Plan for Success: Using the CARVER Matrix and Red Teaming Your Plan
One of the most important things you can do when you develop a plan is to do your best to ensure it survives Mr. Murphy. We’ve talked about this many times, but here’s a small brain dump of what Red Teaming your plan would look like. Please note that your mileage may vary depending on the plan.
Red Teaming a Plan
Once you have your plan in place, bring in your team and identify the risks, threats and vulnerabilities.
- Risks are the likelihood of being targeted by a given attack.
- Threats are the events or actions that could happen to the plan.
- Vulnerabilities are the weaknesses an adversary will exploit to make the attack succeed.
Translate Your Plan
What could break the plan, how and by what?
- Identify the key aspects of the plan.
- Identify threats most likely to impact those parts of the plan.
- Determine the vulnerabilities that might make those threats real.
Rank by Importance
Start by listing the most important aspects of the plan, which are the parts that would cause it to fail if they don’t occur. Rank these by importance:
- Critical: If this part fails, the plan fails.
- Essential: If this part fails the plan might fail, but you can still run a contingency.
- Non-Essential: Good to have, but if it doesn’t happen the plan will still succeed.
Write these on a whiteboard and make a table listing each one by critical ranking.
What can happen? When? What is most likely to happen? How? Write the questions and the answers next to each part identified. Give a probability rank to those threats:
- High: This will most likely happen.
- Medium: There is a chance of this happening, but we have mitigating controls.
- Low: It will rarely happen.
You should have in front of you now a table with the most important parts of the plan, how critical they are and the threats to those parts marked by probability. You can already begin to see the parts that are most likely to fail and how important they are.
The next step is to think about the vulnerabilities. Which of the threats identified above has the greatest likelihood of disrupting the plan? How? What is the thing that can break and cause that threat to become real? Think of equipment failure due to dead batteries, weather causing traffic and delaying execution, and so on.
After adding these to your table, you should have a clear picture of the things that could go wrong with the plan. Now focus on the critical parts and high probability threats. Discard anything else for now. List the possible solutions for those and add them to the plan.
When you’re done, bring in the 10th man: an external party that hasn’t been part of the process. Show them the entire plan and work through their feedback. After that, you’re ready.
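The whiteboard table described in the steps above, as an added example that is not part of the original article: plan parts are ranked Critical / Essential / Non-Essential, each threat gets a High / Medium / Low probability, and the first pass keeps only the Critical parts with High-probability threats, listing those that still have no solution written next to them. The sample plan, its parts, threats and mitigations are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Rankings from the article, mapped to numbers so rows can be compared.
CRITICALITY = {"Critical": 3, "Essential": 2, "Non-Essential": 1}
PROBABILITY = {"High": 3, "Medium": 2, "Low": 1}


@dataclass
class Threat:
    """A threat to one part of the plan, with the weaknesses that make it real."""
    description: str
    probability: str                 # "High", "Medium" or "Low"
    vulnerabilities: list[str]       # what has to break for the threat to materialise
    mitigations: list[str] = field(default_factory=list)


@dataclass
class PlanPart:
    name: str
    criticality: str                 # "Critical", "Essential" or "Non-Essential"
    threats: list[Threat]


def validate(plan: list[PlanPart]) -> None:
    """Reject rankings outside the two scales before anything is computed."""
    for part in plan:
        if part.criticality not in CRITICALITY:
            raise ValueError(f"{part.name}: unknown criticality {part.criticality!r}")
        for threat in part.threats:
            if threat.probability not in PROBABILITY:
                raise ValueError(f"{part.name}/{threat.description}: unknown probability {threat.probability!r}")


def exposure(part: PlanPart, threat: Threat) -> int:
    """Ordering key for the table: criticality x probability (1..9)."""
    return CRITICALITY[part.criticality] * PROBABILITY[threat.probability]


def ranked_table(plan: list[PlanPart]) -> list[tuple[str, str, str, str, int]]:
    """The whiteboard table: (part, criticality, threat, probability, exposure), worst first."""
    validate(plan)
    rows = [(p.name, p.criticality, t.description, t.probability, exposure(p, t))
            for p in plan for t in p.threats]
    return sorted(rows, key=lambda r: r[4], reverse=True)


def focus_list(plan: list[PlanPart]) -> list[tuple[PlanPart, Threat]]:
    """Critical parts with High-probability threats: the only rows worked on in the first pass."""
    validate(plan)
    return [(p, t) for p in plan for t in p.threats
            if p.criticality == "Critical" and t.probability == "High"]


def open_items(plan: list[PlanPart]) -> list[str]:
    """Focus rows that still have no solution written next to them."""
    return [f"{p.name}: {t.description} (via {', '.join(t.vulnerabilities)})"
            for p, t in focus_list(plan) if not t.mitigations]


# Constructed sample plan for a physical assessment; all parts, threats and mitigations are illustrative.
SAMPLE_PLAN = [
    PlanPart("Team on site by 06:00", "Critical", [
        Threat("Weather causes traffic and delays execution", "High",
               ["single road into the site", "no slack in the schedule"]),
        Threat("Vehicle breaks down", "Low", ["one vehicle for the whole team"],
               mitigations=["roadside assistance number in the brief"]),
    ]),
    PlanPart("Radio contact with the control room", "Critical", [
        Threat("Equipment failure due to dead batteries", "High",
               ["batteries not checked the night before"],
               mitigations=["spare charged set per operator", "charge check at 05:00"]),
    ]),
    PlanPart("Photographic record of the site", "Essential", [
        Threat("Camera confiscated on entry", "Medium", ["visible equipment"]),
    ]),
    PlanPart("Debrief dinner booked", "Non-Essential", [
        Threat("Restaurant closed", "High", ["no reservation"]),
    ]),
]


if __name__ == "__main__":
    for row in ranked_table(SAMPLE_PLAN):
        print("{:<38} {:<14} {:<48} {:<7} {}".format(*row))
    print("\nStill open in the focus list:")
    for item in open_items(SAMPLE_PLAN):
        print(" -", item)
```

Note that the Non-Essential dinner booking has a High-probability threat but never reaches the focus list: the filter is on both axes, which is what "discard anything else for now" means in practice. Once the open items have solutions, rerun the table; the Essential rows are the second pass.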
Remember Rule 29: If you’re happy with your security, so are the bad guys.
CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It’s a system used by Special Forces to assess targets and decide which one needs to be addressed first. It is included here to support the Red Team assessment above. Below you’ll find what each component means in terms of information security:
Criticality: The target value. How vital is this to the overall organization? A target is critical when its compromise or destruction (failure to provide any of the CIA triad components) has a highly significant impact on the overall organization.
Accessibility: How easily can I reach the target? What are the defenses? Do I need an insider? Is the target computer off the Internet?
Recuperability: How long will it take for the organization to replace, repair, or bypass the destruction or damage caused to the target? Once the compromise is found, how long will it take for the system to recuperate from it?
Vulnerability: What degree of knowledge is needed to exploit the target? Can I use known exploits, or do I have to invest in new, possibly 0-day, exploits?
Effect: What’s the impact of the attack on the organization? Similar to the first point (Criticality) this point should also analyse possible reactions from the organization.
Recognizability: Can I identify the target as such? How easy is it to recognize that a specific system, network or device is the target and not a security countermeasure?
How to use the CARVER Matrix
Wikipedia states: Employing the Carver matrix can help identify targets that are vulnerable to attack and for defensive purposes, the Carver matrix can indicate “High Risk” targets that require additional security assets allotted to them to prevent the degradation of said assets via enemy assault or terrorist action.
This is also accurate in the world of information security. How do we use the CARVER Matrix? Write the targets down the left side of a table and the six CARVER components across the top, then rank each target on each component with values from 1 to 5, 5 being the highest priority or, in our case, the highest value to the attacker. The example below scores one target, the Mail Server, from our fictitious network:

Target       C  A  R  V  E  R  Total
Mail Server  5  5  2  3  3  5  23

This example shows that within our fictitious network, the most vulnerable part is the Mail Server (total score 23). Why? Let’s answer that from the CARVER perspective:
Criticality: In this organization the mail server is vital to daily work, it gets a 5.
Accessibility: The mail server is easily accessible from the internet; there are some defenses, but they’re trivial and the score is 5.
Recuperability: Since the organization’s IT personnel know that the mail server might be vulnerable, they make a backup every day. In the event of something going wrong, there will be some downtime and possibly some lost messages, but the backup will be up and running soon. The score then for Recuperability is 2.
Vulnerability: The attacker doesn’t have to be an expert or have a high degree of knowledge to attack the mail server; however, some degree of knowledge and proficiency is required (a script kiddie cannot do this), so it gets a 3.
Effect: We know the mail is critical, but what happens if it gets compromised? The organization will be down for some time, however since a backup is in place, hopefully no one will panic. The score is 3.
Recognizability: It is trivial to recognize a mail server as such, so it gets a 5.
Beyond the fact that the mail server’s score is 23, the matrix shows that since it’s a critical part of the organization (C=5) and the knowledge required to penetrate this server is medium to low (V=3), it should be secured first.
Try running several analyses on different assets in a network. You’ll see patterns begin to appear and it’ll be clear which parts of the network are the most vulnerable.
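A CARVER matrix over several assets, as an added example that is not part of the original article. The Mail Server row uses the scores given in the text (total 23); the Web Server, Domain Controller and Print Server rows are constructed for illustration. Each score is validated against the 1 to 5 scale, targets are ranked by total with ties broken by Criticality and then by Vulnerability, and the last function picks out the targets the article says should be secured first: critical to the organization and exploitable with medium-to-low skill (the thresholds C >= 4 and V >= 3 are assumptions, not from the article).

```python
from dataclasses import dataclass

# The six CARVER components, each scored 1..5 from the attacker's point of view
# (5 = most valuable, most accessible, slowest to recover, least skill needed, ...).
COMPONENTS = ("criticality", "accessibility", "recuperability",
              "vulnerability", "effect", "recognizability")


@dataclass(frozen=True)
class CarverRow:
    target: str
    criticality: int
    accessibility: int
    recuperability: int
    vulnerability: int
    effect: int
    recognizability: int

    def __post_init__(self) -> None:
        # A row with a score outside 1..5 (or a non-integer) is rejected outright.
        for name in COMPONENTS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.target}: {name}={value!r} must be an integer from 1 to 5")

    def total(self) -> int:
        return sum(getattr(self, name) for name in COMPONENTS)


def rank(rows: list[CarverRow]) -> list[CarverRow]:
    """Highest total first; ties broken by criticality, then by how little skill an attack needs."""
    return sorted(rows, key=lambda r: (r.total(), r.criticality, r.vulnerability), reverse=True)


def secure_first(rows: list[CarverRow], min_criticality: int = 4, min_vulnerability: int = 3) -> list[str]:
    """Targets that are critical to the business AND exploitable with medium-to-low skill.

    The thresholds are assumptions chosen to match the article's reading of C=5, V=3."""
    return [r.target for r in rank(rows)
            if r.criticality >= min_criticality and r.vulnerability >= min_vulnerability]


def render(rows: list[CarverRow]) -> str:
    """Plain-text matrix, worst target first."""
    header = "{:<18} C  A  R  V  E  R  Total".format("Target")
    lines = [header, "-" * len(header)]
    for r in rank(rows):
        lines.append("{:<18} {}  {}  {}  {}  {}  {}  {}".format(
            r.target, *(getattr(r, n) for n in COMPONENTS), r.total()))
    return "\n".join(lines)


# Mail Server scores are the article's; the other three rows are constructed for illustration.
NETWORK = [
    CarverRow("Mail Server",       5, 5, 2, 3, 3, 5),
    CarverRow("Web Server",        4, 5, 3, 3, 3, 4),
    CarverRow("Domain Controller", 5, 2, 4, 2, 5, 3),
    CarverRow("Print Server",      1, 3, 1, 4, 1, 2),
]

if __name__ == "__main__":
    print(render(NETWORK))
    print("\nSecure first:", ", ".join(secure_first(NETWORK)))
```

The constructed Domain Controller row is the one to watch: it scores 5 on Criticality and Effect but only 2 on Vulnerability, so the total alone ranks it third and the skill filter leaves it out of the first pass. That is the matrix doing its job; a scoring change on any one component (say, a public exploit appearing, raising V) moves it up immediately, which is why the article suggests re-running the analysis rather than filling the table once.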
Editor-in-Chief’s Note: U. Fridman is a senior information security consultant that specializes in detection of information security threats and response to security incidents. His background includes extensive experience in red team activities and management, information warfare, counter cyber-terrorism, industrial espionage, forensics analysis and other security services.