Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cyber vulnerabilities and select countermeasures effective at mitigating those vulnerabilities. TARA is part of a MITRE portfolio of systems security engineering (SSE) practices that contribute to achievement of mission assurance (MA) for systems during the acquisition process. The TARA assessment approach can be described as conjoined trade studies, where the first trade identifies and ranks attack vectors based on assessed risk, and the second identifies and selects countermeasures based on assessed utility and cost. Unique aspects of the methodology include use of catalog-stored mitigation mappings that preselect plausible countermeasures for a given range of attack vectors, and use of countermeasure selection strategies that prescribe the application of countermeasures based on level of risk tolerance. This paper outlines the SSE-MA portfolio and describes the TARA methodology.
TARA
TARA is an engineering methodology used to identify and assess cyber vulnerabilities and select countermeasures effective at mitigating those vulnerabilities. The methodology utilizes a catalog of attack vector and countermeasure data, together with web-based tools used to search and process catalog data.
Figure 1: TARA Assessment Workflow
Figure 1 depicts the TARA assessment workflow, which is summarized as follows. System technical details are used to construct a cyber model of the system architecture, which provides a basis for searching the catalog for plausible attack vectors. The list of attack vectors is filtered
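The two conjoined trade studies above (rank attack vectors by risk, then pick countermeasures by utility and cost from catalog mitigation mappings, applying a risk-tolerance strategy) can be made concrete with a small worked model. The following is an added example, not code from the MITRE paper or its catalog tools: the 1-5 scales, the risk formula (likelihood x impact), the greedy utility/cost selection rule, the tolerance semantics and every catalog entry are assumptions constructed for illustration.

```python
# Added example, not code from the MITRE TARA paper. Scales, risk formula,
# selection strategy and catalog contents are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackVector:
    name: str
    likelihood: int  # assumed 1-5 scale
    impact: int      # assumed 1-5 scale

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Countermeasure:
    name: str
    utility: int  # assumed 1-5: how much it reduces risk of the mapped vectors
    cost: int     # assumed 1-5: relative cost to deploy and operate


# Constructed catalog: attack vector -> plausible countermeasures
# (the "catalog-stored mitigation mappings" the text describes).
MITIGATION_MAP = {
    "Exposed admin interface": ["Network segmentation", "MFA on admin access"],
    "Phishing to workstation": ["User awareness training", "MFA on admin access", "Email filtering"],
    "Supply-chain firmware tamper": ["Firmware signature verification", "Supplier attestation"],
    "Physical USB drop": ["USB port control"],
}

COUNTERMEASURES = {cm.name: cm for cm in [
    Countermeasure("Network segmentation", utility=4, cost=4),
    Countermeasure("MFA on admin access", utility=5, cost=2),
    Countermeasure("User awareness training", utility=2, cost=1),
    Countermeasure("Email filtering", utility=3, cost=2),
    Countermeasure("Firmware signature verification", utility=5, cost=3),
    Countermeasure("Supplier attestation", utility=3, cost=3),
    Countermeasure("USB port control", utility=3, cost=1),
]}

# Constructed attack vectors found for the system's cyber model.
SAMPLE_VECTORS = [
    AttackVector("Supply-chain firmware tamper", likelihood=2, impact=5),
    AttackVector("Phishing to workstation", likelihood=5, impact=3),
    AttackVector("Exposed admin interface", likelihood=4, impact=4),
    AttackVector("Physical USB drop", likelihood=2, impact=2),
]


def rank_attack_vectors(vectors):
    """Trade study 1: order attack vectors by assessed risk, highest first."""
    return sorted(vectors, key=lambda v: (-v.risk, v.name))


def select_countermeasures(vectors, countermeasures, mitigation_map, tolerance):
    """Trade study 2: choose countermeasures for every vector whose risk exceeds
    the tolerance.  Greedy strategy: repeatedly take the candidate with the best
    utility * (vectors it still covers) / cost until nothing above tolerance is
    left uncovered, or no catalog candidate covers what remains."""
    uncovered = {v.name for v in vectors if v.risk > tolerance}
    selected = []
    while uncovered:
        best, best_score = None, 0.0
        for cm in sorted(countermeasures.values(), key=lambda c: c.name):
            covers = {v for v in uncovered if cm.name in mitigation_map.get(v, [])}
            score = cm.utility * len(covers) / cm.cost
            if score > best_score:
                best, best_score = cm, score
        if best is None:  # remaining vectors have no mitigation in the catalog
            break
        selected.append(best.name)
        uncovered -= {v for v in uncovered if best.name in mitigation_map.get(v, [])}
    return selected, sorted(uncovered)


if __name__ == "__main__":
    for v in rank_attack_vectors(SAMPLE_VECTORS):
        print(f"{v.risk:>3}  {v.name}")
    chosen, gaps = select_countermeasures(SAMPLE_VECTORS, COUNTERMEASURES, MITIGATION_MAP, tolerance=8)
    print("selected:", chosen, "unmitigated:", gaps)
```

Lowering the tolerance widens the set of vectors that must be addressed (at tolerance 0 the USB vector is pulled in and its control gets selected); a vector above tolerance with no catalog mapping comes back in the unmitigated list, which is exactly the gap an assessor needs to see rather than have silently dropped.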
I have compiled a collection of the most common questions asked regarding the Threat Agent Risk Assessment (TARA) methodology.
Top 10 Questions for the Threat Agent Risk Assessment (TARA) methodology
- What is the purpose of TARA?
TARA is a method to distill the immense number of possible threats into a manageable picture of the most likely attacks to occur, based upon the objectives and methods of those who possess the capability and desire to do harm. It is a way of conducting risk assessments to produce a more understandable and realistic picture, so effective security decisions can be made.
- Why should my organization incorporate TARA?
TARA can help if your organization is challenged with building a practical, accurate, and comprehensive security risk analysis which scales and adapts to the changing risk landscape. This has been a major challenge in the industry, where vulnerability assessments are the norm and resulting outputs, controls value, and recommendations are nebulous. TARA may be able to help.
- What are the primary benefits of TARA?
I have seen 3 primary areas of benefit.
1. Greatly distilling the cloud of potential attacks down to a manageable list of likely attacks
2. Improving the quality of risk and control evaluations to better understand the value of security investments
3. Communicating risks and recommendations to management and non-security audiences
TARA is highly customizable by the user and can help provide relevant information necessary for management to make good security decisions.
- Does TARA replace all other methods of risk assessment?
No. TARA is a methodology. It is a way of looking at and assessing the threat landscape. It complements and integrates with an organization’s embedded tools, methods, and processes. It can improve results, reduce overall risk analysis effort, and contribute to better decision making.
- Is TARA a tool, application, device, or checklist?
TARA is a way of analyzing risks (risk of loss) based upon the relationship between an attacker’s capability and desire to cause loss, the applicable vulnerabilities, the controls, and the residual exposures. The method can be incorporated into risk analysis tools, applications, and processes.
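The purpose answer above (distill the cloud of threats to the likely attacks, based on who has both the capability and the desire to cause harm) and this answer (capability and desire, applicable vulnerabilities, controls, residual exposure) describe one chain of reasoning. The following is an added example, not code from Intel's TARA whitepaper or Threat Agent Library: the scoring model, every scale, agent, vulnerability and control value below are assumptions constructed to show the shape of the analysis, not Intel's published scales.

```python
# Added example, not from Intel's TARA whitepaper. The scoring model and all
# library, vulnerability and control values are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatAgent:
    name: str
    capability: int   # assumed 1-5: skill and resources available
    desire: int       # assumed 1-5: motivation to harm this organisation
    methods: tuple    # attack methods this agent characteristically uses


# Constructed threat agent library (a stand-in for an organisation's own).
AGENTS = [
    ThreatAgent("Organised crime", capability=4, desire=5, methods=("phishing", "ransomware")),
    ThreatAgent("Disgruntled insider", capability=3, desire=4, methods=("credential misuse", "data exfiltration")),
    ThreatAgent("Opportunistic scanner", capability=1, desire=2, methods=("web scanning",)),
    ThreatAgent("Well-resourced foreign actor", capability=5, desire=1, methods=("supply chain", "phishing")),
]

# Constructed vulnerability picture: method -> impact (1-5) if it succeeds,
# listed only for methods the environment is actually exposed to.
VULNERABILITIES = {
    "phishing": 4, "ransomware": 5, "credential misuse": 4,
    "web scanning": 1, "data exfiltration": 5,
}

# Constructed controls: method -> fraction of the impact the control removes.
CONTROLS = {"phishing": 0.5, "ransomware": 0.6, "credential misuse": 0.25}


def likely_agents(agents, min_capability=2, min_desire=3):
    """Step 1: keep only agents that both can and want to cause loss here.
    Thresholds are assumed; an organisation sets its own."""
    return [a for a in agents if a.capability >= min_capability and a.desire >= min_desire]


def residual_exposures(agents, vulnerabilities, controls):
    """Step 2: score each (agent, method) pair that meets an applicable
    vulnerability, reduce it by the relevant control, rank highest first."""
    rows = []
    for agent in agents:
        for method in agent.methods:
            if method not in vulnerabilities:
                continue  # no applicable vulnerability, so no exposure
            raw = agent.capability * agent.desire * vulnerabilities[method]
            residual = raw * (1 - controls.get(method, 0.0))
            rows.append((agent.name, method, round(residual, 1)))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def top_exposures(agents=AGENTS, vulnerabilities=VULNERABILITIES, controls=CONTROLS, limit=3):
    """The 'manageable picture': the few residual exposures that matter most."""
    return residual_exposures(likely_agents(agents), vulnerabilities, controls)[:limit]


if __name__ == "__main__":
    for agent, method, score in top_exposures():
        print(f"{score:>6}  {agent} via {method}")
```

Two things the numbers show that the prose only states: the most capable agent in the library drops out entirely because it has no desire to target this organisation, and the insider's exfiltration path rises to the top not because the insider is the strongest agent but because no control in the picture addresses that method.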
- Is TARA relevant for a whole enterprise and applicable to small projects?
The methodology applies well across the risk assessment spectrum. It works when determining the overall risk posture of large enterprises and scales to highlight discrete risks for small projects.
- Where did TARA come from, and is it free to use?
TARA was created within Intel in response to the need to evaluate the security risks of a very complex, rapidly changing threat landscape for a large, extremely valuable, and diverse environment. As the saying goes, ‘necessity is the mother of invention’. Available risk tools and methods were insufficient for the needs. TARA was created and used very successfully to evaluate and communicate risks and recommendations. Intel has shared our success with the industry, and TARA is free for anyone to adopt and use.
- How can I use TARA to communicate risks to non-security audiences?
TARA results in an easily understandable story of risk. Even non-security audiences have readily embraced the outputs of TARA as it helps them to understand the sometimes vast and complex world of security risks.
- What industries have embraced TARA?
Over the past few years I have consulted with a number of different industries, including manufacturing, insurance, healthcare, technology, education, financial, government, and security/risk consultancy firms.
- Where can I get more information, resources, or help on TARA?
A number of whitepapers, blogs, presentations, and interviews are available. As each adoption of TARA is different, which is an important necessity by design, there is no mandated template or standard playbook. TARA is customized to meet the specific needs of its users as a way of embedding threat agent analysis into risk assessments.
Intel’s original Threat Agent Risk Assessment whitepaper: http://communities.intel.com/community/openportit/blog/2010/01/05/whitepaper-prioritizing-information-security-risks-with-threat-agent-risk-assessment
Related Blogs, Videos, and Papers:
- Intel whitepaper: Improving Healthcare Risk Assessments to maximize Security Budgets
- Intel whitepaper: Managing a divestiture
- Intel whitepaper: Threat Agent Library
- Intel Blog: Attacks, Threat Agents, and Vulnerabilities are the Key to Prioritizing Security
- TARA Presentation to Society of Information Risks Analysts (SIRA) Aug 2011: https://www.societyinforisk.org/content/sira-monthly-webinar-8112011-1200pm-edt900am-pst-matthew-rosenquist-tara
The recording of my presentation can be streamed here
Risk Community Blogs:
- Well done Intel: Threat Agent Risk Assessment: http://thirddefense.wordpress.com/2010/01/08/well-done-intel-threat-agent-risk-assessment/
- IT risk assessment frameworks: real-world experience: http://www.csoonline.com/article/592525/it-risk-assessment-frameworks-real-world-experience
- Comparison of IT Risk Assessment Framework: Octave, Fair, NIST-RMF and TARA: http://www.financesheets.com/comparison-of-it-risk-assessment-framework-octave-fair-nist-rmf-and-tara/
- Prioritizing Information Security Risks with Threat Agent Risk Assessment: http://connectedsocialmedia.com/5725/prioritizing-information-security-risks-with-threat-agent-risk-assessment/
- How to implement an enterprise threat assessment methodology: http://searchsecurity.techtarget.com/tip/How-to-implement-an-enterprise-threat-assessment-methodology
- How Risky is Your Business?: http://www.robobak.com/Blog/index.aspx?id=66
- TARA (the Threat Agent Risk Assessment): http://itsecurityoffice.blogspot.com/2011/09/tara-threat-agent-risk-assessment.html