Richard O. Moore, III

Cyber Intelligence-Driven Risk


Скачать книгу

      1 1 International Electrotechnical Commission, Risk Management – Risk Management Techniques, 2009–2011, www.iec.ch/searchpub

      2 2 Financial Services – Information Sharing and Analysis Center, 1999, located on the internet at https://www.fsisac.com/who-we-are

      3 3 SEC memo

      Knowledge must become capability.

       – Carl von Clausewitz, Prussian general

      ANY FRAMEWORK, methodology, or process has to have objectives and outcomes. The CI-DR™ program strives to achieve two objectives. First, the program provides accurate, timely, and relevant knowledge about cyber adversaries and the digital environment in which it operates. Adversaries within the cyber ecosystem are internal or external. An internal cyber adversary could be an employee, contractor, or someone with an objective and the physical or logical access to information otherwise not known to the public. External cyber adversaries include malicious actors, nation-states, competitors, or even outsourced platforms or processing environments and those employed or influenced there.

      The second objective of the CI-DR program is to protect organizations, through cyber counterintelligence activities, intending to deny adversaries valuable information about an organization's situation. These two objectives demonstrate how the CI-DR cyber risk programs support both the exploitative and protective elements necessary to operate in today's digital economy and infrastructure. The program aims to create timely and meaningful images of the situation confronting the decision-maker. CI-DR is the analysis and synthesis of information into knowledge. CI-DR cyber intelligence is “knowledge” that is distinguished from information or data, in that few pieces of information speak for themselves conclusively but must be combined and compared with other pieces of information, analyzed, evaluated, and given meaning.1 Good cyber intelligence does not simply repeat the information that a source may reveal. Rather, it develops this raw material in order to tell us what that information means and identifies the implications for decision-making.2

      Our CI-DR example for this chapter shows how the frame can support a business decision. Suppose a business leader wants to move an application from the organization's on-premises location to having it hosted at an outsourced provider (i.e. software as a service, platform as a service, or infrastructure as a service). The CI-DR program would begin with the analysis and collection of risk information from the current cyber environment as the baseline. A question would be posed to the team by the business leader, such as: “Is it safer to move existing system from on-premises to an externally hosted provider?” Additionally, the CI-DR program would collect and ingest into the CI-DR's cyber intelligence life cycle–specific information, cyber risks, vulnerabilities, cyber threats, costs, regulatory issues, and other relevant information to analyze and evaluate the various options where the leader wants to move the application. The result for this example could provide two or three options for providers and their risk ratings from a cyber intelligence perspective; they would also incorporate those ratings with the financial review of the provider, giving the business decision-maker the impact, risks, and profit or loss financial information for their review. The business leader is now able make better informed decisions about the outcome of their course of action, and to articulate and defend their position to senior leadership or the board of directors. The CI-DR program is not a stand-alone program. Discussed in the upcoming chapters, the program must have the right capabilities and resources available to evaluate the information collected and analyzed, with the ability to provide risks, options, and decision structures that can be generated for any consumer or leader within the organization. The decisions could be as simple as a “go or no-go” comparison chart or as complicated as total costs of ownership, potential losses, potential savings, or increased revenues, all with cyber risks included.

      Within the CI-DR functions and capabilities the cyber counterintelligence capability can be used within commercial businesses for mergers and acquisitions, for protecting information systems security strategies, or as part of the overall use of deception technologies or information to gain advantages in proactively identifying what cyber adversaries might be searching for within your networks. Organizations can test their cyber deceptive capabilities through tasks such as “red-teaming” activities. Red-teaming is usually performed by external organizations with the overall objective of gaining access to your facilities, systems, and data, and reporting on physical and digital compromises. The deceptive technologies are useful in validating those activities, as they could lead the testing team to encounter the deception systems and give them false information. Implementing the cyber counterintelligence portion of the CI-DR program will assist organizations in determining reconnaissance activities from adversaries, and assist with appropriate business or technology strategies to counter known cyber adversarial techniques, technologies, and processes. Organizations are performing some type of counterintelligence activity all the time, through marketing, delaying of products based on market research,