Enhancing Collective Defense with Taxonomies for Operational Cyber Defense

Cyberspace is our interconnected information technology. And since everything either is or is becoming connected, one of the defining characteristics of cyberspace is its complexity. This adds burden to cyber defenders. Defense teams require experience, education, training and a mindset that lets them continually learn. They also must forge broad teams across multiple subject and functional areas. An ability to rapidly collaborate and exchange data while in a fight is a must.

For years computer security professionals have sought the best ways to dialog on incidents, and some great foundational work has been done in this area.  This post reviews a work found to be of special relevance to today’s cyber defenders, a 1998 publication titled “A Common Language for Computer Security Incidents.”  This foundational work is important since it is a bit of a stage setter relevant to all the current work I see on standards for information exchange and even human dialog/discussion.

What is a taxonomy?

A taxonomy is a set of related terms. It is a classification scheme. How do you judge a good taxonomy?  It should meet several criteria, including being:

  1. Mutually exclusive – classifying in one category excludes all others because categories do not overlap,
  2. Exhaustive – taken together, the categories include all possibilities,
  3. Unambiguous – clear and precise so that classification is not uncertain, regardless of who is classifying,
  4. Repeatable – repeated applications result in the same classification, regardless of who is classifying,
  5. Accepted – logical and intuitive so that categories could become generally approved,
  6. Useful – could be used to gain insight into the field of inquiry

Caution: there is probably no such thing as a perfect taxonomy. They are all approximations of reality and therefore you will never have one that meets every criteria perfectly. But the characteristics above are good goals to judge the taxonomy by.

When it comes to cyberspace activity, the taxonomy presented by John Howard and Thomas Longstaff comes pretty close to meeting those goals which is why it is still so relevant today.

They define a taxonomy of terms in a way that can be logically and graphically expressed.

See, for example, the picture below:

incidenttaxonomy

This is from their report and it lets you related terms in a way that can help in dialog between humans and also help in automating information exchange.

The top line of words can be easily thought of as a sentence. Attackers use Tools against Vulnerabilities to cause an Action against a Target to achieve an Unauthorized Result to meet an Objective.

The details of their work spell out with clarify what the individual terms are and that is also a huge help to dialog. Over time there has been a little modification by operational users on some of the terms, and the adversaries in cyberspace have continued to change their craft and a few more terms have entered the lexicon.  But overall the framework is sound.

Since this first ground-breaking work the community has continued to improve on this notion, converting concepts into processes and standards and influencing the technology used in cyber defense. Some of the greatest work in this domain is coordinated by MITRE. I’ll make that a topic for future posts, but for an overview of their current work see: MITRE Cybersecurity Standards.

 

 

Connect Here

Bob Gourley

Partner at Cognitio Corp
Bob Gourley is a Co-founder and Partner at Cognitio and the publisher of CTOvision.com andThreatBrief.com. Bob's background is as an all source intelligence analyst and an enterprise CTO. Find him on Twitter at @BobGourley
Connect Here
About Bob Gourley

Bob Gourley is a Co-founder and Partner at Cognitio and the publisher of CTOvision.com and ThreatBrief.com. Bob's background is as an all source intelligence analyst and an enterprise CTO. Find him on Twitter at @BobGourley

Comments

  1. Mitre has been work in this problem for years with a variety of standards. http://cve.mitre.org/

  2. al fink says:

    Bob…is an attack against…say…a virtualized register the same thing as an attack against a real/hw register? how do these taxonomies account for…or is there a need…for what is emulated/non-persistent? how do these taxonomies account for computing entities whose fundamental properties continually change? … al

Leave a Reply