Richard O. Moore, III

Cyber Intelligence-Driven Risk


Скачать книгу

target="_blank" rel="nofollow" href="#ulink_91b7ef54-e6cd-5450-9d85-d87303f6f5df">FIGURE 2.1 CI-DR™ Cyber intelligence life cycle.

      The second class of the CI-DR cyber intelligence is known as “estimative cyber intelligence,” and is focused on potential developments. Estimative cyber intelligence is the most demanding and is the most important task of creating “knowledge” from raw digital intelligence, as it seeks to anticipate a possible future or several futures.3 Just as military commanders cannot reasonably expect traditional estimative intelligence to precisely predict the future, estimative cyber intelligence deals with the realm of possibilities and probabilities. It is inherently the less reliable of the classes of intelligence because it is not based on what actually is or has been, but rather on what might occur.4 A good example of estimative cyber intelligence is described in our real-world example in the Introduction.

      As we continue to discuss the types of cyber intelligence and why the CI-DR uses these, we must also discuss the levels of intelligence. There are only three, to continue with simplicity, and these lead to our building cyber intelligence requirements in the upcoming chapters. The three levels of our CI-DR cyber intelligence types are strategic, operational, and tactical, in that order. Tactical cyber intelligence is the most fundamental, concerning location (i.e. geographical, networks, or internet protocols), capabilities (i.e. sophistication levels, skills, or method of delivery), and potential adversarial intent. Tactical cyber intelligence is the tactics, techniques, and procedures, or TTPs6 used in the cyber threat intelligence capability of the CI-DR program. In cyber it is wise to take care and understand that this is where most of the attention of cyber defense is focused today. While the tactical level deserves attention, the problem with a singular focus at this level means that the adversary is either already in the network, or at the door of your gateway trying to get in. Yet, if appropriate resources were expended in the previous two levels, some of this tactical activity may be precluded and have better usage by business leaders for decisions.7 The Security Operations Center (SOC) is fundamentally where tactical activities occur and will be discussed in a later chapter.

      Operational cyber intelligence is the level at which campaigns and major operations are planned, conducted, and sustained.8 At the operational level, malicious actors plan their campaigns based upon what they have learned in collecting their own cyber intelligence and on what they had surmised as being necessary based upon their strategic goals. Actors build the capabilities (botnets, malware, delivery methodology [phishing], etc.) needed to support the tactical operations. They maneuver in cyberspace (hop points) to position capability where they need to in order to be effective in their tactical missions. This is the level where a hacktivist group may plan both cyber and physical world activities to support their objectives.9 Examples of operational-level cyber intelligence could be the following:

       Trend analysis indicating the technical direction in which an adversary's capabilities are evolving.

       Indications that an adversary has selected an avenue of approach for targeting your organization.

       Indications that an adversary is building capability to exploit a particular avenue of approach.

       The revelation of adversary tactics, techniques, and procedures.

       Understanding of the adversary operational cycle (i.e. decision-making, acquisitions, command-and-control [C2] methods for both the technology and the personnel).

       Technical, social, legal, financial, or other vulnerabilities that the adversary has.

       Information that enables the defender to influence an adversary as they move through the process of executing their intent and actions (i.e. attack chain).10

      The strategic level of cyber activity is the determination of objectives and guidance by the highest organizational entity representing a group or organization and their use of the group or organization's resources toward achievement of those objectives. This is the level where the business executive officers and directors provide direction, guidance, and requests or requirements for knowledge based on business objectives. Examples of strategic cyber intelligence might include:

       The decision by a competitor or potential competitor to enter your market space (e.g. a foreign competitor's new five-year plan now shows interest in developing a domestic capability in a technology your company is known for).

       Indications that a competitor, or foreign government, may have previously acquired intellectual property via cyber exploitation.

       Indications that a competitor, or foreign government, is establishing an atypical influential relationship with a portion of your supply chain.

       Indications that your corporate strategic objectives may be threatened due to adversarial cyber activity.11