search menu icon-carat-right cmu-wordmark

Situational Analysis, Software Architecture, Insider Threat, Threat Modeling, and Honeynets: The Latest Research from the SEI

Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, white papers, webinars, and podcasts. These publications highlight the latest work of SEI technologists in military situational analysis, software architecture, insider threat, honeynets, and threat modeling. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.

Applying the Goal-Question-Indicator-Metric (GQIM) Method to Perform Military Situational Analysis
By Douglas Gray

This report describes how to use the goal-question-indicator-metric method in tandem with the military METT-TC method (mission, enemy, time, terrain, troops available, and civil-military considerations).

When developing situational awareness in support of military operations, the U.S. armed forces use a mnemonic, or memory aide, to enable planners at all echelons to provide a comprehensive analysis of the situation. The mnemonic is METT-TC, which stands for mission, enemy, time, terrain, troops available, and civil-military considerations. By coupling METT-TC with the goal-question-indicator-metric (GQIM) method for goal-driven measurement, military planners can develop operational resilience metrics that are mission oriented and take advantage of situational awareness. This technical note describes how to use the two methods in tandem.
Download a PDF of the Report

An Insider Threat Indicator Ontology
By Daniel L. Costa, Michael J. Albrethsen, Matthew L. Collins, Samuel J. Perl, George Silowash, Derrick Spooner

This report presents an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated.

The insider threat community currently lacks a standardized method of expression for indicators of potential malicious insider activity. We believe that communicating potential indicators of malicious insider activity in a consistent and commonly accepted language will allow insider threat programs to implement more effective controls through an increase in collaboration and information sharing with other insider threat teams. In this report, we present an ontology for insider threat indicators. We make the case for using an ontology to fill the stated gap in the insider threat community. We also describe the semi-automated, data-driven development of the ontology, as well as the process by which the ontology was validated. In the appendices, we provide the ontology's user's manual and technical specification.

Download a PDF of the Report

What Makes a Good Software Architect?
By John Klein, Andrew Kotov, Ipek Ozkaya, and Michael Keeling

For two decades, the SEI has been instrumental in the creation and development of the field of software engineering known as software architecture. An architect whose skills and capabilities match a project's needs is more likely to be successful. So what are those skills?

In this webinar, SEI researchers and an industry colleague discussed in two talks What Makes a Good Software Architect?

  • John Klein and Andrew Kotov on Skills and Knowledge of Successful Architects
  • Ipek Ozkaya and Michael Keeling on Architects Design Trade-off Toolbox: Balancing Agility and Technical Debt

What viewers will learn:

  • How the technical skills needed by a software architect change throughout a system's lifecycle and how this influences the architect's success
  • How architects should be the champions of product quality while making the right (and timely) design trade-offs

View the Webinar

Using Honeynets and the Diamond Model for ICS Threat Analysis
By John Kotheimer, Kyle O'Meara, Deana Shick

The use of a honeynet--a network of seemingly vulnerable machines designed to lure attackers--is an established technique for collecting threat intelligence across various network environments. As a result, organizations have begun to use this approach to protect networked industrial control systems (ICS). Organizations hope to observe attempts to compromise their systems in an isolated environment, enabling them to deploy mitigations and harden their networks against emerging threats.

This report presents an approach to analyzing approximately 16 gigabytes of full packet capture data collected from an ICS honeynet. The data is analyzed in the context of other open source information about known threats to ICS to understand how adversaries interacted with the network and the types of attacks they attempted. To provide a more rigorous approach to characterizing these threat actors, the study employed the well-known Diamond Model of Intrusion Analysis. It applied this model to define and categorize several groups of potential threat actors observed within the data. The study also evaluated the effectiveness of honeynets as a tool for ICS threat intelligence. This report includes several recommendations for their deployment and emphasizes active interaction with external hosts to generate higher quality data.
Download the Report

Threat Modeling and the Internet of Things
By Art Manion, Allen D. Householder

Threat modeling, which has been popularized by Microsoft in the last decade, provides vulnerability analysts a means to analyze a system and identify various attack surfaces and use that knowledge to bolster a system against vulnerabilities. In this podcast, Art Manion and Allen Householder of CERT's vulnerability analysis team, talk about threat modeling and its use in improving security of the Internet of Things.

View the Podcast

Additional Resources

For the latest publications on SEI research, please visit

Get updates on our latest work.

Each week, our researchers write about the latest in software engineering, cybersecurity and artificial intelligence. Sign up to get the latest post sent to your inbox the day it's published.

Subscribe Get our RSS feed