
Operations | Commentary
Adam Firestone, 2/4/2015 10:30 AM

Shifting Paradigms: The Case for Cyber Counter-Intelligence

Cyber Counter-Intelligence and traditional information security share many aspects. But CCI picks up where infosec ends -- with an emphasis on governance, automation, timeliness, and reporting.

It’s early morning, sometime between 1:30 and 3:00 AM, and you, our intrepid cyber defender, can’t sleep.

You’re contemplative rather than restless or uncomfortable. It’s times like this that you become brutally, soul-searchingly honest with yourself. You admit, for example, that you’re not really pushing yourself as hard as you could at the gym. Or that your latest mobile phone upgrade was the result of clever rationalization. And that your demand for larger volumes of threat intelligence is driven more by the sexy-cool factor than by architecturally validated cyber defense requirements.

Wait. What?

Exercise and personal electronics notwithstanding, contemporary cybersecurity practice is biased toward externally focused intelligence collection and analysis. Cyber intelligence, in the words of Chris Reilley, a former analyst and cyber warrior who spent more than a decade inside the US intelligence community, is:

The collection, analysis, and dissemination of cyber-related information to satisfy identified requirements and deliver relevant and timely cyberspace situational awareness to decision-makers to enable understanding and mitigation of strategic and functional risks. It includes adversary tactics, techniques, procedures (TTPs), global attack trends, impact and countermeasure assessments, environmental footprints, threat models and predictive analysis.

The bias toward intelligence derives in part from the human tendency toward binary (us vs. them) characterizations. We’re wired to want to perceive problems as corporeal and thus defensible. We’re also wired to want to be James Bond (cue the James Bond theme and dig out the Walther PPK). We may see the word “intelligence,” but what we hear is “spooky spy stuff.” Spooky spy stuff is cool. Who wouldn’t want to be cool?

This inclination doesn’t mean that threat intelligence is unnecessary or unimportant. It means that threat intelligence often becomes an end in and of itself, to the detriment of effective cybersecurity. Stripped to its essentials, cybersecurity is about mitigating the risks inherent in operating in a hostile environment so that goals and objectives are met with minimal disruption. An organization has only the mechanisms it controls with which to mitigate risk. As a result, effective cybersecurity is fundamentally introspective in nature. Knowing oneself (or one’s network) is the first step toward both health and security.

Unfortunately, terms like “introspection” neither fire the imagination nor stir passions like the word “intelligence.” As both optics and passion are important, let’s recast “introspective analysis” as “cyber counter-intelligence” (CCI). And, as with cyber intelligence, a clear and comprehensive definition is required:

The collection and real-time maintenance of information related to the presence and configuration of all data stores, devices and entry points within an organization’s or network’s control, including hardware, firmware and software installation, versioning and updating, the presence and status of endpoint and network security tools, and baseline operational and usage parameters. It includes tools and mechanisms to review, process and display the information in a meaningful and timely manner to entities authorized to initiate response procedures.

CCI, then, is not only about knowing what information and devices an organization owns and controls, but also what state they are in and when they are being operated in an uncharacteristic or anomalous manner. Additionally, CCI includes mechanisms for reporting, dashboarding, and alerting.

If these sound like the elements of a traditional information security program, they should. CCI and information security share many aspects, with CCI picking up where traditional information security ends, emphasizing governance, automation, timeliness, and reporting.

Effective CCI begins with the establishment of an organizational security governance posture. This includes defining security policies that cover areas such as access control, encryption and data protection, permissible configurations, baselines for traffic volumes and types, and frequencies for patching and updating. The policies must reflect the needs of both business and security stakeholders, and they must be both accessible and actionable.

Security policies are implemented as rule sets, which drive automated workflows and reporting and ensure timely knowledge of questionable or unacceptable conditions. Additionally, automation enables rapid incident response, quickly remediating insecure conditions or containing the spread of anomalous or malicious activity prior to metastasis.
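As an added illustration (not code from the article, its author, or any product), the following Python sketches how the policies just described could be codified as a rule set and evaluated against an asset inventory: each rule is a predicate over an asset record, every violation becomes a finding, and findings are grouped into a per-host report suitable for dashboarding or alerting. The host names, record fields, and thresholds (30-day patch window, 3x traffic baseline) are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable

AS_OF = date(2015, 2, 4)  # report date; here the article's publication date
# Constructed asset inventory (hypothetical hosts; values invented for the example)
INVENTORY = [
    {"host": "web-01", "os_patched": date(2015, 1, 20), "disk_encrypted": True,
     "edr_running": True, "baseline_mbps": 40.0, "observed_mbps": 45.0},
    {"host": "db-02", "os_patched": date(2014, 10, 2), "disk_encrypted": True,
     "edr_running": False, "baseline_mbps": 12.0, "observed_mbps": 60.0},
    {"host": "hr-laptop-7", "os_patched": date(2015, 1, 30), "disk_encrypted": False,
     "edr_running": True, "baseline_mbps": 5.0, "observed_mbps": 5.5},
]

@dataclass
class Rule:
    """One codified policy: a predicate that is True when the asset violates it."""
    policy: str
    severity: str
    violated: Callable[[dict], bool]

def build_rules(today: date, max_patch_age_days: int = 30, traffic_ratio: float = 3.0):
    """Translate policy statements (patch cadence, data protection, endpoint
    tooling, traffic baseline) into executable rules; thresholds are assumed."""
    return [
        Rule("patching frequency", "high",
             lambda a: (today - a["os_patched"]).days > max_patch_age_days),
        Rule("data protection: disk encryption", "high",
             lambda a: not a["disk_encrypted"]),
        Rule("endpoint security tool present", "medium",
             lambda a: not a["edr_running"]),
        Rule("traffic baseline", "medium",
             lambda a: a["observed_mbps"] > traffic_ratio * a["baseline_mbps"]),
    ]

def evaluate(inventory, rules):
    """Return one (host, policy, severity) finding per violated rule."""
    return [(a["host"], r.policy, r.severity)
            for a in inventory for r in rules if r.violated(a)]

def dashboard(findings):
    """Group findings per host, highest severity first, for a CCI report."""
    order = {"high": 0, "medium": 1, "low": 2}
    report = {}
    for host, policy, sev in sorted(findings, key=lambda f: order[f[2]]):
        report.setdefault(host, []).append(f"[{sev}] {policy}")
    return report

print(dashboard(evaluate(INVENTORY, build_rules(AS_OF))))
```

Extending the inventory collection to a real source (CMDB export, agent check-ins) and wiring the report into a ticketing or alerting workflow is what turns this evaluation into the automated response loop the paragraph describes.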

In contrast to the specialized communities traditionally associated with cyber intelligence (e.g., information security and threat intelligence), CCI is broadly based. CCI stakeholders include executive management, business operations, human resources, systems engineering, development, finance, and legal. This stakeholder breadth is demanded by CCI’s bifurcated nature, which analyzes human behaviors and codifies them in security policies and then mitigates risk through technology implementations that identify and address vulnerabilities.

CCI’s inward, mitigation-based focus is agnostic to the external threat environment. Security is assured by recognizing, reporting, and remediating internal exposures and vulnerabilities that give rise to risk, not by reacting to outside actors. As a result, CCI creates an environment able to capitalize on the knowledge and wisdom generated by traditional cyber intelligence.

So, maybe we don’t get to be James Bond. But there’s a lot to be said for being James Angleton.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...
Comments

andregironda (User Rank: Strategist), 2/5/2015 1:32:24 PM
Totally confused
You are talking about internal intelligence, not counterintelligence.

Counterintelligence is offensively taking over enemy command and control through sting and dangle operations.

But wait -- there's more! I do like your definition and perhaps it fits correctly, but this dilemma certainly has me being pulled in multiple directions.

Did you just come up with this out of thin air or are you pulling this new CCI definition from somewhere? Searching for Cyber-CI only produces the offensive definition, not the internal intelligence one.

Marilyn Cohodas (User Rank: Strategist), 2/5/2015 11:37:38 AM
James Bond v James Angleton
Angleton (chief of the Central Intelligence Agency's Counterintelligence Staff from 1954 to 1975) sounds pretty much like a cool, spooky spy to me! Definitely a good role model for CCI!