A look at Sandia National Labs’ Threat Analysis Model and why it won’t work
Written by Jeffreycarr, Wednesday, 3 February 2010 09:49 (last updated 09:50)
In my earlier post on the need for a new Cyber Intelligence model, I discussed problems with the approach Deloitte recommended in its report “Cyber Crime: a Clear and Present Danger”. Today I’ll take an in-depth look at an integral part of the National SCADA Test Bed (NSTB), Sandia’s Threat Analysis model, and at its reliance on a flawed OSINT methodology.
Sandia National Labs, in an ongoing effort to protect U.S. critical infrastructure from physical and network attacks, has developed a Threat Analysis Framework comprising five elements:
- the identification of an adversary
- the development of generic threat profiles
- the identification of generic attack paths
- the discovery of adversary intent
- the identification of mitigation strategies
Sandia researcher David Duggan and his colleagues, who are responsible for developing this framework, recognized the main limitation of classified threat data (it reaches the asset owners who need it far too slowly, if at all) and chose to develop an unclassified threat analysis framework instead. Duggan’s report “Threat Analysis Framework” is approved for public release and should be read if you want a full understanding of this model.
For the purpose of this post, however, I’m focusing on only one question, and it is the hard one for everyone in the threat assessment business: is an attack currently being formulated by a threat seeking to exploit a specific vulnerability?
Duggan’s approach to answering this question involves breaking it into two separate questions:
- Are any threats discussing aspects of exploiting a specific vulnerability?
- Could the threat find enough information about a vulnerability to develop an attack?
He recommends searching web forum data sets, such as the Dark Web project run by the University of Arizona Artificial Intelligence Lab, Intelligence Community reporting, and other open source data in order to answer both questions.
The following scenario describes Sandia’s approach. Screen captures come from the Threat Analysis workshop presentation (June 24, 2008).
Figure 1: Discover adversary intent from open and closed sources
Figure 2: Are SCADA vulnerabilities discoverable online?
Figure 3: Note that this approach relies on Search capabilities
Figure 4: The 6 steps by which discovery is made
Figure 5: The Results
The results show that the second question, “Could the threat find enough information about a vulnerability to develop an attack?”, can be answered with a “yes”. In fact, it’s distressingly easy to find detailed SCADA vulnerability information online. For the first question, however, Sandia’s Threat Analysis model found no chatter about exploiting the vulnerability in the public online sources it searched.
The Sandia Threat Analysis Model suffers from the same problem that Deloitte’s model does: it looks for threat data in the wrong places, namely open forums. Bad actors with the skills to understand a SCADA software vulnerability, devise a plan of attack to exploit it, and execute on that plan are not careless enough to plan it on a publicly accessible forum. It’ll be done in IRC channels or in private, better-secured online venues. A search that turns up nothing in open forums therefore only tells you that the planning isn’t public; it cannot be read as evidence that no attack is being formulated. Collecting from those private venues requires different sources and methods than the ones in use even as late as last year.
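To make the two-part test concrete, here is an added example of my own (not Sandia’s code, and not part of the NSTB tooling) that runs Duggan’s first question, “Are any threats discussing aspects of exploiting a specific vulnerability?”, over a constructed set of posts. The indicator vocabularies, the post texts, the “ACME HMI” product name and the source labels are all hypothetical; the point is the contrast between scanning only public forums and scanning everything collected, which is the gap described above.

```python
"""Keyword-based 'chatter' search in the style of Duggan's first question.

Added illustration, not Sandia's or GreyLogic's code. All vocabularies and
posts below are constructed for the example.
"""
import re
from typing import Dict, Iterable, List, Optional

# Hypothetical indicator vocabularies. A real analyst would maintain these
# per target system and per generic threat profile.
INDICATORS: Dict[str, List[str]] = {
    # Names of the systems the threat would have to mention.
    "target": [r"\bscada\b", r"\bhmi\b", r"\bplc\b", r"\bmodbus\b", r"\bdnp3\b", r"\brtu\b"],
    # Discussion of how a vulnerability could be exploited.
    "exploit": [r"\bexploit\b", r"\boverflow\b", r"\bdefault password",
                r"\bwrit\w* coils?\b", r"\bport 502\b"],
    # Language suggesting an operation is planned, not just understood.
    "intent": [r"\btesting against\b", r"\bthe plant\b", r"\btake (?:it |them )?down\b",
               r"\bgo live\b"],
}

# Constructed sample corpus (not real forum or IRC data). Only post 4 carries
# attack planning, and it lives outside the public forums.
SAMPLE_POSTS = [
    {"id": 1, "source": "public_forum",
     "text": "Anyone have the default password list for the ACME HMI? Trying to get into our test rig."},
    {"id": 2, "source": "public_forum",
     "text": "Modbus has no authentication, so writing coils on a PLC from the network "
             "is trivial if you can reach port 502."},
    {"id": 3, "source": "public_forum",
     "text": "Selling two used network switches, cheap, pickup only."},
    {"id": 4, "source": "irc_log",
     "text": "exploit against the hmi is working, testing against the plant tomorrow night"},
]


def classify_post(text: str) -> Dict[str, List[str]]:
    """Return, per indicator category, the patterns that matched in `text`."""
    lowered = text.lower()
    return {cat: [p for p in pats if re.search(p, lowered)]
            for cat, pats in INDICATORS.items()}


def is_chatter(hits: Dict[str, List[str]]) -> bool:
    """A post 'discusses exploitation' when it names a target system and also
    an exploitation technique or an operational intent."""
    return bool(hits["target"]) and bool(hits["exploit"] or hits["intent"])


def scan(posts: Iterable[dict], sources: Optional[set] = None) -> List[dict]:
    """Run the chatter test over `posts`, optionally restricted to `sources`.

    Each result records whether intent language was present, which is the
    difference between 'someone understands the weakness' and 'someone is
    planning to use it'.
    """
    results = []
    for post in posts:
        if sources is not None and post["source"] not in sources:
            continue
        hits = classify_post(post["text"])
        if is_chatter(hits):
            results.append({"id": post["id"], "source": post["source"],
                            "hits": hits, "intent": bool(hits["intent"])})
    return results


if __name__ == "__main__":
    # Public forums only: capability discussion shows up, attack planning does not.
    for r in scan(SAMPLE_POSTS, sources={"public_forum"}):
        print("public  ", r["id"], "intent" if r["intent"] else "no intent")
    # Everything collected, including the private venue.
    for r in scan(SAMPLE_POSTS):
        print("all     ", r["id"], "intent" if r["intent"] else "no intent")
```

Run against only the public forum posts, the scan flags posts 1 and 2, which talk about weak authentication and unauthenticated Modbus writes but carry no sign that anyone is preparing an operation. Only when the private IRC collection is included does post 4, the one with actual attack planning, appear. That is exactly the negative result the Sandia workshop reported for its first question, and it shows why the answer “no chatter found in public sources” must not be read as “no attack being formulated”.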
In yesterday’s post, I outlined a new approach to developing cyber threat intelligence. With today’s post on Sandia’s Threat Analysis for the NSTB, I hope to show how critical it is that organizations responsible for protecting our most vital assets begin re-evaluating how emerging threats can be detected. My recommendation, obviously, is the adoption of a more aggressive, active intelligence gathering process.
Ask your security vendor what they’re doing about detecting emerging threats. If you’re not satisfied with the answer, ask them to contact GreyLogic. Sandia’s excellent research in this area aptly shows how complex the problem is. No one company has all of the resources needed to provide a complete threat picture. A joint effort is needed, and my company is happy to collaborate with any security vendor currently operating in this space.
While the labs seem to be doing their best with the internal constraints they have (stifling old politics and bureaucracy), I think this is an intelligent assessment of Sandia’s Threat Analysis Framework, and accurately echoes the underlying changes that are needed on an even larger level than just one lab.