What is CORA (Cyber Operational Readiness Assessment)?
In March 2024, Joint Force Headquarters Department of Defense Information Network (JFHQ-DODIN) officially launched its Cyber Operational Readiness Assessment (CORA) Program.
JFHQ-DoDIN is part of US Cyber Command (CYBERCOM) and is in charge of overseeing the day-to-day operations and defense of DoD networks around the world.
CORA replaces the Command Cyber Readiness Inspections (CCRIs) that the DoD has used for over ten years. JFHQ-DoDIN has introduced it as a more flexible and effective program for measuring cyber readiness. Previously, the inspection mindset was very focused on compliance; the CORA program aims to change this with a focus on operational resilience.
“CORA assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cyber security and defensive posture.”
Lt. Gen. Robert Skinner, commander of JFHQ-DODIN
CORA gives the DoD a critical approach to achieving operational readiness: reducing the attack surface of its cyber terrain and enhancing security measures where they matter most, ensuring continuity of operations. It's not just about reacting to threats but anticipating and neutralizing risk before operations are disrupted.
Its aim is to measure and deliver the foundational cybersecurity outcomes of:
- Hardening information systems
- Reducing attack surface of the cyber terrain
- Enhancing a more proactive defense
What's the difference between CCRI and CORA?
A Command Cyber Readiness Inspection (CCRI) was a formal inspection conducted by the US Department of Defense. It was a comprehensive look at the cyber security posture of a military installation in order to improve the security of the DoDIN with a pass/fail assessment.
Now the focus is on cyber security efforts for those systems that are mission-critical and also most at risk of attack. This reflects a mindset shift from tick-box compliance to operational resilience assessments, represented by the launch of the Cyber Operational Readiness Assessment (CORA) program.
The CORA program, which has replaced the CCRI, shifts the focus from compliance to operational readiness. CORA recognizes that not all parts of your network are the same. Some are more mission-critical than others, and the focus should be on assessing the right part of the network in the right way for mission success.
The CORA program will also consider risk factors when it chooses which DoD organizations to assess and when. This may result in some bases undergoing multiple CORAs within a single year, whereas others may go for a number of years without an assessment.
It also represents a mindset shift: misconfigurations and vulnerabilities are no longer all treated as equal in importance. Instead, the program focuses on the assets that are important to the mission, and where the risks to those assets lie.
The Role of CORA in DoD Cybersecurity
"The Cyber Operational Readiness Assessment helps strengthen the posture and resiliency of the Department of Defense Information Network (DoDIN) by supporting DoDIN Areas of Operation (DAO) commanders and directors in their efforts to harden their information systems, reduce the attack surface of their cyber terrain, and enhance a more proactive defense. These are the foundational cybersecurity principles measured by the CORA program."
The CORA program offers commanders and directors a clearer insight into their critical cyber landscape and security defense posture, giving them improved command and control and better decision-making.
With its focus on operational resilience, CORA will help support bases and missions to become more proactive in their defense against attacks. By hardening their critical networks, they will be ready when an attack comes, more resilient to it, and quicker to recover and strike back.

CORA and MITRE ATT&CK
The program focuses on three principles when deciding what and when to assess:
- Assessing the right things
- Assessing the right places
- Assessing for mission success
CORA emphasizes using risk-based metrics to guide assessments and remediation. These metrics are derived from threat intelligence and MITRE ATT&CK to determine an organization's risk exposure, and they ensure that assessments target the critical areas.
ATT&CK is a knowledge base of known tactics, techniques and procedures (TTPs) that are used by adversaries to attack networks and exploit vulnerabilities. Cyber defenders worldwide use it to protect their information systems and to hunt malicious actors.
CORA emphasizes the use of ATT&CK to assess and identify a DoD entity's vulnerability to TTPs that might allow an intruder to achieve initial access or conduct privilege escalation, lateral movement, and data exfiltration within the DoDIN.
Key Components of CORA
CORA assessments provide leaders with a point-in-time view of their high-priority and mission-critical cyber posture, including continuity planning, risk assessment, disaster recovery and incident response. CORA recognizes that not all parts of the network are the same and that some parts will be more mission-critical than others, and it is these that should be the focus of assessments.
This means CORA:
- Assesses current operational readiness, not tick-box compliance.
- Measures how vulnerable an organization is to current threats.
- Provides a point-in-time view of cyber posture and recommendations on how to improve operational resilience.
- Focuses on current threats, using MITRE ATT&CK and threat intelligence to derive key indicators of risk.
- Provides an agile assessment that adjusts as TTPs change.
- Allows scarce resources to be focused on fixing the critical issues that are vulnerable to real-world TTPs.
Key Indicators of Risk (KIOR) within CORA
A key component of the CORA program is a focus on the key indicators of risk. These are taken from threat intelligence and the MITRE ATT&CK framework. They are fed down from JFHQ-DoDIN and shared with teams conducting CORA assessments.
KIORs offer essential insights into the tactics, techniques, and procedures (TTPs) that could potentially be employed in an attack, highlighting activities that pose existential risks to an organization. Understanding where these risks lie enables remediation efforts to be directed at these vulnerable points, which actual threats may be targeting.
These KIORs will change over time as attack vectors change and different TTPs are employed.
How Nipper Resilience can support preparations for CORA
CORA places a strong importance on network devices, especially routers and firewalls, due to their significance in maintaining network security. They play a crucial role in protecting and segmenting information systems.
These devices must be securely configured, as any misconfigurations or vulnerabilities in these devices could leave networks and mission-critical segments open to attack. So, teams need to be aware of any configuration changes—whether planned or unauthorized—as these changes can introduce new risks. Given the complexity of modern network devices, DoD teams require automation tools that can accurately assess configurations for misconfigurations and vulnerabilities that jeopardize the mission.
Nipper Resilience
Titania's Nipper Resilience is designed to meet these needs, providing DoD teams with a robust solution to prepare for a CORA. Nipper Resilience assists teams in four key ways:
Initial Analysis:
Nipper Resilience can perform an initial analysis of all router, switch and firewall configurations, identifying any misconfigurations or vulnerabilities.
Remediation Workflows:
It can then inform remediation workflows, with actions prioritized based on MITRE ATT&CK TTPs and KIORs. This ensures that the most critical issues are addressed first.
Re-assessment:
After remediation efforts, Nipper Resilience can re-assess the devices to confirm that the fixes have been successful and that the devices are now secure.
Monitoring:
Nipper Resilience can continually monitor the network in near real time for any change, giving visibility of exposure to the attack vectors and KIORs that network defenders really care about on the mission-critical parts of their network.
By automating the assessment process, it reduces the time and resources required to evaluate the risk exposure of network infrastructure. This ensures that teams are better positioned to enhance the overall security posture of their networks.