Cyber
The Magazine of the MCPA




Click here to be published and contribute to the professional dialogue!

Full Text Listing of All Stories


Cyber Shield 2018

posted by James Caroland   [ updated ]

By LTC BE Rhodes, Colorado Army National Guard 

Article Summary

Cyber Shield is a recurring national-level exercise.   Cyber Shield 2018 involved more than 800 participants in one of the largest US National Guard’s cyber-operations exercise. Participants include members of the Army National Guard, Air National Guard, Army Reserve and representatives of State and Federal government agencies, Industry partners and Academia taking part - to test their collective skills and evaluate their defensive capabilities in response to cyber warfare.

Cyber Shield 2018 incorporated two phases: the first week focused on military, government and private sector training on vital cyber skills. The second week challenged National Guard Soldiers and Airmen to face off against experienced opposing force adversaries, utilizing their training and skills to defend networks to mitigate the effects of cyber-attacks against vulnerable infrastructure. The Exercise week scenario consisted of an infiltration by hacktivists, to key infrastructure operated within a Transportation Industry network. Governors requested National Guard support to provide traditional and cyber incident response support.

MCPA sponsored the Cyber Shield Social event at the conclusion of Cyber Shield 2018 training week.

FOR THE FULL ARTICLE ABOUT CYBER SHIELD 2018 AND MCPA'S CYBER SHIELD SOCIAL, PLEASE SEE THE ATTACHED PDF

The Three M's of the Cybersecurity Insider Threat Revealed

posted Jun 13, 2018, 7:03 AM by James Caroland   [ updated Jun 13, 2018, 7:04 AM ]

By John Galliano, Contributing Editor 

Article Summary
:  

Very likely, as a military cyber professional, you work in well secured environment with next-generation firewalls, intrusion detection/prevention and other specialized sensors to safeguard your perimeter and protect your organization's information. But how often do you consider your internal defenses and the trusted people already on the inside? The cyber insider threat should be of concern to military cyber professionals because it puts your organization, your data, and your people at heightened risk. Given the associated tangible and intangible costs, clearly the insider threat is an important issue. 

The cyber insider threat is not a new problem. Operating from the inside and unconcerned with perimeter defenses, insiders like Snowden and Manning have arguably caused unparalleled damage to the U.S. intelligence and diplomatic missions. Insiders in the context of cybersecurity have access to an organization’s network, system, or data and may intentionally exceed or use that access in a manner that negatively impacts the C-I-A of the organization’s information or information systems. 

By examining the cyber insider threat in this article, I clarify the meaning, the motivation, and the mitigation of the cyber insider threat. Insider threat attacks are costly both in terms of time and money, and ultimately may put military operations and lives in jeopardy. Insiders are influenced by a range of motivations including personal gain, perceived injustice, and the greater cause. The good news for military leaders is that a number of mitigating factors may be employed to counter the potential impacts of the cyber insider threat including education, monitoring, and control. Implementing a strong and vigilant insider threat program is your first line of defense and your best protection.

PLEASE SEE THE ATTACHED PDF FILE FOR THE FULL ARTICLE

The Role of Foreign Expertise in the UAE's Strategy for Cyber Security

posted Jun 12, 2018, 5:35 AM by James Caroland   [ updated Jun 12, 2018, 5:39 AM ]

By Al Stovall, Contributing Editor 

Article Summary:  

The United Arab Emirates is in the process of completing a multi-stage plan to establish itself as a major cyber power in the Middle East. Currently, the Emirati government focuses on identifying and recruiting cyber professionals from the United States and Europe that can increase its cyber capabilities while it develops indigenous expertise. Its pursuit of these professionals has become more aggressive in response to its increasing cyber security needs as a popular target for cyber attacks.

PLEASE SEE THE ATTACHED PDF FILE FOR THE FULL ARTICLE

Using Recombinant Innovation for Post-Cyber Strike Recovery Means

posted May 6, 2018, 4:55 PM by James Caroland   [ updated May 6, 2018, 5:00 PM ]

By LtCol John Dobrydney, U.S. Marine Corps, CISSP, Contributing Editor  

Article Summary:  

A large-scale cyber strike is expected to disrupt many governmental, economic, and societal processes that rely on the Internet’s inherent connectedness.  The disruption is expected to cause cascading second and third order effects through society that are not easily recoverable given an increasing reliance on all things digital.  One major challenge with the aftermath of a debilitating cyber-strike is how to return to a functioning “normal” without the expected conveniences, Internet provided communications capabilities, or even the resident knowledge and processes from the old, “analog” processes.

Applying the economic principle of rational people acting to satisfy unlimited wants with limited means, Recombinant Innovation provides a means to repurpose previously unconsidered processes and resources to solve the post-strike challenges.  Automobile manufacturing, the music industry, and even medical surgery materially benefited from recognizing a need and then satisfying it with recombining existing processes and resources.
 
Effective post-strike recovery begins with proper planning prior of the disaster.  Those members of society closest to the emerging post-strike problems are best suited to solve them; therefore, government agencies should encourage and support Recombinant Innovation at the lowest governmental and societal levels and provide guidance and resources as society rebuilds its capabilities.    

PLEASE SEE THE ATTACHED PDF FILE FOR THE FULL ARTICLE

Image credits for article (in order of appearance):  Time, sportskeeda.com, i-Vigilant Technologies, pluspng.com, philmckinney.com

Leader's Guide to Protecting Cyber and Operational Security

posted Feb 26, 2018, 7:32 PM by James Caroland   [ updated Mar 2, 2018, 10:08 AM ]

By Major Michael Senft, U.S. Army

Cyberspace is a contested domain of warfighting and information technology. Capable and intelligent adversaries, namely state and non-state actors, seek to asymmetrically disrupt U.S. advantages in communications by targeting the weakest link in our technical and human defenses1,2. A single weak security practice can result in the widespread compromise of a network or information system, endangering not only the lives of U.S. military and civilian personnel, but also business viability3,4. The purpose of this guide is to provide leaders with a concise outline of significant Cybersecurity and Operational Security (OPSEC) concerns with recommendations to protect network dependent warfighting and other essential functions including mission command, fires, intelligence, and sustainment. Cybersecurity and OPSEC are processes that should be incorporated into all phases of operations to protect people, equipment, and ensure mission success3. This guide will cover three topics: Cybersecurity concerns, OPSEC concerns, and recommendations.  Let’s address the foundational cybersecurity concerns first.


