Operations

2/4/2015
10:30 AM
Adam Firestone
Commentary

Shifting Paradigms: The Case for Cyber Counter-Intelligence

Cyber Counter-Intelligence and traditional information security share many aspects. But CCI picks up where infosec ends -- with an emphasis on governance, automation, timeliness, and reporting.

It’s early morning, sometime between 1:30 and 3:00 AM, and you, our intrepid cyber defender, can’t sleep.

You’re contemplative rather than restless or uncomfortable. It’s times like this that you become brutally, soul-searchingly honest with yourself. You admit, for example, that you’re not really pushing yourself as hard as you could at the gym. Or that your latest mobile phone upgrade was the result of clever rationalization. And that your demand for larger volumes of threat intelligence is driven more by the sexy-cool factor than by architecturally validated cyber defense requirements.

Wait. What?

Exercise and personal electronics notwithstanding, contemporary cybersecurity practice is biased toward externally focused intelligence collection and analysis. Cyber intelligence, in the words of Chris Reilley, a cyber warrior and former analyst who spent more than a decade inside the US intelligence community, is:

The collection, analysis, and dissemination of cyber-related information to satisfy identified requirements and deliver relevant and timely cyberspace situational awareness to decision-makers to enable understanding and mitigation of strategic and functional risks. It includes adversary tactics, techniques, procedures (TTPs), global attack trends, impact and countermeasure assessments, environmental footprints, threat models and predictive analysis.

The bias toward intelligence derives in part from the human tendency toward binary (us vs. them) characterizations. We’re wired to want to perceive problems as corporeal and thus defensible. We’re also wired to want to be James Bond (cue the James Bond theme and dig out the Walther PPK). We may see the word “intelligence,” but what we hear is “spooky spy stuff.” Spooky spy stuff is cool. Who wouldn’t want to be cool?

This inclination doesn’t mean that threat intelligence is unnecessary or unimportant. It means that threat intelligence often becomes an end in itself, to the detriment of effective cybersecurity. Stripped to its essentials, cybersecurity is about mitigating the risks inherent in operating in a hostile environment so that goals and objectives are met with minimal disruption. An organization can mitigate risk only through the mechanisms it controls. As a result, effective cybersecurity is fundamentally introspective. Knowing oneself (or one’s network) is the first step toward both health and security.

Unfortunately, terms like “introspection” neither fire the imagination nor stir passions like the word “intelligence.” As both optics and passion are important, let’s recast “introspective analysis” as “cyber counter-intelligence” (CCI). And, as with cyber intelligence, a clear and comprehensive definition is required:

The collection and real-time maintenance of information related to the presence and configuration of all data stores, devices and entry points within an organization’s or network’s control, including hardware, firmware and software installation, versioning and updating, the presence and status of endpoint and network security tools, and baseline operational and usage parameters. It includes tools and mechanisms to review, process and display the information in a meaningful and timely manner to entities authorized to initiate response procedures.

CCI, then, is not only about knowing what information and devices an organization owns and controls, but also about what state they are in and when they are being operated in an uncharacteristic or anomalous manner. Additionally, CCI includes mechanisms for reporting, dashboarding, and alerting.

If these sound like the elements of a traditional information security program, they should. CCI and information security share many aspects, with CCI picking up where traditional information security ends, emphasizing governance, automation, timeliness, and reporting.

Effective CCI begins with establishing an organizational security governance posture. This includes defining security policies that cover areas such as access control, encryption and data protection, permissible configurations, baselines for traffic volumes and types, and frequencies for patching and updating. The policies must reflect the needs of both business and security stakeholders, and they must be both accessible and actionable.

Security policies are implemented as rule sets, which drive automated workflows and reporting and ensure timely knowledge of questionable or unacceptable conditions. Additionally, automation enables rapid incident response, quickly remediating insecure conditions or containing the spread of anomalous or malicious activity prior to metastasis.
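As an added illustration (not code from the article or its author), here is how the "policies as rule sets" idea above might look in practice: a constructed asset inventory is checked against constructed policy thresholds for patch age, endpoint agent presence, approved operating systems and baseline traffic, and the resulting findings are grouped per host for reporting or alerting. All hostnames, dates and thresholds are made-up sample values.

```python
from datetime import date

# Governance policy expressed as machine-checkable thresholds (constructed sample values)
POLICY = {
    "max_patch_age_days": 30,          # patching frequency requirement
    "required_endpoint_agent": "edr",  # status of endpoint security tooling
    "approved_os": {"Ubuntu 22.04", "Windows 11"},  # permissible configurations
    "traffic_baseline_multiplier": 3.0,  # alert when observed > 3x the host's baseline
}

# Constructed inventory snapshot: one record per device under the organization's control
INVENTORY = [
    {"host": "web-01", "os": "Ubuntu 22.04", "last_patched": date(2024, 5, 1),
     "agents": ["edr"], "baseline_mbps": 20.0, "observed_mbps": 22.5},
    {"host": "hr-laptop-7", "os": "Windows 11", "last_patched": date(2024, 3, 2),
     "agents": [], "baseline_mbps": 2.0, "observed_mbps": 1.5},
    {"host": "lab-box", "os": "Windows 7", "last_patched": date(2024, 5, 10),
     "agents": ["edr"], "baseline_mbps": 5.0, "observed_mbps": 40.0},
]

def evaluate(inventory, policy, today):
    """Return (host, rule, detail) tuples for every policy violation in the inventory."""
    findings = []
    for dev in inventory:
        age = (today - dev["last_patched"]).days
        if age > policy["max_patch_age_days"]:
            findings.append((dev["host"], "patch_overdue", f"{age} days since last patch"))
        if policy["required_endpoint_agent"] not in dev["agents"]:
            findings.append((dev["host"], "missing_agent", policy["required_endpoint_agent"]))
        if dev["os"] not in policy["approved_os"]:
            findings.append((dev["host"], "unapproved_os", dev["os"]))
        if dev["observed_mbps"] > dev["baseline_mbps"] * policy["traffic_baseline_multiplier"]:
            findings.append((dev["host"], "traffic_anomaly",
                             f"{dev['observed_mbps']} Mbps vs baseline {dev['baseline_mbps']}"))
    return findings

def report(findings):
    """Group findings per host so a dashboard or alert can show one line per device."""
    by_host = {}
    for host, rule, detail in findings:
        by_host.setdefault(host, []).append(f"{rule}: {detail}")
    return by_host

def sample_findings():
    """Evaluate the constructed inventory as of a fixed sample date."""
    return evaluate(INVENTORY, POLICY, date(2024, 5, 15))

if __name__ == "__main__":
    for host, issues in report(sample_findings()).items():
        print(host, "->", "; ".join(issues))
```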

In contrast to the specialized communities traditionally associated with cyber intelligence (e.g., information security and threat intelligence), CCI is broadly based. CCI stakeholders include executive management, business operations, human resources, systems engineering, development, finance, and legal. This stakeholder breadth is demanded by CCI’s bifurcated nature, which analyzes human behaviors and codifies them in security policies and then mitigates risk through technology implementations that identify and address vulnerabilities.

CCI’s inward, mitigation-based focus is agnostic to the external threat environment. Security is assured by recognizing, reporting, and remediating internal exposures and vulnerabilities that give rise to risk, not by reacting to outside actors. As a result, CCI creates an environment able to capitalize on the knowledge and wisdom generated by traditional cyber intelligence.

So, maybe we don’t get to be James Bond. But there’s a lot to be said for being James Angleton.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...
Comments
andregironda, 2/5/2015 | 1:32:24 PM
Totally confused
You are talking about internal intelligence, not counterintelligence.

Counterintelligence is offensively taking over enemy command and control through sting and dangle operations.

But wait -- there's more! I do like your definition and perhaps it fits correctly, but this dilemma certainly has me being pulled in multiple directions.

Did you just come up with this out of thin air or are you pulling this new CCI definition from somewhere? Searching for Cyber-CI only produces the offensive definition, not the internal intelligence one.
Marilyn Cohodas, 2/5/2015 | 11:37:38 AM
James Bond v James Angleton
Angleton (chief of the Central Intelligence Agency's Counterintelligence Staff from 1954 to 1975) sounds pretty much like a cool, spooky spy to me! Definitely a good role model for CCI!
