High Value Target Methodology

HVTM is a proposal for an add-on to existing methodologies in the field to significantly increase an organization’s cyber resilience posture against advanced adversaries by accounting for the value that these threat actors place on a given asset.

The Trusted Source In Critical Assets Identification For Increased Cyber Resilience

This paper proposes a qualitative and quantitative methodology to significantly increase an organization's cyber resilience posture against common and advanced adversaries by accounting for the value these threat actors place on a given asset.

Topics covered

High Value Target Methodology (HVTM)

  • The methodology is meant to be integrated with NIST Special Publication 800-160 and the MITRE Cyber Resiliency Engineering Framework, and tied to the MITRE ATT&CK Framework.
  • The scoring methodology identifies target types in Phase 1 and then scores HVT attributes in Phase 2 from an adversarial kill-chain viewpoint.
  • The assessment focuses on inherent impact and attacker value rather than vulnerabilities or the maturity of existing security controls.

Abstract

This paper proposes a qualitative and quantitative methodology to significantly increase an organization's cyber resilience posture against common and advanced adversaries by accounting for the value that these threat actors place on a given asset instead of solely focusing on the asset's value from a business criticality or informational value perspective.

To maximise its applicability, the High Value Target methodology is meant to be integrated with existing publications such as NIST Special Publication 800-160 and the MITRE Cyber Resiliency Engineering Framework, and tied to the MITRE ATT&CK Framework.

Introduction

Cyber Resilience refers to the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.

One of the first steps in kick-starting a Cyber Resilience program is to identify the critical data, processes and systems that are high value assets and to develop plans to address gaps in resiliency and recovery.

Defining High Value Targets

High Value Targets (HVTs) are information systems, data, roles and processes for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to an organization's ability to perform its mission or conduct business.

Identifying High Value Targets

The types of HVT systems that are identified in Phase 1 are:

  • Critical infrastructure targets, an organization's assets whose unavailability, exposure, modification or corruption would significantly disrupt an organization's mission due to their widespread presence and network of dependencies in the organization's environment.
  • Control plane targets, an organization's assets which contain sensitive controls, configurations and instructions used in information system management operations.
  • Cyber defense targets, an organization's assets which provide protective, detective, investigative and responsive capabilities which assure cyber resilience posture on a day-to-day basis and especially while under an advanced attack.
  • Informational value targets, an organization's assets which contain significant value in the form of stored or in-transit data, otherwise referred to as crown jewels.

Scoring Methodology

The methodology is composed of two phases which aim to provide a practical approach to identifying the organization's HVTs.

Phase 1 focuses on assigning a binary score to each asset in the organization, with the main objective of grouping the assets into the four main HVT types.

Phase 2 takes the outcome of Phase 1 and provides every asset filtered from Phase 1 with scores against the ten HVT attributes in terms of how the given asset inherently provides value for plausible adversarial mission intent.

This methodology focuses on the attack value chain and is an inherent impact assessment for assets. It excludes vulnerabilities and security controls because the detailed cyber resilience analysis comes after the HVTs are identified.
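The two-phase flow described above, sketched as an added example that is not taken from the whitepaper or the HVT team's own tooling. Assumptions: the ten attribute names are placeholders because this page does not list them, the 0-5 scale and the plain-sum aggregation are illustrative choices, and the inventory is constructed sample data.

```python
from dataclasses import dataclass, field

# The four HVT types named on the page (Phase 1 groups).
HVT_TYPES = ("critical_infrastructure", "control_plane",
             "cyber_defense", "informational_value")
# Placeholder names: the page mentions ten HVT attributes but does not list them.
ATTRIBUTES = tuple(f"attribute_{i:02d}" for i in range(1, 11))
SCALE = range(0, 6)  # assumption: 0-5 per attribute; the page gives no scale

@dataclass
class Asset:
    name: str
    types: dict                                 # Phase 1 input: HVT type -> 0 or 1
    scores: dict = field(default_factory=dict)  # Phase 2 input: attribute -> score

def phase1(assets):
    """Group assets by HVT type from binary scores; unflagged assets drop out."""
    groups = {t: [] for t in HVT_TYPES}
    for a in assets:
        for t in HVT_TYPES:
            flag = a.types.get(t, 0)
            if flag not in (0, 1):
                raise ValueError(f"{a.name}: Phase 1 score for {t} must be 0 or 1")
            if flag:
                groups[t].append(a)
    return groups

def phase2(groups):
    """Score each asset that passed Phase 1 against all ten attributes, then rank."""
    # An asset can sit in several HVT types; score it once.
    passed = {a.name: a for members in groups.values() for a in members}
    ranking = []
    for a in passed.values():
        missing = [k for k in ATTRIBUTES if k not in a.scores]
        if missing:
            raise ValueError(f"{a.name}: unscored attributes {missing}")
        if any(a.scores[k] not in SCALE for k in ATTRIBUTES):
            raise ValueError(f"{a.name}: score outside the assumed 0-5 scale")
        ranking.append((a.name, sum(a.scores[k] for k in ATTRIBUTES)))  # assumed: plain sum
    return sorted(ranking, key=lambda r: (-r[1], r[0]))

def scored(values):
    return dict(zip(ATTRIBUTES, values))

# Constructed sample inventory (not from the page).
INVENTORY = [
    Asset("directory-service", {"critical_infrastructure": 1, "control_plane": 1}, scored([5, 5, 4, 5, 3, 5, 4, 5, 5, 4])),
    Asset("edr-console", {"cyber_defense": 1}, scored([4, 3, 5, 4, 4, 2, 5, 3, 4, 4])),
    Asset("customer-db", {"informational_value": 1}, scored([3, 2, 2, 5, 1, 2, 3, 2, 4, 1])),
    Asset("lobby-kiosk", {}),  # no HVT type: never reaches Phase 2
]
```

No vulnerability or control-maturity fields appear in the asset record, matching the page's statement that the assessment covers inherent impact only.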

Conclusion

Current cyber resilience best practices lack clear guidance on how organizations can identify the value that an advanced attacker places on possible targets, which defines the tactical reliance on the attack value chain from an architectural system standpoint.

Once HVTs are identified, secured and continuously governed, an organization's cyber resilience posture is significantly increased.


Whitepaper

PDF edition of the methodology paper authored by Francesco Chiarini and Calin Gheorghiu.

Copyright ©2026 High Value Target. All rights reserved.