Cybersecurity Concerns:

Rob Joyce, the former Chief of the National Security Agency’s Tailored Access Operations and current White House Cybersecurity Coordinator, succinctly captured this concern by stating, "If you really want to protect your network, you really have to know your network"5,6. Knowing the network is essential to defending your key cyber terrain. Leaders must consider that:

  • Every device that emits a signal or has a processor is a potential vulnerability4
  • Three primary attack vectors within your formations3,4,5,7:
  • Email – Spear phishing emails can fool even experienced security professionals6,8,9
  • Removable media –  Adversaries use removable media to gain access to systems9
  • Websites – Adversaries compromise trusted websites to precisely target specific user groups6,10



The second concern is the threat posed by privilege escalation and lateral movement. Leaders must identify, monitor, and protect high-value assets within their organizations by considering the following11:
  • Mission critical data, systems and networks12
  • Network and system configuration, security, and monitoring systems13
  • Users with elevated privileges (e.g., network and system administrators, users with removable media writing or cross-domain data transfer rights, etc.)14


OPSEC Concerns:

The first thing leaders should understand is that large enterprise networks including the Non-classified Internet Protocol Router Network (NIPRNET) are not secure. Sensitive but Unclassified (SBU) information should be encrypted prior to transmission via email as communications can be targeted for interception and exploitation at any time16. Likewise, SBU data stored on mobile computing devices (data-at-rest) should be encrypted to prevent compromise in the event of loss or theft of these devices [9]. SBU data includes, but is not limited to:
  • Network Configuration Files, Network Architecture Diagrams, and Network Vulnerability Reports15
  • Password and System Credential Files15
  • Personally Identifiable Information (PII)15
  • Very Important Person (VIP) Travel15
  • Locations, movements and mission planning of essential elements15
Secondly, leaders must understand and mitigate operational vulnerabilities created by cell phones4,16,17
  • Cell phones are prime targets for enemy Signals Intelligence (SIGINT) and Electronic Intelligence (ELINT) even when used in a disciplined manner4
  • Compromised smart phone applications can provide adversaries with geo-location and other valuable intelligence16
  • Loss or theft of cellphones and other mobile devices can provide an avenue of attack for adversaries to gain access to enterprise networks or provide access to sensitive information
Third, leaders must understand and mitigate operation vulnerabilities created by insider threats18
  • Insider threats abuse their authorized access to information and information systems to execute theft, espionage, fraud and sabotage18
  • Unintentional insider threats may unknowingly aid adversaries to gain access to systems or exfiltrate data18
Finally, leaders should gain increased understanding of and seek to mitigate the vulnerabilities introduced by the use of social media, social engineering, and PII. 
  • Adversaries use social media to gather intelligence and target Service Members, their families and others4,16,17,19 
  • Social engineering is a highly effective and low-cost attack vector used by threat actors to bypass the most effective defenses to compromise systems and gain access to sensitive information20
  • Awareness and training are the most effective countermeasures20
  • Adversaries target PII to exploit financial and other personal interests of Service Members, their families and others4

Recommendations:

To counter the dual concerns of cybersecurity and OPSEC, leaders should foremost train their people, but also implement and enforce best practices. For cybersecurity concerns, the following recommendations will strengthen your ability to know your network and defend against the insider threat:

Protect Credentials 
  • Implement the Principle of Least Privilege to limit account rights to the minimum required by the user5,6,7
  • Log and monitor privileged user activity and the use of administrative tools6,7,12
  • Enforce password management since default, weak, or stolen passwords enable adversaries to gain access to and elevate privileges12,21

Defend Against the Insider Threat 

  • Know your Service Members and employees
  • Know the behavioral indicators of malicious threat activity18
  • Employ security technology, including multifactor authentication, to detect and prevent insider attacks12,18

Even the most secure network can be compromised, thus it is essential to harden the network and introduce resiliency [4].
  • Disable unnecessary services.  Unnecessary services provide potential avenues of attack for adversaries6,7,21
  • Disable use of insecure protocols (FTP, SNMPv1, Telnet, etc.).  Insecure protocols transmit user names and passwords in the clear.
  • Identify systems that are not patched on a continuous basis and apply other risk mitigations such as traffic filtering and network segmentation to reduce the attack surface.  Program of Record systems are an example as they typically receive software updates and patches on a quarterly basis21
  • Prevent unauthorized devices from connecting to the network [6,14].  Unauthorized devices provide avenue of attack for adversaries to gain access to systems or exfiltrate data6,14
  • Restrict physical access to network devices and infrastructure to the greatest extent possible [23].  Physical access enables a skilled adversary to quickly bypass technical security measures to gain full control of systems23
  • Develop Continuity of Operations Plans to operate despite degraded or disrupted communications.1,11  Ensure communications Primary, Alternate, Contingency, and Emergency (PACE) plans enable mission command even in the event unclassified and/or one or more classified networks are compromised or disrupted.4,11
As outlined in this guide, a single weak security practice can result in the widespread compromise of a network or information system. Protecting network dependent warfighting and other essential functions requires incorporating cybersecurity and OPSEC into all phases of operations. Like good OPSEC, effective cybersecurity requires the development and promotion of an organizational culture that is cyber risk and adversary threat aware, and emphasizes and enforces standards and practices that minimize vulnerabilities to Department of Defense and corporate networks, systems, and information.3



About the Author

Major Michael Senft is a Functional Area 26A Information Network Engineering Officer and has multiple deployments in support of Joint and Special Operations units. He holds a Master's Degree in Computer Science from the Naval Postgraduate School and a Master's Degree in Engineering Management from Washington State University.



End Notes

1. U.S. Department of the Army. (2014). The Army Operating Concept, Win in a Complex World. TRADOC Pamphlet 525-3-1. Retrieved from http://www.tradoc.army.mil/tpubs/pams/tp525-3-1.pdf

2. U.S. Army Asymmetric Warfare Group. (2016) Russian New Generation Warfare Handbook. Retrieved from https://www.milsuite.mil/book/docs/DOC-334149 (CAC Login Required).

3. U.S. Army Chief Information Office/G-6. (2015). Leaders Information Assurance/Cybersecurity Handbook. Retrieved from https://www.army.mil/e2/c/downloads/299601.pdf

4. R. Leonhard, (2016). The Defense of Battle Position Duffer – Cyber Enabled Maneuver in Multi-Domain Battle. Retrieved from https://www.milsuite.mil/book/docs/DOC-332615 (CAC Login Required).

5. R. Joyce, (2016). Disrupting Nation State Hackers. USENIX 2016 Presentation. Retrieved from https://www.usenix.org/node/194636

6. Center for Internet Security. (2016). Critical Security Controls for Effective Cyber Defense. Retrieved from https://www.cisecurity.org/critical-controls/documents/CSC-MASTER-VER61-FINAL.pdf

7. National Security Agency. (2015). NSA Methodology for Adversary Obstruction. Retrieved from https://www.iad.gov/iad/library/reports/nsa-methodology-for-adversary-obstruction.cfm

8. FireEye. (2016). Spear-Phishing Attacks - Why They are Successful and How to Stop Them. Retrieved from https://www.fireeye.com/current-threats/best-defense-against-spear-phishing-attacks.html

9. Defense Security Service (n.d.) Common Cyber Threats: Indicators and Countermeasures. Retrieved from http://cdsetrain.dtic.mil/cybersecurity/data/pdf/Common_Cyber_Threats_Indicators_and_Countermeasures.pdf

10. FireEye. (2015). Zero-Day Danger. Retrieved from
https://www.fireeye.com/current-threats/recent-zero-day-attacks.html

11. BG P. Frost and  M. Hutchison, (2015). Top 10 Questions for Commanders to Ask About Cybersecurity. Retrieved

from http://smallwarsjournal.com/jrnl/art/top-10-questions-for-commanders-to-ask-about-cybersecurity

12. Verizon. (2016). 2016 Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

13. P. Stone,and A. Chapman, (2015). WSUSpect – Compromising the Windows Enterprise via Windows Update. Retrieved from https://www.contextis.com//documents/161/CTX_WSUSpect_White_Paper.pdf

14. U.S. Department of the Navy (2014). Commander’s Cyber Security and Information Assurance Handbook. COMNAVCYBERFORINST 5239.2A. Retrieved from https://www.cool.navy.mil/usn/ia_documents/5239_NCF_Cybersecurity_IA_HANDBOOK.pdf

15. National Security Agency. (2016). JCMA Findings and Trends – 2016 Information Assurance Symposium. Retrieved from https://www.iad.gov/iad/library/ias/defense-at-cyber-speed/jcma-findings-and-trends.cfm

16. CrowdStrike. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved from https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf

17. U.S. Computer Emergency Readiness Team. (2011). Cyber Threats to Mobile Phones. Retrieved from https://www.us-cert.gov/sites/default/files/publications/cyber_threats_to_mobile_phones.pdf

18. National Cybersecurity and Communications Integration Center. (2014). Combating the Insider Threat. Retrieved from https://www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat_0.pdf.

