High Value Targets (HVTs) are information systems, roles, third parties and data for which
unauthorized access, use, disclosure, disruption, modification, or destruction could cause a
significant impact to an organization’s ability to perform its mission or conduct business.
These systems may contain sensitive controls, configurations, instructions or data which is
then leveraged for critical information systems’ management, they may house unique
collections of secrets as well as be systems that perform defensive operations (such as
delivering protect, detect, investigate, respond capabilities).
HVTs can as well be referred to as transversal
technology supporting important business services (or an organization’s crown jewels),
which need to be identified and properly secured to better handle the environmental changes
caused by an advanced adversary.
Request a free copy of the High Value Target Methodology overview:
Current Cyber Resilience and Business Impact Analysis (BIA) industry best practices lack clear guidance on how organizations can identify the value that an advanced attacker places on possible targets, which defines the tactical reliance on the attack value chain from an architectural system standpoint.
By doing so, you can prioritize your security budget without over-investing in controls for some assets (Crown Jewels) and under-investing in others (HVTs).
The main purpose of an organization’s cyber resilience efforts is to implement best practices, strategies and techniques that would ensure survivability of essential functions during a coordinated, destructive cyberattack. This goal is achieved by making it costly and difficult for advanced adversaries to break into an organization’s environment, to maintain stealthy presence and hence strengthening the system-of-system’s ability to recover mission critical functions after adversity.
Once HVTs are identified, secured and continuously governed, an organization’s cyber resilience posture is significantly increased.
Read about the seven High Value Target design principles that underpin our work:
High Value Target allows you to focus defenses where they matter most. Definitions can be hard, but certain systems are highly targeted by threat actors because they perform functions critical to trust and are thus stepping-stones into everything else. The High Value Target methodology hones in on often overlooked but critical assets.
Once you identify the High Value Target you can:
Contingency plan, train and exercise for when things go wrong and increase readiness to adapt against imminent attacks based on predicted intelligence.
Develop resiliency reporting that measures performance with transparency, accuracy and precision.
"The High Value Target (HVT) methodology is exactly what organizations and their leaders need to be thinking about as they seek to defend themselves, their critical infrastructure and their business. It is no longer good enough – frankly it hasn’t been for a while – to try to defend everything.
As Alexander the Great said, “if you try to defend everything, you defend nothing!”.
Using HVTM thinking, you integrate your cyber defense assets and your overall architecture into a MITRE ATT&CK supported, cyber resilience posture with an immediately useful, quantifiable risk method across all of your cyber terrain.
This is the way we need to go and High Value Target will get you there!"
Former Assistant Director,
United States Cybersecurity and Infrastructure Security Agency (CISA)
Cyber Resilience is an outcome of Cyber Security and Operational Resilience and is defined as “the ability of an organization to transcend any stresses, failures, hazards and threats to its cyber resources within the organization and its ecosystem, such that the organization can confidently pursue its mission, enable its culture and maintain its desired way of operating” (WEF, 2022).
Cyber Resilience is an extension of Cyber Security and is defined as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources” (MITRE, 2018).
Cyber Resilience is grounded on NIST 800-160 and MITRE CREF (the most authoritative industry resources known nowadays).
Defining High Value Targets
Categories of HVTs
Critical infrastructure targets, an organization’s assets whose unavailability, exposure, modification or corruption would significantly disrupt an organization's mission;
Control plane targets, an organization’s assets which contain sensitive controls, configurations and instructions;
Cyber defense targets, an organization’s assets which provide protective, detective, investigative and responsive capabilities;
Informational value targets, an organization’s assets which contain significant value in the form of stored or transit data, otherwise referred to as crown jewels.
Stealthiness, the target could provide an adversary with the ability to bypass detection tools;
Internal prospecting, the target could provide an adversary visibility into the control plane;
External exposure, the asset could be exposed to an adversary due to its location in accessible zones for initial compromise, allows pivoting from non-trusted to trusted networks.
Stores secrets, the asset could provide an adversary access to stored secrets that can be stolen or abused;
Infiltrate comms, the asset could provide an adversary access to defender in-band or out-of-band communication tools;
Blindside defense, the asset could provide an adversary the ability to impair investigative capabilities and detective visibility to the defender.
Tamper prone, the asset functionalities could be weaponized by an adversary to support malicious actions such as confuse defense;
Inhibit restoration, the asset could provide an adversary the ability to permanently damage backup and restore capabilities;
Stores data, the asset could provide an adversary access to highly valuable or large amount of data;
Widespread presence, the assets’ pervasive implementation and capabilities could provide an attacker the means to dynamically establish a foothold within the environment.
NIST Special Publication 800-160 v2 and how High Value Target aligns to it
NIST Special Publication (SP) 800-160, Volume 2, focuses on cyber resiliency engineering—an emerging specialty systems engineering discipline applied in conjunction with systems security engineering and resilience engineering to develop survivable, trustworthy secure systems. Cyber resiliency engineering intends to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources. From a risk management perspective, cyber resiliency is intended to help reduce the mission, business, organizational, enterprise, or sector risk of depending on cyber resources.
Appendix E (E.5.1.1) – “A focus on critical assets (i.e., resources valued due to their importance to mission or business accomplishment) is central to contingency planning, continuity of operations planning, and operational resilience, as well as to safety analysis."
Focus on Common Critical Assets
Appendix E (E.5.1.1) – “Determining which properties or attributes make the asset critical (e.g., correctness, non-observability, availability) or high value (e.g., providing access to a set of critical system elements, providing information which could be used in further malicious cyber activities)”.
Understand the context
188.8.131.52 Identify the Operational Context - “Identify whether the system is or contains high value assets (HVAs)”.
3.2.3 Analyze the system – “Second, an adversarial perspective is applied to identify high value primary and secondary targets of APT actors”.
184.108.40.206 Represent the Adversary Perspective - “Depending on the scope of the analysis, these attack scenarios can be complemented by scenarios driven by adversary goals, scenarios targeting critical assets or high value assets, or scenarios that take advantage of sources of fragility.”
Cyber Resiliency considerations
Appendix F (SN-2.3) – “SN-2.3 Prioritize assets based on the adverse consequence of asset loss. an asset which initially appears to have low priority to stakeholders can be a high value target to an adversary”.
High Value Target is a concept to enable the cyber community to be more effective at defining our defensive strategies and approaches.
The Cyber Resilience Officer is accountable for the organization’s ability to manage cyber resilience and for implementing cyber-resilience goals. As such, the Cyber Resilience Officer should drive the need for ensuring the High Value Targets are properly identified, protected, assessed and governed.
The Cyber Resilience Officer should have regular Board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties.
The role should be formally defined and documented with clearly understood expectations and obligations.
The organization has clear mechanisms for providing the Cyber Resilience Officer ready access to each of the following: communication with the Board of Directors; empowerment over cyber-resilience strategy, management and enforcement actions; cyber-resilience expertise and executive training; the acquisition of personnel, financial and technology resources.
Read about our proposal for a new role for the industry called "Cyber Resilience Officer".
We are a research firm that specializes in designing methodologies aimed at significantly increasing an organization’s cyber resilience posture against sophisticated cyber threats. We are actively engaged in leading cybersecurity communities and collaborate with best-in-class peers such as MITRE, ISSA, FIRST, NIST, OASIS Open.