Iron Rain: Gaining Situational Intelligence to Make Rapid Decisions


In our previous article we introduced the idea of cyber insurgency and irregular warfare. Building on effective techniques from the Marine Corps, we now want to discuss combating the threat.


As destructive attacks surge, integrity attacks become the nightmare scenario for multi-national corporations. System integrity is paramount. Successful conduct of counterinsurgency operations depends on thoroughly understanding the environments within which they are being conducted. In most counterinsurgency operations in which foreign forces participate, insurgents hold a distinct advantage in their level of local knowledge. They speak the language, move easily within the society, and are more likely to understand the population’s interests.

From a cyber perspective the “culture” lies within network topology, netflow and user behavior analytics. Understanding the operational environment allows the counterinsurgent to identify the conditions which impact the prerequisites for the insurgency and the root causes that are driving the population to accept the insurgency. Only through understanding the operational environment can the counterinsurgent plan and execute successful operations to counter the conditions that allow the insurgency to exist in the first place. Updated network topology diagrams, coupled with regular penetration tests and the use of EDR, endow the defender with greater situational awareness of the operational environment.

INTELLIGENCE DRIVES OPERATIONS

Effective counterinsurgency operations are shaped by timely, relevant, tailored, predictive, accurate, and reliable intelligence, gathered and analyzed at the lowest possible level and disseminated throughout the force. Without accurate and predictive intelligence, it is often better to not act rather than act.

Gaining situational understanding before action is often essential in avoiding long-term damage to objectives. In environments where commanders do not have situational understanding, the first action they should take is to use forces to gain that understanding or drive to a known state. We are dealing with data fatigue. How do we improve the OODA Loop? How do we improve the contextual accuracy of intelligence? Without knowing the strategic and tactical battlefields, teams often do a lot of work, but blindly and with little to no strategic value. Intelligence can help focus the team’s efforts on what actually matters while keeping the bigger picture in view. Not everyone needs to worry about APT groups that target financial systems. Having the right intel can focus the team on the right threats to help better craft their defensive posture.

Because of the dispersed nature of counterinsurgency operations, the actions of counterinsurgency forces are key generators of intelligence. In counterinsurgency operations, a cycle often develops where intelligence drives operations, which produces additional intelligence that facilitates subsequent operations.

“Human interpretation of data is fundamental. Reporting by tactical ‘hunt teams’ and IT teams is often of greater importance than reporting by specialized assets. In cyberspace this must be automated.”

It is impractical in a cyber world to even think this can be manually achieved. There are far too many activities for humans to vet on their own. It must be pushed down to the lowest practical level on your team. Security leaders are responsible for driving the intelligence process.

These factors, along with the need to generate a favorable tempo, drive the requirement to produce and disseminate intelligence at the lowest practical level. Leaders are responsible for driving the intelligence process.

Understanding the operational environment extends beyond insurgent combatants and insurgent leaders.

LEARN AND ADAPT

The official motto of the Marine Corps is Semper Fidelis (always faithful). The unofficial motto is adapt, improvise and overcome. This mindset is a must for counterinsurgents. The insurgents will change their tactics on a dime. So should you.

An effective counterinsurgency force lies within an organization that is constantly learning. Insurgents connected with other organizations constantly exchange information about their enemy’s vulnerabilities—even with insurgents in distant theaters. However, skillful counterinsurgency forces can adapt at least as fast as insurgents.

“Every unit needs to be able to make observations, draw and apply lessons, and assess results.”

Leaders must develop an effective system to circulate best practices throughout their organization. Leaders might also need to seek new policies that authorize or resource necessary changes. Insurgents shift their locations looking for weak links, so widespread competence is required throughout the counterinsurgency force.

In cyberspace, standing up hunt teams is fundamental to countering a cyberinsurgency. These hunt teams must first develop a threat profile. This will help a hunter know where to prioritize hunting (and ultimately where to start hunting). Apply streaming analytics to unfiltered data. This will allow hunters to sort information faster and enable tools to do the target acquisition for the team, which acts as a force multiplier for your hunters. By tracing attacks back to their origin and root cause, analytics can help predict future attacks. As a result, teams can anticipate and focus on the organization’s defensive weaknesses.

As your team gels, develop rapid-response protocols. Deciding when to reveal oneself is critical, as counter-incident-response measures and destructive attacks are becoming the norm. The protocol should cover three activities:

  1. Assess threat intel (IPs, domains and hashes) applied to historical data.
  2. Query historical data for similar threads that are not identical matches.
  3. Detect anomalies, which requires continuous analysis of unfiltered data from the endpoint.

Threat hunting is most effective when employing both active measures (agents deployed to endpoints) and passive measures (netflow, packet capture appliances). User and entity behavior analytics must be employed, as it is critical to baseline “normal” network and host behavior in a threat hunt; contextualizing normal behavior is the most effective way of determining where an adversary might lie in wait.

A hunter must position themselves on the high ground. The high ground is defined by greater situational awareness. Specifically, the hunter must analyze threat intel from customer IPs, domains and hashes applied to historical data. From that vantage one must search for similar threads that are not identical matches in historical data. Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.
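The three hunt activities described above (intel indicators applied to historical data, near matches that are not identical, and anomaly detection against a baseline of normal host behavior) as one small worked example. This is added illustration, not code from the original post or from Carbon Black's products; the telemetry records, indicator values and field names are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed endpoint telemetry (one record per process launch). It stands in
# for the unfiltered historical data a hunt team keeps; none of it is real.
HISTORY = [
    {"host": "ws01", "proc": "outlook.exe", "sha256": "aaaa1111", "dst": "mail.corp.test"},
    {"host": "ws01", "proc": "svchost.exe", "sha256": "cccc3333", "dst": "10.0.0.5"},
    {"host": "ws02", "proc": "outlook.exe", "sha256": "aaaa1111", "dst": "mail.corp.test"},
    {"host": "ws02", "proc": "svchost.exe", "sha256": "cccc3333", "dst": "10.0.0.5"},
    {"host": "ws03", "proc": "svchost.exe", "sha256": "cccc3333", "dst": "10.0.0.5"},
    {"host": "ws03", "proc": "svch0st.exe", "sha256": "dddd4444", "dst": "203.0.113.7"},
    {"host": "ws04", "proc": "chrome.exe",  "sha256": "bbbb2222", "dst": "static.badcdn.test"},
    {"host": "ws04", "proc": "svchost.exe", "sha256": "cccc3333", "dst": "203.0.113.44"},
]
# Constructed threat intel: the hash, IP and domain indicator types the article names.
INTEL = {"sha256": {"dddd4444"}, "ip": {"203.0.113.7"}, "domain": {"update.badcdn.test"}}

def exact_matches(history, intel):
    """Step 1: apply hashes, IPs and domains from intel to historical data."""
    iocs = intel["ip"] | intel["domain"]
    return [r for r in history if r["sha256"] in intel["sha256"] or r["dst"] in iocs]

def near_matches(history, intel):
    """Step 2: 'similar threads' that are not identical matches: a different host
    under a known-bad parent domain, or an address in the same /24 as a bad IP."""
    nets = [ip_network(ip + "/24", strict=False) for ip in intel["ip"]]
    parents = {d.split(".", 1)[1] for d in intel["domain"]}
    out = []
    for r in history:
        d = r["dst"]
        if d in intel["ip"] or d in intel["domain"]:
            continue  # exact hit, already reported by step 1
        try:
            near = any(ip_address(d) in n for n in nets)
        except ValueError:  # not an IP address, so compare the parent domain
            near = d.split(".", 1)[-1] in parents
        if near:
            out.append(r)
    return out

def rare_processes(history, max_hosts=1):
    """Step 3: anomaly detection against a baseline of normal host behaviour. A
    process name seen on no more than max_hosts of the fleet is a lead, not a verdict."""
    hosts_by_proc = defaultdict(set)
    for r in history:
        hosts_by_proc[r["proc"]].add(r["host"])
    return sorted(p for p, hs in hosts_by_proc.items() if len(hs) <= max_hosts)
```

In the sample fleet the look-alike `svch0st.exe` surfaces twice (exact hash/IP hit and rarity), while the near-match pass widens the net to the sibling host name and neighbouring address that an exact indicator match would miss.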

EMPOWER THE LOWEST LEVELS

On the battlefield, especially when operating in an environment where insurgency exists, communications will break down. Time will be a factor. Individual team members need to be empowered with the right data to make the right decision at the right time.

Ground truth is imperative. In order to achieve it you must empower everyone on your team. Security teams and IT teams should be empowered to know their environment, know their intel sources and make decisions in the best interest of your organization.

Often, system administrators and security teams will have the best grasp of their situations, but they require access to or control of the resources needed to produce timely intelligence, conduct effective tactical operations, and manage intelligence and civil-military operations.

Within your network your system administrators must be empowered to make tactical security decisions. These same people must receive cybersecurity training. Effective counterinsurgency operations are decentralized, and leaders owe it to their teams to push as many capabilities as possible down to their levels. However, this must be balanced with ensuring that tactical leaders have the situational intel to make rapid decisions.

The post Iron Rain: Gaining Situational Intelligence to Make Rapid Decisions appeared first on Carbon Black.
