Over the years I’ve seen an evolution with respect to how the infosec industry approaches corporate security. In the (my) beginning, it was very asset/defense-centric: What do we have? Patch all the things! Turn on all the blinky security appliances. Next, we added a new layer that was more attacker/threat-driven: red teaming, threat modeling, threat intelligence, etc.

So what’s the next advancement? How can we build upon these disciplines in a way that helps us further prioritize and ultimately mitigate risk? Consider now a business-focused, or better yet, mission-oriented approach to security. Rather than focus on potential operational impacts from the perspective of known threat actors or working on a bottomless approach to defense-in-depth, let’s instead orient ourselves around what is important to us (in the context of the respective organization) and define key mission objectives around which to center our security strategy. This is in fact step one of MITRE’s Crown Jewels Analysis (CJA), a process designed to identify the cyber assets most critical to the accomplishment of an organization’s mission.

As the name implies, one product of a completed CJA is a list of key assets (the “crown jewels”) which represent the most important atomic constructs your organization relies upon. In the absence of any other output, you could take these identified systems/assets as a prioritized queue and feed them into traditional security models such as defense-in-depth (defensive model) or threat modeling (offensive model) and quickly see the value. But the CJA also yields a dependency map, which illustrates a hierarchy of nodes and relationships. The map not only explains the technological/process dependencies your mission objectives rely on, but can also be leveraged to build far more insightful views, including (but not limited to) where to apply security controls or where attackers may find weak spots to disrupt operations through nth order effects. 1, 2

Before diving into the more fine-grained mechanics of the CJA, here is a summary of the benefits you could expect as a result of performing one:

  • Facilitates joint conversation among key stakeholders. Breaks down assumptions and supports greater understanding of the mission
  • Promotes balanced resource allocation between business innovation and security safeguards
  • Prioritizes security investments
  • Identifies true risk and business impact posed by potential compromise/degradation
  • Determines acceptable levels of residual risk associated with each critical asset
  • Establishes security countermeasures to effectively manage business risk profile 5, 7

MITRE Crown Jewels Analysis (CJA) Process

Crown Jewels Analysis (CJA) [SEG, pg. 167] is a methodology designed by MITRE to identify the cyber assets (“crown jewels”) most critical to mission accomplishment. It consists of three distinct steps. 2

  1. Establish Mission Priorities
  2. Identify Mission Dependencies
  3. Mission Impact Analysis

CJA Steps

* MITRE’s CJA is often used as an input into MITRE’s threat modeling and risk analysis model, TARA. Together, the CJA and TARA compose MITRE’s Mission Assurance Engineering (MAE) process. (I will not cover TARA/MAE much in this post.)

Ultimately, by increasing the work factor for an adversary and coupling security decisions with a more intimate understanding of mission priorities, an organization can better endure the constant barrage of attacks present within the modern threat landscape and build more robust operational resiliency. 2

Establish Mission Priorities

Step one of conducting a Crown Jewels Analysis is to identify and establish mission priorities. This is an area of MITRE’s CJA documentation that is curiously light. The question is simple though, “what is important to your organization?” My recommendation? Start locally, within the security team, and brainstorm a list of probable objectives. If this is a challenging exercise for the team, it is an opportunity to reach outside the security silo, learn more about the business and become far more effective at practicing business-aware security moving forward. For a more authoritative perspective on key mission priorities, consider approaching security leadership, broader IT leadership or go directly to the source and invoke business leaders themselves. 2

Once we have established what the priorities of the business/organization are, we can begin constructing the map of interconnected tasks, functions and assets which comprise the dependency tree.

Identify Mission Dependencies

Step two of the CJA is to identify mission dependencies. For this, MITRE prescribes a technique for dependency mapping, a (moderately rigorous) adaptation of the Risk-to-Mission Assessment Process (RiskMAP). The Dependency Map is a graph/tree built using mission priorities/objectives as the root/top-level parent nodes. Child nodes are then linked to their parents using the following mapping: “If <child> fails or is degraded (as defined by the SMEs), the impact on <parent> is <failure, degrade, work-around, nominal>.” Once complete, it is possible to analyze the impact of an asset/process failure/degradation through cascading if/then statements. 2

* A more rigorous approach to dependency mapping can be adapted using the Cyber Mission Impact Assessment (CMIA) process. 4

SEG Mission Dependency Map

Consider the following when identifying potential crown jewels/key processes. System design details influence “criticality” in ways that developers (not operators) will more readily understand, so identifying key system accounts, critical files, and other critical assets will require technical insights from the development team. Deciding which cyber assets are most important to “protect” is based on the insights provided by the dependency map “linkage” to the Tasks and Mission Objectives. CJA can provide insight into which nodes to protect, what security controls to apply and where and how to apply them. 2

CAIP

One tool which can be used to facilitate critical asset ideation is the Critical Asset Identification Process (CAIP), brought to us by DODIG-2013-119. The report provides the following guidance for identifying and prioritizing critical assets. 3

  • Break down missions and functions into required tasks, standards, and capabilities
  • Identify the task assets that support the missions to the required standards and capabilities
  • Prioritize the assets identified based on the criticality of the mission and the availability of other assets that could satisfy required standards and capabilities

Mission Impact Analysis

Once mission dependencies have been identified, the third and final stage of the CJA can commence: the mission impact analysis. The dependency map depicted below demonstrates how failure/degradation of a (cyber) asset results in compromise of upstream information assets, tasks, functions and potentially entire missions. 2

SEG Dependency Failure Tree

Employing a graph-based mission dependency model can help show the transitive (nth order) mission impacts of cyberattacks. For example, a graph traversal query can begin at the victim host of an attack, and traverse the graph (vertically) to enumerate the mission components that depend on it, showing impact on all affected levels of the mission dependency hierarchy. After modeling a larger volume of potential attacks, common critical pathways will emerge which represent high probability vectors attackers tend to gravitate towards (“gravitational nodes”). A query could also traverse in the opposite direction, e.g., to show the “cyber key terrain” supported by a given mission component. Moreover, a mission dependency model could include important semantics such as relative criticality, ownership, geographic location, etc. 6, 8
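The upward and downward traversals described above, as an added example (not code from MITRE or from the original post). The node names, the sample edges and the rule that only failure/degrade impacts cascade to the next level are assumptions made for illustration.

```python
from collections import deque

SEVERITY = {"nominal": 0, "work-around": 1, "degrade": 2, "failure": 3}

# Constructed sample map: (child, parent, impact on parent if child fails/degrades).
EDGES = [
    ("db-server-01", "order-database", "failure"),
    ("db-server-02", "order-database", "work-around"),  # warm standby
    ("web-server-01", "storefront-app", "degrade"),
    ("order-database", "process-orders", "failure"),
    ("storefront-app", "process-orders", "degrade"),
    ("order-database", "monthly-reporting", "degrade"),
    ("process-orders", "OBJ: fulfil orders", "failure"),
    ("monthly-reporting", "OBJ: regulatory reporting", "work-around"),
]

def build(edges):
    up, down = {}, {}  # child -> [(parent, impact)], parent -> [children]
    for child, parent, impact in edges:
        up.setdefault(child, []).append((parent, impact))
        down.setdefault(parent, []).append(child)
    return up, down

def mission_impact(edges, failed):
    """Traverse upward from a failed asset; return {node: worst impact seen}."""
    up, _ = build(edges)
    impact, queue = {}, deque([failed])
    while queue:
        for parent, edge in up.get(queue.popleft(), []):
            if SEVERITY[edge] > SEVERITY.get(impact.get(parent), -1):
                impact[parent] = edge
                # Assumption: only failure/degrade cascade to the next level.
                if SEVERITY[edge] >= SEVERITY["degrade"]:
                    queue.append(parent)
    return impact

def key_terrain(edges, component):
    """Traverse downward; return the leaf assets a mission component relies on."""
    _, down = build(edges)
    seen, stack = {component}, [component]
    while stack:
        for child in down.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return {n for n in seen if n not in down}

if __name__ == "__main__":
    print(mission_impact(EDGES, "db-server-01"))
```

In this sample, losing `db-server-01` cascades to failure of the order-fulfilment objective, while losing the standby `db-server-02` stops at a work-around on the database node.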

For describing criticality of an asset in the context of the mission, consider MITRE’s SCRAM Criticality Levels (listed below). 8

  • Level I: Total Mission Failure
  • Level II: Significant Degradation
  • Level III: Partial Capability Loss
  • Level IV: Negligible or No Loss

The mission impact analysis should yield insights into which nodes, specifically which cyber assets (leaf nodes), result in the most catastrophic mission failure upon compromise/degradation. These are your crown jewels.


Appendices

Courses of Action

When performing mission impact analysis, consider resource allocation in the context of risk mitigation. The list below summarizes courses of action for mitigating potential weaknesses identified in the dependency map. 8

  • Technical – redundant or spare cyber assets
    • Replace: Can the cyber asset (e.g., system, network) be replaced with redundant components (e.g., spare servers, redundant network paths)?
    • Reconstitute: Can the cyber asset be reconstituted? For example, can the system replicate a server instance from a gold master virtual machine image, or dynamically reconfigure the network?

  • Service – redirect from other area or fall back on alternative functionality
    • Reposition: Are there identical services, potentially in neighbouring geographic regions, that can be repositioned to cover the mission area?
    • Repurpose: Can the lost service functionality be (partially) replicated by repurposing other services? For example, email service may be used to provide some data transmission functionality similar to chat. Voice services (radio, VOIP) can be used as an alternative to digital communications (email, chat).

  • Operational – leverage concept of operations (CONOPS), call alternative commands for support
    • Reuse: Can the missing functionality be fulfilled by reusing a similar service offered by another entity or organization?
    • Retask: Can another entity or organization be retasked to complete or support the mission?

References