TRANSCRIPT
WELCOME
CyberSecurity and Global Affairs Workshop
Enhancing Situational Awareness Through Cyber Intelligence
Henry Horton, CISM, Partner, CyberSecurity
The Challenge
Cyber Security represents an evolution of security: computer security in the 1970s, IT security in the 1980s, information assurance (IA) in the 1990s, and cyber security in the 2000s. The current era is characterized by advances in state-sponsored information warfare, a focus on intent (criminal activity) and the need for situational awareness.
An organization's Information Technology (IT) supports the mission or business of the enterprise. Information Assurance (IA: confidentiality, integrity, availability) enables the IT to carry out this task. Cyber Security extends IA to all things digital and their data connected through cyberspace. Security is a function of business.
Cyberspace is the new battle space, alongside air, land, sea and space.
Cyber Superiority
Cyber operations have historically been built around traditional threat analysis, malware identification, monitoring, engineering and response. These mechanisms only allow analysts to perform reactive functions and forensics, with some predictive analysis based on the state of the art in network behavior analysis and anomaly detection; this represents a "post-launch" attack analysis or malware detection capability.
The concept of Cyber Superiority reflects the need of a nation to exercise absolute control and authority over the cyberspace within its territory or jurisdiction.
Dominance in cyberspace requires maintaining a strength of readiness that prevents potential adversaries from interfering. This drives the transformation of current information operations (IO), information warfare (IW) and information assurance (IA) strategies to include political assertions and cyber intelligence, in order to maintain national cyber sovereignty and superiority.
Cyber Intelligence (CYINT)
The ongoing need for situational awareness of internal and external security threats is critical for understanding what is challenging an enterprise, so that the organization can be protected.
CISOs want early warning of 'what's coming', the ability 'to see over the horizon', so that defenses can be tweaked and tuned.
Cyber intelligence can facilitate information warfare, allow for refinement of defenses, shorten sense-and-respond times, provide data for enhanced metrics, and save critical funds and staffing compared with "fighting through" an incident and cleaning up afterwards.
CYINT
As with any battle space (air, land, sea, space), intelligence is critical to predict, provide forewarning, and take proactive offensive measures and defensive countermeasures to deter, detect, delay, defend and defeat threats, in order to mitigate risk to friendly forces or the organization.
CYINT moves the questions "upstream" of any potential disruptive incident, so that HUMINT, SIGINT, ELINT, MASINT and OSINT can be properly tasked for collection, closer examination, confirmation and analysis. CYINT must include an "Order of Battle" that leverages traditional analysis of indicators: signatures in malware design, the software development organizations involved, the academic institutions and instructional designs where software engineers are trained, exploitation of the knowledge base, biographic analysis, court case analysis, patent filings, technical writings and open source writings.
Understanding the intent of actors, their behaviors, their technical training, their logistics and their "delivery" technologies and methods enhances situational awareness and makes the organization more proactive and predictive.
CYINT: So What Do We Know
We know the state of the art and what information that provides
We know how hackers attack
We know some behaviors of malware
We can rapidly know the impact of malware
But what is missing?
Indicators
Source: domain, state-sponsored, individual criminal
Intent
Order of Battle: ISR construct
Configuration of malware
When will the next attack occur
Where will the next attack occur
Who is the target
Impact and outcome metrics
Who is the perpetrator
CYINT Improves Capabilities
[Figure: capability maturity chart plotting Level of Confidence (vertical axis) against Response Time (horizontal axis). Six stages are labelled A to F, with "Present Day" marked among the early stages and "Decision Advantage" at the far end. The stages, in order:]
Reactive & Manual: people-based, following doctrine and doing their best to "put out fires"
Tools-based: applying tools and technologies piecemeal to assist people in reacting faster
Integrated: loosely integrated, with focus on interoperability and standards-based data exchange
Strategic: integrated, with focus on policy management and consistency across the enterprise
Dynamic IA: predictive and agile; the enterprise instantiates policy, illuminates events and helps the operators find, fix and target for response
CYINT: advance detection of inbound activity and malware destined for an organization, to provide for early warning
CYINT Answers
[Figure: the same capability maturity chart (Level of Confidence against Response Time; stages Reactive & Manual, Tools-based, Integrated, Strategic, Dynamic IA and CYINT, with Present Day marked), annotated with the questions CYINT answers:]
Situational awareness at the boundary and back into the organization
Over the horizon: where is the attacking server?
Who is attacking me?
One Model
Learning from the anti-virus community, we know that software/code has signatures. We know that programmers are taught either in academic settings or in training centers; in some cases, like protégés, some will adopt the signatures of their mentors.
By moving upstream into the cloud we can detect the malware, capturing the code/script and conducting forensics to understand its behaviors and signatures.
We already have server and IP source information, but the intent is to get as specific as we can, so as to determine whether the source is state sponsored or an individual.
Need to develop an indicators list for I&W (indications and warning). Develop and overlay with an Intelligence/Surveillance/Reconnaissance (ISR) CONOPS the analysis of code, geographic source, signatures, etc., so as to task HUMINT, MASINT, SIGINT, etc. against potential source targets for IW activities, and to tweak for defense or attack.
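The indicators list and ISR tasking described above can be made concrete as a small scoring routine. The following Python is an added illustration, not code from the workshop or its presenters: it groups analyst-rated indicators about one observed malware sample into the evidence kinds the slides mention (code signatures, server/IP source, open-source research, observed behavior), combines them into a level of confidence for a source hypothesis, and lists which collection disciplines should be tasked to close the remaining gaps. The category names, weights, thresholds and the discipline-to-category tasking table are all assumptions chosen for the example; the sample indicators are constructed, not real data.

```python
"""Toy indications-and-warning (I&W) scorer for a CYINT indicator list.

Added illustration, not part of the workshop slides. Weights, thresholds and
the tasking table are assumptions, not a published standard.
"""
import math
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    CODE_SIGNATURE = "code signature"    # coding style, packer, toolchain traits
    INFRASTRUCTURE = "infrastructure"    # server, IP and domain source data
    OPEN_SOURCE = "open source"          # papers, patents, court records, writings
    BEHAVIOR = "behavior"                # runtime behavior seen in forensics


# Assumed mapping: which disciplines can confirm or refute each category.
TASKING = {
    Category.CODE_SIGNATURE: ["OSINT", "HUMINT"],
    Category.INFRASTRUCTURE: ["SIGINT"],
    Category.OPEN_SOURCE: ["OSINT"],
    Category.BEHAVIOR: ["MASINT", "SIGINT"],
}

CORROBORATION_THRESHOLD = 0.5  # assumed: a category counts once it reaches this


@dataclass(frozen=True)
class Indicator:
    category: Category
    description: str
    weight: float  # analyst-assigned reliability in [0, 1]


@dataclass(frozen=True)
class Assessment:
    hypothesis: str
    score: float          # mean category score over all categories
    confidence: str       # "low", "medium" or "high"
    corroborating: tuple  # category names at or above the threshold
    tasking: tuple        # disciplines to task for the uncovered categories


def category_scores(indicators):
    """Combine indicators within a category as independent evidence,
    1 - prod(1 - w), so piling up weak hints in one category saturates
    instead of adding without bound."""
    by_cat = {}
    for ind in indicators:
        if not 0.0 <= ind.weight <= 1.0:
            raise ValueError(f"weight out of range: {ind}")
        by_cat.setdefault(ind.category, []).append(ind.weight)
    return {c: 1.0 - math.prod(1.0 - w for w in ws) for c, ws in by_cat.items()}


def assess(hypothesis, indicators):
    scores = category_scores(indicators)
    corroborating = sorted(
        (c for c, s in scores.items() if s >= CORROBORATION_THRESHOLD),
        key=lambda c: c.value,
    )
    # Average over every category, so categories with no evidence pull the score down.
    score = sum(scores.values()) / len(Category)
    # Confidence rises only when independent categories agree, never from one
    # strong category alone (an analytic rule assumed for this example).
    if len(corroborating) >= 3 and score >= 0.6:
        confidence = "high"
    elif len(corroborating) >= 2:
        confidence = "medium"
    else:
        confidence = "low"
    gaps = [c for c in Category if c not in corroborating]
    tasking = sorted({d for c in gaps for d in TASKING[c]})
    return Assessment(hypothesis, score, confidence,
                      tuple(c.value for c in corroborating), tuple(tasking))


def example_assessment():
    """Constructed indicators for one hypothetical sample; not real data."""
    indicators = [
        Indicator(Category.CODE_SIGNATURE, "string-obfuscation routine matches earlier samples", 0.6),
        Indicator(Category.CODE_SIGNATURE, "same compiler and packer combination as earlier samples", 0.5),
        Indicator(Category.INFRASTRUCTURE, "hosting provider previously used by the same actor", 0.4),
        Indicator(Category.BEHAVIOR, "beacon timing and jitter match earlier samples", 0.7),
    ]
    return assess("sample belongs to a known state-sponsored toolset", indicators)


if __name__ == "__main__":
    a = example_assessment()
    print(a.confidence, round(a.score, 3), a.corroborating, a.tasking)
```

With the constructed indicators, two categories (behavior and code signature) corroborate the hypothesis, the infrastructure hint is too weak to count, and the open-source category is empty, so the result is medium confidence with OSINT and SIGINT tasked next. The point of the structure is that a pile of hints in one category cannot by itself raise confidence; only independent categories agreeing can, which mirrors the slides' call to confirm code-derived indicators through other ISR sources.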
Idea
Conducting cyber warfare needs to be done in real time, similar to multi-seat military aircraft or tank operations: it is hard to determine who the operator is when all the parts make up the whole during the mission. This requires collaboration that often blurs the lines between CYINT analyst and operator skills; however, organizational charters will delineate roles in support of the mission. Collaboration will require real-time connections and shared common operational views.
Threats are envisioned to be categorized (e.g. nation/state, non-state, military, hackers, etc.). Analysts will seek to determine, in advance, who will attack, why, when, where and how, using a range of skills focused on specific threats. These skills are broken into basic threat assessment (who, why, when, where) and technical assessment (how), orchestrated around effective intelligence cycles applied against standard ISR sources. The technical assessment sources come from monitoring cyber activity directly on the network as well as through SIGINT, ELINT and MASINT.
Cyber Security Strategic Framework: Creating a Roadmap (EXAMPLE)
[Figure: layered framework, top to bottom: Vision, Mission, Goals, Objectives, Strategies, Action Plans.]
Mission: provide for enhanced situational awareness; assure our infrastructures, systems and data are secure from exploitation, theft and disaster
Goal swimlanes:
Protect Information: Human Capital
Defend Enterprise Systems
Enhance Situational Awareness / Sense
Develop Cyber Intelligence: Collection and Analysis
Enhance Response
Protect and Defend Networks
Specific Steps
Create Cyber Security Policy and Program
Develop Objectives and Strategies in each Swimlane
Coordinate with LE, Mil, Industry to develop Indicators
Overlay ISR constructs
Stand up Analytical Cell; Seek collaborative agreements from monitoring sources, industry and governments
Configure Distribution of Intelligence
Integrate and Enhance Situational Awareness Capabilities to look upstream and over the horizon
Questions
Henry Horton, CISM, Public Service - NA Security and Cyber Security Initiative, 703.675.9498
Alastair MacWillson, Global Managing Director, Security, [email protected], +44 207 844 3599
Information Assurance Program
[Figure: three-stage roadmap]
Current IT Program: Where You Are!
Information Assurance Program: Where You Want To Be!
Recommendations: How To Get There!
One Model
[Figure: analysis model with a legend of three views (Mission View, Adversary View, Friendly View).]
Process steps: Understand, Organize, Synthesize, Provide Assessment, Develop Friendly Course of Action
Elements: Courses of Action, Avenues of Approach, Adversary Strategy, Critical Capabilities, Assessment of Adversary, Adversary Capabilities, Ways and Means