How we made the GovAssure profiles.
By Tony Badsey-Ellis
When using the Cyber Assessment Framework (CAF), it’s not a case of trying to achieve every single Contributing Outcome (CO). Whilst this might be nice, it is neither appropriate nor proportionate for most systems and their threat levels. Our previous blog explained the use of profiles to handle this.
Proving the profile matched the threat
When we created GovAssure, we didn’t want to assume that government could use the existing CAF baseline profile. We knew that government faces a different threat profile to the private sector, and we wanted to ensure that the chosen profile reflected that. It didn’t mean that the profile had to differ, but we wanted to prove that the profile matched the threat.
To do this, we created a set of scenarios based on attacks that had been seen in the public sector or that were seen as being credible for the public sector. The GovAssure team documented the scenarios using open-source research – this was important for transparency. Each scenario was divided into several stages, depending on complexity. For example, WannaCry was split as follows:
- Initial compromise – getting into the network.
- Establish a foothold – install a back door for persistence.
- Device enumeration – search local and network devices in order to spread.
- Locate and encrypt – find files and prevent legitimate access.
- Complete mission – operational capability affected and ransom message delivered.
Staged analysis
Each stage was then analysed against the CAF to determine which Contributing Outcomes would help stop that stage of the attack from succeeding, and in particular which Indicators of Good Practice (IGPs) would do so. For obvious reasons, we only looked at the IGPs describing partial or full achievement (the ‘not achieved’ IGPs describe the absence of a control, so they cannot mitigate anything), and where possible, we used those for partial achievement. This was on the premise that if the attack stage could be mitigated with a ‘partially achieved’ IGP, then there was no need to require a ‘fully achieved’ IGP, which might be more complex or expensive to implement. The IGPs were identified numerically – although they aren’t numbered in the CAF, we allocated them numbers to ease this task.
Once a scenario analysis was complete, we had a list of applicable IGPs for each stage, plus some additional IGPs that couldn’t be linked to a single stage (for example, Contributing Outcome A2.a Risk Management Process would be useful throughout the attack scenario). This latter group of IGPs was put into a ‘Support’ stage.
So, we now had up to six stages defined for ten scenarios – this was felt to be a good number by the GovAssure team, balancing the effort in performing the analysis against the need for a broad spectrum of attacks and failures. The scenarios encompassed ransomware attacks, trojans, loss of an official device, and credential stealers. This was a lot of data.
Modelling the data
Based on a model one of the regulators created, we built a spreadsheet to capture the data for each scenario. Each Contributing Outcome has a differing number of IGPs at each of the two levels (partial and full achievement). The spreadsheet was coded with the number of each type of IGP for each CO, and a series of formulae of ever-increasing complexity crunched the data around the scenario IGPs to create a statistical analysis. This looked at which IGPs were used and how often each was used. The picture below illustrates the layout (it does not show the data used for the GovAssure profiles).
A threshold value was set for the usage count; a CO whose IGPs were cited at or above that threshold was deemed ‘significant’ in mitigating the risk, and this was assessed separately for full and partial achievement. Each CO that reached the threshold was highlighted for addition to the Government profile, the starting point for which was the existing baseline profile. This meant there would be no Contributing Outcomes in the Government profile with an achievement level below the baseline profile.
Many of the significant Contributing Outcomes had the same achievement level as the baseline profile, but a number were higher – mostly moving from ‘partially achieved’ to ‘fully achieved’. This created what we termed the Indicative Government Baseline Profile.
Sensitivity analysis
Our final task was to perform a sensitivity analysis on this new profile. By excluding each scenario in turn, we could see its impact on the final outcome. Of our ten scenarios, eight made no difference if individually excluded. The remaining two had a significant impact, and we found that the indicative profile was made somewhat more complicated to achieve if they were included. A review of the scenarios showed that the attackers in both cases were more sophisticated, so these scenarios were better suited to the enhanced profile. They were, therefore, excluded from the baseline profile.
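The counting, threshold and leave-one-scenario-out steps described in the last two sections can be reduced to a few dozen lines. The Python below is an added illustration written for this post; it is not the GovAssure spreadsheet or any 2T Security tooling. The scenarios, the IGPs each stage cites, the baseline levels, the threshold of 3 and the rule that a stage needing a ‘fully achieved’ IGP also counts towards ‘partially achieved’ are all constructed assumptions chosen so the output is easy to check by hand; the CO identifiers follow the CAF naming scheme but the mappings are invented.

```python
"""Toy model of the GovAssure profile derivation: count IGP citations per
Contributing Outcome (CO), apply a significance threshold, never drop below
the baseline profile, then run a leave-one-scenario-out sensitivity check.
All data below is constructed for illustration, not taken from GovAssure."""
from collections import Counter

LEVELS = ("not achieved", "partially achieved", "achieved")
NOT_ACHIEVED, PARTIAL, ACHIEVED = LEVELS
THRESHOLD = 3  # assumption: minimum number of citing stages for 'significant'

# Assumed starting point (the 'baseline profile'), CO -> required level.
BASELINE = {"A2.a": PARTIAL, "B3.e": NOT_ACHIEVED, "C1.a": PARTIAL, "D1.a": PARTIAL}

# Constructed scenarios: scenario -> stage -> list of (CO, IGP level) that
# would mitigate that stage. 'support' holds IGPs useful throughout.
SCENARIOS = {
    "ransomware": {
        "initial compromise": [("C1.a", PARTIAL)],
        "establish foothold": [("C1.a", PARTIAL)],
        "locate and encrypt": [("B3.e", PARTIAL), ("D1.a", ACHIEVED)],
        "complete mission": [("D1.a", ACHIEVED)],
        "support": [("A2.a", PARTIAL)],
    },
    "trojan": {
        "initial compromise": [("C1.a", PARTIAL)],
        "complete mission": [("D1.a", PARTIAL), ("B3.e", PARTIAL)],
        "support": [("A2.a", PARTIAL)],
    },
    "lost device": {
        "device lost": [("B3.e", PARTIAL)],
        "complete mission": [("D1.a", PARTIAL)],
        "support": [("A2.a", PARTIAL)],
    },
    "credential stealer": {  # the 'more sophisticated' attacker
        "initial compromise": [("C1.a", ACHIEVED)],
        "establish foothold": [("C1.a", ACHIEVED)],
        "locate": [("C1.a", ACHIEVED)],
        "complete mission": [("B3.e", PARTIAL)],
        "support": [("A2.a", PARTIAL)],
    },
}


def rank(level):
    return LEVELS.index(level)


def igp_usage(scenarios):
    """Count, for each (CO, level), how many stages cite an IGP at that level.
    A stage counts at most once per CO, at the highest level it needs; a
    'fully achieved' citation also counts towards 'partially achieved'
    (assumption: the levels are treated as cumulative)."""
    counts = Counter()
    for stages in scenarios.values():
        for igps in stages.values():
            needed = {}
            for co, level in igps:
                if rank(level) > rank(needed.get(co, NOT_ACHIEVED)):
                    needed[co] = level
            for co, level in needed.items():
                for lvl in LEVELS[1:rank(level) + 1]:
                    counts[(co, lvl)] += 1
    return counts


def build_profile(baseline, scenarios, threshold):
    """Raise each CO to the highest level whose citation count meets the
    threshold; a CO never ends up below its baseline level."""
    counts = igp_usage(scenarios)
    profile = dict(baseline)
    for co in baseline:
        for level in reversed(LEVELS[1:]):  # try 'achieved' first
            if counts[(co, level)] >= threshold:
                if rank(level) > rank(profile[co]):
                    profile[co] = level
                break
    return profile


def changes_from_baseline(baseline, profile):
    """COs whose required level differs from the baseline: CO -> (before, after)."""
    return {co: (baseline[co], profile[co]) for co in baseline if baseline[co] != profile[co]}


def sensitivity(baseline, scenarios, threshold):
    """Leave each scenario out in turn and report the ones whose exclusion
    changes the resulting profile, with the COs that move."""
    full = build_profile(baseline, scenarios, threshold)
    impact = {}
    for name in scenarios:
        subset = {k: v for k, v in scenarios.items() if k != name}
        reduced = build_profile(baseline, subset, threshold)
        diff = {co: (full[co], reduced[co]) for co in full if full[co] != reduced[co]}
        if diff:
            impact[name] = diff
    return impact


if __name__ == "__main__":
    indicative = build_profile(BASELINE, SCENARIOS, THRESHOLD)
    for co, (before, after) in changes_from_baseline(BASELINE, indicative).items():
        print(f"{co}: {before} -> {after}")
    for name, diff in sensitivity(BASELINE, SCENARIOS, THRESHOLD).items():
        print(f"excluding '{name}' changes: {diff}")
```

With this constructed data only the ‘credential stealer’ scenario changes the outcome when excluded (C1.a drops from ‘achieved’ back to the baseline ‘partially achieved’), which is the pattern the sensitivity analysis is looking for: a scenario that single-handedly pulls a CO upward is a candidate for the enhanced profile rather than the baseline one.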
Once the final indicative profile was created, we documented it, focusing on the areas of difference from the original baseline profile. We then presented it to a large meeting of Government Department CISOs. We looked at each CO in turn, spending more time on those that differed, and agreed which would be changed for the government profile. The conclusion was that only two Contributing Outcomes would change, as follows:
- B3.e Media Sanitisation was increased from not achieved to partially achieved
- D1.a Response plan was increased from partially achieved to fully achieved
The attendees felt this appropriate for Government usage, and the new profile was subsequently signed off for use. The same process, with a new set of scenarios, was then repeated to create the enhanced CAF profile for the Government sector.
The GovAssure CAF profiles are provided to the government assurance teams when they are completing a CAF return, and are not made available more generally.
You may be interested to read our blog Using the CAF in practice.
Contact Us
Please get in touch with us for more information about how 2T Security can help with CAF-based work.
2T Security became one of the first NCSC-assured cybersecurity consultancies to offer GovAssure services. You can find out more here