Читать книгу Cyber Intelligence-Driven Risk - Richard O. Moore III - Страница 10
CHAPTER 1 Objectives of a Cyber Intelligence-Driven Risk Program
ОглавлениеKnowledge must become capability.
– Carl von Clausewitz, Prussian general
ANY FRAMEWORK, methodology, or process has to have objectives and outcomes. The CI-DR™ program strives to achieve two objectives. First, the program provides accurate, timely, and relevant knowledge about cyber adversaries and the digital environment in which it operates. Adversaries within the cyber ecosystem are internal or external. An internal cyber adversary could be an employee, contractor, or someone with an objective and the physical or logical access to information otherwise not known to the public. External cyber adversaries include malicious actors, nation-states, competitors, or even outsourced platforms or processing environments and those employed or influenced there.
To achieve the first objective of the CI-DR program, there are four tasks that are required to be performed. First, the program must evaluate the existing cyber conditions, cyber risks, and potential operational losses from cyber events and incidents while taking into account the many internal or external adversarial capabilities holistically. Second, based on existing cyber conditions and cyber capabilities, the program estimates possible cyber adversarial courses of action and provides insight into possible future actions. Third, the program aids in identifying vulnerabilities that could be exploited by adversaries and the operational impact it can have on the organization. Fourth, the program and the “knowledge” created assists in the development and evaluation of the organization's courses of action for decisions based on the first three tasks.
The second objective of the CI-DR program is to protect organizations, through cyber counterintelligence activities, intending to deny adversaries valuable information about an organization's situation. These two objectives demonstrate how the CI-DR cyber risk programs support both the exploitative and protective elements necessary to operate in today's digital economy and infrastructure. The program aims to create timely and meaningful images of the situation confronting the decision-maker. CI-DR is the analysis and synthesis of information into knowledge. CI-DR cyber intelligence is “knowledge” that is distinguished from information or data, in that few pieces of information speak for themselves conclusively but must be combined and compared with other pieces of information, analyzed, evaluated, and given meaning.1 Good cyber intelligence does not simply repeat the information that a source may reveal. Rather, it develops this raw material in order to tell us what that information means and identifies the implications for decision-making.2
The two objectives of the CI-DR program are created with simplicity that establishes the boundaries for how the program will operate and the areas in which it will collect information to provide value back to the organization's decision-makers. Additionally, the objectives provide executives and directors with a high-level understanding about what the program goals are, how they can be leveraged, and how they are connected with business leadership, and ultimately what analysis can be expected to support business objectives. The four tasks associated with the first objective provides the initial measurement of whether the options available are feasible or risky. To be able to describe a complete intelligence picture that provides us everything we need to know about a given situation, we would need that description to include knowledge of established conditions that have existed in the past, unfolding conditions as they exist in the present, and conditions which may exist in the future. Our complete image of what has been, what is, and what might be provides us with two classes of intelligence. The first is descriptive cyber intelligence, which describes existing and previously existing conditions. The second class, which attempts to anticipate future possibilities and probabilities, is estimative cyber intelligence.3 This initial measurement does not have to be exact or futuristic, and doesn't have to be either qualitative or quantitative. What it does have to be is factual, and without bias or opinion, specifically when leadership is expecting intelligence and options on a particular subject.
Our CI-DR example for this chapter shows how the frame can support a business decision. Suppose a business leader wants to move an application from the organization's on-premises location to having it hosted at an outsourced provider (i.e. software as a service, platform as a service, or infrastructure as a service). The CI-DR program would begin with the analysis and collection of risk information from the current cyber environment as the baseline. A question would be posed to the team by the business leader, such as: “Is it safer to move existing system from on-premises to an externally hosted provider?” Additionally, the CI-DR program would collect and ingest into the CI-DR's cyber intelligence life cycle–specific information, cyber risks, vulnerabilities, cyber threats, costs, regulatory issues, and other relevant information to analyze and evaluate the various options where the leader wants to move the application. The result for this example could provide two or three options for providers and their risk ratings from a cyber intelligence perspective; they would also incorporate those ratings with the financial review of the provider, giving the business decision-maker the impact, risks, and profit or loss financial information for their review. The business leader is now able make better informed decisions about the outcome of their course of action, and to articulate and defend their position to senior leadership or the board of directors. The CI-DR program is not a stand-alone program. Discussed in the upcoming chapters, the program must have the right capabilities and resources available to evaluate the information collected and analyzed, with the ability to provide risks, options, and decision structures that can be generated for any consumer or leader within the organization. The decisions could be as simple as a “go or no-go” comparison chart or as complicated as total costs of ownership, potential losses, potential savings, or increased revenues, all with cyber risks included.