19. Wired. (2017). Meet Mia Ash, the Fake Woman Iranian Hackers Used to Lure Victims. Retrieved from https://www.wired.com/story/iran-hackers-social-engineering-mia-ash/

20. U.S. Department of State Overseas Security Advisory Council. (2015). Social Engineering: Threats and Best Practices. Retrieved from https://www.osac.gov/Pages/ContentReportDetails.aspx?cid=18454

21. U.S. Army Cyber Center of Excellence. (2016). Cyberspace Operations Bulletin 16-13. Retrieved from https://lwn.army.mil/documents/2802697/3387032/cyberspace+bulletin+2.pdf (CAC Login Required)

22. US Army Communications-Electronics Command (CECOM) Software Engineering Center. (2014). Software Engineering Center Productions and Services Catalog. Retrieved from http://www.sec.army.mil/secweb/files/SEC%20Products%20and%20Services%20Catalog%20v3.0.pdf

23. D. Ollam, (2008). Ten Things Everyone Should Know About Lockpicking & Physical Security. Retrieved from https://www.blackhat.com/presentations/bh-europe-08/Deviant_Ollam/Whitepaper/bh-eu-08-deviant_ollam-WP.pdf


Image credits (in order of appearance):  Pixabay, Moody Air Force Base, U.S. Department of Defense

Meltdown and Spectre: Analyzing the Lasting Costs

posted Jan 19, 2018, 1:33 PM by James Caroland   [ updated Jan 19, 2018, 1:39 PM ]

By James Loving

Introduction

Earlier this month, researchers with Google’s vulnerability research group Project Zero released a pair of exploits, Meltdown and Spectre, that threaten nearly every workstation and server on the Internet. These kernel attacks exploit performance features to violate process isolation measures, allowing an adversary to read private information, such as passwords. Patches are being rapidly developed and distributed, but the mitigations typically result in performance hits ranging up to 20%. Because of the long-term performance impact, these vulnerabilities may become the most financially costly in recent memory, despite the rapid patching preventing significant harm to systems’ security.

Overview of Vulnerabilities

Meltdown (CVE-2017-5754)

The Meltdown attack exploits speculative exhaustion, which is a performance feature where a CPU will begin simultaneous execution of multiple instructions, so that when an instruction is reached, execution has already begun, increasing apparent performance. Specifically, the CPU will begin execution of multiple lines of code, assuming that any out-of-order instructions can be undone. Unfortunately, these out-of-order instructions are able to avoid the measures that prevent code from accessing kernel memory, because these privilege checks have a significant impact on performance and are thus executed only on the “correct” path of code execution.

This vulnerability primarily affects Intel processors. While the Meltdown paper presents some evidence that the out-of-order exploitation of speculative execution is possible on AMD and ARM chipsets, the researchers were unable to produce a proof-of-concept password leaker for these architectures. ARM has confirmed that this vulnerability impacts only their Cortex-A75 line; their other processors are not vulnerable.This processor is used by some Snapdragon chipsets, which are common in mobile devices.

For more information on Meltdown, I recommend this developer’s analysis, the researchers’ original blog post, and their paper.

Spectre


Project Zero’s original blog post outlined two variants on the Spectre attack; the Spectre paper lumps both variants together and provides five additional variants. This article discusses only the two primary variants included in the blog post; for details on the additional variants, consult pages 10-12 of the paper.

Variant 1 (CVE-2017-5753)

Spectre variant 1 also exploits speculative execution, but it relies on branch prediction, wherein the CPU will begin execution of multiple branches of a conditional statement, concurrent to the condition being evaluated. Therefore, when the condition is evaluated and the branch-to-be-executed has been determined, execution is already in progress. The CPU assumes that any instructions from unchosen branches can be undone; the Spectre attack exploits this assumption. To execute the attack, the adversary chooses a “gadget,” an instruction from the victim’s address space, which is then speculatively executed. When the CPU attempts to undo the effects of this unchosen branch, changes to the memory cache are not undone. Thus, the adversary can force leakage of sensitive data in other processes’ memory.

Below is pseudocode example of the Spectre variant 1 vulnerability.  Due to compiler optimizations, this snippet does not present a real-life instance of speculative execution.

This vulnerability has a much wider impact than Meltdown; it affects Intel, AMD, and ARM architectures. All three manufacturers have acknowledged the vulnerability and are working with OS developers to provide mitigation instructions and patches for their hardware. Snapdragon has not commented on this variant’s impact to its chipsets, but both Android and Apple iOS have acknowledged their vulnerability and issued patches.

Variant 2 (CVE-2017-5715)

Like variant 1, Spectre variant 2 exploits branch prediction speculative execution, but variant 2 has an adversary process influencing the branch prediction of a victim process and redirecting it, thus forcing the victim process to speculatively execute a “gadget” - code located elsewhere in memory that can be used to leak sensitive information. This variant affects the same platforms as variant 1, although it may be more difficult to execute against certain chipsets.



Impact

Because of the unprecedented range of vulnerable devices, the Spectre and Meltdown attacks have a significant impact. Cloud vendors, and organizations that rely on cloud services, are likely to bear the majority of the cost. However, due to the pace at which cloud services are patching their servers, they are likely to face a primarily monetary cost as a result of these vulnerabilities, instead of a legitimate cybersecurity threat. In comparison, the Internet of Things (IoT) is likely to face legitimate cybersecurity challenges due to these vulnerabilities, as IoT devices are notoriously difficult to patch and/or infeasible to replace.

Users

Compared to other groups, individual computer users are likely the least affected. The industry has responded quickly to the attacks. Microsoft, Apple, and Red Hat have published patches addressing the vulnerabilities, and Ubuntu and FreeBSD are currently developing patches, as of the writing of this article. While these patches generally have significant performance hits, most user tasks, such as Internet browsing, word processing, video streaming, etc., are not computationally intensive; the noticed impact of the patch-reduced performance should be little.

The Cloud

Because most cloud services run on virtual servers (versus bare metal), Meltdown and Spectre have massive potential impact. A particular customer/server can take all necessary precautions and still be victimized by another, insecure customer/server, as the exploited server and the victim server may exist on the same hardware, thus allowing for memory access between servers. Fortunately, the industry responded quickly: Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and other companies have already begun patching their systems.

While the majority of press surrounding the impact on the cloud of Meltdown and Spectre has centered around these cybersecurity issues, I believe the long term performance reduction is a greater impact. Unlike users, who often have computer resources to spare, modern cloud systems are designed to run at extremely high loads. The customer is typically paying for the infrastructure, and therefore wants to get their money’s worth. Because of the reduced performance resulting from the necessary patches, these customers may find their cloud-associated costs rising to compensate for the reduced performance: each server being, e.g., 10% less effective means that 11% more servers are necessary for equivalent computational capability.

