Читать книгу Cyber Intelligence-Driven Risk - Richard O. Moore III - Страница 13

Our knowledge of circumstances has increased, but our uncertainty, instead of having diminished, has only increased. The reason of this is that we do not gain all our experience at once, but by degrees; so our determinations continue to be assailed incessantly by fresh experience; and the mind, if we may use the expression, must always be under arms.

– Carl von Clausewitz, Prussian general

WE READ PREVIOUSLY that the CI-DR™ program has two objectives and a few tasks that create the interactions and the “connective tissue” between both command (leadership) and operations; its primary objective is to support decision-making by reducing uncertainty.¹ The traditional intelligence axiom of “knowledge is power” is the goal of the CI-DR program and that knowledge needs to support critical business decisions, specifically in our digital and cyber working environment. As a regularly attending contributor to a few boards of directors and as an advisor to other boards, the one area of concern I continue to identify is that many cybersecurity or IT security programs lack the business risk information with proper analysis when presenting to boards. This analysis and reporting of cyber risk requires the information provided to be articulated for discussion, be clearly understood by business executives, and be able to be debated in business terms with reinforceable facts to support the decisions made. How many readers of this book have been presented with technology vulnerabilities, only to see numbers and not understand the real intent or criticality of the information being presented? A CI-DR program provides businesses with the relevant information needed to make decisions. Do not think of providing vulnerabilities metrics as a negative report, but understand that it needs to be transformed into a report that is informing the business leader that a decision has to be made. That decision can be that we need to update our systems, the technology teams need time to reboot or restore a critical system, or that we will lose revenue due to particular identified compromises in that system. Reporting from cyber metrics to business has to be made clearer to those making decisions, and to those readers who are reporting vulnerabilities. Our CI-DR program cyber intelligence life cycle can be used to support how the functions and capabilities drive decision-making processes. The dissemination portion that produces the reporting or options is done without obfuscation of why those vulnerabilities being reported are important for the business leader to make decisions whether to ignore or action the report. (See Figure 2.1.)

The CI-DR program objectives provide an organization with guidance to assist in building a formal charter for the program, which can build rational processes of how the cyber data enters the life cycle and how analysis processes transform raw data to become “knowledge” and produce appropriate reporting in business terms. There is a ton of reporting being done today around cyber but most of it is done reactively and at the tactical level, meaning no business decisions are being made, and the information being reported is only valuable for use by a chief information security officer (CISO) or chief information officer (CIO) and is only used to make technology risk decisions. While this type of information is still valuable to the technician, as a risk or business leader you can most likely only use these tactical-level metrics and reporting as a way to find key performance indicators. The data or information at this stage in the cyber intelligence life cycle is still raw and provides no indicators of risk or useful information to business leaders.

FIGURE 2.1 CI-DR™ Cyber intelligence life cycle.

We talk a lot about leveraging tradition intelligence concepts and processes within this book and our CI-DR cyber intelligence life cycle is a direct offspring of one of those concepts. Similar to traditional descriptions of the types of intelligence, the CI-DR types of cyber intelligence do not require much change to the definition or require advanced degrees in cybersecurity; it is, in fact, simplistic in nature. The two primary classes of the CI-DR cyber intelligence are “descriptive cyber intelligence” and “estimative cyber intelligence.” Descriptive cyber intelligence has two components. “Basic cyber intelligence,” which is the general background knowledge about established and relatively constant cyber conditions, is often encyclopedic in nature and often mundane. This information is easiest to gather, and is often available through open sources.² Basic cyber intelligence is usually not decisive in nature, like providing vulnerability metrics without analysis and trends. Descriptive cyber intelligence also includes “current cyber intelligence,” which is concerned with describing the existing cyber situation. The differentiator between basic and current cyber intelligence is that current cyber intelligence describes more changeable factors. For example, if the organization has identified vulnerabilities within a certain system, but nothing yet has occurred to impact or exploit that system, this is basic cyber intelligence. However, if there is an exploit that leads to a compromise of the system from that identified vulnerability, this would be considered current cyber intelligence as the existing situation changed, and the intelligence is more time-sensitive for making a decision.

The second class of the CI-DR cyber intelligence is known as “estimative cyber intelligence,” and is focused on potential developments. Estimative cyber intelligence is the most demanding and is the most important task of creating “knowledge” from raw digital intelligence, as it seeks to anticipate a possible future or several futures.³ Just as military commanders cannot reasonably expect traditional estimative intelligence to precisely predict the future, estimative cyber intelligence deals with the realm of possibilities and probabilities. It is inherently the less reliable of the classes of intelligence because it is not based on what actually is or has been, but rather on what might occur.⁴ A good example of estimative cyber intelligence is described in our real-world example in the Introduction.

As we continue to describe the types of cyber intelligence used in our CI-DR framework and program, it is important for the reader to understand that efforts to provide “knowledge” and decisions are complicated by the ability to assess cyber capabilities and estimate adversarial intentions, which can become a complication during the interpretation of the information collected. To develop objective and accurate cyber intelligence, we must understand this problem. We can examine it through a discussion of signals or indicators and noise.⁵ Indicators or signals refer to information that can lead to valuable insight, whereas noise is simply useless information that interferes with identifying the truth. A good example of weeding through the noise can be found in the same example in our Introduction, where the QCF (Qassam Cyber Fighters) had been posting comments about their upcoming or past cyberattacks. This information was mostly false and extremely distracting, and misled or tainted much of the real intentions of their cyberattacks. Fortunately, there were clear signals and indicators that were being provided to see clearly through their many online rantings. However, the difference between true and false information is rarely easy to distinguish and the reader must take care to understand that effort must be made to differentiate.

