/A N/A | N/A L N/A | N/A N/A N/A
DDoS Detection/Mitigation external | M N/A N/A | N/A N/A N/A | N/A N/A N/A
ACLs and Whitelist | N/A M N/A | N/A L N/A | N/A M N/A
SDN | N/A N/A M | N/A N/A N/A | N/A S N/A
DNS Proxy and Recursive Services | N/A M N/A | L L M | N/A N/A M
Enterprise Remote Access | N/A N/A N/A | N/A N/A N/A | N/A N/A N/A
Cloud: IPS | N/A L N/A | N/A S N/A | L N/A N/A
Cloud: NGFW | N/A N/A N/A | N/A N/A N/A | N/A N/A N/A
Cloud: PCAP | N/A S M | N/A N/A N/A | N/A N/A N/A
Cloud: FWD Proxy | N/A S L | L N/A N/A | N/A N/A N/A
Cloud: Premise Router / MeetMe | M L N/A | N/A N/A L | N/A L M
Cyber SA: Security Event Management (as is) | N/A N/A N/A | L L N/A | N/A N/A L
Cyber SA: Security Event Management (as planned) | N/A N/A L | S N/A N/A | S N/A N/A
Cyber SA: Big Data Fusion Analytics (as is) | N/A L N/A | M N/A N/A | N/A M N/A
Cyber SA: Big Data Fusion Analytics (as planned) | N/A N/A L | N/A N/A N/A | N/A N/A N/A
Cyber SA: Continuous Security Monitoring | N/A N/A M | N/A M S | L N/A N/A
Cyber SA: DCO/Analyst Collaboration (as is) | S N/A N/A | N/A N/A N/A | N/A M M
Cyber SA: DCO/Analyst Collaboration (as planned) | N/A N/A L | N/A N/A M | M N/A N/A

Capability mitigation scoring is based on SME assessment.
PDR: Protect, Detect, Respond. SME: Subject Matter Expert.
Security Capability Coverage – effectiveness for PDR
DoDCAR Threat Coverage, Prioritization & Gap Identification (notional data)
The analysis flows through four steps:
1. Threat Framework
2. Threat Action Heat Map, based on actual intel threat data; the heat map structures prioritization
3. Capability Mitigation Scoring
4. Security Capability Coverage
Output: priority gaps in PDR.
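The coverage and gap-identification steps above, worked on a subset of the page's notional Delivery rows (added example, not DoDCAR's own tooling). The page never defines the S/M/L scale or how per-capability scores combine, so the S < M < L ordering and the "best score wins" aggregation are assumptions of this example.

```python
"""Security-capability coverage and PDR gap identification over the
notional DoDCAR-style matrix on this page (added example, not DoDCAR code).
ASSUMPTIONS (not stated on the page): S < M < L mitigation, N/A = none;
coverage of a cell is the best score any single capability gives it."""
from collections import defaultdict

VECTORS = ("Spear-phishing", "Websites", "Removable Media")
PDR = ("Protect", "Detect", "Respond")
RANK = {"N/A": 0, "S": 1, "M": 2, "L": 3}

# Subset of the page's notional rows: capability -> nine scores, one per
# (vector, PDR) cell in the table's header order.
MATRIX = {
    "Strategic Sensor":      "N/A S N/A N/A M N/A N/A N/A N/A",
    "ECOS (Trickler)":       "L N/A M N/A L N/A M L N/A",
    "Web Content Filter":    "L N/A N/A N/A M N/A M S N/A",
    "ZND Mail":              "S N/A L S N/A N/A M L N/A",
    "EEMSG":                 "N/A N/A N/A N/A N/A N/A N/A N/A M",
    "ECOS (Packet Capture)": "N/A N/A L L S N/A M L S",
}

def parse_row(scores: str) -> dict:
    """Map the nine space-separated scores onto (vector, pdr) keys."""
    cells = scores.split()
    if len(cells) != len(VECTORS) * len(PDR):
        raise ValueError(f"expected 9 scores, got {len(cells)}")
    return {(v, p): cells[i * len(PDR) + j]
            for i, v in enumerate(VECTORS) for j, p in enumerate(PDR)}

def coverage(matrix: dict) -> dict:
    """Best mitigation any capability provides for each (vector, pdr) cell."""
    best = defaultdict(lambda: "N/A")
    for scores in matrix.values():
        for key, score in parse_row(scores).items():
            if RANK[score] > RANK[best[key]]:
                best[key] = score
    return dict(best)

def priority_gaps(matrix: dict, floor: str = "M") -> list:
    """Cells whose best coverage is below `floor`, weakest first."""
    cov = coverage(matrix)
    gaps = [(v, p, cov.get((v, p), "N/A")) for v in VECTORS for p in PDR
            if RANK[cov.get((v, p), "N/A")] < RANK[floor]]
    return sorted(gaps, key=lambda g: RANK[g[2]])
```

On this subset the weakest cells are Websites/Respond (no capability scores it) and Spear-phishing/Detect (only a small score), which is the kind of PDR gap the heat map would then rank by threat frequency.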
[Diagram: DoDCAR feedback loop, shown for Commodity Threat, Nation-State Threat and APT. The loop links Acquisition Architecture / Engineering, Operations & Maintenance, Cyber Hygiene, SOC event analysis and Incident Response.]
DoDCAR User Toolsets
- Dagger (Mission)
- MITYCAR (SA)
- Unfetter (Operators / Analyst)
- BluGen (SSE)
- NextGen (PM)
DoDCAR Influence on DoD Cybersecurity Portfolio
- Security Posture: provides a rationale for DoD acquisition processes by highlighting improvements to enterprise security.
- Costs vs. Coverage: supports portfolio managers in balancing capability costs and capability coverage of the threat landscape.
- Threat Actions & Heat Maps: the DoDCAR Threat Framework is incorporated across the DoD, the Intelligence Community, and DHS (GOVCAR).
- Cyber Competency Scoring: scoring and analysis results feed the DoD Cybersecurity Portfolio Manager's Cyber Competency Scoring process.
DoDCAR Accomplishments
- Broad Adoption: adoption of the Threat Framework for EO13587 Independent Assessments.
- Military Readiness: Command Cyber Operational Readiness Inspections (CCORI).
- IT Modernization: reduction of cyber vulnerabilities, enhanced security and maximized ROI through end-point and perimeter security modernization.
- Threat Driven Model: provides decision makers across the Federal Government insight and knowledge to make well-informed, prioritized cybersecurity investment decisions.
- NIST Coordination: to establish data-driven, threat-based cybersecurity as an industry best practice.
Evolves the DoD's cybersecurity posture by creating
an implementation roadmap for the DODIN based on
a holistic review of the security architecture.
Creates a solid rationale using the Adversary
Lifecycle as a framework, informed by current
classified and unclassified threat intelligence data.