Using CARVER to identify risks and vulnerabilities

CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It’s a system used by Special Forces to assess the targets and see which one needs to be addressed first. Let me write down what each component means in terms of information security:

Criticality: The target value. How vital is this to the overall organization? A target is critical when its compromise or destruction (failure to provide any of the CIA triad components) has a highly significant inpact in the overall organization.

Accessibility: How easily can I reach the target? What are the defenses? Do I need an insider? Is the target computer off the internet?

Recuperability: How long will it take for the organization to replace, repair, or bypass the destruction or damage caused to the target? Once the compromise was found, how long will it take for the system to recuperate from it.

Vulnerability: What is the degree of knowledge needed to exploit the target? Can I use known exploits or should I invest in new, possible 0day exploits?

Effect: What’s the impact of the attack on the organization? Similar to the first point (Criticality) this point should also analyse possible reactions from the organization.

Recognizability: Can I identify the target as such? How easy is to recognize that a specific system / network / device is the target and not a security countermeasure.

How to use the CARVER system – enter the CARVER Matrix. Wikipedia states:

… employing the Carver matrix can help identify targets that are vulnerable to attack and for defensive purposes the Carver matrix can indicate “High Risk” targets that require additional security assets allotted to them to prevent the degradation of said assets via enemy assault or terrorist action.

This is accurate also in the world of information security. How do we use the CARVER Matrix? Write down the targets in a table, on top of that table write the components of CARVER, then rank each target on each component with values from 1 to 5, 5 being the highest priority or, in our case, the highest value:

Target C A R V E R Total
SQL Server 3 2 4 2 5 5 21
Mail Server 5 5 2 3 3 5 23
CEO’s workstation 5 1 2 5 5 1 11


This example shows that in our fictitious network the most vulnerable part is the Mail Server (total score 23). Why? Criticality, in this organization the mail server is vital to daily work, it gets a 5. Accessibility, the mail server is easily accessible from the internet; yes, there are some defences but it’s trivial, the score is 5. Recuperability, because the organization’s IT personel know that the mail server might be vulnerable they make a backup every day so in the event of something going wrong there will be some downtime and some messages might be lost but the backup will be up and running soon. the score then is 2. Vulnerability, the attacker doesn’t have to be an expert or have a high degree of knowledge to attack the mail server, however some degree of knowledge and proficiency is required (a script kiddy cannot do this) so it gets a 3. Effect, we know the mail is critical, but what will happen if it gets compromised? The organization will be down for some time and that’s bad, however since a backup is in place no one will panic. The score is 3. Finally, recognizability. It is trivial to recognize a mail server as such so it gets a 5.

Beyond the fact that the email server’s score is 23, the matrix shows that since it’s a critical part of the organization (C = 5) and the knowledge required to penetrate this server is of medium to low (V = 3), this resource should be secured first.

Try running several analyses on different assets in a network. You’ll see patterns begin to appear and it’ll be clear what parts of the networks are the most vulnerable.

For more info, check here and here (PDF).