It’s early morning, sometime between 1:30 and 3:00 AM, and you, our intrepid cyber defender, can’t sleep.
You’re contemplative rather than restless or uncomfortable. It’s times like this that you become brutally, soul-searchingly honest with yourself. You admit, for example, that you’re not really pushing yourself as hard as you could at the gym. Or that your latest mobile phone upgrade was the result of clever rationalization. And that your demand for larger volumes of threat intelligence is driven more by the sexy-cool factor than by architecturally validated cyber defense requirements.
Exercise and personal electronics notwithstanding, contemporary cybersecurity practice is biased toward externally focused intelligence collection and analysis. Cyber intelligence, in the words of Chris Reilley, a former analyst and cyber warrior who spent more than a decade inside the US intelligence community, is:
The collection, analysis, and dissemination of cyber-related information to satisfy identified requirements and deliver relevant and timely cyberspace situational awareness to decision-makers to enable understanding and mitigation of strategic and functional risks. It includes adversary tactics, techniques, procedures (TTPs), global attack trends, impact and countermeasure assessments, environmental footprints, threat models and predictive analysis.
The bias toward intelligence derives in part from the human tendency toward binary (us vs. them) characterizations. We’re wired to want to perceive problems as corporeal and thus defensible. We’re also wired to want to be James Bond (cue the James Bond theme and dig out the Walther PPK). We may see the word “intelligence,” but what we hear is “spooky spy stuff.” Spooky spy stuff is cool. Who wouldn’t want to be cool?
This inclination doesn’t mean that threat intelligence is unnecessary or unimportant. It means that threat intelligence often becomes an end in and of itself, to the detriment of effective cybersecurity. Stripped to its essentials, cybersecurity is about mitigating the risks inherent in operating in a hostile environment so that goals and objectives are met with minimal disruption. An organization has only the mechanisms it controls with which to mitigate risk. As a result, effective cybersecurity is fundamentally introspective in nature. Knowing oneself (or one’s network) is the first step toward both health and security.
Unfortunately, terms like “introspection” neither fire the imagination nor stir passions like the word “intelligence.” As both optics and passion are important, let’s recast “introspective analysis” as “cyber counter-intelligence” (CCI). And, as with cyber intelligence, a clear and comprehensive definition is required:
The collection and real-time maintenance of information related to the presence and configuration of all data stores, devices and entry points within an organization’s or network’s control, including hardware, firmware and software installation, versioning and updating, the presence and status of endpoint and network security tools, and baseline operational and usage parameters. It includes tools and mechanisms to review, process and display the information in a meaningful and timely manner to entities authorized to initiate response procedures.
CCI, then, is not only about knowing what information and devices an organization owns and controls, but also what state they are in and when they are being operated in an uncharacteristic or anomalous manner. Additionally, CCI includes mechanisms for reporting, dashboarding, and alerting.
If these sound like the elements of a traditional information security program, they should. CCI and information security share many aspects, with CCI picking up where traditional information security ends, emphasizing governance, automation, timeliness, and reporting.
Effective CCI begins with the establishment of an organizational security governance posture. This includes defining security policies which cover areas such as access control, encryption, and data protection, permissible configurations, baselines for traffic amounts and types, and frequencies for patching and updating. The policies must reflect the needs of both business and security stakeholders and they must be both accessible and actionable.
Security policies are implemented as rule sets, which drive automated workflows and reporting and ensure timely knowledge of questionable or unacceptable conditions. Additionally, automation enables rapid incident response, quickly remediating insecure conditions or containing the spread of anomalous or malicious activity prior to metastasis.
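As an added illustration (not code from the original piece), here is how written policy becomes a rule set evaluated over an inventory: the inventory records, the per-host egress baselines, the 45-day patch window and the three-times-baseline egress threshold are all constructed assumptions, and the "contain"/"ticket" routing stands in for whatever workflow an organization actually wires up.

```python
from datetime import date

# Constructed asset inventory records; none describe a real network.
INVENTORY = [
    {"host": "web01", "os_patched": date(2024, 5, 1), "edr": True,
     "disk_encrypted": True, "egress_mb": 120.0},
    {"host": "db01", "os_patched": date(2024, 1, 10), "edr": True,
     "disk_encrypted": True, "egress_mb": 15.0},
    {"host": "lab07", "os_patched": date(2024, 4, 20), "edr": False,
     "disk_encrypted": False, "egress_mb": 900.0},
]
# Constructed per-host baseline of daily egress volume (MB), learned earlier.
BASELINE_EGRESS = {"web01": 100.0, "db01": 12.0, "lab07": 80.0}
# Fixed evaluation date so the run is reproducible (assumption).
AS_OF = date(2024, 5, 15)

def build_rules(today, max_patch_age_days=45, egress_factor=3.0):
    """Turn written policy into rules: (name, severity, passes(record))."""
    return [
        ("patch-age", "high",
         lambda r: (today - r["os_patched"]).days <= max_patch_age_days),
        ("edr-present", "critical", lambda r: r["edr"]),
        ("disk-encrypted", "high", lambda r: r["disk_encrypted"]),
        ("egress-baseline", "critical",
         lambda r: r["egress_mb"] <= egress_factor * BASELINE_EGRESS[r["host"]]),
    ]

def evaluate(inventory, rules):
    """Apply every rule to every record; each failure becomes a finding."""
    return [
        {"host": r["host"], "rule": name, "severity": sev}
        for r in inventory
        for name, sev, passes in rules
        if not passes(r)
    ]

def route(findings):
    """Map findings to a workflow action per host: any critical -> contain,
    otherwise open a remediation ticket."""
    actions = {}
    for f in findings:
        current = actions.get(f["host"], "ticket")
        actions[f["host"]] = "contain" if f["severity"] == "critical" else current
    return actions

if __name__ == "__main__":
    found = evaluate(INVENTORY, build_rules(AS_OF))
    for f in found:
        print(f)
    print(route(found))
```

Only db01 (stale patch) and lab07 (no EDR, no disk encryption, egress far above baseline) produce findings; lab07 is routed to containment, db01 to a ticket.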
In contrast to the specialized communities traditionally associated with cyber intelligence (e.g., information security and threat intelligence), CCI is broadly based. CCI stakeholders include executive management, business operations, human resources, systems engineering, development, finance, and legal. This stakeholder breadth is demanded by CCI’s bifurcated nature, which analyzes human behaviors and codifies them in security policies and then mitigates risk through technology implementations that identify and address vulnerabilities.
CCI’s inward, mitigation-based focus is agnostic to the external threat environment. Security is assured by recognizing, reporting, and remediating internal exposures and vulnerabilities that give rise to risk, not by reacting to outside actors. As a result, CCI creates an environment able to capitalize on the knowledge and wisdom generated by traditional cyber intelligence.
So, maybe we don’t get to be James Bond. But there’s a lot to be said for being James Angleton.