MITRE has developed the Cyber Operations Rapid Assessment (CORA) methodology to help organizations identify areas in their cybersecurity defensive practices related to threat information that can be improved. The authors discuss the methodology in detail.
Cyber Operations Rapid Assessment (CORA): Examining the State of Cybersecurity Assessment Methodologies and Introducing a New Alternative
Actionable threat intelligence plays a critical role in cyber defense in all respects, from helping to protect systems and data to protecting organizations, industries, and even countries. A growing number of highly publicized breaches have led to tremendous activity in both the public and private sectors to enhance capabilities to collect, utilize, and share cyber threat intelligence. Many organizations, however, are behind the curve in terms of threat intelligence, relying predominantly on static defensive measures and compliance-oriented processes. Transitioning to a threat-oriented posture is not easy, and change needs to occur across the triad of people, processes, and technologies.
Some organizations have taken the important step of joining a formal industry-sector or regional cyber threat sharing collaborative such as an Information Sharing Analysis Center (ISAC). In such collaborative efforts, members’ capability and resource levels often fall on a spectrum. It is important for the success of information sharing groups to understand the maturity levels of their respective memberships, and to identify ways to help improve the exchange of threat information for all parties.
In this paper, we analyze modern cyber operations assessments and present an alternative to fill a gap in the current state of practice. MITRE has developed and piloted the Cyber Operations Rapid Assessment (CORA) methodology with the goal of helping organizations quickly identify areas in their cybersecurity defensive practices where improvements can be made in the collection, utilization, and sharing of threat information. CORA is not intended to be a complete review of an organization’s entire security program, but rather focuses on those elements that are critical to the incorporation of threat information into defensive operations and risk management. We discuss the methodology in detail and the motivation behind each of its five main focus areas.