Formalizing Cyber Threat Intelligence Planning: Part VII

Published in SecureSet Command Line · 7 min read · Jan 21, 2019

Part 7 of 10: Center of Gravity Analysis (COG) and the CARVER Matrix, by Chris Ruel, Army Special Forces.

“Know your enemy, know his sword.” ― Miyamoto Musashi, A Book of Five Rings

In Part 5 — Intelligence Preparation of the Environment (IPE); Determine Adversary Course of Action (COA), you were exposed to the concept of an Adversary’s Center of Gravity (COG). There are varying definitions that have evolved over time. Carl Von Clausewitz was the first to use it in his pivotal work On War, first published in 1832. “Center of gravity, (Schwerpunkt) appears about 40 times in Clausewitz’s book”, albeit with slight variations. It is generally described as “a center of power and movement…on which everything depends, and against…all the forces must be directed.”

The Australian Defence Force describes it as “The primary entity that possesses the inherent capability to achieve an objective or the desired end state.” The US Department of Defense describes it as “The source of power that provides moral or physical strength, freedom of action, or will to act.”

To COG or not to COG?

Military strategists are split on the practicality of the COG concept. The critics feel that it is an unsettled theory that is “so abstract to be meaningless” and that “The [theory] won’t work if it takes a Zen master decades of rumination from atop the highest peak in Tibet to apply it.” The practitioners feel that “despite its flaws (poor definitions and lack of a clear methodology for identification and analysis), it can become useful.”

Using COG in a dynamic environment like cyberspace can, at times, be the proverbial square peg in a round hole. Its true value in the world of Cyber Threat Intelligence (CTI) lies in giving analysts a different way to look at a problem: a new tool to put on their belt.

The “Must-knows” of COG Analysis

This article is about what COG analysis is and where it can be applied to CTI, not how to do it. There are a few key terms that you’ll need to know first:

Start Thinking Like an Adversary

Going by the traditional approach, you would look for the Adversary’s COG first. As was mentioned earlier, unless you are a Nation-State, a criminal organization, or a Red Team, your operations will be defensive in nature. Like a jetty, you keep the rough seas at bay. You don’t try to defeat the ocean. Here is the oversimplified version of the process from the perspective of the defender. To do this, however, you have to think like the Adversary:

  1. Start at the End. What does your Adversary want to accomplish? What is their goal? Do they want to disrupt your business to make a statement? Seize your Intellectual Property (IP) to make a profit? What does success look like to them?
  2. Figure out the Ways. What actions could they take to reach those ends? Let’s say they want to get your login credentials so they can steal your IP. They could socially engineer you to provide them. They could crack your password, or beat it out of you.
  3. Identify what Means are available to your Adversary. Does your Adversary have the resources to implement the Ways? If your Adversary was an Advanced Persistent Threat (APT) with access to advanced AI and a supercomputer capable of 500 billion keys per second, what would they choose? What about a criminal organization with an underpowered laptop and a penchant for violence?
  4. Determine which Way is the one that can best achieve their Ends.
  5. Which Means allows them to execute that Way? The Means performs the Way. This is the Center of Gravity!
  6. Now that you know the COG and what it does (its Critical Capability), what are the essential conditions, resources, and means (Critical Requirements, CRs) it needs to perform the Critical Capability?
  7. List the vulnerabilities and exposures of those CRs (Critical Vulnerabilities, CVs). Often these are sub-systems or sub-components of the CR.
  8. Perform a CARVER (Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognizability) Matrix assessment.

Putting the CARVER Matrix to Work

Example: You believe that your Adversary, a well-funded and highly skilled APT, is determined to seize your IP with the intent of selling a knock-off product in a competing market. Success for them is obtaining your IP without being detected and while avoiding attribution. The best way for them to do this is to obtain legitimate admin credentials and export the data. There are only two individuals (John and Jane) in your company with the credentials to access the data, which for some reason is weakly encrypted. From the Adversary’s perspective, what is it that can get them access to the data? John and Jane! They are the COG, the primary entity that possesses the inherent capability to achieve an objective or the desired end state. They are the center of power toward which all efforts must be directed.

The Adversary knows they can’t just go up to John and Jane and ask for their passwords, and beating it out of them is politically infeasible. Since they cannot attack the victim directly, they must find a vulnerability to exploit. Let’s say they decide to target John. Besides controlling access to the data, what else does John do, and what does he require to do it?

This graphic is rudimentary and by no means inclusive, but it does start to paint a picture. Are there lots of shared CRs and CVs? Which would make the most likely target? Enter the CARVER Matrix. The origin of the CARVER Matrix is unclear, but it is rumored to have started with the Office of Strategic Services (OSS) during WWII. The OSS was disbanded after the war, and from its ashes rose the phoenixes of the CIA (1947) under Title 50 of the US Code and the Special Forces (1952) under Title 10.

The U.S. Army’s explanation of the CARVER matrix can be found on pages 34–36 of their field manual.

“The CARVER selection factors assist in selecting the best targets or components to attack. As the factors are considered, they are given a numerical value. This value represents the desirability of attacking the target. The values are then placed in a decision matrix. After CARVER values for each target or component are assigned, the sum of the values indicate the highest-value target or component to be attacked within the limits of the statement of requirements and commander’s intent.”

In short, the CARVER Matrix assigns objective numerical values to each criterion, and the highest total score marks the best target from the list of HVTs.

Criticality: How vital is this to the overall organization? A target is critical when its compromise or destruction has a highly significant impact on the overall organization.

Accessibility: How easy is it to reach the target? What are the defenses? Does the attacker have the knowledge and capability to access it?

Recuperability: How long will it take for the organization to replace, repair, or bypass the destruction or damage caused to the target? Once the compromise is found, how long will it take for the system to recover from it?

Vulnerability: What is the degree of knowledge and resources needed to exploit the target? Are there known exploits? Would an Adversary have access to Zero-day exploits?

Effect: What’s the impact of the attack on the organization? Similar to Criticality this point considers possible reactions from the entity targeted. How extreme will the response be?

Recognizability: Can I identify the target as such? How easy is it to recognize that a specific system / network / device is the target and not a security countermeasure?

And the winner is? The email server! Criticality is the single most important factor, but that doesn’t necessarily make it the best target. The email server was chosen in the end because of its ease of compromise with little risk of detection. In addition, access to the mail server would provide critical information to the attacker, allowing them to escalate their attacks: data to improve dictionary attacks, spear-phishing, and malware distribution. Now that the probable target is identified, the Adversary’s Courses of Action become clearer.
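The COG breakdown above (COG, Critical Capability, Critical Requirements, Critical Vulnerabilities) and the CARVER scoring that follows can be written down as a small model so the analysis is repeatable rather than a one-off whiteboard. The script below is an added example, not code from the original article or from any field manual: it models the two admins from the scenario as COGs, finds the Critical Requirements they share (the overlap the text asks about), and then ranks candidate systems behind those requirements with a CARVER matrix. The COG names, requirements, vulnerabilities, target names and all scores are constructed for illustration, and the 1-to-5 scale per factor is an assumption (the manual leaves the scale to the planner). For a blue team the same ranking reads as a priority list of where to put hardening and detection first.

```python
"""Worked COG / CARVER example. All entities and scores below are constructed
for illustration; they are not taken from the article or a field manual."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The six CARVER factors, each scored 1 (low) to 5 (high) from the Adversary's
# point of view (assumed scale), so a higher total means a more attractive target.
CRITERIA = ("Criticality", "Accessibility", "Recuperability",
            "Vulnerability", "Effect", "Recognizability")


@dataclass
class CriticalRequirement:
    """Something the COG needs to perform its Critical Capability (a CR),
    together with the Critical Vulnerabilities (CVs) of that requirement."""
    name: str
    vulnerabilities: List[str] = field(default_factory=list)


@dataclass
class CenterOfGravity:
    """An entity holding the Critical Capability the Adversary needs (here, a person)."""
    name: str
    critical_capability: str
    requirements: List[CriticalRequirement]


def shared_requirements(cogs: List[CenterOfGravity]) -> List[str]:
    """CR names common to every COG. A requirement both admins depend on is a single
    point through which either one can be reached, so its CVs deserve the first look."""
    if not cogs:
        return []
    common = set.intersection(*({r.name for r in cog.requirements} for cog in cogs))
    return sorted(common)


def validate_scores(scores: Dict[str, int]) -> None:
    """Reject a row that lacks a factor, names an unknown one, or is off the 1..5 scale."""
    missing = set(CRITERIA) - set(scores)
    if missing:
        raise ValueError(f"missing CARVER factors: {sorted(missing)}")
    for factor, value in scores.items():
        if factor not in CRITERIA:
            raise ValueError(f"unknown CARVER factor: {factor}")
        if not 1 <= value <= 5:
            raise ValueError(f"{factor} score {value} outside 1..5")


def carver_total(scores: Dict[str, int]) -> int:
    """Sum of the six factor scores; the matrix ranks targets by this sum."""
    validate_scores(scores)
    return sum(scores[c] for c in CRITERIA)


def rank_targets(matrix: Dict[str, Dict[str, int]]) -> List[Tuple[str, int]]:
    """Rank candidate targets by CARVER total, highest first (ties broken by name)."""
    totals = [(target, carver_total(row)) for target, row in matrix.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


def top_by_criterion(matrix: Dict[str, Dict[str, int]], criterion: str) -> str:
    """Target with the highest score on a single factor, e.g. the most Critical one."""
    return max(matrix, key=lambda target: matrix[target][criterion])


# Constructed sample: the two admins from the scenario, with illustrative CRs and CVs.
COGS = [
    CenterOfGravity("John", "can access and export the IP", [
        CriticalRequirement("admin credentials", ["weak password policy"]),
        CriticalRequirement("corporate email account", ["no phishing-resistant MFA"]),
        CriticalRequirement("vpn access", ["shared VPN certificate"]),
        CriticalRequirement("workstation", ["local admin rights"]),
        CriticalRequirement("home office router", ["default firmware"]),
    ]),
    CenterOfGravity("Jane", "can access and export the IP", [
        CriticalRequirement("admin credentials", ["weak password policy"]),
        CriticalRequirement("corporate email account", ["no phishing-resistant MFA"]),
        CriticalRequirement("vpn access", ["shared VPN certificate"]),
        CriticalRequirement("workstation", ["unpatched browser"]),
        CriticalRequirement("travel laptop", ["disk not encrypted"]),
    ]),
]

# Constructed CARVER rows for the systems behind the shared CRs, in CRITERIA order.
# The credential store is the most Critical, yet the email server scores highest overall.
CARVER_MATRIX = {
    "email server":           dict(zip(CRITERIA, (4, 5, 3, 4, 4, 5))),
    "admin credential store": dict(zip(CRITERIA, (5, 2, 4, 2, 5, 3))),
    "vpn gateway":            dict(zip(CRITERIA, (3, 3, 3, 3, 3, 4))),
    "john's workstation":     dict(zip(CRITERIA, (3, 4, 2, 4, 3, 3))),
}

if __name__ == "__main__":
    print("Shared CRs:", shared_requirements(COGS))
    for target, total in rank_targets(CARVER_MATRIX):
        print(f"{total:2d}  {target}")
    print("Most critical single target:", top_by_criterion(CARVER_MATRIX, "Criticality"))
```

Running it lists the four requirements John and Jane have in common and ranks the email server first on total score even though the credential store wins on Criticality alone, which is the point the article makes about the matrix. Swap in your own scored rows to turn the same code into a defensive priority list.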

COG Analysis and the CARVER Matrix definitely have a bias for offense and the attack. They can be incredibly useful for a red team (ethical hackers) when they are coming up with their plan of attack; however, for every attacker there has to be a defender. With a little bit of tweaking to the process, COG analysis can be a useful tool for blue teams and security analysts. In the next post, we’ll continue along with Mission Analysis and discuss tasks, facts, assumptions, and constraints.

Part 7 has concluded Step 2 of the Mission Analysis Process. Part 8 will cover Steps 3 through 6: Tasks, Facts, Assumptions, and Constraints.

If you’re just joining us for this series, you can catch up by reading Formalizing Cyber Threat Intelligence Planning: Part I, Part II, Part III, Part IV, Part V and Part VI.

Christopher Ruel is an Army Special Forces Officer with years of operational experience overseas. He has also worked closely with the Intelligence Community in pursuit of US strategic objectives. He has earned a BA in history, as well as an MBA with a concentration in Business Analytics.
