
The United Nations (UN) has developed a new cyber-attack assessment framework, building on and complementing existing models like the MITRE ATT&CK framework.
The new United Nations Institute for Disarmament Research (UNIDIR) Intrusion Path framework is designed to analyze both malicious and security activities in the ICT environment.
It aims to help UN member states and non-technical stakeholders better understand malicious IT activities, amid the use of “complex language” in the technical community.
It provides a “simplified” view of the different layers of the IT network where malicious activities take place, offering a means of making cyber diplomacy more inclusive and better informed.
“As malicious activities in the ICT environment increase and pose growing threats to international peace and stability, it is essential to equip policymakers, practitioners and other stakeholders with tools to understand, inform and act for a more transparent, stable and peaceful digital space. We hope that the UNIDIR Intrusion Path will contribute to this end,” the UN wrote.
The UNIDIR Intrusion Path model was used in a research project published in December 2024, which aimed at understanding how AI is changing the capabilities and behaviors of both perpetrators and defenders throughout the different layers of the intrusion path.
Visualizing the Network Perimeter
The framework incorporates three layers of analysis built around the concept of the network perimeter – outside the perimeter, on the perimeter and inside the perimeter. It provides a simplified summary of what both perpetrators and defenders can do in each layer of the model.
- Outside the perimeter encompasses all systems, networks and data sources that exist beyond an organization’s direct control, such as public websites and the dark web
- On the perimeter represents the boundary between an organization’s internal systems and the external world, incorporating security tools such as firewalls and intrusion detection systems
- Inside the perimeter is the internal, private part of an organization’s network, containing subnetworks and devices that hold sensitive data and operational systems
The framework sets out activities perpetrators can take to breach system defenses across these layers, and how defenders can monitor and deter such intrusions.
The UNIDIR Intrusion Path complements two well-established tools for analyzing malicious ICT activities – the MITRE ATT&CK framework and the Cyber Kill Chain.
The MITRE ATT&CK framework was created by the MITRE Corporation and released in 2013. It categorizes the tactics, techniques and procedures used by perpetrators across different stages of an intrusion.
The Cyber Kill Chain, developed by Lockheed Martin in 2011, is a model that outlines different stages of a cyber-attack, from initial reconnaissance to data exfiltration.