Intelligence Driving Security Governance
Link to PDF version: Intelligence Driving Security Governance
Military commanders have long understood that intelligence is a key factor to success in the conduct of warfare. Now, with the evolution of cyberwarfare, traditional threats, methods and boundaries are being challenged across both government and industry. Threat actors now openly target and traverse governments, military and private industries as part of their cyberwar, based on their motivation and desired end state.
How can organizations respond to this global cyberepidemic?
CSC believes that through this period of open cyberwarfare, a key component of the solution is to understand the threat actors through Strategic Threat Intelligence. This includes collecting and analyzing threat actors’ techniques, practices and procedures, as well as other capability information, to form a holistic and effective defense. Intelligence about the threat will help to build an effective IT security strategy focused on the controls required, will establish the supporting business processes, and will also assist in quantifying the threat for executives. This activity provides a physical element to the traditionally faceless cyberactivists targeting industries. This is discussed by John Strand and Paul Asadoorian in their book, Offensive Countermeasures: The Art of Active Defense, citing a strategy of “attribution”
Research and analysis
The key to any good intelligence lies in the quality of the research, sources of information available and analysis by professionals. CSC uses all intelligence sources — which include open, restricted and proprietary sources — to gather information about threat actors that pose a risk for an organization, covering tactics, techniques and procedures. This information is then analyzed by an experienced senior team of security and intelligence professionals to produce comprehensive threat actor profiles and threat actor attribution matrices relevant to an industry, government or event.
Once the threat actors have been established and researched, the methods of attack must be analyzed because without analysis, this information is useless. CSC establishes tailored attack trees for clients that focus on the scope of the engagement. Attack trees are developed based on CSC’s breadth and depth of global technical security knowledge and the latest attack vectors. This is later overlaid with the threat actors’ analysis to develop a capability matrix.
It is not enough to just know your threat actors; you must also implement a plan and rehearse this plan to ensure that your organization is adequately positioned. Cyberwarfare has its limitations, since in most cases organizations can take only defensive measures because offensive measures may incur a breach of law or spiral into the domain of law enforcement organizations.
CSC works with our clients by applying the threat actor research and attack trees to scenario-based tabletop exercises, allowing clients to walk through “action-reaction” style war games. Such an exercise clearly results in a state of readiness, defines the threat actor’s available courses of action and assists with developing decision points that might trigger such an attack. Outcomes from the exercise include risk and exposure registers, course-of-action analyses, and intelligence requirements for any unknown or trigger points for a particular attack.
Monitoring the threat
The threats and their methods continue to develop, change and evolve. Therefore, continual surveillance is the key. Just as with planning any good military operation, you cannot take your eye off the enemy, and the plan must evolve with the threat. CSC works with its clients to establish continual strategic monitoring of the threat actors, including changes in tactics, technique or procedures. Additionally, CSC works with its clients to analyze and establish key decision points that change the threat evaluation or could serve as a trigger for a potential attack. This forms part of an overall intelligence-collection plan.
SECURITY INTELLIGENCE — EVENT SECURITY
Organizations sometimes host high-profile events where additional protection measures may be needed (such as a summit conference for government and business leaders and their boards). Such events attract threat actors because of a higher pay-off in terms of gaining sensitive information or in using the event as an elevated media platform to launch their own agenda.
Strategic Threat Intelligence is important for these events, since an organization’s operation and profile have changed, which may attract more threat actors, or it may also change the intent of the existing threat actors. Even more important is when events are multi-organizational or even public facing, resulting in additional threat actors being attracted or inherited by the host organization, along with the complexities of new shared environments being created or connected to each organization.
Having a threat-driven defense for events will provide a heightened level of awareness for participating individuals and organizations, as well as implementation of pragmatic and focused defensive measures for the event.
SECURITY INTELLIGENCE — PART OF BUSINESS STRATEGY
Traditionally, an IT security strategy is done in isolation of an organization’s threat and is based on generic best practices, compliance or standards. Using these legacy methods to develop a strategy will generally provide a base layer of defense across an organization and potentially provide some additional protective measures for known or perceived critical assets. Using Strategic Threat Intelligence will validate which security controls are specific to an organization, and where they are to be placed, based on the threat actors and even which asset(s) they are likely to target. It will also help to identity gaps and exposures that can be addressed or mitigated through additional measures.
Continuous monitoring of the threat will allow your IT security strategy to become dynamic by allowing for adaptive security controls and measures to be based on the level of threat at a particular time or even the evolution of a threat actor in either capability or intent.
SECURITY INTELLIGENCE — DRIVING INCIDENT RESPONSE PLANNING
Regardless of the defenses in place, it is inevitable that organizations will be attacked at some time. Using Strategic Threat Intelligence as part of your incident response planning will provide critical information on the security gaps of your organization and how an attack can potentially occur. Importantly, during an attack it puts you one step ahead of the threat, as you are likely to already know who the attacker is, which will provide your organization with a focused and tailored response to that threat — allowing for quick restoration of services and efficient use of resources. Strategic Threat Intelligence dovetails with CSC’s Incident Response service, which provides a 24×7 team that will rapidly assist organizations in resolving an incident.
Threats and methods of attack will continue to evolve in their capability. Meanwhile, our traditional security strategies are generic and formed at a point in time without consideration for threat actors and instead based on compliance, standards or best practices (a “one-size-fits-all” approach). Organizations must adapt their strategy to first analyze the threat, work that in-depth analysis into their strategy, and then be prepared to tailor defenses to respond to the changing nature of the threat landscape.
No military strategy ever survived without knowledge of the enemy, so organizations should include threat-intelligence analysis as part of their planning strategy. Without it there is no valid context to the controls and protection measures put in place and ultimately they will be largely ineffective.