OASIS Open Command and Control (OpenC2) TC


OpenC2 & Effects-Based Courses of Action

  • 1.  OpenC2 & Effects-Based Courses of Action

    Posted 07-18-2019 13:12
OpenC2 Community,

OpenC2 is a language used to express a command (an action, the associated target and optional actuator/options). When we select commands that lead to an action, we need to understand what the desired and expected effect(s) will be on the adversary by taking this action. If we know the intended effect or effects then we have something to measure. We can look for evidence to see if we achieved the desired effect or effects from taking the action that the command was issued for.

I provided an overview of the Effects-based vocabulary from NIST 800-160 vol 2 app I in my Talking Science of Security (SoS) video #3.
Video - https://www.youtube.com/watch?v=qcAgVtr6rbI
Slides - https://www.slideshare.net/shawnriley2/talking-sos-with-shawn-riley-cyber-resiliency-effects-on-adversary-activities

These defender’s resiliency effects should be looked at in relationship to the adversary’s cyber attack lifecycle stages, objectives (tactics) during each stage, and actions (techniques) to achieve the objectives. We call this the Cyber Effects Matrix (attached graphic), and it is a modern update to the Lockheed Martin Course of Action matrix from their 2010 Intelligence-Driven Defense white paper that introduced the kill chain. For the last decade, defenders using kill chain-like approaches have been mapping courses of action manually to understand what effect or effects they can have on the adversary as they move through the cyber attack lifecycle. They think beyond the single effect of ‘detect’ to what other effects courses of action can have to protect, respond, and recover, so they build resiliency to the adversary groups and their TTPs.

During a cyber attack, just as we need to understand what effect or effects the adversary’s behavior is having on the defender’s enterprise/business to assess impact and damage, we need to understand what effect or effects the defender’s actions will have on the adversary’s behavior as the adversary moves through the cyber attack lifecycle. I believe that mapping OpenC2 commands to a standardized set of effects, like those in NIST 800-160 vol 2 app I, is key to understanding the effect or effects of the actions taken by the defender using OpenC2.

Best regards,
Shawn

Shawn Riley
Chief Visionary Officer & Technical Advisor to the CEO
DarkLight, Inc.
Mobile: (314) 695-2602
Email: shawn@darklight.ai
www.darklight.ai

Attachment: CEM_Blank.PNG
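As an added example (not code from the original post, nor from the OpenC2 TC), the following Python sketch pairs an OpenC2 command's action/target with the NIST SP 800-160 Vol. 2 effects it is expected to produce and then looks for evidence of the effect in post-command flow records. The action-to-effect mapping, the command and the flow records are constructed assumptions for illustration, not normative OpenC2 or NIST content.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumed mapping from OpenC2 actions to NIST SP 800-160 Vol. 2 effect classes
# (Redirect, Preclude, Impede, Limit, Expose). Illustrative, not normative.
EXPECTED_EFFECTS = {
    "deny": {"preclude"},            # traffic to the target never completes
    "contain": {"impede", "limit"},  # host isolated; lateral movement curtailed
    "redirect": {"redirect"},        # traffic diverted, e.g. to a sinkhole
    "investigate": {"expose"},       # adversary activity brought to light
}

@dataclass
class OpenC2Command:
    """Minimal OpenC2 command: action, target, optional actuator and args."""
    action: str
    target: dict
    actuator: Optional[dict] = None
    args: dict = field(default_factory=dict)

def expected_effects(cmd: OpenC2Command) -> set:
    """Effects the defender intends when issuing this command (assumed table)."""
    return set(EXPECTED_EFFECTS.get(cmd.action, ()))

def measure_effects(cmd: OpenC2Command, observations: list, issued_at: int) -> dict:
    """Check telemetry recorded after the command for evidence of each effect.

    Only 'deny' on an ipv4_net is evaluated here: 'preclude' counts as achieved
    when no connection to that network is observed after issuance. Effects this
    sketch cannot measure are reported as None (unmeasured, not failed).
    """
    after = [o for o in observations if o["ts"] > issued_at]
    result = {effect: None for effect in expected_effects(cmd)}
    if cmd.action == "deny" and "ipv4_net" in cmd.target:
        net = ipaddress.ip_network(cmd.target["ipv4_net"])
        leaked = [o for o in after
                  if o["event"] == "connection" and ipaddress.ip_address(o["dst"]) in net]
        result["preclude"] = not leaked
    return result

# Constructed sample: a deny command and flow records before and after it.
DENY_C2 = OpenC2Command(action="deny", target={"ipv4_net": "203.0.113.0/24"},
                        args={"response_requested": "ack"})
FLOWS = [
    {"ts": 100, "event": "connection", "src": "10.0.0.5", "dst": "203.0.113.7"},
    {"ts": 130, "event": "connection", "src": "10.0.0.5", "dst": "198.51.100.9"},
    {"ts": 140, "event": "connection", "src": "10.0.0.8", "dst": "203.0.113.7"},  # leak
]

if __name__ == "__main__":
    print(measure_effects(DENY_C2, FLOWS, issued_at=120))  # {'preclude': False}
```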