The Internet of Things

However, the largest impact of Meltdown and Spectre may be to the security of the Internet of Things. IoT devices are often deployed and not administered again, so many such devices will likely never receive the patches necessary to protect against Meltdown/Spectre. In the long term, this vulnerability may persist, as traditional devices - servers, workstations - are replaced with new hardware, which will hopefully be resistant to Meltdown/Spectre, and the IoT devices remain in place.

Fortunately, I have little reason to believe that these exploits will be readily weaponized for the Internet of Things. All current proofs of concept are used for information theft; they execute fragments of code already present on the victim device to leak memory, thus accessing private information. I have not seen an example of remote code execution, which would be necessary for the majority of malicious activity in the IoT. While an adversary may be able to, for example, use Spectre on an ARM-based smart light bulb to steal a WiFi password, they should be unable to use these exploits to create a botnet.

Conclusions

The Meltdown and Spectre attacks may, in the long term, be extremely costly: they could increase the costs of cloud computing by up to 20%. However, due to the rapidity with which patches are being developed and deployed, combined with the narrow use of the exploits - leaking private information while already on a device - they do not appear to pose a significant threat to the security of the Internet or its users.



About the Author

James Loving is a security engineer, research affiliate with the Massachusetts Institute of Technology (MIT) Internet Policy Research Initiative, and copy editor of Cyber magazine. His research interests include security and privacy in the Internet of Things and the intersection of Internet and international security. He holds BS degrees from Florida State University in Computer Criminology and International Affairs and MS degrees from MIT in Computer Science and the Technology and Policy Program. He currently serves as an officer in the Massachusetts Army National Guard.

-------------
Image credits:  all images from meltdownattack.com

Every Marine is a Cyber Marine Too: The Four Internet Safety Rules

posted Jan 17, 2018, 6:13 PM by James Caroland   [ updated Jan 17, 2018, 6:14 PM ]

By LtCol John Dobrydney, USMC, CISSP

An oft repeated phrase, "The network would be secure if it weren’t for the users” is a wishful thought of many cyber security professionals.  Repeated mistakes such as plugging in unauthorized USB drives, opening unsolicited emails and thoughtlessly clicking on the embedded malicious links, and uploading publicly viewable personally identifiable information provide never-ending job security for security professionals.  They also provide never-ending security risks for the security professionals who are charged with protecting the information and information systems.  What seems common sense to those whose life’s work revolves around all things cyber security, most users have little to no understanding of computer networks, application development, social engineering, or malware.  These concepts are not their areas of specialization, so it is unrealistic to assume common users have the requisite knowledge to recognize the wide variety of threats facing them.  Therefore, users need a few, easy to remember, yet inclusive, “safety rules” to promote Internet safety and protect user’s information and information systems. 

The United States Marine Corps recognized a similar situation.  By training and necessity, every Marine is considered to be a “Rifleman”  capable of employing a rifle if called upon, but there are varying levels of weapons handling proficiency across the Marine Corps.  Combat arms Marines are expected to have the highest levels while Marines in other occupational specialties who do not regularly exercise their weapons handling skills will have less.  Regardless, a Marine is expected to employ any weapon in a safe and professional manner, to shoot only valid targets, and exercise discipline to ensure the weapon is operated in safe manner.  Human nature does intervene and inevitably, “things happen”.  Marines do fire weapons in the wrong place, at the wrong time, or at the wrong target.  Commonly referred to as a “negligent discharge” such acts are punishable under the Uniform Code of Military Justice1.   The Marine Corps took action to prevent negligent discharges and developed the “Four Weapons Handling Safety Rules ” that every Marine knows by heart.  The Four Safety Rules are:

    1. Treat every weapon as if it were loaded.
    2. Never point a weapon at anything you do not intend to shoot.
    3. Keep your finger straight and off the trigger until you are ready to fire.
                                                                4. Keep the weapon on SAFE until you intend to fire.2 

The Four Safety Rules will guide development of “Four Internet Safety Rules” for everyday Internet users’ application to protect their information and information systems.  The First Weapons Handling Safety Rule, “Treat every weapon as if it were loaded” charges the Marine to maintain a proper mindset when handling and using a weapon.  Likewise, computer users must maintain a proper mindset when using computer devices, whether a personal desktop, mobile device, or work computer.  This leads to the:

First Internet Safety RuleTreat your device and information as if it were constantly under threat.

Users must be mindful that their device and the information on the device is under a varying level of threat every time the device connects to the Internet.  Threat types and levels vary per user; therefore, users need to periodically review the threats affecting their environment and then plan appropriately.   Maintaining a proper defensive mindset will guide each decision the user makes regarding security settings, choice of passwords, timely operating system and application software updates, and use of anti-virus and anti-malware protection.  Protecting information also means developing and executing an appropriate data backup plan and then verifying that the plan works as designed.  Maintaining a defensive mindset on a network requires timely reporting if anything seems amiss.  A noted problem on a network can affect other users on the same network.

The Second Weapons Handling Safety Rule, “Never point a weapon at anything you do not intend to shoot” reminds Marines to be mindful of the damage a weapon could cause if a projectile struck an unintended object.  Similarly, users must be mindful of where they “point” their browsers , what emails they open, what they download, and the links they click.  This mindfulness leads to the:

Second Internet Safety Rule:  Do not access websites, download applications, or open email with which you are not familiar.

Accessing unfamiliar or questionable websites, downloading non-authentic applications, or opening spam email can lead to installing unwanted malware on an unknowing user’s device.  The unintended consequences resulting from the malware can lead to information theft or corruption, slower operating devices, and even complete information loss via ransomware.  Constant awareness of where a device “points” is a necessary condition to avoiding the resultant damage.

The Third Weapons Handling Safety Rule, “Keep your finger straight and off the trigger until you are ready to fire” makes use of external safety measures to ensure that a weapon can fire only if a Marine engages a key external component, in this case, the trigger finger.  In this case, it is the absence of an external component that provides a measure of safety.  The weapon will not function properly unless this component is added in the course of normal operations.  In the case of cyber security, it is the addition of external safety measures that provide extra measures of security.  Users have an ability to make use of external safety measures appropriate to their use to maintain and increase their security level.  These measures lead to the:
Third Internet Safety Rule:  Keep all applications, firmware, middleware, operating systems, and anti-malware program software patched  and up to date. 

Using external application, operating system, and anti-malware update servers to patch and detect known vulnerabilities will help users reduce the number of vulnerabilities on their devices and make them harder to exploit.  Hardened targets will dissuade all but the most dedicated attackers and cause them to search for easier targets.  A safe course of action is for users to learn how to enable their auto-update settings.  Auto-update will ensure patching occurs on a regular basis; however, it is smart practice to periodically check and ensure that auto-update functions correctly.   

