COMMENTARY: The IC’s Cyber Threat Framework
Was it really worth it?
The Intelligence Community (IC) recently released its Cyber Threat Framework (CTF). They have been working on this since 2012; really, all THIS took 7 years. Does anyone even care that it was designed to characterize the threat and create an ontology (a set of common terms) describing how the bad guys attack systems or networks?
No one can argue against the need for a common lexicon to describe cyber attacks, but hasn’t, for example, the EC-Council (which gives us the Certified Ethical Hacker (CEH) certification) already accomplished that? Why not simply extend it from the existing Department of Defense (DOD) 8140 (formerly 8570) compliance requirements? The CTF appears far less complete than the CEH model, which describes the attack pathway from the threat’s point of view:
Here are those major headings:
- Reconnaissance–Can include social engineering, “dumpster diving,” etc.
- Scanning and enumeration–Includes scans of open ports and using them for identifying multiple vectors of attack.
- Gaining access–The threat has gained a foothold in the system and/or network.
- Escalation of privilege–This is where weak password protection and failure to change the factory-set password of “PASSWORD” matter most.
- Maintaining access–Leaving malware and keystroke capture software behind to help expand future intrusions.
- Covering tracks and emplacing backdoors–Wiping logs and creating backdoors into the system, including the current challenge of ransomware.
While we should certainly applaud the multi-billion-dollar IC and the Office of the Director of National Intelligence (ODNI), should we not have expected far more?
What would have provided greater value (and taken less than 7 years!!)?
A more valuable “CTF” that companies and agencies could employ would include a better categorization of how to DETECT, ISOLATE, and DEFEAT threats. That would have had far greater value to the cybersecurity community at large.
Here is a current ODNI slide deck on the CTF
Twenty-two years of military service. Support for Government, Department of Defense (DOD), and Intelligence Community (IC) customers as a contractor: Information Systems Security Manager, Information Systems Security Officer, Security Certification Assessor, and Security Analyst. Provided cybersecurity experience with the following frameworks and guidance documents: DCID 6/3, ICD 503, and the Risk Management Framework (RMF). Contractor with The Analytical Science Corporation (TASC), Systems High Corporation (SHC), and ManTech International Corporation in Chantilly, VA.