Greater precision and understanding of cyber-attacks, attackers and defenders can be achieved by using an agreed set of terms to enable more meaningful discussions about security, which in turn will allow us to more closely match our defensive efforts to expected threat levels.
That’s the premise of a blog put out today by the NCSC in the name of Mat P, CTO for Private Sector Critical National Infrastructure, calling for a common vocabulary to distinguish between levels of cyber-attack and attacker - from script kiddies to APTs (though these are not the terms he uses).
Mat P draws particular attention to the machine-readable threat sharing language STIX (Structured Threat Information eXpression) postulated as an emerging de-facto standard. The blog explains how the system defines Threat Actor Sophistication in seven levels. These range, "... from None ('Can carry out random acts of disruption or destruction by running tools they do not understand'), all the way through Minimal, Intermediate, Advanced, Expert, and Innovator, to Strategic ('State actors who create vulnerabilities through an active programme to influence commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest')."
Examples are given of situations that would benefit from a common vocabulary, including defining risk appetite: for instance, being secure against an Advanced level attack, or defending operational systems against Intermediate level attacks while detecting Advanced and recovering from Expert level attacks.
It can also help the board, who currently ask 'Is it secure?', to move to something less vague, such as: 'Is it secure against attacks requiring an Intermediate level of capability?'
Similarly, it will aid dialogue with senior stakeholders about priorities such as the allocation of resources: e.g. should government ensure that all government departments cannot be compromised by mere Intermediate level attacks, or that a smaller number of government systems can defend against Expert level attacks?
These definitions also allow statistics to be used when, for example, defining the threat faced, such as the number of potential attackers able to overcome existing defences.
Comparisons can then be made between systems, organisations and facilities, and national strategies can state the levels of attack that specific types of organisation should be able to defend against.
Such vocabulary also enables articulation of how threats change over time, with the example given being: Stuxnet at discovery = Innovator. Stuxnet today = Advanced. Stuxnet next year = Intermediate?
In addition, it allows exercise scenarios to replicate attacks of a specific capability level.
Finally, the author says that such definitions will facilitate generation of statistics to enable data-driven decisions, such as what defence level should be used against what attack level.
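As an added illustration (not code from the NCSC blog or from the STIX project), the following Python maps the seven STIX 2.1 sophistication values onto a risk appetite of the kind described above and produces the sort of statistics the author has in mind: what the stated appetite promises against each assessed actor, and how many actors exceed the level actually defended against. The level names are the STIX 2.1 `threat-actor-sophistication-ov` vocabulary; the `RiskAppetite` policy, the `classify_actor` and `actors_beyond_defence` functions and the threat-actor records (including their identifiers) are constructed for this example.

```python
"""Map STIX 2.1 threat-actor sophistication values onto a stated risk appetite.

The level names are the STIX 2.1 threat-actor-sophistication-ov open
vocabulary; the policy class, outcome labels and sample actor records are
constructed for this example and are not part of the NCSC blog or STIX.
"""
from collections import Counter
from dataclasses import dataclass

# STIX 2.1 threat-actor-sophistication-ov, ordered least to most capable.
SOPHISTICATION_LEVELS = [
    "none", "minimal", "intermediate", "advanced",
    "expert", "innovator", "strategic",
]
_RANK = {level: i for i, level in enumerate(SOPHISTICATION_LEVELS)}


def sophistication_rank(level: str) -> int:
    """Return the ordinal position of a sophistication value (0 = none)."""
    try:
        return _RANK[level.lower()]
    except KeyError:
        raise ValueError(f"not a STIX sophistication value: {level!r}") from None


@dataclass(frozen=True)
class RiskAppetite:
    """Constructed policy: the highest level we defend against, the highest
    we expect to detect, and the highest we expect to recover from.
    Thresholds are inclusive and must not decrease from defend to recover."""
    defend: str
    detect: str
    recover: str

    def __post_init__(self):
        ranks = [sophistication_rank(x) for x in (self.defend, self.detect, self.recover)]
        if ranks != sorted(ranks):
            raise ValueError("detect must be >= defend and recover must be >= detect")


def classify_actor(actor: dict, appetite: RiskAppetite) -> str:
    """State what the appetite promises against one STIX threat-actor object.

    Returns 'defended', 'detected', 'recoverable' or 'uncovered'; an actor
    whose record carries no sophistication value yields 'unknown'.
    """
    if actor.get("type") != "threat-actor":
        raise ValueError("expected a STIX threat-actor object")
    level = actor.get("sophistication")
    if level is None:
        return "unknown"
    rank = sophistication_rank(level)
    if rank <= sophistication_rank(appetite.defend):
        return "defended"
    if rank <= sophistication_rank(appetite.detect):
        return "detected"
    if rank <= sophistication_rank(appetite.recover):
        return "recoverable"
    return "uncovered"


def coverage_summary(actors, appetite: RiskAppetite) -> Counter:
    """Count how many assessed actors fall into each outcome."""
    return Counter(classify_actor(a, appetite) for a in actors)


def actors_beyond_defence(actors, appetite: RiskAppetite) -> int:
    """Number of actors judged more capable than the level we defend against,
    ignoring records with no sophistication value."""
    ceiling = sophistication_rank(appetite.defend)
    return sum(
        1 for a in actors
        if a.get("sophistication") is not None
        and sophistication_rank(a["sophistication"]) > ceiling
    )


# Constructed sample records shaped like STIX 2.1 threat-actor objects
# (identifiers are placeholders, not real STIX IDs).
SAMPLE_ACTORS = [
    {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000001",
     "name": "Opportunist scanner", "sophistication": "none"},
    {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000002",
     "name": "Commodity ransomware crew", "sophistication": "intermediate"},
    {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000003",
     "name": "Targeted intrusion group", "sophistication": "advanced"},
    {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000004",
     "name": "Supply-chain capable state actor", "sophistication": "strategic"},
    {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000005",
     "name": "Unassessed group"},
]

# The operational-systems appetite quoted in the text: defend against
# Intermediate, detect Advanced, recover from Expert.
OPERATIONAL_APPETITE = RiskAppetite(defend="intermediate", detect="advanced", recover="expert")

if __name__ == "__main__":
    for actor in SAMPLE_ACTORS:
        print(f"{actor['name']:35s} {classify_actor(actor, OPERATIONAL_APPETITE)}")
    print(dict(coverage_summary(SAMPLE_ACTORS, OPERATIONAL_APPETITE)))
    print("actors beyond defended level:", actors_beyond_defence(SAMPLE_ACTORS, OPERATIONAL_APPETITE))
```

Because the vocabulary is an ordered scale, the same code answers the board's sharper question ('secure against Intermediate?') and the statistical one ('how many known actors exceed that?'); the `unknown` outcome keeps unassessed actors visible rather than silently counting them as covered, which matters given the author's caveat that assigning levels is hard.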
Mat P acknowledges that assigning levels to specific attackers is difficult, especially for the most capable, since a level represents the maximum capability an actor is currently judged to have, whereas threat actors will often take the easiest route and avoid deploying their most valuable capabilities (e.g. zero days) unless truly necessary. They are therefore likely to use tactics, techniques and procedures also used by much lower capability actors, exploiting known vulnerabilities and publicly available tools. Or they may be extremely capable in one area but far less capable in another.
Mat P describes trialling the STIX scale with various critical national infrastructure (CNI) clients. Although they found benefits, some felt the scale was too granular and reduced the number of points, which made comparison between organisations more difficult. The NCSC is now seeking input for further discussion, including on the role of STIX and possible alternatives.