The Fourth Weapons Handling Safety Rule, “Keep the weapon on SAFE until you intend to fire” makes use of internal safety measures and defenses purposefully designed into the device.  A service rifle has a built-in safety feature that prevents a weapon from firing even if the Marine squeezes the trigger.  This built-in safety feature aids in preventing negligent discharges and the Marine should disable this feature and select FIRE only when ready to employ the weapon.  At all other times the weapon should be on SAFE.  Likewise, users need to make use of internal operating system settings, security application controls, and ancillary peripherals to the maximum extent practical to reduce risk to personal information and information systems.  Lack of knowledge or inexperience is a common reason why internal controls are not used properly or to the fullest extent.  For example, users commonly deploy wireless routers “out of the box” with easy to find default configurations and passwords, post to social media sites that don’t have proper security settings checked, and place misconfigured servers online.  These common mistakes lead to the:

Fourth Internet Safety Rule:  Know and use maximum level security settings to keep online personal information as safe as possible.

Applying Moore’s Law , phones, tablets, laptop and desktop computers, applications, and networking devices will be smaller, faster, more complex, and more capable.  The old joke used to be about how hard it was to program a VCR.  Today, a mobile device can easily overwhelm a novice user in terms of privacy settings, default configurations, and what is considered a trusted application.  Fortunately, the same Internet that poses danger at every turn also provides help in the form of Google searches and YouTube instructional videos.  Users can search for “how-do-I-…?” instructions and can receive a wealth of content in return.  Blogs, manufacturer websites, communities of interest, and videos all provide tips, tricks of the trade, and more, but users must beware of illegitimate sites.  Surfing to reputable sites is best, starting with the manufacturer and branching out from there.  Trusted friends, co-workers, or the “IT guy” are good sources too.  Above all, users need to ask if unsure.


Thus, the Four Internet Safety Rules are:
1. Treat your device and information as if it were constantly under threat.
2. Do not access websites, download applications, or open email with which you are not familiar.
3. Keep all applications, firmware, middleware, operating systems, and anti-malware program software patched and up to date.
4. Know and use maximum level security settings to keep online personal information as safe as possible.

Prior to every Marine Corps live-fire exercise, the Officer-in-Charge or Range Safety Officer conducts a safety brief for every participating shooter.  Without a doubt, the Four Weapons Handling Safety Rules are discussed and each shooter will restate each Safety Rule.  Since the Rules are ingrained in every Marine, each shooter can easily rattle them off.  Generally, the briefer will discuss each Rule and ensure that the weapons handling knowledge is front and center in each shooter’s mind prior to starting the exercise.  So it should be with the Four Internet Safety Rules.  How each office, shop, unit, or organization chooses to indoctrinate and reiterate the Four Internet Safety Rules is a matter of analysis, decision, and execution.  Publishing policy that addresses each Rule, user expectations and consequences, and, most importantly, why the Four Internet Safety Rules are important, is the best place to start.  Publicly addressing and “selling” the policy and Four Internet Safety Rules provides the leadership the opportunity to look users in the eye and reinforce the need for Internet safety and each user’s role in ensuring that safety for the entire organization.  Leaders who take the opportunity to remind users of the importance of Internet safety and use novel discussion methods will eventually drive the point home, if only to remind users that when they see the leadership walking about Internet safety will come to mind.  Posting the Four Internet Safety Rules on websites, in break rooms, on log-on banners, and on pop-ups will reinforce the message.  Developing a very public award system for users or departments that go the longest without cybersecurity incidents introduces the natural competitive spirit and peer pressure to reduce incidents.  Likewise, developing and discussing use cases of users reported by news agencies who suffered the consequences of not following the Rules will add a needed dose of “It really can happen to you” to any instruction or discussion period.  Regardless of how well users accept the Four Internet Safety Rules presented in this article, users do need a few, simple, and general rules to guide their Internet use and remain reasonably secure in the course of their online activities. 



About the Author

A Marine Communications Officer, Lieutenant Colonel John Dobrydney is an experienced cybersecurity and network operations planner. He recently served as the Commanding Officer of Marine Wing Communications Squadron – 18, the Executive Officer of 7th Communication Battalion, the Network Operations Officer for the III MEF G6, and served as the Enterprise Information Assurance Branch Head at Headquarters, Marine Corps C4 Directorate. He currently serves as the Cybersecurity Division Chief, Joint Staff J6. Lieutenant Colonel Dobrydney has a Masters of Security Studies from the Marine Corps War College and a Master of Science in IT Management from the Naval Postgraduate School.



--------------
1UCMJ art. 134 (2012).
2U.S. Marine Corps. (2012). Rifle marksmanship REVISED (MCRP 3-01A). Albany, GA:
Author. 

Image credits (in order of appearance):  marinerecruitmom.blogspot.com, techtarget.com, intel.com

[Book Review] On Cyber: Towards an Operational Art for Cyber Conflict

posted Dec 28, 2017, 3:07 PM by James Caroland   [ updated Dec 28, 2017, 3:13 PM ]

By James Caroland, Editor-in-Chief, Cyber Magazine

On War is one of the preeminent books on military strategy and war and is practically required reading for any officer in the United States military, as well as many international militaries.  You will find it in curriculums at Service and National War Colleges where warfare is studied, and any officer who has completed their Joint Professional Military Education (JPME) probably has a copy on their bookshelf.  I can see my tattered, dog-eared copy from across my office as I write this.   On War was written by Prussian General Carl von Clausewitz … in the early 1800s … long before the Advanced Research Projects Agency (ARPA) invented what came to be known as the Internet.   

Fast forward over a century and a half to encounter ubiquitous cyberspace, its designation as the fifth domain of warfare, and the creation of military commands for cyber warfare. Cyber conflict has already been happening for over a decade. While there have been many articles written about various aspects of cyber conflict over that time, there has not been a comprehensive book that addresses how militaries defend, fight, and win in cyberspace – until now.

With a title that I assume is a nod to Clausewitz’s On War, Gregory Conti and David Raymond have written On Cyber: Towards an Operational Art for Cyber Conflict, updating Clausewitz’s teachings (among others) to account for the advent of cyberspace.  With cyber conflict being primarily -- though not exclusively -- a military realm, the foundation of the book is a lot of military doctrine.  However, Conti and Raymond are able to take the language of warfighting and make it accessible to a non-military audience. They logically organize the book by the various elements of combat (terrain, maneuver, intelligence, command and control, etc.); address each of these across the strategic, operational, and tactical levels of war; and explain how each relates to and can be leveraged in cyber conflict.

Conti and Raymond creatively balance quoting historical military strategists (e.g., Clausewitz, Jomini, Sun Tzu, Napolean, Patton) and discussions of traditional warfighting (e.g., Battle of Marathon (490 BC), Civil War, World Wars I/II) with quoting modern day cybersecurity professionals (e.g., Dan Kaminsky, the grugq, Whitfield Diffie, Dan Geer) and discussions of recent cyber events. There are sometimes two camps in the cyber versus kinetic warfighting debate – those that say cyber can be applied to any kinetic warfighting concept and those that say cyber is completely unique.  Conti and Raymond caution either camp in dismissing the other and do a credible job presenting how traditional kinetic warfighting may or may not apply in cyber conflict, providing concrete examples, illustrative graphs and tables, and well-researched points to make their cases and recommendations.

The book is certainly not without its references to geek culture, which is appreciated by many of us in the cyber community. These include books, movies, comics, and television shows such as Star Trek, The Matrix, Harry Potter, Ender’s Game, Robocop, The Terminator, and X-Men, as well as nerdcore music lyrics. Although, I was a little sad to see Star Wars did not make the cut. These references are not simply randomly inserted, but deliberately used to elucidate some facet of cyber conflict in a clever way.

