Formalizing Cyber Threat Intelligence Planning: Part VI

Published in SecureSet Command Line, Dec 18, 2018

Part 6 of 10: Intelligence Preparation of the Environment (IPE); Determine Adversary Course of Action (COA) by Chris Ruel, Full-Time Instructor at SecureSet Denver campus.

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” –Sun Tzu, The Art of War

The next step of IPE identifies and describes the Adversary’s courses of action (COAs) that can influence friendly operations. In military planning, this phase ends with the development of a graphical overlay (map + terrain analysis + adversary template). This concept is easy to understand in the physical world but is somewhat more difficult in the digital one. With a small amount of abstraction, however, the same principles can be applied. If this step is done right, decision makers will not be surprised by unanticipated adversary action. If done poorly, the adversary could exploit opportunities in the environment that the decision maker did not anticipate.

A Two-Step Process

Determining your Adversary’s course of action is a two-step process. These steps are labeled 2.d Determine Adversary Course of Action and 2.e Develop the Event Template Matrix in our mission analysis chart above.

Step 1: Develop Adversary Course of Action

1.1. Identify likely objectives and end state
1.2. Identify the full set of COAs available to the Adversary
1.3. Evaluate and prioritize Adversary COA
1.4. Develop each COA as much as time allows
1.5. Identify High-Value Target (HVT) for each COA
1.6. Identify initial collection requirements

Developing Adversary COAs is a six-step process that requires an understanding of the Adversary’s characteristics (Step 3) and the effects of terrain (Step 2). Decision makers need to plan for all feasible contingencies. Analysts assist decision makers by presenting all valid Adversary COAs from most to least likely. At a minimum, the most likely and most dangerous COAs should be presented. For a COA to be considered “valid” it should be deemed:

  • Suitable: It must be able to achieve the end state
  • Feasible: Time and resources available
  • Acceptable: Worth the risk or expenditure of resources
  • Distinguishable: Must be significantly different (method of attack, vector of attack, or time)
  • Complete: Completes the mission statement

1.1. Identify Likely Objectives and End State

By this time the analyst should know enough about the Adversary to understand its objectives (clearly defined, decisive, and attainable goal toward which every operation is directed) and end state (the desired conditions that, if achieved, meet the conditions of policy, orders, guidance, and directives issued).

Example Objectives:

“Get victim to open infected file.”

“Encrypt victim files with ransomware.”

“Extract payment from victim.”

Example End State:

“Payment from victim received and files returned to their original state with no loss of data.”

The better decision makers understand the motives of their adversary, the better they can respond. In the example above, let’s assume the Adversary was successful. If the victim was fairly certain the Adversary would restore their data (even criminals have reputations to uphold), paying the ransom would be a good business decision.

1.2. Identify Full Set of COAs Available to the Adversary: There are really only two types of operations in the cyber world: attack or defend. Unless you’re a criminal, nation-state, or red team, chances are you’re the defender and the Adversary is attacking and has multiple options available. Regardless of the Adversary you are facing, they will likely, even if informally, plan their operations based on task, purpose, method, and end state. All ancillary efforts are planned to support that task and purpose. For all COAs the analyst should attempt to determine the following:

Before moving on to the next step, COAs are checked again to make sure they answer six basic questions:

1.3. Evaluate and Prioritize Adversary COA: Once the analyst has identified all of the valid Adversary COAs, they are evaluated and prioritized by number (e.g. COA 1 is the most likely). At a minimum, the Most Likely and Most Dangerous COA should be covered. Sometimes, though not often, they can be the same (good OPSEC/InfoSec can prevent the disclosure of information that would reveal the most dangerous). Generally, an Adversary will take the course of action that offers the greatest advantage while minimizing risk; however, based on the situation and their objectives, they may accept significant risk. In the end, it is impossible to know for sure what the Adversary will do, so the more COAs that are examined, the better prepared you’ll be.

“No plan survives first contact with the enemy” — Military Axiom

1.4. Develop Each COA as Much as Time Allows: Each COA should consist of the following products:

  • Situation Template for the Adversary COA: This is modified based on the effects of the environment. “A technique is to design a sketch to depict an Adversary action or COA which is a graphic representation that will show key outputs or a graphic representation of an Adversary action or COA.” For example, how would an Adversary who primarily uses Windows-based attacks alter their tactics to go after a target that only uses Macs?
  • Adversary COA Statement: This is the narrative that accompanies the situation overlay. Figure 1 is an example of a COA statement.
  • HVTs and the High-Value Target List (HVTL) for the Adversary COA are created with a Center of Gravity (COG) Analysis and a CARVER (Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognizability) Matrix. For more information on COG Analysis, see the Pocket Guide by the RAND Corporation, the article “Think Like a Green Beret: The CARVER Matrix” by Mark Miller, or “Using CARVER to Identify Risks and Vulnerabilities” by RedTeams.net.

1.5. Identify High-Value Target (HVT) for Each COA: The output of the CARVER Matrix will give you an objective numerical value to rank the HVTs. When doing this as the defender you should look at your own systems and not the Adversary’s. This will inform your priorities for defense because the HVTs identified are the ones most likely to be attacked.

1.6. Identify Initial Collection Requirements: As mentioned earlier, the adversary gets a vote. You won’t know for certain how they will act until they do. What you do have is a list of possible actions they can take. If you know the actions and the methods used by the Adversary, then you have Indicators of Attack (IoA). A list of the Top 10 IoAs can be found here. As IoAs are detected, logged, and analyzed, they allow analysts to confirm or deny the Adversary’s COA, or unique to the cyber domain, who the Adversary is.

Step 2: Develop the Event Template and Matrix

The event template is used to confirm Adversary COAs. It is usually in abstracted graphical form and is always accompanied by a matrix. The locations where IoAs are likely to occur become Named Areas of Interest (NAIs). NAIs are assigned numbers for simplicity. Let’s say, for example, an Adversary communicates “to external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP, HTTPS traffic over port 80,443, the default web port.” You would create an NAI around port 80 (NAI 1) and another around port 443 (NAI 2), and in the event matrix list, at a minimum: the NAI, the IoA, and the COA indicator.
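The following is an added example, not code from the original article, showing how the event matrix and the IoA-to-COA confirmation described in sections 1.6 and Step 2 can be expressed as a small detection program. It assumes a network sensor that labels each flow with the application protocol actually observed (banner or DPI), independent of the destination port; the NAI definitions, the two IoAs (protocol/port mismatch and fixed-interval beaconing), the COA numbering and the sample flows are all constructed for illustration.

```python
"""Event template / event matrix: confirm adversary COAs from observed IoAs.

Added example; data structures, field names and sample flows are assumptions
constructed for this illustration, not the article's own material.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Named Areas of Interest (NAIs): the ports where IoAs are expected to show up.
# NAI 1 = port 80 (expect HTTP), NAI 2 = port 443 (expect TLS).
NAIS: Dict[int, dict] = {
    1: {"port": 80, "expected": {"HTTP"}},
    2: {"port": 443, "expected": {"TLS"}},
}


@dataclass(frozen=True)
class EventMatrixRow:
    nai: int   # NAI in which the indicator is observed
    ioa: str   # indicator of attack (name of a detector below)
    coa: int   # adversary COA the indicator supports (1 = most likely)


# The event matrix with the minimum columns the text lists: NAI, IoA, COA indicator.
EVENT_MATRIX: List[EventMatrixRow] = [
    EventMatrixRow(nai=1, ioa="protocol_mismatch", coa=1),
    EventMatrixRow(nai=2, ioa="protocol_mismatch", coa=1),
    EventMatrixRow(nai=2, ioa="beaconing", coa=2),
]


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    proto: str   # application protocol the sensor observed on the wire


def nai_for_port(port: int) -> Optional[int]:
    """Map a destination port to its NAI number, or None if no NAI covers it."""
    for nai, spec in NAIS.items():
        if spec["port"] == port:
            return nai
    return None


def detect_protocol_mismatch(flows: List[Flow]) -> List[Tuple[int, Flow]]:
    """IoA: the protocol seen on an NAI port is not the one expected there."""
    hits = []
    for f in flows:
        nai = nai_for_port(f.dport)
        if nai is not None and f.proto not in NAIS[nai]["expected"]:
            hits.append((nai, f))
    return hits


def detect_beaconing(flows: List[Flow], min_events: int = 3,
                     jitter: int = 5) -> List[Tuple[int, List[Flow]]]:
    """IoA: the same src->dst:port pair connects at a near-constant interval."""
    groups: Dict[tuple, List[Flow]] = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    hits = []
    for (_, _, dport), fs in groups.items():
        nai = nai_for_port(dport)
        if nai is None or len(fs) < min_events:
            continue
        times = sorted(f.ts for f in fs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:   # intervals all within the jitter window
            hits.append((nai, fs))
    return hits


DETECTORS = {
    "protocol_mismatch": detect_protocol_mismatch,
    "beaconing": detect_beaconing,
}


def confirm_coas(flows: List[Flow]) -> Dict[int, list]:
    """Walk the event matrix, run each row's detector, and tally evidence per COA."""
    evidence: Dict[int, list] = defaultdict(list)
    for row in EVENT_MATRIX:
        for nai, observation in DETECTORS[row.ioa](flows):
            if nai == row.nai:             # only count hits inside the row's own NAI
                evidence[row.coa].append((row.nai, row.ioa, observation))
    return dict(evidence)


# Constructed sample flows (documentation IP ranges, not real telemetry).
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.5", "203.0.113.9", 80, "HTTP"),     # benign web traffic
    Flow(1010, "10.0.0.7", "203.0.113.9", 80, "SSH"),      # SSH on the web port: NAI 1 mismatch
    Flow(1020, "10.0.0.7", "198.51.100.4", 443, "SSH"),    # SSH on 443: NAI 2 mismatch
    Flow(1100, "10.0.0.9", "198.51.100.20", 443, "TLS"),   # beacon 1
    Flow(1160, "10.0.0.9", "198.51.100.20", 443, "TLS"),   # beacon 2 (+60 s)
    Flow(1221, "10.0.0.9", "198.51.100.20", 443, "TLS"),   # beacon 3 (+61 s)
    Flow(1281, "10.0.0.9", "198.51.100.20", 443, "TLS"),   # beacon 4 (+60 s)
]

if __name__ == "__main__":
    for coa, items in sorted(confirm_coas(SAMPLE_FLOWS).items()):
        print(f"COA {coa}: {len(items)} supporting observation(s)")
        for nai, ioa, obs in items:
            print(f"  NAI {nai} / {ioa}: {obs}")
```

Each matrix row binds one IoA to one NAI and one COA, so the same detector output can support different COAs depending on where it is seen; adding a row (or a detector) extends the matrix without touching the confirmation logic, which is what makes the matrix, rather than the individual alerts, the analyst's working product.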

Part 6 has led us into the final step of the IPE process. In Part 7 we will look at Center of Gravity (COG) Analysis and the CARVER (Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognizability) Matrix.

References:

  1. The Diamond Model of Intrusion Analysis
  2. ATP 2-01.3, Intelligence Preparation of the Battlefield/Battlespace
  3. “Use offense to inform defense. Find flaws before the bad guys do”, Winterfeld, SANS Institute
  4. FM 34-130, Intelligence Preparation of the Battlefield
  5. https://redteams.net/redteaming/2013/using-carver-to-identify-risks-and-vulnerabilities
  6. https://loadoutroom.com/13821/green-berets-and-the-carver-matrix/
  7. https://www.rand.org/content/dam/rand/pubs/tools/TL100/TL129/RAND_TL129.pdf
  8. https://www.threatconnect.com/blog/diamond-dashboard-hunting-your-adversaries/
  9. https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
  10. https://securelist.com/russian-financial-cybercrime-how-it-works/72782/
  11. https://gbhackers.com/soc-indicator/
  12. https://www.mcafee.com/enterprise/en-us/assets/solution-briefs/sb-indicators-of-attack.pdf

If you’re just joining us for this series, you can catch up by reading Formalizing Cyber Threat Intelligence Planning: Part I, Part II, Part III, Part IV and Part V.

Christopher Ruel is a Full-Time Instructor at the SecureSet Denver Campus. He teaches Cyber Threat Intelligence as well as Strategy and Analysis. Chris is an Army Special Forces Officer with years of operational experience overseas. He has also worked closely with the Intelligence Community in pursuit of US strategic objectives. He has earned a BA in history, as well as an MBA with a concentration in Business Analytics.
