Richard O. Moore, III - Cyber Intelligence-Driven Risk

Technical, social, legal, financial, or other vulnerabilities that the adversary has.

Information that enables the defender to influence an adversary as they move through the process of executing their intent and actions (i.e. attack chain). 10

The strategic level of cyber activity is the determination of objectives and guidance by the highest organizational entity representing a group or organization and their use of the group or organization's resources toward achievement of those objectives. This is the level where the business executive officers and directors provide direction, guidance, and requests or requirements for knowledge based on business objectives. Examples of strategic cyber intelligence might include:

The decision by a competitor or potential competitor to enter your market space (e.g. a foreign competitor's new five-year plan now shows interest in developing a domestic capability in a technology your company is known for).

Indications that a competitor, or foreign government, may have previously acquired intellectual property via cyber exploitation.

Indications that a competitor, or foreign government, is establishing an atypical influential relationship with a portion of your supply chain.

Indications that your corporate strategic objectives may be threatened due to adversarial cyber activity. 11

Now that we have structured the type, levels, and some examples of cyber intelligence we have to take that information and make it knowledge, which means analysis. There are many books, university courses, whitepapers, and frameworks that detail many of the various analysis tools and techniques. I am only going to list a few and will not go into the detail of what method is better than another; the reader should be aware of the various types to prepare them for the types of reports they may receive. Below is a list that the United Kingdom's National Intelligence Model uses and provides a good framework for a detailed list of products and purposes for different types of analysis. 12

Results Analysis – this process provides gaps, best practices, or may be used as an After-Action Report (AAR).

Pattern Analysis – can be used to provide management decisions for tactical or operational prioritization, or may be used to identify emerging threats, trends, and new requirements.

Market Analysis – can be used to see if there is proliferation of tools, techniques, processes (TTPs) for sale, and may be used by management to provide prioritization of remediation activities, or operational enhancements in defending their organization.

Demographics and Social Trend Analysis – can be used by management to highlight future pressures, used for incident planning and response activities based on emerging social phenomena or sensitivities.

Malicious/Criminal Business Profiles – can be used by management for understanding key points of operational disruption, the need for new regulations or legislation, change in resources to meet the threat, or to ensure the organization has training to meet new threats (i.e. phishing, malware, social engineering, etc.)

Network Analysis – can be used by management strategically as an indicator for the seriousness of an activity. Can also be used tactically and operationally to understand operational losses, highlights gaps, and provide potential targets within the organization.

Risk Analysis – can be used by management to create risk management planning (i.e. impact, probability, consequences both financially and reputational, etc.). Provides the prelude to prioritizing actions, at both the strategic and operational levels.

Target Profile Analysis – TTPs of the malicious actor or group, informs which targets will most likely be attacked, and provides decisions about how resources can be deployed to mitigate the attack.

Operational Intelligence Analysis – can be used by management to prevent mission creep or scope creep, prioritization of intelligence work, needs, or requirements stemming from current intelligence.

The use of the CI-DR cyber intelligence life cycle, the types of analysis, and the dissemination of knowledge to business leadership is how our program works in conjunction with the overall approach of having functions and capabilities and can inform, guide, direct, and provide the ability to adapt and prioritize for any change or emerging threat to an organization.

The CISOs and CIOs are not necessarily involved with strategic directions for the organization, but need to be informed so that cyber intelligence “knowledge” can be created to support the strategy.

Business leaders when creating critical or priority cyber intelligence requirements (CIRs or PIRs) should be aware of the type of analysis and usage that can contribute to decisions.

The CI-DR cyber intelligence process is a proven method taken from the military intelligence process that provides a repeatable method of reporting but may require further iterations or new processes for different organizations.

Business leaders should be disciplined in not getting too much involved in the tactical level of cyber intelligence but should focus on prioritization and direction at the operational and strategic levels of cyber intelligence.

1 1 US Government, Marine Corps Doctrinal Publication 2-Intelligence, (GAO) 1997.

2 2 US Government, Marine Corps Doctrinal Publication 2-Intelligence, (GAO) 1997.

3 3 US Government, Marine Corps Doctrinal Publication 2-Intelligence, (GAO) 1997.

4 4 Ibid.

5 5 Ibid.

6 6 US Government, Marine Corps Warfighting Publication 2-14 Counterintelligence, GAO, 2002.

7 7 Elizabeth Finan, INSA, Operational Levels of Cyber Intelligence, “Cyber Intelligence Taskforce,” 2013.

8 8 US Government, Joint Publication 1-02, “Department of Defense Dictionary of Military and Associated Terms,” 2016, http://www.dtic.mil/doctrine/dod_dictionary.

9 9 Elizabeth Finan, INSA, Operational Levels of Cyber Intelligence, “Cyber Intelligence Taskforce,” 2013.

10 10Ibid.

11 11Elizabeth Finan, INSA, Operational Levels of Cyber Intelligence, “Cyber Intelligence Taskforce,” 2013.

12 12 United Nations Office of Drugs and Crime, Criminal Intelligence Manual for Analysts, United Nations, NY, 2011.

Текст предоставлен ООО «ЛитРес».

Прочитайте эту книгу целиком, купив полную легальную версию на ЛитРес.

Безопасно оплатить книгу можно банковской картой Visa, MasterCard, Maestro, со счета мобильного телефона, с платежного терминала, в салоне МТС или Связной, через PayPal, WebMoney, Яндекс.Деньги, QIWI Кошелек, бонусными картами или другим удобным Вам способом.