INTRODUCTION
Courtesy of csiac.org
A modern organization’s operations depend largely on information technology (IT). Ubiquitous adoption of IT due to technological advancements creates both efficiencies and vulnerabilities in an organization’s operations. Physical threats to IT infrastructure from both human and environmental sources have remained mostly consistent over time. The continuous development of IT systems for exchanging, processing, and storing information introduces many weaknesses. Criminals, activists, nation-stations, and other adversaries are increasingly successful at attacking these systems to accomplish their objectives. Many organizations are adopting Cyber Threat Intelligence (CTI) to address the increase in adversarial cyber threats. Since the primary use of CTI is the sharing of an adversary’s activities, several taxonomies and ontologies exist for maintaining a common lexicon within and between organizations. However, in addition to nefarious humans, sources of IT threats may also be accidental, environmental, political, or economic. Leadership must evaluate risk to IT by assessing the likelihood of threat events from all of these sources and their impact on the organization. Risk management professionals from the information security community have published comprehensive taxonomies for grouping threats events. Each taxonomy presents a hierarchy of discrete threat event groups with succeeding levels providing terms with more detail. Categorization and definitions of terms for threat events support communication with decision makers who must select a course of action to counter a threat. A threat taxonomy can improve communication in two ways. First, language barriers between professionals with different expertise can be broken down into clear definitions for IT threats. As mass media quickly spreads news of IT failures, like cyberattacks or data breaches, a foundation of terms can help decision-makers understand the active threats. Second, an ordered taxonomy structure of the entire IT threat landscape enables analysis and assessment at various granularities. Comparing the risk of high-level threat categories can empower leadership to make the right decisions to protect their organization. COMMUNICATING THREAT Threat Language Language is an intricate cognitive process requiring an agreement of standard definitions for effective communication. While the English language has broadly held standards, there are many deviations that can present communication problems. In particular, slang differences occur at many levels: i National: Americans live in apartments, while Brits live in flats. i Regional: Soda, pop, coke, and soft drink are all terms for a sweetened carbonated beverage. i Local: In Texas, a nag is called a worrit. i Professional: In the health profession, a virus is a microorganism that infects living cells to live and reproduce itself and causes human illness (Definition of Virus, 2018). In the IT profession, a virus is a hidden, self-replicating section of computer software, usually malicious logic, propagating by infection of another program (Glossary of Security Terms, 2018). Adhering to standard definitions for threat terms can improve comprehension of the dialog between echelons in any organization. There is no authoritative source for IT threat terms, but there are several glossaries or lexicons of security terms published by a variety of governing bodies. The United States (U.S.) government alone has many sources including: i Department of Defense (DoD) - Dictionary of Military and Associated Terms, i Department of Homeland Security (DHS) - Risk Lexicon, i National Institute of Standards and Technology (NIST) - Glossary of Key Information Security Terms, i Committee on National Security Systems (CNSS) - Glossary, and i National Initiative for Cybersecurity Careers and Studies (NICCS) - A Glossary of Common Cybersecurity Terminology. Many information security organizations also maintain security term definitions: i SysAdmin, Audit, Network, and Security (SANS) Institute - Glossary of Security Terms, i Information Systems Audit and Control Association (ISACA) - Cybersecurity Fundamentals Glossary, i International Organization for Standardization (ISO) - Search for Terms & Definitions, i Internet Engineering Task Force (IETF) Trust - Request for Comments (RFC) 4949 Internet Security Glossary, i Information Technology Infrastructure Library (ITIL) v3 - Foundation Course Glossary. There is some agreement between definitions, but it is not reasonable for non-technical professionals to learn the abundant terms and nuances of each. A smaller set of organizationalwide IT threat terms are necessary for more business-oriented professionals. A discrete set of IT threat categories with standard definitions can increase communication and support risk reduction. Information security operations provide analysts with a rich vocabulary of cyber threat terms and a structure for appropriately characterizing attacks. CTI and incident response operations describe and analyze an attack in great detail to support threat hunting, sharing, and governance of information security operations. A taxonomy of IT threat terms can provide appropriate categories at various levels of granularity to aid threat analysis, risk assessments, and ultimately decision-making. Capturing and organizing unstructured threat information through CTI and incident response activities requires a standard set of threat terminology. Reports and metrics with a common set of terms can speed comprehension of the threats and incident response times. Business unit management and organizational leadership can more quickly understand the greatest threats to their organization after reviewing threat reports and metrics with standard terminology. Since organizational leadership makes decisions based on risk, threat terms must be able to support risk management. All businesses must balance risk with reward, but severe consequences may result from misunderstanding the risk. An accurate depiction of the threats to information technology is vital for leadership to make appropriate decisions. Organizations in many industries use a variety of risk frameworks that may be threat-, vulnerability-, or asset-based. Regardless of the risk framework type, the quantities of threats should be commensurate with the maturity of the organization’s risk management. Listing every possible hazard in an immature implementation of a risk framework can overwhelm risk analysis and bring the process to a halt. The risk management process should use threat categories appropriate for the maturity of the organization’s risk assessment. Threat Taxonomy for Cyber Threat Intelligence CTI was born from the application of military intelligence doctrine to data analysis of cyberattacks. The DoD describes the intelligence process as a cycle of phases: direction, collection, processing, analysis, dissemination, and feedback ( JP 2-0, 2013). While represented as a cycle, the steps may happen concurrently or may be skipped entirely depending on the situation. The intelligence cycle prescribes the process for collecting threat data and transforming it into threat intelligence. Brian P. Kime’s article, “Intelligence Preparation of the Cyber Operational Environment” relates the DoD intelligence cycle to information security by presenting a collection method for threat data from IT infrastructure (Kime, 2016). Figure 1 shows the transformation of threat data into information, via structure and context, then into intelligence, via analysis, as it flows through the intelligence cycle phases. Structuring data to produce information is precisely where an IT threat taxonomy fits into CTI. A threat taxonomy sits on top of the available standards and ontologies for capturing threat data. There are several CTI standards for modeling, storing and sharing threat data from cyberattack investigations. These standards capture indicators of compromise (IOC) or attacker tactics, techniques, and procedures (TTP). IOC are the easy-to-modify artifacts with the context pertinent to a cyberattack, such as file hashes of malicious program files or domain names of phishing websites. TTP describe the actions, skills, methods, or modus operandi (MO) adversaries use to accomplish their goals. Threat models help relate IOC and TTP to each other for an illustration of the overall attack process and objectives during analysis. Robert M. Lee and Mike Cloppert describe threat modeling, such as Cyber Kill Chain and Diamond models, as an intrusion analysis technique for understanding threats and prioritizing defensive efforts that drive security (Lee, 2016). Organization and collection of the similar actions and techniques of cyberattacks facilitate sharing between industry partners and government bodies. Greg Farnham’s paper on “Tools and Standards for Cyber Threat Intelligence Projects” (Farnham, 2013) presents and defines many CTI standards for an evaluation of a project management process. Those relevant for storing and sharing TTP include Structured Threat Information eXpression (STIX), Open Indicators of Compromise (OpenIOC) framework, and Collective Intelligence Framework (CIF).