openc2 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: OpenC2 & Effects-Based Courses of Action


OpenC2 Community,

 

OpenC2 is a language used to express a command (an action, the associated target and optional actuator/options).  When we select commands that lead to an action, we need to understand what the desired and expected effect(s) will be on the adversary by taking this action. If we know the intended effect or effects then we have something to measure. We can look for evidence to see if we achieved the desired effect or effects from taking the action that the command was issued for.

 

I provided an overview of the effects-based vocabulary from NIST 800-160 vol 2 app I in my Talking Science of Security (SoS) video #3.

Video - https://www.youtube.com/watch?v=qcAgVtr6rbI

Slides - https://www.slideshare.net/shawnriley2/talking-sos-with-shawn-riley-cyber-resiliency-effects-on-adversary-activities

 

These defender’s resiliency effects should be looked at in relationship to the adversary’s cyber attack lifecycle stages, objectives (tactics) during each stage, and actions (techniques) to achieve the objectives. We call this the Cyber Effects Matrix (attached graphic) and it is a modern update to the Lockheed Martin Course of Action matrix from their 2010 Intelligence-Driven Defense white paper that introduced the kill chain. For the last decade defenders using kill chain-like approaches have been mapping courses of action manually to understand what effect or effects they can have on the adversary as they move through the cyber attack lifecycle. They think beyond the single effect of ‘detect’ to what other effects courses of action can have to protect, respond, and recover so they build resiliency to the adversary groups and their TTPs.

 

During a cyber attack, just as we need to understand what effect or effects the adversary’s behavior is having on the defender’s enterprise/business to assess impact and damage, we need to understand what effect or effects the defender’s actions will have on the adversary’s behavior as the adversary moves through the cyber attack lifecycle. I believe that mapping OpenC2 commands to a standardized set of effects, like those in NIST 800-160 vol 2 app I, is key to understanding the effect or effects of the actions taken by the defender using OpenC2.

 

Best regards,

Shawn

 

 

Shawn Riley

Chief Visionary Officer &

Technical Advisor to the CEO

DarkLight, Inc.

Mobile: (314) 695-2602

Email:  shawn@darklight.ai

www.darklight.ai


This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system without copying it and notify sender by reply e-mail so our records can be corrected.


Attachment: CEM_Blank.PNG
Description: CEM_Blank.PNG
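The message proposes that every OpenC2 command be mapped to a standardized set of effects on the adversary so that the defender has something to measure. The following Python is an added example written for this archive page; it is not code from the OpenC2 project or from the message author. It encodes an OpenC2 command as the language spec does (an `action` plus a single-key `target` map), looks up the effects a defender expects from it, and then checks constructed firewall telemetry for evidence that the effect was achieved. The effect names and classes are the editor's recollection of the NIST SP 800-160 Vol. 2 App. I vocabulary and should be verified against the publication; the command-to-effect table, the telemetry and the evidence rule for `deny ipv4_net` are illustrative assumptions, not a standard.

```python
import ipaddress
import json

# Effect vocabulary (assumption: the editor's recollection of NIST SP 800-160
# Vol. 2 App. I; verify the names against the publication before relying on them).
EFFECT_CLASSES = {
    "Redirect": {"deceive", "divert", "deter"},
    "Preclude": {"expunge", "preempt", "negate"},
    "Impede":   {"contain", "degrade", "delay", "exert"},
    "Limit":    {"shorten", "reduce"},
    "Expose":   {"detect", "scrutinize", "reveal"},
}
ALL_EFFECTS = set().union(*EFFECT_CLASSES.values())

# Constructed mapping from (OpenC2 action, target type) to the effects a defender
# expects the command to have on the adversary. Illustrative choices only.
COMMAND_EFFECTS = {
    ("deny", "ipv4_net"):   {"negate"},
    ("contain", "device"):  {"contain", "delay"},
    ("delete", "file"):     {"expunge"},
    ("query", "features"):  set(),  # informational command, no effect on the adversary
}


def effect_class(effect: str) -> str:
    """Return the effect class (Redirect, Preclude, ...) an effect belongs to."""
    for cls, members in EFFECT_CLASSES.items():
        if effect in members:
            return cls
    raise ValueError(f"unknown effect: {effect}")


def expected_effects(command: dict) -> set:
    """Look up the expected effects of an OpenC2 command.

    OpenC2 commands carry an 'action' and a single-key 'target' map, so the
    mapping is keyed on the action together with that target type.
    """
    (target_type,) = command["target"].keys()
    key = (command["action"], target_type)
    if key not in COMMAND_EFFECTS:
        raise KeyError(f"no effect mapping for {key[0]}/{key[1]}")
    effects = set(COMMAND_EFFECTS[key])
    unknown = effects - ALL_EFFECTS
    if unknown:
        raise ValueError(f"effects outside the vocabulary: {sorted(unknown)}")
    return effects


def assess_deny_ipv4_net(command: dict, telemetry: list, applied_at: int) -> dict:
    """Measure whether a 'deny ipv4_net' command achieved its expected effect.

    Evidence model (constructed): firewall events at or after applied_at whose
    source address lies inside the denied network. 'negate' counts as achieved
    when such traffic was observed and none of it was allowed through; with no
    in-scope traffic at all the effect is reported as unmeasured, not achieved.
    """
    net = ipaddress.ip_network(command["target"]["ipv4_net"])
    after = [e for e in telemetry
             if e["ts"] >= applied_at and ipaddress.ip_address(e["src"]) in net]
    allowed = [e for e in after if e["action"] == "allowed"]
    # Verdict per effect this checker can judge: True, False, or None (no evidence).
    observed = {"negate": None if not after else not allowed}

    report = {"expected": [], "achieved": [], "not_achieved": [], "unmeasured": [],
              "events_in_scope": len(after)}
    for eff in sorted(expected_effects(command)):
        report["expected"].append((eff, effect_class(eff)))
        verdict = observed.get(eff)
        if verdict is True:
            report["achieved"].append(eff)
        elif verdict is False:
            report["not_achieved"].append(eff)
        else:
            report["unmeasured"].append(eff)
    return report


# Constructed OpenC2 commands, encoded as JSON the way the language spec does.
DENY_C2 = json.loads('{"action": "deny", "target": {"ipv4_net": "203.0.113.0/24"}}')
DENY_OTHER = json.loads('{"action": "deny", "target": {"ipv4_net": "198.51.100.0/24"}}')

# Constructed firewall telemetry; the deny rules are applied at ts=1700000040.
TELEMETRY = [
    {"ts": 1700000010, "src": "203.0.113.7",  "action": "allowed"},  # before the rule
    {"ts": 1700000050, "src": "203.0.113.7",  "action": "blocked"},
    {"ts": 1700000060, "src": "203.0.113.9",  "action": "blocked"},
    {"ts": 1700000070, "src": "198.51.100.4", "action": "allowed"},  # second net still gets through
]

if __name__ == "__main__":
    print(json.dumps(assess_deny_ipv4_net(DENY_C2, TELEMETRY, 1700000040), indent=2))
    print(json.dumps(assess_deny_ipv4_net(DENY_OTHER, TELEMETRY, 1700000040), indent=2))
```

The first command is judged to have achieved `negate` (two in-scope events, all blocked); the second is reported as `not_achieved` because traffic from the denied network was still allowed after the rule, which is exactly the case where the defender's expected effect and the measured evidence disagree and the course of action needs revisiting.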


