Cyber Threat Framework

Building Blocks of Cyber Intelligence

The Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries.

The Cyber Threat Framework is applicable to anyone who works on cyber-related activities; its principal benefit is that it provides a common language for describing and communicating information about cyber threat activity.

The framework and its associated lexicon provide a means of consistently describing cyber threat activity in a manner that enables efficient information sharing and cyber threat analysis, and that is useful to senior policy and decision makers and detail-oriented cyber technicians alike.

How It Works

The framework captures the adversary life cycle from PREPARATION of capabilities and targeting to initial ENGAGEMENT with the targets or temporary nonintrusive disruptions by the adversary, to establishing and expanding the PRESENCE on target networks, to the creation of EFFECTS and CONSEQUENCES from theft, manipulation, or disruption.

How to Use

The CTF with an associated lexicon can be used to describe cyber activity in a consistent and repeatable fashion. The framework can:

 

  • Establish a shared ontology and enhance information-sharing. It is far easier to map the translation of multiple models to a common reference than directly to each other.
  • Characterize and categorize threat activity in a straightforward way that can support missions ranging from strategic decision-making to analysis and cybersecurity measures, and users ranging from generalists to technical experts.
  • Support common situational awareness across organizations.

 

Since 2012, the Office of the Director of National Intelligence has worked with interagency partners to build and refine a Common Cyber Threat Framework approach reflecting these key attributes and goals:

 

  • Incorporate a hierarchical/layered perspective that allows tailoring of focus on a level of detail appropriate to the audience while maintaining linkage and traceability to other layers of data
  • Employ structured and documented categories with explicitly defined terms and labels (lexicon)
  • Focus on empirical/sensor-derived "objective" data
  • Accommodate a wide variety of data sources, threat actors and activity
  • Provide a foundation for analysis and decision-making

 

The CTF is not intended to displace or replace an organization's existing model, which should be tailored to its specific mission and requirements; rather, it is intended to:

 

  • Serve as a viable Universal Translator (a cyber-Esperanto or Rosetta Stone) facilitating efficient and possibly automated exchange of data and insight across models once each has been mapped to it and the mappings shared
  • Provide a starting point for organizations that have not yet adopted a threat framework. Built around simple, model-neutral and value-neutral concepts, the CTF can be customized for an organization's needs, and such modifications from the original CTF are readily apparent, facilitating mapping and data exchange.
Development

The idea of creating a cyber threat framework came from observations among the US policy community that cyber was being described by different agencies in a variety of ways that made consistent understanding difficult. There are over a dozen analytic models being used across government, academia, and the private sector. Each model reflects the priorities and interests of its developer, but the wide disparities across models made it difficult to facilitate efficient situational analysis that was based on objective data.

 

The framework will be scalable and facilitate data sharing at “machine speed.” Implementation within the USG will include processes to reduce or eliminate double-counting of threat data.

Relationship Between the CTF and the NIST Framework

While NIST has not promulgated or endorsed a specific threat framework, it advocates the use of a threat framework in addition to a cybersecurity framework to inform risk decisions and to evaluate safeguards and actions taken. NIST notes in its Cybersecurity Framework documentation that such threat frameworks may provide insight into which safeguards are more important at a given point in time and under specific threat circumstances. NIST's FAQ cites the CTF as an exemplar of a threat framework that can standardize or normalize data collected within an organization or shared between organizations by providing a common ontology and lexicon.

Cyber Attribution

The National Intelligence Manager for Cyber is charged with integrating cyber intelligence within the US Government and with looking strategically for ways to improve the quantity, quality, and impact of cyber intelligence. As part of this dialogue within Government, the National Intelligence Manager and the National Intelligence Office for Cyber jointly authored this compendium of analytic best practices and a simple rubric for describing attribution of malicious cyber operations in the face of incomplete or contradictory information.

A Guide to Cyber Attribution - PDF

Key Challenges

 

White Paper on Cyber Threat Intelligence - PDF

Key Challenges Infographic - PDF

 


Resources

Submit Questions or Comments about Cyber Threat Framework

 
 
