Courses of Action Matrix in Cyber Threat Intelligence

A Courses of Action (CoA) matrix is a table that shows the defensive capabilities available at each phase of the Cyber Kill Chain.

On the y-axis, you put the Cyber Kill Chain steps (the adversary’s actions): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives.

On the x-axis, you put the defensive capabilities: Discover, Detect, Deny, Disrupt, Degrade, Deceive, and Destroy.

In each cell within the matrix, you put the specific defensive capabilities relevant to the intersecting kill chain step and defensive action.

For example, at the intersection of Reconnaissance and Deny you can put firewall, because a firewall can deny (block) recon. Or, at the intersection of Actions on Objectives and Deceive you can put honeypot, because a honeypot can deceive an adversary during their actions on objectives.

Courses of Action Matrix from Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (PDF)

Courses of Action Matrix in CTI

The Courses of Action Matrix can be useful in cyber threat intelligence because you can plan the defensive actions that can counter each step of a threat actor’s campaign. You can provide this info to defenders to better prevent, respond to, and remediate attacks.
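The matrix described above (kill chain phases on one axis, defensive actions on the other, capabilities in the cells) is easy to hold as a small data structure, and doing so makes the planning use just mentioned concrete: once every known control is placed in its cell, the empty cells are the coverage gaps. The code below is an added example written for this page, not code from the original post or from the cited paper; the phase and action labels follow the post, and the capability entries in `build_sample_matrix` are constructed sample data, not a recommended control set.

```python
from collections import defaultdict

# Rows (y-axis): Cyber Kill Chain phases, in the adversary's order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
# Columns (x-axis): defensive actions from JP 3-13.
ACTIONS = ["Discover", "Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy"]


class CoAMatrix:
    """Maps (kill chain phase, defensive action) to the capabilities placed in that cell."""

    def __init__(self):
        self._cells = defaultdict(list)

    def add(self, phase, action, capability):
        """Place a capability in one cell; unknown row/column labels are rejected."""
        if phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {phase!r}")
        if action not in ACTIONS:
            raise ValueError(f"unknown defensive action: {action!r}")
        caps = self._cells[(phase, action)]
        if capability not in caps:          # same control listed twice is still one entry
            caps.append(capability)

    def cell(self, phase, action):
        """Capabilities in one cell (empty list if nothing is planned there)."""
        return list(self._cells.get((phase, action), []))

    def gaps(self, action=None):
        """(phase, action) pairs with no capability, optionally for one action only."""
        actions = [action] if action else ACTIONS
        return [(p, a) for p in KILL_CHAIN for a in actions
                if not self._cells.get((p, a))]

    def phases_without_coverage(self):
        """Kill chain phases where no defensive action of any kind is planned."""
        covered = {p for (p, _a), caps in self._cells.items() if caps}
        return [p for p in KILL_CHAIN if p not in covered]

    def render(self):
        """Plain-text table: one row per phase, one column per action, '-' for a gap."""
        width = max(len(a) for a in ACTIONS) + 2
        lines = ["Phase".ljust(24) + "".join(a.ljust(width) for a in ACTIONS)]
        for p in KILL_CHAIN:
            row = p.ljust(24)
            for a in ACTIONS:
                caps = self.cell(p, a)
                text = "; ".join(caps) if caps else "-"
                row += text[:width - 1].ljust(width)   # truncate to keep columns aligned
            lines.append(row)
        return "\n".join(lines)


def build_sample_matrix():
    """Constructed sample entries; the firewall and honeypot cells are the post's examples."""
    m = CoAMatrix()
    m.add("Reconnaissance", "Discover", "Web server access logs")
    m.add("Reconnaissance", "Deny", "Firewall ACL")
    m.add("Delivery", "Detect", "Email gateway alert")
    m.add("Delivery", "Deny", "Attachment filtering")
    m.add("Exploitation", "Deny", "Patching")
    m.add("Installation", "Detect", "Endpoint agent file-creation alert")
    m.add("Command and Control", "Disrupt", "DNS sinkhole")
    m.add("Actions on Objectives", "Deceive", "Honeypot")
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print(matrix.render())
    print("\nPhases with no planned action:", matrix.phases_without_coverage())
    print("Cells with no capability:", len(matrix.gaps()), "of", len(KILL_CHAIN) * len(ACTIONS))
```

Running it prints the filled table and then the gap summary; with the sample data, Weaponization is the one phase with nothing planned against it, which is the kind of finding this matrix is meant to surface for defenders.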

Defensive Capabilities

If you’re not familiar with the defensive capabilities Discover, Detect, Deny, Disrupt, Degrade, Deceive, and Destroy, they come from the DoD’s Joint Publication 3-13, Information Operations (2006 edition).

  • Discover: identify adversary’s past activity (e.g., logs)
  • Detect: identify adversary’s current activity
  • Deny: prevent adversary activities
  • Disrupt: interrupt adversary’s activities or flow of info
  • Degrade: reduce effectiveness or efficiency of adversary’s activities or flow of info
  • Deceive: mislead adversary
  • Destroy: damage adversary’s infrastructure so it won’t function

Additional Resources

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (PDF)

Chad Warner

Seeking a cyber threat intelligence (CTI) or OSINT job. I'm a CTI, OSINT, & cybersecurity enthusiast; bookworm; and fan of Tolkien & LEGO.