Operations

2/4/2015
10:30 AM
Adam Firestone
Commentary

Shifting Paradigms: The Case for Cyber Counter-Intelligence

Cyber Counter-Intelligence and traditional information security share many aspects. But CCI picks up where infosec ends -- with an emphasis on governance, automation, timeliness, and reporting.

It’s early morning, sometime between 1:30 and 3:00 AM, and you, our intrepid cyber defender, can’t sleep.

You’re contemplative rather than restless or uncomfortable. It’s times like this that you become brutally, soul-searchingly honest with yourself. You admit, for example, that you’re not really pushing yourself as hard as you could at the gym. Or that your latest mobile phone upgrade was the result of clever rationalization. And that your demand for larger volumes of threat intelligence is driven more by the sexy-cool factor than by architecturally validated cyber defense requirements.

Wait. What?

Exercise and personal electronics notwithstanding, contemporary cybersecurity practice is biased toward externally focused intelligence collection and analysis. Cyber intelligence, in the words of Chris Reilley, a former US intelligence community analyst and cyber warrior with more than a decade inside that community, is:

The collection, analysis, and dissemination of cyber-related information to satisfy identified requirements and deliver relevant and timely cyberspace situational awareness to decision-makers to enable understanding and mitigation of strategic and functional risks. It includes adversary tactics, techniques, procedures (TTPs), global attack trends, impact and countermeasure assessments, environmental footprints, threat models and predictive analysis.

The bias toward intelligence derives in part from the human tendency toward binary (us vs. them) characterizations. We’re wired to want to perceive problems as corporeal and thus defensible. We’re also wired to want to be James Bond (cue the James Bond theme and dig out the Walther PPK). We may see the word “intelligence,” but what we hear is “spooky spy stuff.” Spooky spy stuff is cool. Who wouldn’t want to be cool?

This inclination doesn’t mean that threat intelligence is unnecessary or unimportant. It means that threat intelligence often becomes an end in and of itself, to the detriment of effective cybersecurity. Stripped to its essentials, cybersecurity is about mitigating the risks inherent in operating in a hostile environment so that goals and objectives are met with minimal disruption. An organization can mitigate risk only through the mechanisms it controls. As a result, effective cybersecurity is fundamentally introspective in nature. Knowing oneself (or one’s network) is the first step toward both health and security.

Unfortunately, terms like “introspection” neither fire the imagination nor stir passions like the word “intelligence.” As both optics and passion are important, let’s recast “introspective analysis” as “cyber counter-intelligence” (CCI). And, as with cyber intelligence, a clear and comprehensive definition is required:

The collection and real-time maintenance of information related to the presence and configuration of all data stores, devices and entry points within an organization’s or network’s control, including hardware, firmware and software installation, versioning and updating, the presence and status of endpoint and network security tools, and baseline operational and usage parameters. It includes tools and mechanisms to review, process and display the information in a meaningful and timely manner to entities authorized to initiate response procedures.

CCI, then, is not only about knowing what information and devices an organization owns and controls, but also what state they are in and when they are being operated in an uncharacteristic or anomalous manner. Additionally, CCI includes mechanisms for reporting, dashboarding, and alerting.

If these sound like the elements of a traditional information security program, they should. CCI and information security share many aspects, with CCI picking up where traditional information security ends, emphasizing governance, automation, timeliness, and reporting.

Effective CCI begins with the establishment of an organizational security governance posture. This includes defining security policies that cover areas such as access control, encryption and data protection, permissible configurations, baselines for traffic volumes and types, and patching and update frequencies. The policies must reflect the needs of both business and security stakeholders, and they must be both accessible and actionable.

Security policies are implemented as rule sets, which drive automated workflows and reporting and ensure timely knowledge of questionable or unacceptable conditions. Additionally, automation enables rapid incident response, quickly remediating insecure conditions or containing the spread of anomalous or malicious activity prior to metastasis.
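As an added illustration (not code from the article or its author), here is a minimal CCI rule set in Python: the policy clauses above (patch currency, presence and status of the endpoint agent, a traffic baseline per role) become functions run over an asset inventory, and violations come out ordered by severity for reporting. The inventory rows, host names, dates and thresholds are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory records (sample data, not from the article): one row
# per device the organization controls, with its state and agreed baselines.
@dataclass(frozen=True)
class Asset:
    host: str
    role: str
    last_patched: date
    endpoint_agent: str        # "running", "stopped" or "missing"
    egress_mb_24h: float       # observed outbound volume, last 24h
    baseline_egress_mb: float  # policy baseline for this role

INVENTORY = [
    Asset("fs-01", "fileserver", date(2015, 1, 20), "running", 900.0, 800.0),
    Asset("ws-17", "workstation", date(2014, 11, 2), "missing", 4100.0, 150.0),
    Asset("db-02", "database", date(2015, 1, 28), "stopped", 60.0, 50.0),
]
REPORT_DATE = date(2015, 2, 4)  # constructed reporting date

# Each rule encodes one clause of the written policy: it returns a finding
# string when the asset violates the clause, or None when it is compliant.
def rule_patch_currency(a, today, max_days=30):
    age = (today - a.last_patched).days
    return f"unpatched for {age} days (limit {max_days})" if age > max_days else None

def rule_endpoint_agent(a, today):
    return None if a.endpoint_agent == "running" else f"endpoint agent {a.endpoint_agent}"

def rule_egress_baseline(a, today, factor=3.0):
    ratio = a.egress_mb_24h / max(a.baseline_egress_mb, 1.0)  # guard zero baseline
    return f"egress {ratio:.1f}x baseline" if ratio > factor else None

RULESET = [  # (policy id, severity, check)
    ("PATCH-01", "medium", rule_patch_currency),
    ("EDR-01", "high", rule_endpoint_agent),
    ("NET-01", "high", rule_egress_baseline),
]

def evaluate(inventory, ruleset, today):
    """Run every rule over every asset; findings come back highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [(sev, pid, a.host, d) for a in inventory
                for pid, sev, check in ruleset if (d := check(a, today))]
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))

if __name__ == "__main__":
    for f in evaluate(INVENTORY, RULESET, REPORT_DATE):
        print("%-6s %-8s %-5s %s" % f)
```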

In contrast to the specialized communities traditionally associated with cyber intelligence (e.g., information security and threat intelligence), CCI is broadly based. CCI stakeholders include executive management, business operations, human resources, systems engineering, development, finance, and legal. This stakeholder breadth is demanded by CCI’s bifurcated nature, which analyzes human behaviors and codifies them in security policies and then mitigates risk through technology implementations that identify and address vulnerabilities.

CCI’s inward, mitigation-based focus is agnostic to the external threat environment. Security is assured by recognizing, reporting, and remediating internal exposures and vulnerabilities that give rise to risk, not by reacting to outside actors. As a result, CCI creates an environment able to capitalize on the knowledge and wisdom generated by traditional cyber intelligence.

So, maybe we don’t get to be James Bond. But there’s a lot to be said for being James Angleton.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...

Comments
andregironda, 2/5/2015 | 1:32:24 PM
Totally confused
You are talking about internal intelligence, not counterintelligence.

Counterintelligence is offensively taking over enemy command and control through sting and dangle operations.

But wait -- there's more! I do like your definition and perhaps it fits correctly, but this dilemma certainly has me being pulled in multiple directions.

Did you just come up with this out of thin air or are you pulling this new CCI definition from somewhere? Searching for Cyber-CI only produces the offensive definition, not the internal intelligence one.
Marilyn Cohodas, 2/5/2015 | 11:37:38 AM
James Bond v James Angleton
Angleton (chief of the Central Intelligence Agency's Counterintelligence Staff from 1954 to 1975) sounds pretty much like a cool, spooky spy to me! Definitely a good role model for CCI!