Protect Your Assets

CARVER Analysis – Are you defending the right things?

ChrisCalvert ‎05-14-2014 12:56 PM - edited ‎07-07-2015 11:16 AM

The French Resistance in WWII blew up the curved portions of rail lines because they used CARVER analysis to figure out that this was the best way to delay a response to D-Day. The concept was developed by the OSS during WWII to select targets for irregular forces. Yes, that looks like too much History Channel... guilty :-)


This simple acronym, CARVER, can be developed into a risk matrix to rank areas for enhanced defenses. Conversely, you can also understand an actor's motivation by the targets they go after. Just think if we could tell information, identity, and card thieves apart, or tell a nation state from a competitor from a hacktivist. There is no better intelligence than understanding an attacker's motives and thus what they are likely to do next. This can really help us think like a bad guy.


You are also analyzing your risk from a more adversary-centric perspective so you can defend what is likely to be attacked. Understanding a bad guy's motives can even help you lure them into a honeypot or into stealing tagged disinformation. If you list the technology subcomponents of your major business applications and then score them across CARVER (and from the point of view of different malicious actors), you have a useful risk matrix (a simplified example is shown above and an example ranking matrix is shown below).


A recent conversation at our customer advisory board refined the idea with a good example. A majority of attacks occur against what is monetizable (effect indicates a card thief) rather than against critical business information (criticality is potentially a competitor or information broker). The CARVER matrix is open to interpretation for any new domain; below, I am proposing some ways to define each area, some of them from both perspectives: attacker and defender.


Criticality – What is the value of this asset to core business?

  • Impact on business operations
  • Impact on competitiveness
  • Impact on consumer confidence
  • Impact on stock price

Accessibility – What network and access protections are in place?

  • Buried in a protected enclave
  • Accessible from the user environment 
  • DMZ or external service
  • Flat or segmented network architecture
  • Public, B2B or private cloud

Recuperability – How difficult would it be to recover from an attack?

  • Cloud or dedicated hardware
  • Level of redundancy
  • Total cost of recovery (HW/SW/Labor/Svcs/Opportunity costs)

Vulnerability – How vulnerable to common attacks is this asset?

  • Hardened, managed, personal, mobile
  • Application and Operating Systems

Effect – What would be the impact of a successful attack?

  • Easily monetizable (e.g. loss of credit card numbers)
  • Increased or unfair competition
  • Company ending
  • Danger to life or limb

Recognizability – How easy is it to locate and recognize this asset?

  • Easy text patterns to match (searchable)
  • Number of users with access (visible)
  • Network broadcast or un-encrypted traffic
  • Detectable in progress or after the fact (noticeable in the underground)
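
The risk matrix described above, as an added sketch that is not part of the original post: each subcomponent is scored on the six CARVER criteria, weighted per actor, and ranked, and the same matrix is read in reverse to suggest which actor a targeted asset points to. The 1 to 5 scale, the asset names, their scores, and the actor weights are all constructed assumptions.

```python
# CARVER criteria in acronym order; scores are 1 (low) to 5 (high), where a
# higher score always means "more attractive to an attacker" (assumed scale).
CRITERIA = ("criticality", "accessibility", "recuperability",
            "vulnerability", "effect", "recognizability")

# Constructed sample subcomponents of one business application.
ASSETS = {
    "payment-db":     (3, 2, 3, 2, 5, 4),
    "design-repo":    (5, 2, 4, 2, 2, 2),
    "public-web-dmz": (2, 5, 1, 3, 1, 5),
}

# Assumed per-actor weights: a card thief cares most about Effect
# (monetizable data), a competitor about Criticality.
ACTOR_WEIGHTS = {
    "card_thief": (1, 2, 1, 2, 4, 2),
    "competitor": (4, 2, 1, 2, 1, 1),
    "hacktivist": (1, 3, 1, 2, 1, 4),
}

def score(asset_scores, weights):
    """Weighted CARVER total for one asset from one actor's point of view."""
    if len(asset_scores) != len(CRITERIA) or len(weights) != len(CRITERIA):
        raise ValueError("need one value per CARVER criterion")
    if not all(1 <= s <= 5 for s in asset_scores):
        raise ValueError("scores must be in 1..5")
    return sum(s * w for s, w in zip(asset_scores, weights))

def rank(actor, assets=ASSETS):
    """Assets sorted from most to least attractive for the given actor."""
    w = ACTOR_WEIGHTS[actor]
    return sorted(assets, key=lambda name: score(assets[name], w), reverse=True)

def matrix(assets=ASSETS):
    """Full risk matrix: {asset: {actor: weighted score}}."""
    return {a: {actor: score(s, w) for actor, w in ACTOR_WEIGHTS.items()}
            for a, s in assets.items()}

def likely_actors(targeted, assets=ASSETS):
    """Actors whose top-ranked asset is the one that was actually targeted."""
    return [actor for actor in ACTOR_WEIGHTS if rank(actor, assets)[0] == targeted]

if __name__ == "__main__":
    for asset, row in matrix().items():
        print(f"{asset:15} {row}")
    print("defend first against card thieves:", rank("card_thief"))
```
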

Using CARVER analysis helps you defend what an attacker is most likely to attack. This means you can much more effectively focus your efforts and be prepared to defend yourself when they do attack. Are you protecting what the bad guys are really after?




For more information on how HP’s enterprise security products can help you know your enterprise to defend your critical information, visit
