Classifying the objects of study by their similarities is a fundamental step in research. A passion for classification became one of the signatures of the Enlightenment, a period in which many researchers, following the modern scientific method, tried to unravel the mysteries of an apparently ordered cosmos. One of them was Carl Linnaeus, who classified living beings hierarchically into kingdoms and species, giving birth to one of the first taxonomies. Taxonomy is a classification approach now used in many research fields, including Cybersecurity, where a threat taxonomy groups threats into hierarchical classes according to common characteristics. This classification is fundamental for identifying the detection and prevention approaches to be applied, since different cyberattacks require different methods according to their nature.
Having a good classification of attacks becomes especially relevant when the diversity of cyberattacks is high. This is the case for attacks against Critical Information Infrastructures (CIIs), whose complexity and variety have increased as the information and communications technology (ICT) networks in which CIIs operate have become more sophisticated. A threat taxonomy is proposed in the context of the CyberSANE project to characterize attacks against CIIs and to develop security mechanisms adapted to each kind of threat.
This classification is tailored to the specificities of the systems the attacks are aimed at, so CyberSANE’s Threat Taxonomy has been built considering the characteristics and particularities of the three kinds of CIIs for which the final system is intended: Healthcare, Energy and Transport.
Many threat taxonomies already exist in the literature, defined by different security organisations. ENISA’s Threat Taxonomy [1] has been taken as the reference for building CyberSANE’s. This choice is motivated by the simplicity of its layout and by the possibility of adding new threats to the hierarchical tree without modifying its inherent structure. The layout conceived by ENISA can be presented as a table with three levels of classification. As an example of how this classification works, a phishing campaign would fall under “Nefarious Activity/Abuse”:“Social Engineering”:“Phishing attacks”.
The Design Science Research (DSR) method presented by Omair and Alturki [2] has been followed to develop CyberSANE’s Threat Taxonomy. This method presents seven steps:
- Problem definition and justification
- Definition of objectives and meta-characteristics
- Definition of ending condition
- Design and development
The guidance of these steps has been completed by answering a set of questions related to the CIIs to protect and to the nature of the potential threats:
- Which systems should be covered?
Defining the scope of application of the taxonomy is a fundamental step. In the case of CyberSANE, the attack scenarios considered belong to the three kinds of CIIs previously mentioned (Healthcare, Energy and Transport).
- What are the most common cyber-threats against these systems?
The most common attacks considered are those affecting all three kinds of CIIs in the scope. These attacks constitute a basis that is independent of the particularities of each CII. Denial of Service (DoS) attacks, packet sniffing and Man-in-the-Middle (MitM) attacks are some of the threats found in this first selection.
- What are the other cyber-threats that can act against these systems?
An analysis of the services and possible vulnerabilities in each CII provides a set of more specific threats. For instance, an attack against wireless communications is considered non-common because its execution requires the existence of wireless infrastructure, which is not always the case.
- Are there any non-cyber-threats which must be covered by the taxonomy?
There exist threats that do not propagate through cyberspace but that can still harm the ICT infrastructure, such as a physical terrorist attack or a natural disaster.
- What representation should the taxonomy take?
The form the taxonomy takes when it is represented should be chosen according to how it is going to be applied in a security system and the context in which it is going to be used. CyberSANE’s Threat Taxonomy follows a tabular format, the same as ENISA’s.
- Which threat categories need to be represented?
Threat categories are inherited from the ones presented by ENISA, but a subcategory of “High-Level Threat”, called “Threat Type”, is introduced to increase the granularity of the classification. Being more specific will lead to more pertinent threat detection methods in CyberSANE’s system.
- What supplementary information must the taxonomy contain?
Apart from the taxonomical classification itself, some supplementary information can be added to each category, such as comments about individual threats or a list of systems that can be impacted. This information constitutes a knowledge compendium that can be invaluable when the taxonomy is used, for example to create a Threat Model.
The Threat Taxonomy created in the context of the CyberSANE project, following the DSR method and answering the questions above, has ended up with seven main fields, adapted from the ones defined by ENISA:
- High Level Threat
- Threat Type
- Threat Description
- Class Description
A total of 248 threats have been listed, spread across 22 different threat types. The resulting hierarchical diagram is shown in the figure.
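To make the tabular layout concrete, here is a small added example (not CyberSANE's or ENISA's own code) of a taxonomy that keeps the page's classification fields, records the impacted CIIs as supplementary information, separates the CII-independent base from CII-specific threats, and accepts new rows without changing its structure. The sample rows and their CII assignments are constructed for illustration (the wireless threat is assumed to apply only to Transport).

```python
# Added example (not CyberSANE's own code): an ENISA-style tabular threat taxonomy that
# grows by adding rows without altering its layout. Sample rows and CII assignments are constructed.
from collections import defaultdict
from dataclasses import dataclass

CIIS = frozenset({"Healthcare", "Energy", "Transport"})  # CIIs in CyberSANE's scope

@dataclass(frozen=True)
class ThreatRow:
    """A table row: the four classification fields named on the page, plus impacted CIIs."""
    high_level_threat: str
    threat_type: str
    threat_description: str
    class_description: str
    impacted_ciis: frozenset = CIIS  # supplementary information; all three CIIs unless stated

class ThreatTaxonomy:
    def __init__(self):
        # Hierarchical view of the table: high-level threat -> threat type -> rows.
        self.tree = defaultdict(lambda: defaultdict(list))

    def add(self, row):
        # A new threat, type or class becomes a new node; existing branches stay intact.
        self.tree[row.high_level_threat][row.threat_type].append(row)

    def rows(self):
        return [r for types in self.tree.values() for rs in types.values() for r in rs]

    @staticmethod
    def path(row):
        # ENISA-style path, e.g. "Nefarious Activity/Abuse":"Social Engineering":"Phishing attacks"
        return ":".join(f'"{p}"' for p in (row.high_level_threat, row.threat_type, row.threat_description))

    def common_threats(self):
        # The CII-independent base: threats that affect all three kinds of CII.
        return [r for r in self.rows() if r.impacted_ciis == CIIS]

    def specific_threats(self, cii):
        # Threats relevant to one CII that are not part of the common base.
        return [r for r in self.rows() if cii in r.impacted_ciis and r.impacted_ciis != CIIS]

def build_sample_taxonomy():
    tax = ThreatTaxonomy()
    N, E = "Nefarious Activity/Abuse", "Eavesdropping/Interception/Hijacking"
    tax.add(ThreatRow(N, "Social Engineering", "Phishing attacks", "Luring users into revealing credentials"))
    tax.add(ThreatRow(N, "Denial of Service", "Distributed DoS", "Exhausting the capacity of a service"))
    tax.add(ThreatRow(E, "Interception", "Packet sniffing", "Passive capture of network traffic"))
    tax.add(ThreatRow(E, "Interception", "Man-in-the-Middle", "Relaying and altering traffic between two parties"))
    # Non-common threat: needs wireless infrastructure, here assumed to exist only in Transport.
    tax.add(ThreatRow(E, "Interception", "Attacks on wireless communications", "Abuse of radio links", frozenset({"Transport"})))
    tax.add(ThreatRow("Physical attack", "Terrorist attack", "Sabotage of a facility", "Non-cyber threat harming the ICT infrastructure"))
    return tax
```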
This taxonomy is a fundamental piece of the CyberSANE project, as its classification is followed when doing Threat Modelling and attack detection. Its most important property is that it is open to the addition of new attacks. The classes into which attacks are classified should not be seen as immutable, as they can easily be modified to adapt to new scenarios. Future research in Cybersecurity and changes in the threatened infrastructures could lead to modifications in the threat landscape, and CyberSANE’s Threat Taxonomy is prepared to adopt them.