Enhancing Collective Defense with Taxonomies for Operational Cyber Defense
Cyberspace is our interconnected information technology. And since everything either is or is becoming connected, one of the defining characteristics of cyberspace is its complexity. This adds burden to cyber defenders. Defense teams require experience, education, training and a mindset that lets them continually learn. They also must forge broad teams across multiple subject and functional areas. An ability to rapidly collaborate and exchange data while in a fight is a must.
For years computer security professionals have sought the best ways to dialog on incidents, and some great foundational work has been done in this area. This post reviews two key works I have found to be of special relevance to today’s cyber defenders. One is a 1998 publication titled “A Common Language for Computer Security Incidents,” the other is a matrix developed by Dr. John Mallary of MIT’s CSAIL. Both these documents have already had impacts on the community and the many automated data exchange models in place today. But both are also relevant to the human to human dialog and understanding on cyberspace operations and are important pieces for continued study.
What is a taxonomy?
A taxonomy is a set of related terms. It is a classification scheme. How do you judge a good taxonomy? It should meet several criteria, including being:
- Mutually exclusive – classifying in one category excludes all others because categories do not overlap,
- Exhaustive – taken together, the categories include all possibilities,
- Unambiguous – clear and precise so that classification is not uncertain, regardless of who is classifying,
- Repeatable – repeated applications result in the same classification, regardless of who is classifying,
- Accepted – logical and intuitive so that categories could become generally approved,
- Useful – could be used to gain insight into the field of inquiry
Caution: there is probably no such thing as a perfect taxonomy. They are all approximations of reality and therefore you will never have one that meets every criteria perfectly. But the characteristics above are good goals to judge the taxonomy by.
When it comes to cyberspace activity, the taxonomy presented by John Howard and Thomas Longstaff comes pretty close to meeting those goals which is why it is still so relevant today.
They define a taxonomy of terms in a way that can be logically and graphically expressed.
See, for example, the picture below.
This is from their report and it lets you related terms in a way that can help in dialog between humans and also help in automating information exchange.
The top line of words can be easily thought of as a sentence. Attackers use Tools against Vulnerabilities to cause an Action against a Target to achieve an Unauthorized Result to meet an Objective.
The details of their work spell out with clarify what the individual terms are and that is also a huge help to dialog. Over time there has been a little modification by operational users on some of the terms, and the adversaries in cyberspace have continued to change their craft and a few more terms have entered the lexicon. But overall the framework is sound.
For organizations who need to focus more on the threat, taxonomies have also been devised that delve deeper into the motivations and resources and capabilities of adversaries. Most computer security books today have some articulation of the threat at a high level, but to find the most operationally useful articulation of the threat I recommend the works of John Mallery of MIT’s Computer Science and Artificial Intelligence Laboratory. With John’s permission I have reproduced one of his taxonomy’s of the threat below:
Note that John’s articulation of threat actors is different than the October 1998 work of Sandia and CERT. Part of that is due to the passing of time, but you should also keep in mind that although we like a common language for all mission areas, there are also differences of taxonomies based on how information is used. Some organizations may choose to slightly modify John’s approach (but I would recommend the default be to keep his taxonomy unless there is specific reason to clarify, since it is helpful to have a common expression of terms).
John is working on a paper that captures many of the key considerations from his work in things cyber. As soon as that is publicly available we will review it here.