The second objective is not overly difficult to implement, but many U.S. commercial businesses are not as familiar with this approach as would military commanders be and maybe a few foreign countries that leverage cyber counterintelligence methods regularly. We can recall from our denial-of-service attack example against the banks in the Introduction that some organizations did leverage cyber counterintelligence and cyber deception methods to move the attacker's mindset into thinking they crippled the bank, thereby having them focus and move on to other targets while the banks resumed operations and returned to online activities that same day. Additionally, while U.S. businesses do protect their information from cyber adversaries in more traditional approaches, the cyber counterintelligence objective is a new concept for many businesses, except for a few of the Fortune 100 organizations.
Within the CI-DR functions and capabilities the cyber counterintelligence capability can be used within commercial businesses for mergers and acquisitions, for protecting information systems security strategies, or as part of the overall use of deception technologies or information to gain advantages in proactively identifying what cyber adversaries might be searching for within your networks. Organizations can test their cyber deceptive capabilities through tasks such as “red-teaming” activities. Red-teaming is usually performed by external organizations with the overall objective of gaining access to your facilities, systems, and data, and reporting on physical and digital compromises. The deceptive technologies are useful in validating those activities, as they could lead the testing team to encounter the deception systems and give them false information. Implementing the cyber counterintelligence portion of the CI-DR program will assist organizations in determining reconnaissance activities from adversaries, and assist with appropriate business or technology strategies to counter known cyber adversarial techniques, technologies, and processes. Organizations are performing some type of counterintelligence activity all the time, through marketing, delaying of products based on market research, keeping startups in “stealth,” or by controlling access and release of information about their strategy or business processes. The counterintelligence activities are there, but the term or rational connection to that term has not been formally used for cyber activities. We are asking the reader to accept that the CI-DR cyber counterintelligence–type practices are occurring in organizations and to accept our usage of the term as not just a military action or function.
For example, passive cyber counterintelligence measures are designed to conceal, deceive, and deny information to adversaries, whether internal or external. Many businesses today do this by creating shared folders or locations where access is restricted to certain individuals. These folders are created by thinking about the content, the sensitivity, or the regulatory requirements to keep them separate to a select few. However, many businesses have missed the key components of restricting that information by not implementing either concealment or deceptive tactics to protect, restrict, and identify who may be trying to access the information, thereby usually providing a false sense of protection.
Another key objective for formally recognizing and having cyber counterintelligence as part of the CI-DR program is to protect personnel from subversion and acts of hostilities. Again, many organizations have travel security programs for executives and key personnel, implement phishing training and education, have evacuation drills, and provide some type of education for active shooters, etc., but again do not formally embrace the counterintelligence benefit or create formal counterintelligence objectives. An easy formal objective of using counterintelligence could be to protect facilities (i.e. removing signs for data centers or key processing facilities, etc.) and material against sabotage (internal, external, or even competitors). The full measures of counterintelligence can include security of restricted material, personnel security, physical security, security education, communications security, data security, electromagnetic emission security (i.e. Bluetooth, Wi-Fi, NFC, Bonjour, etc.), and censorship.4 The overlooked counterintelligence objective can be useful and provide value to industries such as financial services, manufacturing, utilities, pharmaceuticals, insurance, social media, and many others that are often overlooked as critical infrastructure or social services.
Another key concept we want the reader to understand is that a CI-DR program should not be thought of just as a product, but also as the processes which produce specific needed knowledge in order to make better business decisions. Process activities and capabilities are driven by the need to answer questions that are crucial to both the tactical and strategic interests of the organization or to meet business objectives. A CI-DR program operates in an environment characterized by uncertainty and with it risks that must be understood and reduced by the decision-makers.