Several years ago, I wrote this white paper with my mentor MG Dave Scott. We wrote it as an early attempt to explain to I.T. professionals how to take the tactics, techniques, and procedures of the Land, Sea, and Air Domains of warfare and apply them to the Cyber Domain of war.
I was recently browsing LinkedIn and saw my friends at Gradient Cyber compare Cyber Security to Navy SEALs. Since SEALs fight in Land, Sea, and Air, the first three domains of warfare, I thought I would post something we never widely distributed in the hope it might help I.T. professionals in some small way fight in the 5th Domain of Warfare.
While I personally (and with incredible bias) believe securing your data using a distributed database technology will positively reduce the number of data breaches at quite a large scale and be a disruptive flip of "conventional" cyber thinking, these fundamentals will still hold. So much so that we have Cyber Security Companies building marketplaces today on our Information Technology Sector Exchange and building strategies for minting stablecoins as we speak.
I hope you enjoy both the doctrinal and operational tactics in the document. I recognize there are many ways you can accomplish a secure network. I remember my Ranger Instructor in Dahlonega (winter class) asking me why I was selected as the RTO (the guy who carried the radio) for every patrol. I said something about my platoon liking my tactics. He promptly replied:
While I don't profess this to be doctrinal truth, here are some tactics you might want to consider using in the 5th domain of warfare.
The eight fundamentals of cybersecurity - the building blocks of a successful defense.
We are engaged in a global Cyber War. Cybersecurity Ventures puts its cost in the range of 10 trillion dollars. The challenge is the sheer onslaught of attacking forces coming at your frontline defense at the speed of light while conducting asymmetric warfare against your personnel and your supply chain. With A.I. and bots automating the attacks, and attack kits readily available for purchase on the Dark Web, the noise level on your cyber systems is unmanageable.
The signal-to-noise ratio in new Cyber Security technology makes it difficult for I.T. professionals and their C-Suite to judge the credibility of all the new claims. Unfortunately, many professional services organizations that sell security still rely on outdated detection technologies and vague, boutique language that confuses prospective customers. As a result, an organization may be following practices that extend incident response times, and I.T. departments fall behind the speed and diversity of today's evolving threat landscape.
Using traditional detection and alert-generating appliances is not enough to combat threat actors who can bypass outdated detection measures. In recent surveys of attackers, 66% said they use never-before-seen techniques every two months or less. The longer an attacker sits in your network unnoticed, the more time they have to steal from you: 77% of attackers say their presence is rarely or never detected, and 54% say they can complete an attack within 15 hours.
Organizations need to tackle this problem head-on by going back to basics and following simple fundamentals that bring a team effort to Cyber Security and augment what they already own.
Adopting concepts from the 1st, 2nd, and 3rd Domains of warfare offers CIOs and CXOs technology and strategy fundamentals that aren't new. They are proven. These fundamentals come from the land, sea, and air domains of warfare, and the 5th domain, Cyber, benefits from them just as the other domains do.
There are eight fundamentals your organization can follow to close gaps in your network before a threat can exploit them. By following them, organizations elevate their cyber situational awareness to a level that lets them detect and respond to threats proactively, and finally gives them a more unified approach to Cyber Security.
The ability to track and maintain an inventory of the hardware and software assets on your network is an operational imperative for your Cyber Defense. It tells you what your adversary will attack and gives valuable insight into your potential vulnerabilities: the National Vulnerability Database (NVD) holds 20 years of Common Vulnerabilities and Exposures (CVE) records, and you can only match those records against assets you know you have. Understanding the assets you own through their entire lifecycle also makes financial sense. Not only will you save money by reclaiming unused licenses, it also helps you manage vendors and contracts and even forecast budget allocations in the I.T. budget. Knowing your hardware and software lets I.T. staff establish the level of risk in your network from a pattern of life: what a device or application normally talks to, how often it is patched, and whether its vendor still supports it. That inherent pattern of life helps define the risk level that asset adds to your network.
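As an added example (not code from the original paper), the following Python matches an asset inventory against a vulnerability feed and ranks hosts by exposure, weighting end-of-life assets (no vendor fix will ever come) and assets on the exposed segment more heavily. The inventory, the feed, the vendor and product names, the identifiers (SAMPLE-…) and the scoring weights are all constructed for illustration; the vendor/product/version-range shape of the feed mirrors the fields a CVE record carries, but nothing here talks to the real NVD.

```python
"""Added example: rank inventory assets by vulnerability exposure.
All data below is CONSTRUCTED sample data, not real products or CVEs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: str
    segment: str
    end_of_life: bool = False   # vendor no longer ships fixes


@dataclass(frozen=True)
class Vuln:
    ident: str            # constructed placeholder, not a real CVE id
    vendor: str
    product: str
    version_start: str    # first affected version (inclusive)
    version_end: str      # first fixed version (exclusive)
    cvss: float


def parse_version(v):
    """'2.4.10' -> (2, 4, 10). Non-numeric suffixes are dropped ('3.1.0-beta' -> (3, 1, 0))."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def affected(asset, vuln):
    """True when vendor/product match and the asset version falls in [start, end)."""
    if (asset.vendor.lower(), asset.product.lower()) != (vuln.vendor.lower(), vuln.product.lower()):
        return False
    v = parse_version(asset.version)
    return parse_version(vuln.version_start) <= v < parse_version(vuln.version_end)


def exposure_report(assets, feed):
    """Return {host: (risk_score, [vuln ids])}, highest risk first.
    Score = sum of CVSS of matching vulns, doubled for end-of-life assets
    and doubled again for assets in the 'dmz' segment (assumed weights)."""
    report = {}
    for a in assets:
        hits = [v for v in feed if affected(a, v)]
        score = sum(v.cvss for v in hits)
        if a.end_of_life:
            score *= 2
        if a.segment == "dmz":
            score *= 2
        report[a.host] = (round(score, 1), sorted(v.ident for v in hits))
    return dict(sorted(report.items(), key=lambda kv: kv[1][0], reverse=True))


# Constructed inventory and feed.
INVENTORY = [
    Asset("web-01", "ExampleCorp", "WebServer", "2.4.49", "dmz"),
    Asset("web-02", "ExampleCorp", "WebServer", "2.4.52", "dmz"),
    Asset("hr-app", "ExampleCorp", "Payroll", "3.1.0", "internal", end_of_life=True),
    Asset("dc-01", "ExampleCorp", "Directory", "2019", "internal"),
]
FEED = [
    Vuln("SAMPLE-0001", "ExampleCorp", "WebServer", "2.4.49", "2.4.51", 9.8),
    Vuln("SAMPLE-0002", "ExampleCorp", "Payroll", "3.0.0", "3.2.0", 7.5),
    Vuln("SAMPLE-0003", "ExampleCorp", "Payroll", "2.0.0", "3.1.0", 5.3),
]

if __name__ == "__main__":
    for host, (score, ids) in exposure_report(INVENTORY, FEED).items():
        print(f"{host:8} risk={score:5} {ids}")
```

The point of the weighting is the one the paragraph makes: the same CVSS score means different things on a supported internal host and on an unsupported host facing the Internet, and you can only make that distinction if the inventory carries lifecycle and segment data alongside the version string.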
Knowing your network segments and the routes and avenues of approach available to an attacker lets you build a better plan. Cyber terrain spans the cyberspace domain, and network segmentation is crucial to understanding it. Key terrain in cyberspace is the counterpart of the high ground in Land Warfare. Defenders need to know what is logically assembled within each network segment to identify their key terrain: the areas that afford a marked advantage to whichever side, attacker or defender, seizes them.
During a cyber operation, the analysis of key terrain shapes the strategy and tactics of both offense and defense. Cyber key terrain usually manifests logically rather than physically. The router that connects a network to its Internet service provider (ISP) is one example of key cyber terrain; a domain controller or the management segment that administers everything else are others. Identifying these terrain features within each operating network segment lets defenders plan effectively, adjust how they use existing capabilities, and surface gaps. The concept of Key Cyber Terrain helps defenders place all activity into context. Once identified, group the terrain into Engagement Areas with defined rules of engagement.
Four recommended Engagement Areas follow, after a short explanation of what Engagement Areas give you:
Building Engagement Areas helps I.T. professionals interconnect the systems an organization already owns and define the rules for fusing them into a better threat picture and an automated response. It delivers a unified view of the business ecosystem, defeats threat actors, and strengthens physical and logical boundaries. It unifies management from the ground up, starting with preemptive protection of endpoints by neutralizing malware and ransomware.
Building Engagement Areas into your strategy helps you build a hammer-and-anvil defense. The Hammer and Anvil is one of the oldest, most effective, and easiest to understand tactics for executing a defense. It was used in several battles fought by the ancient Greeks under Alexander the Great and then by the Romans. The maneuver is simple: a holding force (the anvil) fixes the enemy in place while a striking force (the hammer) closes from another direction, sandwiching the enemy between them.
Defining Engagement Areas, each with its own rules of engagement, interconnects all available resources inside and outside the network to erode and attrit a cyber attacker's strength. They help orchestrate big data sets to automate a more proactive response. Intelligence preparation, orchestration, disruption, massing all available resources, and flexibility characterize Engagement Areas that are used well.
Engagement Areas let I.T. professionals architect a disruptive and aggressive defense that combines direct and indirect actions, including deception, with the ability to block malware and ransomware, rendering the attacker ineffective before they reach their objective. Establishing Engagement Areas gets the most out of the capabilities an organization already owns.
Engagement Area 1: ECOSYSTEM RISK - Conduct preemptive analytics on your business ecosystem and turn your vendors, customers, and business relationships into an early warning sensor. Dark Web analysis, penetration testing, and scoring both known networks and hidden networks let your organization block unwanted traffic before a hacker can exploit those relationships.
Engagement Area 2: PERIMETER RISK - Using machine learning, orchestrated with what was learned from ecosystem risk, the potential attacker's ability to access your network is blocked preemptively. Big data analytics on incoming and outgoing traffic at the perimeter, orchestrated with east-west traffic, surface additional anomalies for a rapid, proactive response.
Engagement Area 3: NETWORK SEGMENT RISK - Using the asset data automatically collected by asset agents, east-west traffic is massively reduced. Big data analytics identify port utilization, both static and dynamic, so that ports nobody legitimately uses can be blocked preemptively, which in turn enables micro-segmentation.
Engagement Area 4: ENDPOINT RISK - Always deploy a fail-safe that is simple to install and makes malware and ransomware survivable: automated backup. A backup is only a fail-safe if copies are kept offline or immutable, so the ransomware cannot encrypt them too, and if restores are actually rehearsed. Interconnecting security appliances with network appliances is a must for effective defense. Antivirus technologies, firewalls, and many other security solutions are list-based (signature-based) and can only deal with known threats.
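The two ideas in the key-terrain discussion and in Engagement Area 3 (identify what is logically in each segment, observe which ports actually carry traffic, block the rest) come together in the following added Python example, which is not code from the original paper. It derives a default-deny east-west policy from flow records: segment pairs and ports that carry real traffic are allowed, everything else is implicitly denied, and admin-protocol flows into key terrain from anywhere but the management segment are never auto-allowed, only flagged. The segment plan, the key-terrain list, the admin port set, the byte threshold, and the flow records are constructed; in practice the records would come from NetFlow/IPFIX exports or the asset agents the paper mentions.

```python
"""Added example: build a default-deny micro-segmentation allow-list from observed
flows and flag admin access into key terrain. All inputs are CONSTRUCTED."""
import ipaddress
from collections import Counter

# Assumed segmentation plan (constructed).
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "apps":  ipaddress.ip_network("10.20.0.0/16"),
    "db":    ipaddress.ip_network("10.30.0.0/16"),
    "mgmt":  ipaddress.ip_network("10.99.0.0/24"),
}
# Key terrain: segments an attacker gains the most from seizing (assumed).
KEY_TERRAIN = {"db", "mgmt"}
# Admin protocols that should only originate from 'mgmt' when aimed at key terrain.
ADMIN_PORTS = {22, 3389, 5985, 5986}

# Constructed flow records: src dst dport proto bytes
FLOWS = """\
10.10.4.21 10.20.1.5 443 tcp 4000
10.10.4.22 10.20.1.5 443 tcp 1800
10.20.1.5 10.30.0.8 5432 tcp 120000
10.99.0.3 10.30.0.8 22 tcp 9000
10.10.4.21 10.30.0.8 22 tcp 300
10.10.4.21 10.30.0.8 5432 tcp 0
"""


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text):
    for line in text.splitlines():
        src, dst, dport, proto, nbytes = line.split()
        yield src, dst, int(dport), proto, int(nbytes)


def port_matrix(flows):
    """Bytes observed per (src_segment, dst_segment, proto, dport)."""
    m = Counter()
    for src, dst, dport, proto, nbytes in flows:
        m[(segment_of(src), segment_of(dst), proto, dport)] += nbytes
    return m


def build_policy(flows, min_bytes=1000):
    """Return (allow, flagged).
    allow:   (src_seg, dst_seg, proto, port) tuples that carried >= min_bytes,
             i.e. the only east-west traffic the segment firewall should permit.
    flagged: admin-port flows into key terrain from a non-mgmt segment; these are
             never allowed automatically because they are exactly what an attacker
             moving laterally looks like, and need a human to confirm."""
    allow, flagged = [], []
    for (s, d, proto, port), nbytes in sorted(port_matrix(flows).items()):
        if d in KEY_TERRAIN and port in ADMIN_PORTS and s != "mgmt":
            flagged.append((s, d, proto, port, nbytes))
        elif nbytes >= min_bytes:
            allow.append((s, d, proto, port))
    return allow, flagged


if __name__ == "__main__":
    allow, flagged = build_policy(parse_flows(FLOWS))
    for rule in allow:
        print("allow  %s -> %s %s/%d" % rule)
    for s, d, proto, port, nbytes in flagged:
        print("FLAG   %s -> %s %s/%d (%d bytes): admin access into key terrain" % (s, d, proto, port, nbytes))
```

Note the two flows that never make it into the allow-list: the zero-byte users-to-db connection attempt on the database port (a port scan or a misconfiguration, not a dependency worth a rule) and the SSH session from a user workstation straight into the database segment, which is reported rather than silently permitted or silently dropped.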
Today, organizations need to embrace a "capabilities-intentions" and "gap-identification" approach to Cyber Security. This approach demands an assessment not only of the capabilities an organization owns but also of the kinds of capabilities favored by cyber threat actors. After building a terrain analysis of the network, an organization is armed with an analytic overlay of the cyber terrain behind the router and, more importantly, a keen understanding of the inherent risk of the hardware and software it owns.
By conducting gap identification, organizations are more likely to produce an accurate estimate of the enemy's "most likely" and "most dangerous" course of action (COA). Organizations can see their strengths by examining capabilities like firewalls, secure web gateways, endpoint detection, intrusion detection, and other cyber appliances. When organizations understand the vulnerabilities inherent in the hardware and software they own, they can accurately identify the gaps in their network. Matching internal gaps against the tactics and capabilities of a cyber threat actor, defenders can highlight what the enemy can do and forecast what they will do.
Cybersecurity specialists can leverage many different data sources from the crowd to build insight that fortifies networks and fights threats. A simple example is hiring white-hat hackers to confirm that a network doesn't contain gaps that introduce security vulnerabilities. Paying security testers to find vulnerabilities in a product or network (a bug bounty) ensures those vulnerabilities are tested for and identified.
Sourcing shared intelligence is another effective form of crowdsourcing. One of the great benefits of intelligence sharing is that it fosters awareness.
One example of intelligence sharing is the Open Threat Exchange (OTX) platform, on which AlienVault encourages its users to share information about security threats; Facebook and IBM run comparable exchanges. Technologies that pass knowledge and understanding of business ecosystems between industry and government organizations facing the same problems are an excellent source for enriching threat forecasting.
Orchestration is typically described as an end-to-end service management approach achieved through zero-touch (automated) provisioning, configuration, and assurance. The driver behind it is that as the complexity of networks and attackers grows exponentially, abstracting that complexity through automation is vital to keeping up with the constant change in tactics.
Unfortunately, orchestration is not enough. A disjointed, unsynchronized effort finds the benefits of automation negated by improper or untimely use. The first three domains of warfare are replete with a thousand years of lessons in which a pre-built response deployed by a defending force only caused disaster. Deciding when and when not to automate has almost a harmonic element: the ebb and flow of data, influenced by attacker and defender alike, changes continually. Failing to distinguish the efforts that are merely critical to a successful defense from the decisive actions can leave vital data or software applications wide open to attack because of a disjointed automated response. Network defenders should follow a well-thought-out, phased Cyber RoadMap that is rehearsed. The RoadMap helps cyber defenders understand the nuance of when to, and when not to, automate activities through orchestration.
Network digital forensic investigation is a scientific process that follows a deliberate forensic method to recover and analyze digital evidence in order to support or disprove a hypothesis about an activity, user, or event. Cyber Security efforts, by contrast, have become increasingly reliant on point solutions deployed piecemeal across the cyber terrain with little or no situational awareness of the inherent risk in the devices they are meant to protect, let alone of the activities of the other cyber appliances.
A phased investigation procedure is vital for cyber forensic investigations. Suppose an organization establishes the premise that breach probability is 100%. It can then put methods, techniques, and tools into a daily, iterative investigative process that continually looks for how the breach occurred, even if it hasn't yet. A cyber forensic approach is a more preemptive and proactive approach to cybersecurity because it relies on diverse data sets, and the process itself unifies your cyber efforts. The time for big data analytics in Cyber Security is now; the analytic models and technologies are mature and less cumbersome to deploy than they were a few short years ago.
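The following added Python example (not code from the original paper) is one iteration of the daily "assume breach" hunt described above, and it also shows the orchestration caveat from the previous section in practice: the hypothesis "someone is spraying one password across many accounts" is tested against authentication logs, and the response is gated so that a pre-built block never fires against a source that is itself key terrain. The log format, the log lines, the thresholds, the host addresses and the key-terrain list are all constructed; a real hunt would read the same shape of event from an identity provider or SIEM.

```python
"""Added example: hypothesis-driven hunt for password spraying over auth logs,
with the automated response gated by blast radius. All inputs are CONSTRUCTED."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp source_ip user result
LOGS = """\
2024-03-01T08:00:01 203.0.113.7 alice FAIL
2024-03-01T08:00:03 203.0.113.7 bob FAIL
2024-03-01T08:00:05 203.0.113.7 carol FAIL
2024-03-01T08:00:07 203.0.113.7 dave FAIL
2024-03-01T08:00:09 203.0.113.7 erin FAIL
2024-03-01T08:00:12 203.0.113.7 frank OK
2024-03-01T08:05:00 10.10.4.21 alice FAIL
2024-03-01T08:05:04 10.10.4.21 alice OK
2024-03-01T09:00:00 10.99.0.3 alice FAIL
2024-03-01T09:00:01 10.99.0.3 bob FAIL
2024-03-01T09:00:02 10.99.0.3 carol FAIL
2024-03-01T09:00:03 10.99.0.3 dave FAIL
2024-03-01T09:00:04 10.99.0.3 erin FAIL
2024-03-01T09:00:05 10.99.0.3 frank FAIL
"""

# Hypothesis parameters (assumed): a spray is one source failing against at
# least SPRAY_USERS distinct accounts inside SPRAY_WINDOW.
SPRAY_USERS = 5
SPRAY_WINDOW = timedelta(minutes=2)
# Sources that are key terrain (assumed: a management host behind which admins
# and automation sit). Blocking them automatically would lock the defenders out.
KEY_TERRAIN_SOURCES = {"10.99.0.3"}


def parse(text):
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def find_sprays(events):
    """Return {source: {"users": n, "followed_by_success": bool}} for every
    source whose failures hit >= SPRAY_USERS distinct accounts within SPRAY_WINDOW."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, user, r in evs if r == "FAIL"]
        for i, (t0, _) in enumerate(fails):
            window_users = {u for t, u in fails[i:] if t - t0 <= SPRAY_WINDOW}
            if len(window_users) >= SPRAY_USERS:
                # A success after the spray began means the spray may have worked.
                later_ok = any(r == "OK" and t >= t0 for t, _, r in evs)
                hits[src] = {"users": len(window_users), "followed_by_success": later_ok}
                break
    return hits


def decide(src, finding):
    """Automate only where the blast radius is acceptable; escalate the rest."""
    if src in KEY_TERRAIN_SOURCES:
        return "escalate"                 # human decides; never auto-block key terrain
    if finding["followed_by_success"]:
        return "block_and_page"           # likely compromised account: block and wake someone
    return "block"                        # noisy but unsuccessful: block automatically


def hunt(text):
    """One iteration of the daily hunt: findings mapped to the gated response."""
    return {src: decide(src, f) for src, f in find_sprays(parse(text)).items()}


if __name__ == "__main__":
    for src, action in hunt(LOGS).items():
        print(f"{src:14} -> {action}")
```

The single failed-then-successful login from the user workstation is not reported at all, because it does not satisfy the hypothesis; the hunt is for a pattern, not for individual failures. The two sources that do match get different treatment for the reason the orchestration section gives: one is an external address that can be blocked without consequence, the other is the management host, where the pre-built response would do more damage than the attacker.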
Joint cybersecurity operations prioritize integrating the various cyber appliances, networks, and devices into one unified view. They are, in essence, a form of combined-arms warfare in which an organization's existing people, process, technology, and data work together, rather than security processes being planned and executed separately from each other. A straightforward way to make joint operations a reality for any organization is a Security Operations Center (SOC).
A SOC is more than a technology; it is the fusion of people, process, technology, data, risk, and compliance that come together to identify, protect, detect, respond to, and recover from cybersecurity incidents. A SOC doesn't have to be a facility housing a highly skilled security team that relies solely on sophisticated technology. A dedicated mix of executive-level, manager-level, and staff-level team members can put in place a well-honed process to achieve the organization's top-line security objectives.
The first step is defining who will act as SOC manager; this should be someone to whom engineers and security analysts report. Even if they are outsourced, work with the manager to collect the documentation and stand up the Crisis, Emergency Management, and Business Continuity teams. A great resource is your Property and Casualty agent, who can bring in your insurance company's experts. This is an essential step in learning how best to coordinate physical security incidents and keep them from becoming critical events. Who better to consult than the organization on the hook to cover the expenses?
Get team buy-in, and let them know that their primary duties may not be monitoring the organization's security posture; still, they can analyze how well the team identifies, protects, detects, responds to, and recovers from security incidents. Another critical aspect of building a SOC on a budget is a security strategy tied to a roadmap.
Measuring the team against a roadmap is essential because today's advanced network equipment and cyber technology alone aren't enough to achieve organizational security goals.
Additionally, more and more attorneys, lawmakers, and national regulators are moving aggressively to mandate baseline security measures. If you don't meet them, the impact on your Cyber Liability, D&O, and E&O insurance claims will be lasting.
The business world has long understood the value of a balanced scorecard. Organizational leadership commonly uses the scorecard to measure performance: strategic business objectives are put in place based on how well the scorecard helps identify issues, and a good scorecard shows how operational changes improve the bottom line. A balanced scorecard is an excellent way to measure and provide feedback to an organization. Cyber risk is no longer relegated to information technology; with physical security and cyber security merging more rapidly each day, the Cyber Domain increasingly affects an organization's financial and enterprise security. Organizations need to measure whether their people, process, technology, data, risk initiatives, and compliance efforts are helping or hindering their cyber security, and specifically whether they improve the ability to identify, protect, detect, respond to, and recover from today's advanced threat actors.
These are the eight fundamentals your organization can and should follow to close gaps in its network before a threat can exploit them. An organization must assemble a solution that delivers cyber consensus in depth: big data analytics and AI corroborate the data by leveraging the cyber and network appliances the organization already owns. Ensure the algorithms you deploy mimic the human cognitive skills required to implement these fundamentals. The eight fundamentals help I.T. professionals elevate their cyber situational awareness to a level that lets them detect and respond to threats proactively, and finally give them a more unified approach to Cyber Security that uses a scorecard to measure, mitigate, and transfer risk away from the enterprise. Implementing the fundamentals will only get you most of the way. What takes you over the edge to excellence is training on these eight fundamentals with your team members, another lesson from my time in the military: