CARVER Analysis – Are you defending the right things?

Simple CARVER example

The French resistance in WWII blew up the curved portions of rail lines because they used CARVER analysis to work out that this was the best way to delay the response to D-Day. The concept was developed by the OSS during WWII to select targets for irregular forces. Yes, that sounds like too much History Channel... guilty :-)


This simple acronym, CARVER, can be developed into a risk matrix to rank areas for enhanced defenses. Conversely, you can also infer an actor's motivation from the targets they go after. Imagine being able to tell an information thief from an identity thief from a card thief, or a nation state from a competitor from a hacktivist. There is no better intelligence than understanding an attacker's motives, and therefore what they are likely to do next. This really helps us think like a bad guy.


You are also analyzing your risk from a more adversary-centric perspective, so you can defend what is likely to be attacked. Understanding a bad guy's motives can even help you lure them into a honeypot or into stealing tagged disinformation. If you list the technology subcomponents of your major business applications and then score each of them across the CARVER factors (and from the point of view of different malicious actors), you have a useful risk matrix (a simplified example is shown above and an example ranking matrix is shown below).


A recent conversation at our customer advisory board refined the idea with a good example. A majority of attacks occur against what is monetizable (a high Effect score points to a card thief) rather than against critical business information (a high Criticality score points to a competitor or information broker). The CARVER matrix is open to interpretation for any new domain; below, I am proposing some ways to define each area, some of them from both perspectives, attacker and defender.


Criticality – What is the value of this asset to core business?

  • Impact on business operations
  • Impact on competitiveness
  • Impact on consumer confidence
  • Impact on stock price

Accessibility – What network and access protections are in place?

  • Buried in a protected enclave
  • Accessible from the user environment 
  • DMZ or external service
  • Flat or segmented network architecture
  • Public, B2B or private cloud

Recuperability – How difficult would it be to recover from an attack?

  • Cloud or dedicated hardware
  • Level of redundancy
  • Total cost of recovery (HW/SW/Labor/Svcs/Opportunity costs)

Vulnerability – How vulnerable to common attacks is this asset?

  • Hardened, managed, personal, mobile
  • Application and Operating Systems

Effect – What would be the impact of a successful attack?

  • Easily monetizable (e.g. loss of credit card numbers)
  • Increased or unfair competition
  • Company ending
  • Danger to life or limb

Recognizability – How easy is it to locate and recognize this asset?

  • Easy text patterns to match (searchable)
  • Number of users with access (visible)
  • Network broadcast or un-encrypted traffic
  • Detectable in progress or after the fact (noticeable in the underground)

Using CARVER analysis helps you defend what an attacker is most likely to attack. This means you can much more effectively focus your efforts and be prepared to defend yourself when they do attack. Are you protecting what the bad guys are really after?
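As an added illustration that is not part of the original post, the scoring described above carried through in Python: each subcomponent is scored 1 to 5 on the six CARVER factors, then ranked under hypothetical actor weight profiles (a card thief keyed on Effect, a competitor keyed on Criticality, and a uniform defender view). The assets, scores and weights are constructed assumptions, not measurements.

```python
import math

# The six CARVER factors from the post; each asset is scored 1 (low) to 5 (high).
FACTORS = ("criticality", "accessibility", "recuperability",
           "vulnerability", "effect", "recognizability")

# Constructed sample: technology subcomponents of a fictional retail application.
# The numbers are illustrative hand scores, not measurements.
ASSETS = {
    "payment-gateway":  dict(zip(FACTORS, (3, 3, 3, 3, 5, 5))),
    "pricing-database": dict(zip(FACTORS, (5, 2, 5, 2, 4, 2))),
    "marketing-site":   dict(zip(FACTORS, (2, 5, 1, 4, 2, 5))),
    "hr-file-share":    dict(zip(FACTORS, (3, 3, 2, 3, 3, 3))),
}

# Hypothetical actor profiles (assumed weights). Following the post, a card thief
# weights Effect (monetizable loss) most heavily, while a competitor or information
# broker weights Criticality. The uniform profile is the plain defender view.
ACTORS = {
    "card thief": {"criticality": .05, "accessibility": .20, "recuperability": .05,
                   "vulnerability": .20, "effect": .35, "recognizability": .15},
    "competitor": {"criticality": .40, "accessibility": .15, "recuperability": .10,
                   "vulnerability": .15, "effect": .10, "recognizability": .10},
    "uniform":    {f: 1 / 6 for f in FACTORS},
}

def validate_weights(weights):
    """Reject a profile that skips a factor or does not sum to 1 (a common spreadsheet slip)."""
    missing = set(FACTORS) - set(weights)
    if missing or not math.isclose(sum(weights.values()), 1.0, abs_tol=1e-9):
        raise ValueError(f"bad weight profile: missing={sorted(missing)} sum={sum(weights.values())}")

def score(asset_scores, weights):
    """Weighted CARVER score for one asset as seen by one actor profile."""
    validate_weights(weights)
    return sum(asset_scores[f] * weights[f] for f in FACTORS)

def rank(assets, weights):
    """[(asset, score)] from the most to the least attractive target under this profile."""
    ranked = [(name, round(score(s, weights), 2)) for name, s in assets.items()]
    return sorted(ranked, key=lambda kv: kv[1], reverse=True)

def ranking_matrix(assets, actors):
    """Actor -> ordered asset names: the per-actor ranking matrix the post describes."""
    return {actor: [name for name, _ in rank(assets, w)] for actor, w in actors.items()}

if __name__ == "__main__":
    for actor, order in ranking_matrix(ASSETS, ACTORS).items():
        print(f"{actor:11s} -> defend first: {order[0]}  (full order: {', '.join(order)})")
```

With these inputs the card thief profile ranks the payment gateway first while the competitor profile ranks the pricing database first, which is the shift in defensive priority the post argues for.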


CARVER Rating Example


For more information on how HP’s enterprise security products can help you know your enterprise to defend your critical information, visit hp.com/go/espservices.
