In our previous article we introduced the idea of cyber insurgency and irregular warfare. Building on effective techniques from the Marine Corps, we now want to discuss combating the threat.
COUNTERINSURGENT FORCES MUST UNDERSTAND THE ENVIRONMENT
As destructive attacks surge, integrity attacks become the nightmare scenario for multi-national corporations. System integrity is paramount. Successful conduct of counterinsurgency operations depends on thoroughly understanding the environments within which they are being conducted. In most counterinsurgency operations in which foreign forces participate, insurgents hold a distinct advantage in their level of local knowledge. They speak the language, move easily within the society, and are more likely to understand the population’s interests.
From a cyber perspective the “culture” lies within network topology, netflow and user behavior analytics. Understanding the operational environment allows the counterinsurgent to identify the conditions which impact the prerequisites for the insurgency and the root causes that are driving the population to accept the insurgency. Only through understanding the operational environment can the counterinsurgent plan and execute successful operations to counter the conditions that allow the insurgency to exist in the first place. Updated network topology diagrams, coupled with regular penetration tests and the use of EDR, endow the defender with greater situational awareness of the operational environment.
INTELLIGENCE DRIVES OPERATIONS
Effective counterinsurgency operations are shaped by timely, relevant, tailored, predictive, accurate, and reliable intelligence, gathered and analyzed at the lowest possible level and disseminated throughout the force. Without accurate and predictive intelligence, it is often better to not act rather than act.
Gaining situational understanding before action is often essential in avoiding long term damage to objectives. In environments where commanders do not have situational understanding, the first action they should take is to use forces to gain that understanding or drive to a known state. We are dealing with data fatigue. How do we improve the OODA Loop? How do we improve the contextual accuracy of intelligence? Without knowing the strategic and tactical battlefields, teams often do a lot of work, but blindly and with little to no strategic value. Intelligence can help focus the team’s efforts on what actually matters while keeping the bigger picture in view. Not everyone needs to worry about APT groups that target financial systems. Having the right intel can focus the team on the right threats and help it better craft its defensive posture.
Because of the dispersed nature of counterinsurgency operations, the actions of counterinsurgency forces are key generators of intelligence. In counterinsurgency operations, a cycle often develops where intelligence drives operations, which produces additional intelligence that facilitates subsequent operations.
“Human interpretation of data is fundamental. Reporting by tactical “hunt teams” and IT teams is often of greater importance than reporting by specialized assets. In cyberspace this must be automated.”
It is impractical in a cyber world to even think this can be manually achieved. There are far too many activities for humans to vet on their own. It must be pushed down to the lowest practical level on your team. Security leaders are responsible for driving the intelligence process.
These factors, along with the need to generate a favorable tempo, drive the requirement to produce and disseminate intelligence at the lowest practical level. Leaders are responsible for driving the intelligence process.
Understanding the operational environment extends beyond insurgent combatants and insurgent leaders.
LEARN AND ADAPT
The official motto of the Marine Corps is Semper Fidelis (always faithful). The unofficial motto is adapt, improvise and overcome. This mindset is a must for counterinsurgents. The insurgents will change their tactics on a dime. So should you.
An effective counterinsurgency force lies within an organization that is constantly learning. Insurgents connected with other organizations constantly exchange information about their enemy’s vulnerabilities—even with insurgents in distant theaters. However, skillful counterinsurgency forces can adapt at least as fast as insurgents.
“Every unit needs to be able to make observations, draw and apply lessons, and assess results.”
Leaders must develop an effective system to circulate best practices throughout their organization. Leaders might also need to seek new policies that authorize or resource necessary changes. Insurgents shift their locations looking for weak links, so widespread competence is required throughout the counterinsurgency force.
In cyberspace, standing up hunt teams is fundamental to countering a cyber insurgency. These hunt teams must first develop a threat profile. This will help a hunter know where to prioritize hunting (and ultimately where to start hunting). Apply streaming analytics to unfiltered data. This will allow hunters to sort information faster and enable tools to do the target acquisition for the team. This results in a force multiplier for your hunters. Analytics applied to attack origins help anticipate future attacks and surface the root causes of past ones. As a result, teams can anticipate and focus on the organization’s defensive weaknesses.
As your team gels, develop rapid-response protocols. Deciding when to reveal oneself is critical, as counter-incident-response measures and destructive attacks are becoming the norm.
- Assess threat intel (IPs, domains and hashes) against historical data.
- Query historical data for similar threads that are not identical matches.
- Anomaly detection, which requires continuous analysis of unfiltered data from the endpoint.
Threat hunting is most effective when employing both active measures (agents deployed to endpoints) and passive measures (netflow, packet capture appliances). User and entity behavior analytics must be employed, because baselining “normal” network and host behavior is critical in a threat hunt; contextualizing normal behavior is the most effective way of determining where an adversary might lie in wait.
Hunters must position themselves on the high ground. The high ground is defined by greater situational awareness. Specifically, the hunter must analyze threat intel from customer IPs, domains and hashes applied to historical data. From that vantage one must search for similar threads that are not identical matches in historical data. Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.
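The three hunting activities above (exact IoC matches against historical data, near matches that are not identical, and anomaly detection against a baseline of normal behavior) are shown below in a small Python example. This is an added illustration, not code from the original article or from any vendor tool it mentions. The threat intel feed, the key=value log lines and the host names are all constructed; the IPs come from the reserved TEST-NET documentation ranges and the domains use the reserved `.example` TLD, so nothing here refers to a real indicator.

```python
"""Toy hunt pass over constructed historical endpoint/proxy records.

Step 1: exact threat-intel matches (IPs, domains, hashes).
Step 2: near matches (lookalike domains that are not identical to known-bad ones).
Step 3: anomaly detection against a per-host baseline of outbound bytes.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed threat intel feed (hypothetical values, not real indicators).
THREAT_INTEL = {
    "ip": {"203.0.113.45"},              # TEST-NET-3 documentation range
    "domain": {"update-service.example"},
    "sha256": {"ab" * 32},
}

# Constructed historical records: host, destination IP, domain, file hash, bytes out.
HISTORY = [
    "host=ws01 dst=198.51.100.7 domain=cdn.example sha256=" + "11" * 32 + " bytes=4200",
    "host=ws01 dst=198.51.100.7 domain=cdn.example sha256=" + "11" * 32 + " bytes=3900",
    "host=ws01 dst=203.0.113.45 domain=update-service.example sha256=" + "ab" * 32 + " bytes=4100",
    "host=ws02 dst=198.51.100.9 domain=updat3-service.example sha256=" + "22" * 32 + " bytes=5100",
    "host=ws02 dst=198.51.100.9 domain=cdn.example sha256=" + "22" * 32 + " bytes=4800",
    "host=ws02 dst=198.51.100.9 domain=cdn.example sha256=" + "22" * 32 + " bytes=250000",
]


def parse(line):
    """Parse one key=value record into a dict; the bytes field becomes an int."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["bytes"] = int(rec["bytes"])
    return rec


def exact_ioc_hits(records):
    """Step 1: every field that exactly matches a threat-intel indicator."""
    hits = []
    for r in records:
        for field, key in (("dst", "ip"), ("domain", "domain"), ("sha256", "sha256")):
            if r[field] in THREAT_INTEL[key]:
                hits.append((r["host"], field, r[field]))
    return hits


def edit_distance(a, b):
    """Levenshtein distance; used to find lookalikes of known-bad domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_ioc_hits(records, max_distance=2):
    """Step 2: domains close to, but not identical with, a known-bad domain."""
    hits = []
    for r in records:
        for bad in THREAT_INTEL["domain"]:
            d = edit_distance(r["domain"], bad)
            if 0 < d <= max_distance:
                hits.append((r["host"], r["domain"], bad, d))
    return hits


def volume_anomalies(records, z_threshold=3.0):
    """Step 3: flag outbound volumes far above the host's own baseline.

    The baseline for each record is built leave-one-out from the host's other
    records, so a single huge transfer cannot mask itself by inflating the
    mean it is compared against. A real hunt would use a trailing window.
    """
    per_host = defaultdict(list)
    for r in records:
        per_host[r["host"]].append(r["bytes"])
    flagged = []
    for r in records:
        others = list(per_host[r["host"]])
        others.remove(r["bytes"])
        if len(others) < 2:
            continue  # not enough history to call anything abnormal
        mu, sigma = mean(others), pstdev(others)
        if sigma > 0 and (r["bytes"] - mu) / sigma > z_threshold:
            flagged.append((r["host"], r["bytes"]))
    return flagged


def hunt(lines):
    """Run all three passes over raw log lines and return the findings."""
    records = [parse(line) for line in lines]
    return {
        "exact": exact_ioc_hits(records),
        "near": near_ioc_hits(records),
        "anomalies": volume_anomalies(records),
    }


if __name__ == "__main__":
    for kind, findings in hunt(HISTORY).items():
        print(kind, findings)
```

Running the block reports the three exact indicator hits on ws01, the lookalike domain on ws02 that an exact match would miss, and the single outsized transfer from ws02. The leave-one-out baseline matters: with only three records per host, a naive z-score that includes the record under test can never exceed about 1.4 and would miss the 250000-byte outlier entirely.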
EMPOWER THE LOWEST LEVELS
On the battlefield, especially when operating in an environment where insurgency exists, communications will break down. Time will be a factor. Individual team members need to be empowered with the right data to make the right decision at the right time.
Ground truth is imperative. In order to achieve it you must empower everyone on your team. Security and IT teams should be empowered to know their environment, know their intel sources and make decisions in the best interest of your organization.
Often, system administrators and security teams will have the best grasp of their situations, but they require access to or control of the resources needed to produce timely intelligence, conduct effective tactical operations, and manage intelligence and civil-military operations.
Within your network your system administrators must be empowered to make tactical security decisions. These same people must receive cybersecurity training. Effective counterinsurgency operations are decentralized, and leaders owe it to their teams to push as many capabilities as possible down to their level. However, this must be balanced with ensuring that tactical leaders have the situational intel to make rapid decisions.