Other than hoping for a Star Wars allusion, as a Naval officer, I personally was hoping for more Navy context (along with the other military services).  Although there is mention of the Phalanx weapons system found on Navy ships, the book is rather Army-centric in its context.   This isn’t surprising as Conti and Raymond are retired Army officers with over 50 years of service combined.  At the same time, you don’t have to be in the military to understand the book.   It is extremely well-researched with 693 endnotes and has many footnotes throughout its pages explaining various concepts, both military and cyber related.

Conti and Raymond also highlight several key themes that are integrated throughout the book such as automation in cyber conflict is key, speed matters in cyberspace, attribution is hard, laws and policy can be limiting (for the good guys), modern technology influences decisions, geography is “different” in cyber conflict, and command and control is more than just humans. If for some reason you choose not to read the entire book, you can always skip to the end of each chapter which has conclusions and recommendations that effectively tie together concepts from the chapter.    

The book ends with “A Look at the Future”. While this final chapter does an excellent job covering technology on the horizon and potential ramifications for cyber conflict, it also emphasizes that cyber conflict is more than just technology. It addresses creating an agile culture, having multi-disciplinary teams, adapting cyber institutions, growing cyber talent, and updating doctrine. 

I highly recommend this educational, entertaining, and insightful book to anyone interested in cyber conflict/warfare. Military and government members, particularly senior leaders, strategists, planners, and decision-makers, should order their copy now. Much like my copy of On War, On Cyber: Towards an Operational Art for Cyber Conflict will undoubtedly become tattered and dog-eared from reference and use. 

Book Details

Authors:     Gregory Conti, David Raymond
Editor:        John Nelson
Pages:        352 (paperback)
Publisher:   Kopidion Press
Date:          July 18, 2017
ISBN-10:    0692911561
ISBN-13:    978-0692911563

Punching Above Its Weight: Estonia as a Cyber Power

posted Dec 14, 2017, 8:35 PM by James Caroland   [ updated Dec 14, 2017, 8:43 PM ]

By Michael Lenart

An Unlikely Model?

In 2007, the Baltic nation of Estonia moved a statue of a Red Army soldier from the center of its capital, Tallinn, to a military cemetery on the outskirts of town. The move reflected the ethnic Estonian majority population’s perspective that the Red Army symbolized occupation and oppression, rather than the defeat of Nazism – the intended message of the Soviet authorities who had erected the statue in 1947.1 Similarly, many of Estonia’s ethnic Russians perceived the relocation as disrespect toward a generation of patriots who had ostensibly liberated Estonia from Nazi invaders. As a result, many ethnic Russians rioted in protest, while Russian hackers launched massive Distributed Denial of Service attacks against Estonian government and private sector websites. This was the first ever large-scale cyber attack on a nation-state, and it took down the online services of banks, media outlets, and government organizations.2  Fortunately, however, the attacks were mitigated and eventually stopped. Perhaps even more fortunately, as we’ll see later on, Estonia’s decision to be publicly transparent about the attacks significantly advanced global discussion of cyber issues.

Estonia is a country of roughly 1.3 million people in a world of around 7.6 billion. Its land mass is about twice that of New Jersey3. Most people in the world probably aren’t sure where Estonia is located. From a tourism perspective, its biggest draw is the medieval Old Town section of its capital, complete with defensive walls going back as far as the thirteenth century.4

And, as previously recounted, the first cyber-related news most people ever heard about Estonia portrayed it undeniably as a victim.

These may not sound like the characteristics of a rising cyber power. However, Estonia continues to build its reputation as an innovative, IT-savvy state determined to shape the international information environment and fight effectively on the ever-evolving cyber battlefield. Described as a “high-tech hub whose engineers helped invent Skype,”5 Estonia boasts an impressive array of cyber accomplishments and initiatives. For one, the country maintains an unprecedented e-governance system. It also hosts NATO’s Cooperative Cyber Defense Center of Excellence, and it frequently kickstarts international conversations on key cyber issues.

e-estonia

The foundation of Estonia’s global reputation for electronic innovation is its trailblazing e-governance system. This system allows the overwhelming majority of government services to be performed online, greatly increasing efficiency and convenience. The e-estonia website’s description of the system is worth quoting at length, as it shows Estonians’ tendency to be both practical and strategic in their thinking:

"e-Governance is a strategic choice for Estonia to improve the competitiveness of the state and increase the well-being of its people, while implementing hassle free governance.

Citizens can select e-solutions from among a range of public services at a time and place convenient to them, as 99% of public services are now available to citizens as e-services. In most cases there is no need to physically attend the agency providing the service.

The efficiency of e-Government is most clearly expressed in terms of the working time ordinary people and officials save, which would otherwise be spent on bureaucracy and document handling.6"

At the center of this system is the national ID card, containing a chip with the cardholder’s embedded files. Using 2048-bit public key encryption, the card provides digital proof of identity and enables the 
holder access to a host of e-services, ranging from registering property titles to submitting court records, managing health care records and prescriptions, filing quick tax returns, registering businesses, voting, and a host of others.7 The result is that only a tiny fraction of a person’s periodic administrative tasks requires physically going somewhere or mailing paper documents. Creating this virtual ecosystem has required significant investment in network and internet infrastructure, but the investment has made Estonia “the most advanced digital society in the world.”8

Perhaps the most novel feature of Estonia’s e-governance system is that, pending a background check, it’s open to literally anyone. Any person in any country can apply to be an “e-resident” of Estonia. The advantages of this openness are found in the global marketing of Estonia’s innovative national brand, and the increased possibility that a person who, for instance, registers a new business in Estonia will end up paying for some government services there, using an Estonian bank, or partnering with other Estonian business.9

Cyber Defense Center of Excellence

Another very visible example of Estonia’s special status in cyber and electronic issues is the NATO Cooperative Cyber Defense Center of Excellence, located in Tallinn. The Center enhances the cyber expertise of NATO and its partners through education, research and development, lessons learned, and consultation.10 These efforts extend to the fields of technology, strategy, operations, and law as they apply to cyberspace.11


The Center’s most exciting activity is the Locked Shields live-fire cyber defense exercise, which has been held annually since 2010. Locked Shields challenges teams to maintain the networks and services of a fictional country by handling and reporting incidents, solving forensic challenges, and responding to various scenario injects. The 2017 Locked Shields tasked teams to maintain the services and networks of a military air base experiencing severe attacks on its electrical grid, command and control systems, unmanned aerial vehicles, critical information infrastructure components, and other operational infrastructure. The exercise featured around 800 participants from 25 countries, and deployed over 3,000 virtualized systems in the simulated fight.12

The Center also hosts CyCon, perhaps the world’s pre-eminent cyber conference. Each year, CyCon attracts hundreds of international decision-makers and experts from government, academia, and industry. Like the Center’s overall approach to cyber issues, CyCon approaches topics from a variety of perspectives, e.g., legal, technological, and strategic. CyCon 2017, for instance, focused on the following themes: How can the ‘core’ elements of cybersecurity be defined? How do they relate to the essential assets and principles in technical, legal, and political contexts? How can defenders protect critical information infrastructure? How can critical vulnerabilities be mitigated and the most serious threats countered? How can legal frameworks be established and applied to cybersecurity? What technologies can help counter emerging cyber threats? How can effective cybersecurity strategies be developed and implemented? What should the role of the armed forces be in executing these strategies? How can countries deter cyber attacks against core national assets?13

