TARA (the Threat Agent Risk Assessment)

TARA (the Threat Agent Risk Assessment) is a relatively new risk-assessment framework that was created by Intel in order to help companies manage risk by distilling the immense number of possible information security attacks into a digest of only those exposures that are most likely to occur. The point here is that it would be prohibitively expensive and impractical to defend every possible vulnerability. By using a predictive framework to prioritize areas of concern, organizations can proactively target the most critical exposures and apply resources efficiently to achieve maximum results.

The TARA methodology identifies which threats pose the greatest risk, what they want to accomplish and the likely methods they will use. The methods are cross-referenced with existing vulnerabilities and controls to determine which areas are most exposed. The security strategy then focuses on these areas to minimize efforts while maximizing effect. Intel says awareness of the most exposed areas allows the company to make better decisions about how to manage risks, which helps with balancing spending, preventing impacts and managing to an acceptable level of residual risk. The TARA methodology is designed to be readily adapted when a company faces changes in threats, computing environments, behaviors or vulnerabilities.

TARA relies on three main references to reach its predictive conclusions. One is Intel's threat agent library, which defines eight common threat agent attributes and identifies 22 threat agent archetypes. The second is its common exposure library, which enumerates known information security vulnerabilities and exposures at Intel. Several publicly available common exposure libraries are also used to provide additional data. The third is Intel's methods and objectives library, which lists known objectives of threat agents and the methods they are most likely to use to accomplish these goals.
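The cross-referencing described above can be sketched in a few lines. This is an added example, not Intel's code or data: the library entries, the 1-3 likelihood scale and the names `TAL`, `MOL`, `CEL` and `rank_exposures` are constructed for illustration, and the ranking reflects likelihood only.

```python
# Constructed sample data; none of it comes from Intel's libraries.
# Threat agent library: archetype -> ordinal likelihood (1 low .. 3 high), an assumed scale.
TAL = {"disgruntled_employee": 3, "organized_crime": 2, "untrained_employee": 1}

# Methods and objectives library: archetype -> methods it is likely to use.
MOL = {
    "disgruntled_employee": {"misuse_of_access", "data_copy"},
    "organized_crime": {"phishing", "credential_reuse"},
    "untrained_employee": {"misconfiguration"},
}

# Common exposure library: exposure -> methods that can exercise it, and the
# subset of those methods that existing controls already cover.
CEL = {
    "shared_admin_accounts": {"methods": {"misuse_of_access", "credential_reuse"},
                              "controlled": set()},
    "unmanaged_usb_ports": {"methods": {"data_copy"}, "controlled": {"data_copy"}},
    "mail_gateway": {"methods": {"phishing"}, "controlled": set()},
    "cloud_storage_buckets": {"methods": {"misconfiguration", "data_copy"},
                              "controlled": {"data_copy"}},
}


def rank_exposures(tal, mol, cel):
    """Cross-reference agent methods with exposures and controls.

    Returns [(exposure, score, agents)], most exposed first. Exposures whose
    relevant methods are all covered by controls are dropped from the digest.
    """
    ranked = []
    for exposure, entry in cel.items():
        uncovered = entry["methods"] - entry["controlled"]
        agents = sorted(a for a, methods in mol.items() if methods & uncovered)
        if agents:
            ranked.append((exposure, sum(tal[a] for a in agents), agents))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for exposure, score, agents in rank_exposures(TAL, MOL, CEL):
        print(f"{exposure:24} score={score} agents={', '.join(agents)}")
```

Re-running the function after editing any of the three dictionaries shows how the digest shifts when agents, methods or controls change.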

A main benefit of TARA is that the threat agent library and the methods and objectives library can be easily used within other risk-assessment methodologies, especially if there is a need to standardize on common threat agents and corresponding methods. TARA appears to be a good tool for identifying, predicting and prioritizing threats against your infrastructure and can be used to create common libraries that can be shared among different groups.

The framework focuses on threats rather than assets, concentrating more or less on what bad things can happen. This is both good and bad, because by focusing on threats rather than asset value, an assessor may miss the mark in identifying true infrastructure risks. It also seems to make the assumption that the only way to view risk is from the perspective of 'What's the worst thing that could happen?' A drawback of TARA is that it only addresses the likelihood of threat events and doesn't take into account the risk's impact. Another drawback of the framework is that it's new and untested. It is not very common and is not widely used as a single risk management methodology, but usually in conjunction with other frameworks.

TARA also appears to be yet another qualitative methodology rather than one that can be used for quantitative analysis.

1 Response to "TARA (the Threat Agent Risk Assessment)"

  1. Matt Pascucci September 12, 2012 at 4:44 AM
    I've downloaded the Intel whitepaper, but I'd be curious as to how you went about creating lists like the TAL, CEL and MOL.
