
A Standardized Vocabulary for Evaluating the Impact of Cyber Defense Decisions on Adversary Behavior

I. Introduction

A. Background on cyber mission assurance decisions and their impact on cyber adversary behavior

Cybersecurity is a critical component of modern society as almost every facet of our daily lives relies on computer systems and the internet. However, with the increasing dependence on these systems, cyber adversaries have become more sophisticated in their tactics, techniques, and procedures (TTPs) for exploiting vulnerabilities and causing harm. Cyber mission assurance decisions refer to the choices made by defenders in mitigating and managing the risk of cyber attacks against their systems, networks, and data.

The impact of cyber mission assurance decisions on cyber adversary behavior is significant, as these decisions can affect the adversary's ability to launch successful attacks, the effectiveness of their TTPs, and the overall threat landscape. Thus, it is essential to have a standardized vocabulary for evaluating the impact of these decisions on adversary behavior.

B. Purpose of the paper: to present a vocabulary for stating claims or hypotheses about these effects

The purpose of this paper is to present a standardized vocabulary from NIST SP 800-160 Vol. 2 Rev. 1 for stating claims or hypotheses about the impact of cyber mission assurance decisions on cyber adversary behavior. The vocabulary consists of five high-level, desired effects on the adversary: redirect, preclude, impede, limit, and expose, and 14 specific classes of effects that fall under these categories.

By having a standardized vocabulary, claims and hypotheses about the impact of cyber mission assurance decisions can be stated clearly and compared across different environments, enabling evidence-based evaluation and improvement of cyber security, resiliency, and defensibility.

C. Importance of clear and comparable claims and hypotheses for evaluating and improving cyber security, resiliency, and defensibility

Clear and comparable claims and hypotheses about the impact of cyber mission assurance decisions on cyber adversary behavior are critical for evaluating and improving cyber security, resiliency, and defensibility. They provide a framework for understanding the impact of different cyber mission assurance decisions and enable the comparison of the effectiveness of different mitigation strategies.

Having a standardized vocabulary for stating claims and hypotheses also facilitates communication and understanding across different domains, including technical, operational, and strategic. This is particularly important in the context of cybersecurity, where the complexity and interdependence of systems, networks, and data require cross-disciplinary collaboration and understanding.

D. Overview of the vocabulary and its potential applications in various modeling and analysis techniques

The standardized vocabulary for stating claims and hypotheses presented in this paper has the potential to be used in various modeling and analysis techniques. These include Red Team analysis, game-theoretic modeling, attack tree and attack graph modeling, and cyber attack lifecycle analysis.

By using the vocabulary in these techniques, the effectiveness of different mitigation strategies can be evaluated, potential attack paths can be identified and prioritized, and opportunities for disruption or detection of adversary activities can be uncovered.

Overall, the vocabulary provides a comprehensive and standardized framework for evaluating the impact of cyber mission assurance decisions on cyber adversary behavior, enabling evidence-based decision-making and continuous improvement of cyber security, resiliency, and defensibility.


II. Cyber Mission Assurance Decisions

A. Definition and examples of cyber mission assurance decisions

Cyber mission assurance decisions are the choices made by cyber defenders to improve the security, resilience, and defensibility of their information technology (IT) systems. These decisions may include the selection of security technologies, the implementation of security policies and procedures, and the deployment of defensive measures to protect critical assets from cyber attacks.

Examples of cyber mission assurance decisions may include the following:

  • Selecting and deploying intrusion detection and prevention systems (IDPS)
  • Configuring network security controls, such as firewalls, to restrict access to critical resources
  • Implementing multi-factor authentication to reduce the risk of unauthorized access
  • Conducting regular vulnerability assessments and penetration testing to identify and remediate vulnerabilities
  • Developing and implementing incident response plans to mitigate the impact of cyber attacks
  • Encrypting sensitive data to prevent unauthorized disclosure
  • Implementing data backup and recovery strategies to ensure the availability of critical systems and data in the event of a cyber attack

B. Importance of these decisions in improving cyber security, resiliency, and defensibility

Cyber mission assurance decisions are critical to improving the security, resilience, and defensibility of IT systems. By making informed decisions about the selection and implementation of security technologies, policies, and procedures, cyber defenders can reduce the likelihood of successful cyber attacks and minimize the impact of those that do occur.

Effective cyber mission assurance decisions can also help organizations to achieve compliance with regulatory requirements and industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

C. Role of cyber defender actions, architectural decisions, and technologies in these decisions

Cyber mission assurance decisions are informed by a range of factors, including cyber defender actions, architectural decisions, and technologies. Cyber defender actions may include the development and implementation of security policies and procedures, as well as the deployment of defensive measures to protect critical assets from cyber attacks.

Architectural decisions, such as the selection and configuration of network security controls, also play a critical role in cyber mission assurance. These decisions are based on an understanding of the organization's IT environment, including the types of systems and applications in use, as well as the potential threats and vulnerabilities that may be present.

Finally, the selection and implementation of security technologies, such as IDPS and encryption solutions, are critical to improving cyber security, resilience, and defensibility. These technologies can help organizations to detect and prevent cyber attacks, as well as mitigate the impact of those that do occur.

Overall, cyber mission assurance decisions require a comprehensive understanding of an organization's IT environment, as well as the potential threats and vulnerabilities that may be present. By making informed decisions about the selection and implementation of security technologies, policies, and procedures, organizations can improve their cyber security posture and reduce the risk of successful cyber attacks.

III. Vocabulary for Stating Claims and Hypotheses

A. Definition and Importance of a Standardized Vocabulary for Stating Claims and Hypotheses

In the field of cybersecurity, the ability to make clear and comparable claims and hypotheses about the effects of cyber mission assurance decisions on adversary behavior is critical. However, often these claims and hypotheses are not well-defined or standardized, which can lead to misunderstandings and ineffective decision-making. This is where a standardized vocabulary comes in, providing a common language for cybersecurity professionals to communicate and evaluate the impact of their decisions.

A standardized vocabulary allows for clear and precise communication of claims and hypotheses. It enables researchers and practitioners to compare the effects of different cyber mission assurance decisions in various real-world environments, improving the evaluation and implementation of cyber defense strategies. A standardized vocabulary also provides a basis for evidence-based evaluation, as it enables the creation of more precise and testable claims and hypotheses. 

B. Overview of the Five High-Level, Desired Effects on the Adversary: Redirect, Preclude, Impede, Limit, and Expose

The standardized vocabulary presented in this paper focuses on five high-level, desired effects on the adversary: redirect, preclude, impede, limit, and expose. Each of these effects represents a different way in which cyber mission assurance decisions can impact the behavior of cyber adversaries.

  1. Redirect: Redirecting the adversary's activities to a less harmful or less critical target. This can involve diverting the adversary's attention to a decoy system or preventing the adversary from reaching the primary target altogether. 
  2. Preclude: Precluding the adversary's ability to conduct a successful attack. This can involve preventing the adversary from gaining access to the target system, or disrupting the adversary's ability to conduct reconnaissance on the target.
  3. Impede: Impeding the adversary's ability to conduct an attack. This can involve slowing down the adversary's progress or making it more difficult for the adversary to achieve its objectives.
  4. Limit: Limiting the impact of a successful attack. This can involve reducing the duration or scope of the attack, or minimizing the damage caused by the attack.
  5. Expose: Exposing the adversary's activities to better prepare defenders for future attacks. This can involve detecting the adversary's activities and sharing intelligence with other defenders to better understand and prevent similar attacks in the future.

By understanding and applying these five high-level effects, cybersecurity professionals can more effectively communicate and evaluate the impact of their cyber mission assurance decisions on adversary behavior. In the next section, we will explore the specific classes of effects within each of these five high-level effects.

C. Definition and examples of the specific classes of effects and how they are related to the five high-level effects: deter, divert, deceive, expunge, preempt, negate, contain, degrade, delay, exert, shorten, detect, scrutinize, and reveal

The five high-level effects on the adversary (redirect, preclude, impede, limit, and expose) serve as useful starting points for discussing the impact of cyber mission assurance decisions on cyber adversary behavior. However, these high-level effects are often too general to provide specific measures of effectiveness. Therefore, more specific classes of effects have been defined to support each of the five high-level effects.

The specific classes of effects are:

  1. Deter, divert, and deceive in support of redirect: These effects are aimed at preventing an adversary from achieving their objectives by deterring, diverting, or deceiving them. Deterrence involves persuading the adversary that the risk of attack outweighs the potential gain. Diversion involves directing the adversary's attention away from the intended target. Deception involves misleading the adversary by presenting false information or misleading them about the intended target. Examples of techniques that support these effects include honeypots and honeynets. Impact on risk: Reduce the likelihood of occurrence, and (to a lesser extent) reduce the likelihood of impact.
  2. Expunge, preempt, and negate in support of preclude: These effects are aimed at preventing an adversary from gaining a foothold or establishing a presence in the system. Expunging involves removing adversary presence or artifacts from the system. Preempting involves stopping an adversary's activity before they are able to establish a foothold. Negating involves rendering an adversary's activity ineffective. Examples of techniques that support these effects include patching vulnerabilities, disabling unused services, and using intrusion prevention systems. Impact on risk: Reduce the likelihood of occurrence, and/or reduce the likelihood of impact.
  3. Contain, degrade, delay, and exert in support of impede: These effects are aimed at slowing down an adversary's progress or preventing them from achieving their objectives. Containment involves limiting an adversary's ability to move laterally within the system. Degradation involves reducing an adversary's ability to perform certain actions. Delay involves slowing down an adversary's progress towards their objectives. Exertion involves increasing the cost or effort required for an adversary to achieve their objectives. Examples of techniques that support these effects include network segmentation, access control, and rate limiting. Impact on risk: Reduce the likelihood of impact and reduce the level of impact. 
  4. Shorten and reduce in support of limit: These effects are aimed at reducing the window of opportunity for an adversary to achieve their objectives. Shortening involves reducing the time available for an adversary to achieve their objectives. Reduction involves reducing the number of opportunities available to an adversary to achieve their objectives. Examples of techniques that support these effects include time-based access controls and reducing the attack surface. Impact on risk: Reduce the level of impact, and reduce the likelihood of impact of subsequent events in the same threat scenario.
  5. Detect, reveal, and scrutinize in support of expose: These effects are aimed at identifying an adversary's activities or presence in the system. Detection involves identifying an adversary's activity or presence in the system. Reveal involves exposing an adversary's activity or presence in the system to defenders or other parties. Scrutiny involves examining an adversary's activity or presence in the system to gain more information about their objectives or methods. Examples of techniques that support these effects include intrusion detection systems, log analysis, and threat intelligence. Impact on risk: Reduce the likelihood of impact.

The specific classes of effects are related to the five high-level effects in that they support and enable the achievement of the desired effects. By using a standardized vocabulary to define and communicate these specific classes of effects, it is easier for defenders to evaluate and compare the effectiveness of different cyber mission assurance decisions across different environments and contexts.

Let's look more closely at the 14 specific resiliency effects.

  • Deter: Discourage adversaries from attempting an attack through threats or other means of dissuasion. Deterrence can be achieved through various means, such as showing the strength of a defense system or establishing legal consequences for an attack.
    • Example: A company may publicize its robust cybersecurity measures to deter potential attackers from attempting to breach its systems.
    • Impact on Risk: Reduce the likelihood of occurrence.
  • Divert: Channel adversaries away from high-value targets by creating false targets or deception. Diversion can be used to misdirect attackers to reduce the likelihood of successful attacks against critical systems or resources.
    • Example: A company may deploy honeypots, which are decoy systems designed to appear vulnerable to attackers, in order to lure them away from the actual targets.
    • Impact on Risk: Reduce the likelihood of occurrence.
  • Deceive: Mislead adversaries into taking ineffective or suboptimal actions. Deception can be used to confuse or misdirect attackers to gain an advantage.
    • Example: A company may use decoys or false information to deceive attackers into thinking they have successfully breached a system or accessed valuable information.
    • Impact on Risk: Reduce the likelihood of occurrence, and/or reduce the likelihood of impact.
    • MITRE Engage™ is a framework for adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.
  • Expunge: Eradicate adversaries from the system or network entirely. Expungement can be used to remove attackers from the system or network to prevent further damage or reconnaissance.
    • Example: A company may employ anti-malware tools that remove an attacker's foothold from a system or network, effectively expunging them.
    • Impact on Risk: Reduce the likelihood of impact of subsequent events in the same threat scenario.
  • Preempt: Anticipate and prevent adversaries from carrying out an attack before it occurs. Preemption can be used to stop an attack before it is executed.
    • Example: A company may detect suspicious activity and shut down a system or network to prevent an attack from occurring.
    • Impact on Risk: Reduce the likelihood of occurrence. 
  • Negate: Neutralize the impact of an adversary's attack. Negation can be used to reduce the harm or damage caused by an attack.
    • Example: A company may implement redundancy measures to negate the impact of a successful attack by ensuring that critical systems or data can be recovered in the event of an attack.
    • Impact on Risk: Reduce the likelihood of impact. 
  • Contain: Restrict the spread of an attack to minimize the damage caused. Containment can be used to prevent an attack from spreading to other systems or resources.
    • Example: A company may isolate an infected system or network segment to contain the spread of malware.
    • Impact on Risk: Reduce the level of impact.
  • Degrade: Reduce the effectiveness of an adversary's attack. Degradation can be used to make an attack less damaging or less effective.
    • Example: A company may implement network traffic filtering to degrade the effectiveness of a distributed denial-of-service (DDoS) attack.
    • Impact on Risk: Reduce the likelihood of impact, and/or reduce the level of impact. 
  • Delay: Slow down an adversary's attack to provide additional time for response or recovery. Delay can be used to increase the amount of time available to respond to an attack.
    • Example: A company may implement rate limiting to delay the progress of an attack, giving defenders more time to respond.
    • Impact on Risk: Reduce the likelihood of impact, and/or reduce the level of impact. 
  • Exert: Apply pressure to adversaries to discourage them from continuing an attack or to force them to reveal their tactics or objectives. Exertion can be used to alter the adversary's behavior or reduce their options.
    • Example: A company may deploy active defenses, such as the adversary engagement activities catalogued in MITRE Engage™, that attempt to disrupt an attacker's activities, for example by injecting false data or modifying network traffic.
    • Impact on Risk: Reduce the likelihood of impact.
  • Shorten: Reduce the duration of an adversary's attack to minimize the damage caused. Shortening can be used to limit the amount of time an attacker has to carry out an attack.
    • Example: A company may implement intrusion detection systems to detect and respond to attacks as soon as they occur. By shortening the time an attacker has to operate within the system, the potential damage that can be caused is reduced.
    • Impact on Risk: Reduce the level of impact. 
  • Detect: Identify the presence of an adversary within a system or network. Detection can be used to quickly identify an attacker and initiate a response to mitigate the impact of their actions.
    • Example: A security team may use network monitoring tools to detect unusual activity, such as an unauthorized user attempting to access a sensitive system. By detecting the attack early, the security team can take steps to prevent further damage.
    • Impact on Risk: Reduce the likelihood of impact, and reduce the level of impact.
  • Scrutinize: Analyze the behavior and actions of an adversary to gain insight into their tactics, techniques, and procedures. Scrutinizing can be used to gain an understanding of an attacker's capabilities and motives, and to develop effective countermeasures.
    • Example: A security team may analyze the tactics and tools used by an attacker in a previous attack to identify weaknesses in their own defenses. By scrutinizing the attacker's actions, the security team can develop more effective defenses to prevent future attacks.
    • Impact on Risk: Reduce the likelihood of impact.
  • Reveal: Publicly disclose information about an adversary's actions or capabilities. Reveal can be used to expose an attacker's activities to a wider audience, such as law enforcement or the public, and to apply pressure on the attacker to cease their activities.
    • Example: A company may publicly disclose information about an attack on their systems to raise awareness of the issue and to encourage other organizations to improve their own security measures. By revealing details of the attack, the company can also assist law enforcement in identifying and prosecuting the attackers. Threat information sharing using machine-readable industry standards such as STIX and TAXII is also a key activity of the reveal effect.
    • Impact on Risk: Reduce the likelihood of impact, particularly in the future.
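As an added example (not from the paper or from NIST SP 800-160), here is the vocabulary above encoded in Python so that a decision can be stated as a claim in the shared terms, a set of decisions can be checked for high-level effects and risk factors it leaves uncovered, and a hypothesis can be tested against before/after measurements. The effect names and their "Impact on Risk" entries are transcribed from the list above; the `Decision` and `Hypothesis` structures, the metric names and the sample measurements are constructed for illustration.

```python
"""Stating resiliency claims and hypotheses in the NIST effects vocabulary.

Added example, not from the paper or NIST SP 800-160: effect names and their
risk impacts follow the list above; the structures, metric names and sample
measurements are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean

# The three risk factors the per-effect "Impact on Risk" entries refer to.
OCCURRENCE = "likelihood of occurrence"
IMPACT_LIKELIHOOD = "likelihood of impact"
IMPACT_LEVEL = "level of impact"

HIGH_LEVEL = ("redirect", "preclude", "impede", "limit", "expose")

# specific effect -> (high-level effect it supports, risk factors it reduces),
# transcribed from the "Impact on Risk" lines above.
EFFECTS = {
    "deter":      ("redirect", {OCCURRENCE}),
    "divert":     ("redirect", {OCCURRENCE}),
    "deceive":    ("redirect", {OCCURRENCE, IMPACT_LIKELIHOOD}),
    "expunge":    ("preclude", {IMPACT_LIKELIHOOD}),
    "preempt":    ("preclude", {OCCURRENCE}),
    "negate":     ("preclude", {IMPACT_LIKELIHOOD}),
    "contain":    ("impede",   {IMPACT_LEVEL}),
    "degrade":    ("impede",   {IMPACT_LIKELIHOOD, IMPACT_LEVEL}),
    "delay":      ("impede",   {IMPACT_LIKELIHOOD, IMPACT_LEVEL}),
    "exert":      ("impede",   {IMPACT_LIKELIHOOD}),
    "shorten":    ("limit",    {IMPACT_LEVEL}),
    "detect":     ("expose",   {IMPACT_LIKELIHOOD, IMPACT_LEVEL}),
    "scrutinize": ("expose",   {IMPACT_LIKELIHOOD}),
    "reveal":     ("expose",   {IMPACT_LIKELIHOOD}),
}


@dataclass
class Decision:
    """A cyber mission assurance decision and the specific effects claimed for it."""
    name: str
    effects: list

    def __post_init__(self):
        # Reject claims that use terms outside the shared vocabulary.
        unknown = [e for e in self.effects if e not in EFFECTS]
        if unknown:
            raise ValueError(f"not in the vocabulary: {unknown}")


def claim(decision):
    """Render a decision as a one-sentence claim in the shared vocabulary."""
    high = sorted({EFFECTS[e][0] for e in decision.effects})
    factors = set().union(*(EFFECTS[e][1] for e in decision.effects))
    return (f"{decision.name} is expected to {', '.join(decision.effects)} "
            f"the adversary ({', '.join(high)}), reducing {', '.join(sorted(factors))}.")


def coverage(decisions):
    """Gap analysis: which high-level effects and risk factors a set of decisions covers."""
    covered = {EFFECTS[e][0] for d in decisions for e in d.effects}
    factors = set().union(*(EFFECTS[e][1] for d in decisions for e in d.effects))
    return {
        "covered": [h for h in HIGH_LEVEL if h in covered],
        "uncovered": [h for h in HIGH_LEVEL if h not in covered],
        "risk_factors": sorted(factors),
    }


@dataclass
class Hypothesis:
    """Testable form: decision D achieves effect E, observable as metric M moving in `direction`."""
    decision: Decision
    effect: str
    metric: str
    direction: str  # "increase" or "decrease"

    def evaluate(self, before, after):
        """Compare mean metric values before/after the decision; report whether the change supports it."""
        if self.effect not in self.decision.effects:
            raise ValueError(f"{self.effect!r} is not claimed for {self.decision.name}")
        if self.direction not in ("increase", "decrease"):
            raise ValueError("direction must be 'increase' or 'decrease'")
        delta = mean(after) - mean(before)
        supported = delta > 0 if self.direction == "increase" else delta < 0
        return {"metric": self.metric, "before": mean(before), "after": mean(after), "supported": supported}


if __name__ == "__main__":
    # Constructed sample: two decisions drawn from the examples above, and
    # hypothetical red-team timings (hours from initial access to objective).
    seg = Decision("network segmentation", ["contain", "delay"])
    ids = Decision("intrusion detection", ["detect", "shorten"])
    print(claim(seg))
    print(coverage([seg, ids]))
    h = Hypothesis(seg, "delay", "hours from initial access to objective", "increase")
    print(h.evaluate(before=[4.0, 5.5, 3.5], after=[9.0, 11.0, 8.5]))
```

The point of the `Hypothesis` shape is that a claim made in the vocabulary ("segmentation delays the adversary") is only evidence-based once it names the indicator that would change and the direction it should move; the `coverage` report is the gap analysis a red-team debrief can be organised around, showing which of the five high-level effects no current decision even claims.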

D. Benefits of using this vocabulary for clear, comparable, and evidence-based claims and hypotheses

The benefits of using a standardized vocabulary for stating claims and hypotheses about the effects of cyber mission assurance decisions on adversary behavior are numerous. By adopting a common vocabulary, claims and hypotheses can be stated clearly and comparably across different real-world or assumed environments. This helps to promote effective communication and understanding among various stakeholders, such as cybersecurity analysts, decision-makers, and researchers.

Furthermore, this standardized vocabulary allows for more evidence-based claims and hypotheses to be developed. The specific classes of effects can be used to define measurable and observable indicators of effectiveness. This, in turn, can lead to more rigorous testing and evaluation of cybersecurity measures, which can improve overall cyber resiliency and defensibility.

The vocabulary also enables comparisons of the effectiveness of different cyber mission assurance decisions, such as defender actions, architectural decisions, and technology choices. This helps decision-makers to prioritize their cybersecurity investments based on the expected impact on adversary behavior.

Additionally, the vocabulary is applicable to various modeling and analysis techniques, such as Red Team analysis, game-theoretic modeling, attack tree and attack graph modeling, and cyber attack lifecycle analysis. The vocabulary allows for a consistent framework for analysis, which can help to identify potential weaknesses in the cyber defense strategy and inform the development of new cybersecurity measures.

Overall, the benefits of using a standardized vocabulary for stating claims and hypotheses about the effects of cyber mission assurance decisions on adversary behavior are improved communication and understanding, evidence-based decision-making, and more effective cybersecurity strategies.

IV. Applications of the Vocabulary in Modeling and Analysis Techniques

A. Overview of various modeling and analysis techniques that can use this vocabulary

The vocabulary for stating claims and hypotheses about the effects of cyber mission assurance decisions on cyber adversary behavior can be used in a variety of modeling and analysis techniques. These techniques enable analysts to simulate and study the behavior of both defenders and adversaries under different scenarios and conditions. By applying the vocabulary to these techniques, analysts can make more informed decisions and develop evidence-based recommendations for improving cyber security, resiliency, and defensibility.

Red Team Analysis: Red team analysis is a methodology used to simulate and evaluate the effectiveness of defensive measures against simulated adversary attacks. The red team acts as the adversary, attempting to breach the organization's security defenses and identify vulnerabilities. The vocabulary can be used to assess the effectiveness of the defensive measures employed by the organization against these simulated attacks. For example, the vocabulary can be used to identify gaps in the organization's defensive posture and recommend specific measures to improve its resiliency to cyber attacks.

Game-theoretic modeling: Game theory is a mathematical framework used to study strategic interactions between multiple agents. In the context of cyber security, game-theoretic models can be used to study the interactions between defenders and adversaries. The vocabulary can be used to define the objectives of the defenders and adversaries, and to analyze how different decisions and actions by each side affect the other. For example, the vocabulary can be used to study how different cyber mission assurance decisions affect the adversary's behavior and how the adversary might respond.

Attack Tree and Attack Graph Modeling: Attack trees and attack graphs are modeling techniques used to identify and prioritize potential attack paths and mitigation strategies. The vocabulary can be used to define the goals and objectives of the attacker, and to identify the specific classes of effects that the defender can use to impede or prevent these attacks. For example, the vocabulary can be used to prioritize the different mitigation strategies that the defender can use to reduce the likelihood or impact of an attack.

Cyber Attack Lifecycle Analysis: Cyber attack lifecycle analysis, also known as cyber kill chain analysis or cyber campaign analysis, is a framework used to map the activities of an adversary during an attack. The vocabulary can be used to identify opportunities for disruption or detection at each stage of the attack lifecycle, and to define the specific classes of effects that the defender can use to limit or impede the adversary's progress. For example, the vocabulary can be used to identify the specific measures that the defender can use to detect and prevent the adversary from moving from one stage of the attack lifecycle to another.
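To make the attack-graph and attack-lifecycle uses concrete, here is an added example (not from the paper or NIST SP 800-160) in Python: a small attack graph whose stages follow a simplified attack lifecycle, candidate mitigations each tagged with one of the specific effect classes contain, degrade, delay and detect, and a ranking of those mitigations by how much each lowers the probability of the adversary's best path to the objective. The graph, its probabilities and durations, the defender's response window and the mitigations are all constructed values, and the mapping from each effect class to a graph transformation is a modelling assumption of this example, not something the paper prescribes.

```python
"""Attack-graph mitigation ranking using resiliency effect classes.

Added example, not from the paper or NIST SP 800-160: all stages,
probabilities, durations and mitigations are constructed values, and the
way each effect class transforms the graph is a modelling assumption.
"""
from copy import deepcopy
from dataclasses import dataclass

# Attack graph: stage -> list of (next_stage, p_success, hours_needed).
# Stages follow a simplified attack lifecycle (initial access -> lateral
# movement -> objective); constructed values.
GRAPH = {
    "initial_access":    [("workstation", 0.6, 2.0)],
    "workstation":       [("file_server", 0.7, 6.0), ("domain_controller", 0.2, 12.0)],
    "file_server":       [("domain_controller", 0.8, 8.0), ("exfiltrate", 0.5, 4.0)],
    "domain_controller": [("exfiltrate", 0.9, 2.0)],
    "exfiltrate":        [],
}


@dataclass
class Mitigation:
    """A defender decision tagged with one specific effect class and the edge it acts on."""
    name: str
    effect: str    # "contain", "degrade", "delay" or "detect"
    edge: tuple    # (from_stage, to_stage)
    value: float   # degrade: success factor; delay: hours added; detect: p(detected)


# Constructed candidate mitigations, each stated in the vocabulary.
MITIGATIONS = [
    Mitigation("segment workstations from file servers", "contain", ("workstation", "file_server"), 0.0),
    Mitigation("tiered admin accounts slow escalation", "delay", ("file_server", "domain_controller"), 8.0),
    Mitigation("EDR alerting on file-server logons", "detect", ("file_server", "domain_controller"), 0.3),
    Mitigation("egress filtering on domain controllers", "degrade", ("domain_controller", "exfiltrate"), 0.8),
]


def apply(graph, m):
    """Return a copy of the graph with the mitigation's effect applied to its edge."""
    g = deepcopy(graph)
    src, dst = m.edge
    kept = []
    for nxt, p, hours in g[src]:
        if nxt != dst:
            kept.append((nxt, p, hours))
        elif m.effect == "contain":      # the lateral move is no longer possible
            continue
        elif m.effect == "degrade":      # the step succeeds less often
            kept.append((nxt, p * m.value, hours))
        elif m.effect == "delay":        # the step takes longer
            kept.append((nxt, p, hours + m.value))
        elif m.effect == "detect":       # the adversary proceeds only if not detected
            kept.append((nxt, p * (1.0 - m.value), hours))
        else:
            raise ValueError(f"effect class not modelled here: {m.effect}")
    g[src] = kept
    return g


def best_path(graph, start, goal, window):
    """Highest-probability simple path from start to goal that completes within
    `window` hours; longer paths are assumed interrupted by the defender's response."""
    best = (0.0, [])

    def walk(node, p, hours, path):
        nonlocal best
        if hours > window:
            return
        if node == goal:
            if p > best[0]:
                best = (p, path)
            return
        for nxt, ep, eh in graph[node]:
            if nxt not in path:                      # simple paths only
                walk(nxt, p * ep, hours + eh, path + [nxt])

    walk(start, 1.0, 0.0, [start])
    return best


def prioritize(graph, mitigations, start, goal, window):
    """Rank mitigations by how much each one, applied alone, lowers the
    probability of the adversary's best path.  Returns (baseline, ranked list)."""
    base, _ = best_path(graph, start, goal, window)
    ranked = []
    for m in mitigations:
        p, _ = best_path(apply(graph, m), start, goal, window)
        ranked.append((m.name, m.effect, round(base - p, 4)))
    return base, sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    base, ranked = prioritize(GRAPH, MITIGATIONS, "initial_access", "exfiltrate", 24.0)
    print(f"baseline p(objective) = {base:.4f}")
    for name, effect, drop in ranked:
        print(f"{drop:.4f}  {effect:8s}  {name}")
```

Each effect class becomes a different change to the graph: contain removes an edge, degrade scales an edge's success probability, detect scales it by the probability the adversary is not caught, and delay adds hours that are judged against the defender's response window, so a path that can no longer finish inside the window drops out. Ranking by the fall in best-path probability is what "prioritize mitigation strategies by reduced likelihood of attack" means here; the same structure extends to level of impact by weighting objective nodes.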

By using the vocabulary in these modeling and analysis techniques, analysts can develop more comprehensive and evidence-based recommendations for improving cyber security, resiliency, and defensibility. The vocabulary enables analysts to clearly and consistently define the objectives and goals of the defender and adversary, and to identify specific classes of effects that can be used to achieve those goals. This, in turn, enables more accurate assessments of the effectiveness of cyber mission assurance decisions and the development of more effective defensive measures.

V. Implications and Benefits of the Vocabulary

A. The vocabulary’s potential to improve the evaluation and implementation of cyber mission assurance decisions

The standardized vocabulary presented in this paper has significant implications and benefits for the evaluation and implementation of cyber mission assurance decisions. By using a consistent vocabulary to describe the effects of cyber security measures, it becomes easier to compare and evaluate the effectiveness of different approaches, and to make evidence-based decisions about which measures to implement.

The vocabulary can help organizations and cybersecurity professionals to better understand the potential impact of their decisions on adversary behavior, and to develop more effective strategies for protecting their networks and systems. It can also aid in the development of metrics and methods for evaluating the effectiveness of cyber security measures, and in the communication of these measures to stakeholders and decision makers.

Furthermore, the vocabulary can help to identify gaps in current cyber security practices and highlight areas where additional research and development are needed. This can lead to the creation of new tools and techniques for enhancing cyber security, and to the refinement of existing approaches.

Overall, the use of a standardized vocabulary for evaluating the impact of cyber mission assurance decisions on adversary behavior has the potential to greatly improve the effectiveness of cyber security efforts, and to enhance the resilience and defensibility of networks and systems against adversarial threats.

B. The vocabulary’s potential to enable clearer and more evidence-based claims and hypotheses

The standardized vocabulary presented in this paper has the potential to enable clearer and more evidence-based claims and hypotheses related to the impact of cyber mission assurance decisions on adversary behavior. By providing a common language and framework for discussing the effects of various defensive measures, the vocabulary can facilitate more precise and rigorous evaluation of cyber security strategies.

Clear and precise claims and hypotheses are essential for effective decision-making in any field. In the context of cyber security, these claims and hypotheses are critical for identifying and evaluating the effectiveness of defensive measures against adversarial attacks. However, without a standardized vocabulary, it can be challenging to make precise claims about the effects of various defensive measures. This can lead to ambiguous or imprecise claims that are difficult to compare across different contexts.

The use of a standardized vocabulary can help to address these challenges by providing a common language and framework for discussing the effects of various defensive measures. This can facilitate more precise and rigorous evaluation of cyber security strategies, enabling defenders to better understand the potential impact of different defensive measures and to make more informed decisions about how to allocate resources.

In addition, the vocabulary can help to ensure that claims and hypotheses are evidence-based, rather than based on intuition or subjective impressions. By defining specific classes of effects and providing examples of how these effects can be achieved, the vocabulary provides a clear basis for evaluating the effectiveness of various defensive measures. This can help to ensure that claims and hypotheses are grounded in empirical evidence, rather than speculation.

Overall, the standardized vocabulary presented in this paper has the potential to enable clearer and more evidence-based claims and hypotheses related to the impact of cyber mission assurance decisions on adversary behavior. By providing a common language and framework for discussing the effects of various defensive measures, the vocabulary can facilitate more precise and rigorous evaluation of cyber security strategies, enabling defenders to better understand the potential impact of different defensive measures and to make more informed decisions about how to allocate resources.

C. The vocabulary’s potential to facilitate cross-disciplinary communication and understanding

The Resiliency Effects vocabulary has the potential to facilitate cross-disciplinary communication and understanding in the field of cybersecurity. The use of standardized terminology provides a common language for stakeholders from different backgrounds, including technical and non-technical professionals, to communicate about cyber risks and defenses.

This vocabulary can help bridge the gap between technical experts and decision-makers who may have different levels of understanding of cybersecurity. With a shared vocabulary, technical experts can more easily communicate the risks and benefits of different security measures to decision-makers who may not have technical expertise. Decision-makers can then make informed decisions based on a common understanding of the potential impacts of various security measures.

Furthermore, the vocabulary can facilitate communication between different departments within an organization, such as IT and legal or compliance. Each department may have different priorities and concerns when it comes to cybersecurity, but the use of a standardized vocabulary can help them understand each other's perspectives and work together to create a comprehensive security strategy.

The vocabulary can also promote communication between different organizations in the same industry or sector. For example, a vocabulary that is widely adopted across the financial sector can facilitate collaboration and information sharing between banks, regulators, and other stakeholders. This can lead to a more coordinated and effective approach to addressing cyber threats in the industry as a whole.

Overall, the use of a standardized vocabulary can improve communication and collaboration among various stakeholders in the cybersecurity field, leading to more effective decision-making and a stronger defense against cyber threats.

D. The vocabulary’s potential to inform future research and development efforts in cybersecurity

The standardized vocabulary for evaluating the impact of cyber mission assurance decisions on adversary behavior has the potential to inform future research and development efforts in cybersecurity. By providing a clear and comprehensive framework for describing and analyzing the effects of defensive measures, the vocabulary can guide the development of new technologies, architectures, and strategies that are more effective in countering cyber threats.

For example, the vocabulary can be used to identify gaps in current defensive capabilities and prioritize areas for improvement. Researchers and developers can use the vocabulary to evaluate the effectiveness of existing technologies and techniques, and to design new ones that better address the specific classes of effects identified in the vocabulary.

Furthermore, the vocabulary can help to identify new research questions and areas of inquiry. As the cybersecurity landscape continues to evolve and new threats emerge, it is important to continually reassess the effectiveness of defensive measures and explore new approaches for mitigating risk. The standardized vocabulary provides a common language for researchers, practitioners, and policymakers to communicate and collaborate on these issues, fostering a more coordinated and informed approach to cybersecurity research and development.

VI. Limitations and Challenges of the Vocabulary

A. Potential limitations of the vocabulary and its applications:

Despite the benefits of the standardized vocabulary presented in this paper, there are some limitations that must be acknowledged. One limitation is that the vocabulary is only as effective as the understanding of the adversary's behavior and motivations. If the adversary's behavior and motivations are not well understood, the vocabulary may not be as useful in developing effective cyber mission assurance decisions.

Another limitation is that the vocabulary may be too broad and not specific enough to be useful in certain contexts. For example, in highly specialized environments, the vocabulary may not be granular enough to capture the nuances of specific attacks and mitigation strategies. In such cases, domain-specific terminology may be more useful.

Finally, there may be a learning curve associated with the adoption of the vocabulary. It may take time and effort for cybersecurity professionals to become familiar with the terminology and understand how to use it effectively.

B. Potential challenges in the adoption and implementation of the vocabulary:

The adoption and implementation of a standardized vocabulary may face several challenges. One challenge is the resistance to change. Cybersecurity professionals may be used to using their own terminology and may be reluctant to adopt a new vocabulary. Additionally, the implementation of a new vocabulary may require changes to existing policies, procedures, and training materials.

Another challenge is the need for widespread adoption to achieve the benefits of standardization. If only a few organizations adopt the vocabulary, it may not be as effective in facilitating communication and understanding across different organizations and disciplines.

Finally, there may be challenges in ensuring that the vocabulary remains up-to-date and relevant. As the cybersecurity landscape evolves, new attack vectors and mitigation strategies will emerge, and the vocabulary will need to be updated to remain effective. Maintaining a standardized vocabulary will require ongoing effort and resources. Thankfully, NIST continues to evolve and update 800-160 vol 2 and the resiliency effects vocabulary. 

VII. Case Study Examples

A. Examples of how the vocabulary can be applied in real-world scenarios

The vocabulary for stating claims and hypotheses based on the resiliency effects can be applied to various real-world scenarios in cybersecurity. Two examples of these applications are provided below:

Effects of mitigation actions for MITRE ATT&CK TTPs

MITRE ATT&CK is a widely used framework for describing the tactics, techniques, and procedures (TTPs) used by attackers in cyber operations. The framework provides a comprehensive list of adversarial TTPs, which can be used to assess the effectiveness of cyber defenses. Using the resiliency effects vocabulary, an organization can identify the TTPs that are most critical to their operations and use the vocabulary to assess the effectiveness of their defenses against those TTPs.

For example, an organization may use the resiliency effects vocabulary to evaluate the effectiveness of their current defenses against the MITRE ATT&CK TTP "Spearphishing Attachment". The organization may determine that their current defenses are only effective in impeding the attack, but not in precluding or redirecting it. They can then use this information to implement additional defenses to address the identified gaps.

Cyber Kill Chain Course of Action Matrix that used Information Operations Effects instead of Resiliency Effects

The Cyber Kill Chain (CKC) is a framework that describes the different stages of a cyber attack, from initial reconnaissance to final exfiltration of data. A Course of Action (COA) matrix is a tool used to evaluate the effectiveness of different security controls in disrupting an attacker's progress through the CKC. When Lockheed Martin released the Cyber Kill Chain paper, it included a Course of Action matrix that used effects from Information Operations (Detect, Deny, Disrupt, Degrade, Deceive, and Destroy). There was no resiliency effects vocabulary for cybersecurity when Lockheed Martin published the Cyber Kill Chain paper a decade ago, but the intended use of the two effects vocabularies is the same.

By using the resiliency effects vocabulary, an organization can enhance the COA matrix by identifying the specific effects that different security controls can achieve at different stages of the CKC. For example, a security control that can detect and delay an attacker's progress can be classified as achieving both the detect and delay effects, and can be applied to multiple stages of the CKC.

B. Case study 1: Using the vocabulary to evaluate the effectiveness of a new cybersecurity technology in mitigating risks

In this case study, a company has developed a new cybersecurity technology that is intended to mitigate the risk of cyber attacks. To evaluate the effectiveness of this technology, the resiliency effects vocabulary can be used to define clear and comparable claims and hypotheses. 

For example, the company may claim that the new technology is effective in precluding attackers from exploiting vulnerabilities in their systems. To test this claim, the company can use the resiliency effects vocabulary to define specific measures of effectiveness, such as the percentage reduction in successful exploitation attempts, and conduct testing to collect evidence to support the claim. 

Another example is MITRE ATT&CK Evaluations. The cybersecurity technology evaluation process by the MITRE Center for Threat Informed Defense could benefit from including a standardized resiliency effects vocabulary to set the example. The resiliency effects vocabulary used by NIST 800-160 vol 2 grew out of a MITRE research effort from about a decade ago.

C. Case study 2: Using the vocabulary to analyze the impact of a specific architectural decision on the adversary's ability to launch successful attacks

In this case study, an organization is considering a specific architectural decision, such as segmenting their network or implementing a new access control system, to improve their cyber defenses. The resiliency effects vocabulary can be used to evaluate the impact of this decision on the adversary's ability to launch successful attacks.

For example, the organization may claim that the new access control system is effective in limiting the attacker's ability to move laterally within their network. Using the resiliency effects vocabulary, the organization can define specific measures of effectiveness, such as the percentage reduction in successful lateral movement attempts, and conduct testing to collect evidence to support the claim. Additionally, the organization can use the resiliency effects vocabulary to evaluate the impact of the architectural decision on other resiliency effects, such as a potential increase in the detect and reveal effects.
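The COA matrix enhancement described in Section VII.A and the claim-testing approach of the two case studies can be made concrete in a small data structure. The following is an added example, not code from the paper or from NIST or Lockheed Martin: it keys a Course of Action matrix by the five high-level resiliency effects, rolls the specific classes the text names (detect, reveal, delay) up to their high-level effect as NIST 800-160 vol 2 does, finds stages with no control claiming a given effect, and evaluates a stated claim against a percentage-reduction measure of effectiveness. The control names and their claimed effects are constructed sample data, not an assessment of any real product.

```python
"""Course-of-Action matrix keyed by NIST 800-160 vol 2 resiliency effects.

Added example: the controls below are constructed sample data.
"""
from collections import defaultdict

# Lockheed Martin Cyber Kill Chain stages, in attack order.
CKC_STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# The five high-level effects on the adversary from NIST 800-160 vol 2 rev 1.
HIGH_LEVEL_EFFECTS = ["redirect", "preclude", "impede", "limit", "expose"]

# Specific classes named in the text, rolled up to their high-level effect:
# detect and reveal fall under expose, delay falls under impede.
CLASS_TO_HIGH_LEVEL = {"detect": "expose", "reveal": "expose", "delay": "impede"}

# Constructed sample controls: (control name, CKC stage, claimed effects).
SAMPLE_CONTROLS = [
    ("Email attachment sandbox", "Delivery", ["detect", "delay"]),
    ("Network segmentation", "Command and Control", ["limit"]),
    ("Network segmentation", "Actions on Objectives", ["limit", "delay"]),
    ("Application allowlisting", "Installation", ["preclude"]),
    ("Honeytoken credentials", "Actions on Objectives", ["redirect", "reveal"]),
]


def normalize_effect(effect):
    """Map a specific class or high-level effect to its high-level effect."""
    high_level = CLASS_TO_HIGH_LEVEL.get(effect.lower(), effect.lower())
    if high_level not in HIGH_LEVEL_EFFECTS:
        raise ValueError(f"unknown resiliency effect: {effect}")
    return high_level


def build_coa_matrix(controls):
    """Return {stage: {high_level_effect: set(control names)}}.

    A control that appears at several stages is recorded at each of them,
    which is how a single control covers multiple stages of the CKC.
    """
    matrix = {stage: defaultdict(set) for stage in CKC_STAGES}
    for name, stage, effects in controls:
        if stage not in matrix:
            raise ValueError(f"unknown CKC stage: {stage}")
        for effect in effects:
            matrix[stage][normalize_effect(effect)].add(name)
    return matrix


def coverage_gaps(matrix, effect):
    """CKC stages at which no control claims the given effect (gap analysis)."""
    effect = normalize_effect(effect)
    return [stage for stage in CKC_STAGES if not matrix[stage].get(effect)]


def stages_covered_by(matrix, control_name):
    """Stages at which a named control claims at least one effect."""
    return [
        stage for stage in CKC_STAGES
        if any(control_name in names for names in matrix[stage].values())
    ]


def percent_reduction(baseline, observed):
    """Measure of effectiveness: percentage reduction in successful attempts."""
    if baseline <= 0:
        raise ValueError("baseline must be a positive count")
    return (baseline - observed) / baseline * 100.0


def evaluate_claim(control, effect, baseline, observed, threshold_pct):
    """State a claim in the vocabulary and test it against collected evidence.

    Returns a dict holding the claim text, the measured reduction, and
    whether the evidence meets the threshold chosen before testing.
    """
    effect = normalize_effect(effect)
    reduction = percent_reduction(baseline, observed)
    return {
        "claim": f"{control} achieves the '{effect}' effect on the adversary",
        "measure": "percentage reduction in successful attempts",
        "reduction_pct": reduction,
        "supported": reduction >= threshold_pct,
    }


if __name__ == "__main__":
    coa = build_coa_matrix(SAMPLE_CONTROLS)
    for eff in HIGH_LEVEL_EFFECTS:
        print(f"{eff:9s} gaps: {coverage_gaps(coa, eff)}")
    print(evaluate_claim("Network segmentation", "limit", 40, 10, 50.0))
```

The gap listing is the practical output: a stage with no control claiming, say, the expose effect is exactly the kind of gap the paper's vocabulary is meant to surface, and the threshold in `evaluate_claim` is fixed before testing so the claim is judged on evidence rather than on a post hoc reading of the numbers.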

VIII. Conclusion

A. Summary of the key points and contributions of the paper:

In this paper, a standardized vocabulary from NIST 800-160 Vol 2 Rev 1 has been proposed for evaluating the impact of cyber mission assurance decisions on adversary behavior. The vocabulary consists of five high-level effects on the adversary: redirect, preclude, impede, limit, and expose. More specific classes of effects have also been defined to facilitate the definition of specific measures of effectiveness. The benefits of using this vocabulary include clear, comparable, and evidence-based claims and hypotheses. The vocabulary can also facilitate cross-disciplinary communication and understanding and inform future research and development efforts in cybersecurity.

B. Implications of the vocabulary for improving cyber security, resiliency, and defensibility in various contexts:

The proposed vocabulary can be used to improve cyber security, resiliency, and defensibility in various contexts. It can be applied to evaluate the effectiveness of defensive measures against simulated adversary attacks, analyze the strategic interactions between defenders and adversaries, identify and prioritize potential attack paths and mitigation strategies, and map adversary activities and identify opportunities for disruption or detection. By using the vocabulary, defenders can better articulate their goals and objectives and evaluate the effectiveness of their defensive measures against adversarial threats.

C. Recommendations for using and refining the vocabulary in future research and practice:

To maximize the effectiveness of the proposed vocabulary, it is recommended that it be integrated into existing modeling and analysis techniques. The vocabulary can also be refined by further clarifying the relationships between the high-level effects and specific classes of effects and identifying additional classes of effects. In addition, efforts should be made to promote the adoption and implementation of the vocabulary by cybersecurity practitioners and researchers. Practitioners should collaborate with NIST on the next revision of 800-160 Vol 2 Rev 1 by providing feedback on the resiliency effects included under adversary-oriented analysis.
