Subject: OpenC2 & Effects-Based Courses of Action
OpenC2 Community,

OpenC2 is a language used to express a command (an action, the associated target, and optional actuator/options). When we select commands that lead to an action, we need to understand what the desired and expected effect(s) will be on the adversary by taking this action. If we know the intended effect or effects, then we have something to measure. We can look for evidence to see if we achieved the desired effect or effects from taking the action that the command was issued for. I provided an overview of the Effects-based vocabulary from NIST 800-160 vol 2 app I in my Talking Science of Security (SoS) video #3.

Video - https://www.youtube.com/watch?v=qcAgVtr6rbI

These defender’s resiliency effects should be looked at in relationship to the adversary’s cyber attack lifecycle stages, objectives (tactics) during each stage, and actions (techniques) to achieve the objectives. We call this the Cyber Effects Matrix (attached graphic), and it is a modern update to the Lockheed Martin Course of Action matrix from their 2010 Intelligence-Driven Defense white paper that introduced the kill chain. For the last decade, defenders using kill-chain-like approaches have been mapping courses of action manually to understand what effect or effects they can have on the adversary as they move through the cyber attack lifecycle. They think beyond the single effect of ‘detect’ to what other effects courses of action can have to protect, respond, and recover so they build resiliency to the adversary groups and their TTPs.

During a cyber attack, just as we need to understand what effect or effects the adversary’s behavior is having on the defender’s enterprise/business to assess impact and damage, we need to understand what effect or effects the defender’s actions will have on the adversary’s behavior as the adversary moves through the cyber attack lifecycle. I believe that mapping OpenC2 commands to a standardized set of effects, like those in NIST 800-160 vol 2 app I, is key to understanding the effect or effects of the actions taken by the defender using OpenC2.

Best regards,
Shawn

Shawn Riley
Chief Visionary Officer & Technical Advisor to the CEO
DarkLight, Inc.
Mobile: (314) 695-2602
Email: shawn@darklight.ai

This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system without copying it and notify the sender by reply e-mail so our records can be corrected.
Attachment: CEM_Blank.PNG
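As an added example (not from the post, OpenC2, or DarkLight), the Python below sketches one way the mapping proposed above could be made measurable: an OpenC2 `deny` command is annotated with the effects it is intended to have on the adversary, and flow records gathered after the command was issued are checked for evidence that the effect actually occurred. The action-to-effect table and the effect names are my own assumptions loosely following the NIST SP 800-160 Vol. 2 vocabulary, not a standardized mapping, and the flow records are constructed sample data.

```python
import ipaddress
import json
from typing import Dict, List

# Assumed, illustrative mapping (not part of the OpenC2 specification):
# OpenC2 action verb -> effects the defender intends to have on the adversary.
INTENDED_EFFECTS: Dict[str, List[str]] = {
    "deny": ["negate", "contain"],       # stop the adversary's traffic
    "redirect": ["divert", "deceive"],   # steer it toward a decoy
    "delete": ["expunge"],               # remove the adversary's artefact
    "query": ["scrutinize"],             # gather evidence only
}


def intended_effects(command: dict) -> List[str]:
    """Return the effects a parsed OpenC2 command is meant to produce."""
    try:
        return INTENDED_EFFECTS[command["action"]]
    except KeyError as exc:
        raise ValueError(f"no effect mapping for command {command!r}") from exc


def assess_deny(command: dict, flows: List[dict], issued_at: float) -> dict:
    """Measure whether a 'deny ipv4_net' command achieved its intended effect.

    flows are records {"ts": epoch seconds, "src": ip, "allowed": bool}.
    Only traffic from the denied range seen after the command counts as
    evidence; with no such traffic the result is inconclusive, not a success.
    """
    net = ipaddress.ip_network(command["target"]["ipv4_net"])
    after = [f for f in flows
             if f["ts"] > issued_at and ipaddress.ip_address(f["src"]) in net]
    leaked = [f for f in after if f["allowed"]]
    if not after:
        verdict = "inconclusive"
    else:
        verdict = "not_achieved" if leaked else "achieved"
    return {"intended": intended_effects(command), "observed_after": len(after),
            "blocked": len(after) - len(leaked), "verdict": verdict}


# OpenC2 command in its JSON wire form, and constructed flow records.
DENY_CMD = json.loads('{"action": "deny", "target": {"ipv4_net": "203.0.113.0/24"}}')
SAMPLE_FLOWS = [
    {"ts": 90.0, "src": "203.0.113.7", "allowed": True},    # before the command
    {"ts": 110.0, "src": "203.0.113.7", "allowed": False},  # blocked afterwards
    {"ts": 120.0, "src": "198.51.100.2", "allowed": True},  # unrelated source
]

if __name__ == "__main__":
    print(assess_deny(DENY_CMD, SAMPLE_FLOWS, issued_at=100.0))
```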