Courses of Action Matrix in Cyber Threat Intelligence
A Courses of Action (CoA) matrix is a table that shows which defensive capabilities you have at each phase of the Cyber Kill Chain.
On the y-axis (rows), you put the Cyber Kill Chain phases, i.e., the adversary's actions: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.
On the x-axis (columns), you put the defensive actions: Discover, Detect, Deny, Disrupt, Degrade, Deceive, and Destroy.
In each cell, you put the specific controls (tools, configurations, or procedures) that perform the intersecting defensive action against the intersecting kill chain phase. A cell can hold several controls, and an empty cell means you have no way to take that action at that phase.
For example, at the intersection of Reconnaissance and Deny you can put a firewall ACL, because it can block the active probing and scanning an adversary uses to reconnoiter your network (it does nothing against passive, open-source reconnaissance, which never touches your perimeter). Or, at the intersection of Actions on Objectives and Deceive you can put a honeypot, because it can mislead an adversary into spending effort on a decoy system while they pursue their objectives.
Courses of Action Matrix in CTI
The Courses of Action Matrix is useful in cyber threat intelligence because, once you have mapped a threat actor's campaign onto the kill chain, you can plan the defensive actions that counter each step of that campaign. You can hand this to defenders so they can better prevent, respond to, and remediate attacks. The empty cells are just as informative: a phase the actor is known to use with no control in any column is a coverage gap, and that is where new controls or detections are most needed.
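As an added example (not code from the original post or from any published matrix), here is a small Python implementation of the matrix that does the planning step described above: it holds phase-by-action cells, reports which phases of an observed campaign have no countermeasure at all, and produces the per-phase list of courses of action you would hand to defenders. The two cells from the text are included; the other entries, the class name and the function names are constructed for illustration only.

```python
from collections import defaultdict

# Rows of the matrix: Cyber Kill Chain phases in the order the adversary works through them.
KILL_CHAIN = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Columns of the matrix: the defensive actions.
ACTIONS = ["Discover", "Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy"]


class CoAMatrix:
    """Courses of Action matrix: maps (kill chain phase, defensive action) to a set of controls."""

    def __init__(self):
        self._cells = defaultdict(set)

    def add(self, phase, action, capability):
        """Record a control in one cell; reject phases or actions that are not on the axes."""
        if phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {phase!r}")
        if action not in ACTIONS:
            raise ValueError(f"unknown defensive action: {action!r}")
        self._cells[(phase, action)].add(capability)

    def capabilities(self, phase, action):
        """Sorted controls in one cell (empty list if the cell is blank)."""
        return sorted(self._cells.get((phase, action), ()))

    def gaps(self, phases=None):
        """Phases with no control under any action, optionally restricted to the
        phases observed in a particular campaign. These are the coverage gaps."""
        phases = KILL_CHAIN if phases is None else phases
        return [p for p in phases if not any(self._cells.get((p, a)) for a in ACTIONS)]

    def plan(self, campaign_phases):
        """For each phase a threat actor is known to use, list the courses of action
        the defender actually has, keyed by defensive action (blank cells omitted)."""
        return {
            phase: {a: self.capabilities(phase, a) for a in ACTIONS if self._cells.get((phase, a))}
            for phase in campaign_phases
        }

    def render(self):
        """Plain-text table with phases as rows and actions as columns."""
        row_w = max(len(p) for p in KILL_CHAIN)
        col_w = max([len(a) for a in ACTIONS]
                    + [len(", ".join(self.capabilities(p, a))) for p in KILL_CHAIN for a in ACTIONS])
        lines = [" " * row_w + " | " + " | ".join(a.ljust(col_w) for a in ACTIONS)]
        for phase in KILL_CHAIN:
            cells = [", ".join(self.capabilities(phase, a)).ljust(col_w) for a in ACTIONS]
            lines.append(phase.ljust(row_w) + " | " + " | ".join(cells))
        return "\n".join(lines)


def build_sample_matrix():
    """Populate a matrix with the two cells from the text plus a few constructed,
    illustrative entries (the extra entries are assumptions for this example)."""
    m = CoAMatrix()
    m.add("Reconnaissance", "Deny", "firewall ACL")          # from the text
    m.add("Actions on Objectives", "Deceive", "honeypot")    # from the text
    m.add("Delivery", "Detect", "mail gateway logging")      # constructed
    m.add("Delivery", "Deny", "attachment filtering")        # constructed
    m.add("Exploitation", "Detect", "host IDS")              # constructed
    m.add("Command and Control", "Disrupt", "DNS sinkhole")  # constructed
    # Weaponization and Installation are deliberately left empty so gaps() has something to report.
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print(matrix.render())
    print("phases with no coverage:", matrix.gaps())
    print("plan for a campaign seen at Delivery and C2:",
          matrix.plan(["Delivery", "Command and Control"]))
```

Running the block prints the table, reports Weaponization and Installation as uncovered phases, and returns a plan for a campaign observed at Delivery and C2 that contains only the cells that actually have a control. In real use the rows you feed to gaps() and plan() come from the kill chain analysis of the actor's campaign, and the matrix is kept in a shared, versioned file so defenders and analysts are working from the same inventory.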
Defensive Capabilities
If you're not familiar with the defensive actions, the six "D"s (Detect, Deny, Disrupt, Degrade, Deceive, and Destroy) come from the DoD's Joint Publication 3-13, Information Operations (2006 edition), as cited by the Lockheed Martin paper that introduced the Cyber Kill Chain and the CoA matrix; Discover is a later addition that has become common in CTI practice.
- Discover: identify the adversary's past activity (e.g., by searching historical logs and other retained data)
- Detect: identify the adversary's activity as it is happening (e.g., NIDS or HIDS alerts)
- Deny: prevent the adversary's activity from succeeding (e.g., a firewall ACL or an applied patch)
- Disrupt: interrupt the adversary's activity or flow of information (e.g., killing a process or sinkholing a C2 domain)
- Degrade: reduce the effectiveness or efficiency of the adversary's activity or flow of information (e.g., throttling traffic rather than blocking it)
- Deceive: mislead the adversary (e.g., honeypots, decoy accounts or documents)
- Destroy: damage the adversary's infrastructure so it no longer functions (in practice reserved for government and military actors; a civilian defender does not take this action against someone else's systems)