As we continue to discuss the types of cyber intelligence and why the CI-DR uses these, we must also discuss the levels of intelligence. There are only three, to continue with simplicity, and these lead to our building cyber intelligence requirements in the upcoming chapters. The three levels of our CI-DR cyber intelligence types are strategic, operational, and tactical, in that order. Tactical cyber intelligence is the most fundamental, concerning location (i.e. geographical, networks, or internet protocols), capabilities (i.e. sophistication levels, skills, or method of delivery), and potential adversarial intent. Tactical cyber intelligence is the tactics, techniques, and procedures, or TTPs⁶ used in the cyber threat intelligence capability of the CI-DR program. In cyber it is wise to take care and understand that this is where most of the attention of cyber defense is focused today. While the tactical level deserves attention, the problem with a singular focus at this level means that the adversary is either already in the network, or at the door of your gateway trying to get in. Yet, if appropriate resources were expended in the previous two levels, some of this tactical activity may be precluded and have better usage by business leaders for decisions.⁷ The Security Operations Center (SOC) is fundamentally where tactical activities occur and will be discussed in a later chapter.

Operational cyber intelligence is the level at which campaigns and major operations are planned, conducted, and sustained.⁸ At the operational level, malicious actors plan their campaigns based upon what they have learned in collecting their own cyber intelligence and on what they had surmised as being necessary based upon their strategic goals. Actors build the capabilities (botnets, malware, delivery methodology [phishing], etc.) needed to support the tactical operations. They maneuver in cyberspace (hop points) to position capability where they need to in order to be effective in their tactical missions. This is the level where a hacktivist group may plan both cyber and physical world activities to support their objectives.⁹ Examples of operational-level cyber intelligence could be the following:

 Trend analysis indicating the technical direction in which an adversary's capabilities are evolving.

 Indications that an adversary has selected an avenue of approach for targeting your organization.

 Indications that an adversary is building capability to exploit a particular avenue of approach.

 The revelation of adversary tactics, techniques, and procedures.

 Understanding of the adversary operational cycle (i.e. decision-making, acquisitions, command-and-control [C2] methods for both the technology and the personnel).

 Technical, social, legal, financial, or other vulnerabilities that the adversary has.

 Information that enables the defender to influence an adversary as they move through the process of executing their intent and actions (i.e. attack chain).10

The strategic level of cyber activity is the determination of objectives and guidance by the highest organizational entity representing a group or organization and their use of the group or organization's resources toward achievement of those objectives. This is the level where the business executive officers and directors provide direction, guidance, and requests or requirements for knowledge based on business objectives. Examples of strategic cyber intelligence might include:

 The decision by a competitor or potential competitor to enter your market space (e.g. a foreign competitor's new five-year plan now shows interest in developing a domestic capability in a technology your company is known for).

 Indications that a competitor, or foreign government, may have previously acquired intellectual property via cyber exploitation.

 Indications that a competitor, or foreign government, is establishing an atypical influential relationship with a portion of your supply chain.

 Indications that your corporate strategic objectives may be threatened due to adversarial cyber activity.11

Now that we have structured the type, levels, and some examples of cyber intelligence we have to take that information and make it knowledge, which means analysis. There are many books, university courses, whitepapers, and frameworks that detail many of the various analysis tools and techniques. I am only going to list a few and will not go into the detail of what method is better than another; the reader should be aware of the various types to prepare them for the types of reports they may receive. Below is a list that the United Kingdom's National Intelligence Model uses and provides a good framework for a detailed list of products and purposes for different types of analysis.¹²

 Results Analysis – this process provides gaps, best practices, or may be used as an After-Action Report (AAR).

 Pattern Analysis – can be used to provide management decisions for tactical or operational prioritization, or may be used to identify emerging threats, trends, and new requirements.

 Market Analysis – can be used to see if there is proliferation of tools, techniques, processes (TTPs) for sale, and may be used by management to provide prioritization of remediation activities, or operational enhancements in defending their organization.

 Demographics and Social Trend Analysis – can be used by management to highlight future pressures, used for incident planning and response activities based on emerging social phenomena or sensitivities.

 Malicious/Criminal Business Profiles – can be used by management for understanding key points of operational disruption, the need for new regulations or legislation, change in resources to meet the threat, or to ensure the organization has training to meet new threats (i.e. phishing, malware, social engineering, etc.)

 Network Analysis – can be used by management strategically as an indicator for the seriousness of an activity. Can also be used tactically and operationally to understand operational losses, highlights gaps, and provide potential targets within the organization.

 Risk Analysis – can be used by management to create risk management planning (i.e. impact, probability, consequences both financially and reputational, etc.). Provides the prelude to prioritizing actions, at both the strategic and operational levels.

 Target Profile Analysis – TTPs of the malicious actor or group, informs which targets will most likely be attacked, and provides decisions about how resources can be deployed to mitigate the attack.

 Operational Intelligence Analysis – can be used by management to prevent mission creep or scope creep, prioritization of intelligence work, needs, or requirements stemming from current intelligence.

The use of the CI-DR cyber intelligence life cycle, the types of analysis, and the dissemination of knowledge to business leadership is how our program works in conjunction with the overall approach of having functions and capabilities and can inform, guide, direct, and provide the ability to adapt and prioritize for any change or emerging threat to an organization.