While CyCon generally occurs in the spring, the Center also co-sponsors CyConU.S. each fall with the U.S. Army Cyber Institute. CyConU.S. 2017’s overarching theme was “The Future of Cyber Conflict.” The conference explored how the increasing prominence of cyberspace’s place in everyday life combines with emerging technologies and scientific breakthroughs such as quantum computing, machine learning, Big Data, and robotics to expand the battlespace, and perhaps even redefine the concepts of war and peace.14

Last but not least, the Center also facilitated the writing and publishing of the Tallinn Manual 2.0. Written by nineteen international law experts and technically titled The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, this publication is an update of the original 2013 Tallinn Manual. While both versions are based on the understanding that pre-existing international law applies to cyberspace, the original manual focused only on the most extreme cyber incidents, such as those that occur during armed conflict. Tallinn 2.0 also addresses more “day-to-day” legal considerations, however. These include principles of general international law, such as sovereignty and jurisdiction, as well as issues of state responsibility such as legal standards for attribution. Tallinn 2.0 also delves into human rights law, air and space law, the law of the sea, and diplomatic and consular law as they apply to cyber operations.15 Though the views expressed in Tallinn 2.0 are only those of its authors and not necessarily official policy of NATO or its member states, Tallinn 2.0 nevertheless remains a well-recognized and, in many outlets, valued legal resource.

Kickstarting the Big Conversations

The final way Estonia exerts its outsized cyber influence is more abstract than its e-governance system and center of excellence, but is perhaps equally important. Namely, it encourages – and sometimes even initiates – key global discussions that otherwise might not occur. The most prominent example was its decision to admit publicly in 2007 that it was under attack, and to be unusually forthcoming about some of the details. As a result, the issues exposed and lessons learned from the attacks led to much greater international cooperation in cybersecurity.16 A more typical, protect-our-secrets-and-reputation style of communication about the attacks may have delayed much of the progress Estonia and its partners have since enjoyed.

A recent and particularly clever example of Estonia’s knack for convening important cyber discussions is CYBRID 2017.17 Estonia, taking advantage of its turn as President of the Council of the European Union (EU), gathered EU Defense Ministers for an exercise to see how they would respond to a fictional cyber attack. In the exercise scenario, a minor cyber incident slowly and ambiguously evolved into a full-out attack on military communications systems, eventually preventing EU headquarters from communicating with ships operating in the Mediterranean. With each (often unclear) development in the scenario, the Defense Ministers were asked how they would respond. The exercise quickly 
revealed “how difficult it is to evaluate how bad things are,” and presented “bureaucratic roadblocks and geopolitical concerns“ that the ministers had difficulty addressing.18 Primary challenges included determining when and how to communicate with other countries, the public, and critical infrastructure providers.19 Many of these requirements simply hadn’t been thought through before, at least not at the national (and international) policymaker level. But CYBRID 2017 began to remedy that, and one hopes similar exercises will follow.

Looking Ahead

One can arguably say that the word “innovative” gets thrown around too easily in contemporary discussions about people, organizations, and other types of entities. However, with a unique e-governance system, a world-renowned cyber center of excellence, and a creative knack for goading its friends in the right direction on key issues, Estonia can make a more legitimate claim than most to this tired (but still relevant) descriptor. Consequently, its reputation as a major player in cyber and digital issues is well-deserved. Considering its size and only recent entry back into the free world, these distinctions are all the more impressive.

Further, as the world’s everyday activities become increasingly electronic and data-driven, the relative power of states will be determined at least a bit more by digital competencies and capital. Thus, proactive countries like Estonia will be well-positioned to benefit from this shift, whatever its magnitude.



About the Author

Michael Lenart is an Army Strategist on detail to the U.S. State Department. His areas of interest include U.S. and international security issues, cyberspace operations, and organizational change.


--------------------
1Damien McGuinness, BBC News. “How a cyber attack transformed Estonia.” http://www.bbc.com/news/39655415
2Ibid.
3CIA World Factbook. https://www.cia.gov/library/publications/the-world-factbook/geos/en.html
4visit estonia. https://www.visitestonia.com/en/tallinns-city-wall-29
5Ott Ummelas, Bloomberg Politics. “NATO’s Baltic Outpost Digging Cyber Trenches for Europe.”
6e-estonia. https://e-estonia.com/
7Ibid.
8Ben Hammersley. “Concerned about Brexit? Why not become an e-resident of Estonia. http://www.wired.co.uk/article/estonia-e-resident
9Ibid.
10Cooperative Cyber Defence Center of Excellence. About Us. https://ccdcoe.org/about-us.html
11Cooperative Cyber Defence Center of Excellence. https://ccdcoe.org/
12Locked Shields 2017. https://ccdcoe.org/locked-shields-2017.html
13CyCon 2017. https://ccdcoe.org/cycon-2017.html
14CyCon U.S. http://aci.cvent.com/events/2017-international-conference-on-cyber-conflict-cycon-u-s-/event-summary-004d598d31684f21ac82050a9000369f.aspx
15Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. https://ccdcoe.org/sites/default/files/documents/CCDCOE_Tallinn_Manual_Onepager_web.pdf
16Lauri Almann. 10 Years of Cyber Estonia: What will the Next Decade Bring? Panel discussion, Center for Strategic and International Studies, November 6, 2017.
17Caroline Houck. “Cyber Defense is Very Much About Political Decisions.” http://www.defenseone.com/threats/2017/09/cyber-defense-very-much-about-political-decisions/141198/
18Ibid.
19Ibid.

Photo credits (in order of appearance): Radio Free Europe Radio Liberty, Operation World, e-estonia, OSET Foundation, NATO, Indian Strategic Studies, Delfi.


Monitoring the Landscape of Cyberspace

posted Nov 5, 2017, 10:25 AM by James Caroland   [ updated Nov 5, 2017, 10:26 AM ]

By Ray Mollison

In my previous article, Building a Cadre of Cyber Intellectuals, it introduces Cyber Intelligence (CYBINT) as an intelligence discipline providing clarity to understand vulnerabilities, exploits, and threats in cybersecurity. Cyber Intelligence can help build a stronger cybersecurity posture by conceptualizing the cyberspace landscape in three levels: operational, tactical and strategic. This will provide to the decision-makers a comprehensive analysis of state actors’ and non-state actors’ capabilities, skillsets, and intentions of their cyber attacks. 

This article will focus on Cyber Threat Intelligence (CTI), which is a sharing platform within a community on current and emerging cyber threat trends within businesses, organizations, and government entities. The future is uncertain if an impenetrable cybersecurity posture could ever exist or if there is a technical solution to stop cyber threats. It is going to take more than firewalls to stop malicious threats and attacks from penetrating computers and systems. To gain an upper hand on combating cyber threats, there is a need to understand the cyberspace landscape of vulnerabilities and exploits. The implementation of CTI could be a tangible solution to enhance the cybersecurity posture against cyber threats.

Gartner best describes Cyber Threat Intelligence as the “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard”.1 The collection of raw cyber threat information gathered to evaluate and aggregate actionable intelligence, CTI is performed through the lenses of the intelligence lifecycle: plan, collect, process, produce and disseminate information by focusing on identifying types of indicators of cyber threats such as Malware, Spear-Phishing, Password Attacks, Ransomware and Denial of Service (DOS).2   These cyber threats are examples of what a business, organization and government entity become exposed to within their network daily. This highlights the importance in why networks need to be monitored and controlled to ensure computers and systems are secured against cyber threats. 

CTI is the integration of human intelligence with technical intelligence, allowing an organization to concentrate on existing and emerging threats.3 It is a forward leaning methodology in order to detect possible threat trends in real-time. To understand cyber threats, there are three factors to consider when assessing actors’ motives, which are their Intent, Capability, and Opportunity. 

Intent is a malicious actor’s desire to target your organization
Capability is their means to do so (such as specific types of malware)
Opportunity is the opening the actor needs (such as vulnerabilities, whether it be in software, hardware, or personnel)4

Understanding these three factors can add insight of current cyber threat activities and subsequently project future outcomes by analyzing the actors’ actions, means, and needs. Defining the actors’ motives will help understand their techniques, tactics, and procedures. The methodologies and motives of cyber attacks are the virtual fingerprints of cyber threats; therefore, utilizing a collaborative platform to share real-time threats will add clarity to the composition and characteristics of attacks. Using CTI, a Cyber Threat Analyst examines the actor’s digital fingerprint through aggregated collection sources ranging from technical sources, open sources, and closed sources.5

Technical Sources include the Security Information and Event Manager (SIEM), Intrusion Detection Systems (IDS), firewalls, next-generation endpoint security platforms, and logs from any number of devices
Open Sources such as published vendor reports, any number of free feeds of indicators, vendor vulnerability lists (Microsoft, Apple, Adobe, etc.), and media sources
Closed Sources may include community mailing lists, or organizations such as Information Sharing and Analysis Center (ISACs)

There are many Threat Intelligence Platforms (TIPs) available for threat analysts to aggregate, correlate, and analyze threat data from multiple sources in real-time.6 These platforms offer an advantage to Threat Intelligence Analysts to corroborate threat data to quantify the strength of identifying indicators of potential cyber threats. This platform is designed to be shared across small and large businesses, manufacturers, industries, banks, and government and private organizations in order to improve security within a trusted community. An example of a Threat Intelligence Platform is ThreatStream (Anomali), which was pioneered and founded by Greg Martin.7 ThreatStream is a threat intelligence platform designed to Collect, Optimize, Integrate, and Share.8

Collect: portal to access hundreds of threat intelligence feeds.
Optimize: normalizes and optimizes intelligence, making it more actionable.
Integrate: out of the box integrations with SIEMs, firewalls, and other systems.
Share: offers two-way sharing and secure trusted circles for vetted collaboration.

The advantages to utilizing TIPs is that most organizations are currently using threat intelligence as a part of their cybersecurity program, where it has become valuable to their security mission, and it has become necessary to maximize the value of intelligence data.9 TIPs have become critical to organizations that value a collaborative community and exercise innovative solutions to deter and combat cyber threats. However, there are disadvantages to using TIPs.  They are overwhelmingly complex, have difficulty in platform integration with other security technologies, and suffer a lack of alignment between analyst and operational security events.10
The lack of professional expertise is one of the biggest hurdles to overcome in threat intelligence platforms.11 For example, at the heart of a threat intelligence platform is the Security Operations Center (SOC) where technical information is collected in real-time. The SOC is the nucleus of threat intelligence to examine and evaluate current threat trends by technical experts who aggregate data into actionable intelligence.12 The technical experts monitor an integration of systems in real-time from SIEMs to firewalls. The SOC will need technical experts with the right education and experience to correctly and accurately identify cyber threats. These technical experts must possess the technical knowledge and a broad range of capabilities and diversity of experiences.13 Therefore, the pool of talent will be limited to a select few applicants making it hard to the fulfill roles and responsibilities for this position. 

Figure 114 to the right details the process of threat intelligence as a visual representation. The diagram conceptualizes threat intelligence as an ecosystem referring to it as an interactive organism within interconnected communities or systems. The preservation of the Threat Intelligence Ecosystem is positioned in the center, which is governed by other pyramids: a Threat Intelligence Analyst who collects and analyzes information while the Security Operations Center monitors threats in order for the Leadership to make decisions. These pyramids fortify the epicenter of the ecosystem in conserving and preserving a healthy collection of Threat Intelligence for the Leadership to act upon. Most importantly, the Leadership will be able to understand how and what cyber threats impact the cyberspace landscape for the decision makers to accurately develop strategic and tactical intelligence frameworks. The maturity of strategic and tactical intelligence frameworks can help an organization focus their energy and resources to effectively and efficiently neutralize or degrade cyber threats while stabilizing the cyberspace ecosystem.

CTI will soon become a greater part of businesses, government and private organizations’ cybersecurity portfolios, which can help identify the likelihood of future threats. The utilization of CTI can detect and prevent potential threats, which reinforce a strong cybersecurity posture by having the ability to counter threats before they materialize. The Threat Intelligence Platforms can strengthen the collection of data gathered in real-time for the intent to produce accurate and actionable intelligence reports to prepare and plan for potential cyber threats. This could lead to a stronger defensive security posture of developing Operational, Tactical, and Strategic Cyber Intelligence products that is adaptable and innovative against cyber threats. In addition, these platforms can assist in holistically comprehending the virtual landscape of potential threats deployed within cyberspace. Potential future threats will continue to grow and progressively cultivate new threats. 

About the Author

Ray Mollison is a field-grade officer in the Military Intelligence Readiness Command (MIRC) as an Army Reservist. He is pursuing his Master’s degree in Cybersecurity at the University of South Florida. Ray enjoys working out and spending time with family.


--------------------
1iSightpartners (2014) What is cyber threat intelligence and why do I need it? [online], http://www.isightpartners.com/ wp-content/uploads/2014/07/iSight_Parterns_What_Is_20-20_Clarity_Brief.pdf 
2https://www.tripwire.com/state-of-security/security-data-protection/ cyber threat-intelligence/
3iSightpartners (2014) What is cyber threat intelligence and why do I need it? [online], http://www.isightpartners.com/ wp-content/uploads/2014/07/iSight_Parterns_What_Is_20-20_Clarity_Brief.pdf 
4https://www.tripwire.com/state-of-security/security-data-protection/ cyber threat-intelligence/  
5https://www.darkreading.com/vulnerabilities---threats/how-to-roll-your-own-threat-intelligence-team/a/d-id/1326445?
6https://en.wikipedia.org/wiki/Threat_Intelligence_Platform
7https://en.wikipedia.org/wiki/Threat_Intelligence_Platform
8https://www.anomali.com/platform/threatstream
9https://www.infosecurity-magazine.com/news/threat-intelligence-strategies/
10https://www.infosecurity-magazine.com/news/threat-intelligence-strategies/
11https://www.infosecurity-magazine.com/news/threat-intelligence-strategies/
12https://www.recordedfuture.com/security-operations-center-strategy/
13http://www.ey.com/Publication/vwLUAssets/EY-security-operations-centers-helping-you-get-ahead-of-cybercrime/$FILE/EY-security-operations-centers-helping-you-get-ahead-of-cybercrime.pdf
14https://semiengineering.com/threat-intelligence/

Photo credit:  Tripwire.com  


1-10 of 57