Operations

2/4/2015
10:30 AM
Adam Firestone
Commentary

Shifting Paradigms: The Case for Cyber Counter-Intelligence

Cyber Counter-Intelligence and traditional information security share many aspects. But CCI picks up where infosec ends -- with an emphasis on governance, automation, timeliness, and reporting.

It’s early morning, sometime between 1:30 and 3:00 AM, and you, our intrepid cyber defender, can’t sleep.

You’re contemplative rather than restless or uncomfortable. It’s times like this that you become brutally, soul-searchingly honest with yourself. You admit, for example, that you’re not really pushing yourself as hard as you could at the gym. Or that your latest mobile phone upgrade was the result of clever rationalization. And that your demand for larger volumes of threat intelligence is driven more by the sexy-cool factor than by architecturally validated cyber defense requirements.

Wait. What?

Exercise and personal electronics notwithstanding, contemporary cybersecurity practice is biased toward externally focused intelligence collection and analysis. Cyber intelligence, in the words of Chris Reilley, a former analyst and cyber warrior who spent more than a decade inside the US intelligence community, is:

The collection, analysis, and dissemination of cyber-related information to satisfy identified requirements and deliver relevant and timely cyberspace situational awareness to decision-makers to enable understanding and mitigation of strategic and functional risks. It includes adversary tactics, techniques, procedures (TTPs), global attack trends, impact and countermeasure assessments, environmental footprints, threat models and predictive analysis.

The bias toward intelligence derives in part from the human tendency toward binary (us vs. them) characterizations. We’re wired to want to perceive problems as corporeal and thus defensible. We’re also wired to want to be James Bond (cue the James Bond theme and dig out the Walther PPK). We may see the word “intelligence,” but what we hear is “spooky spy stuff.” Spooky spy stuff is cool. Who wouldn’t want to be cool?

This inclination doesn’t mean that threat intelligence is unnecessary or unimportant. It means that threat intelligence often becomes an end in and of itself, to the detriment of effective cybersecurity. Stripped to its essentials, cybersecurity is about mitigating the risks inherent in operating in a hostile environment so that goals and objectives are met with minimal disruption. An organization has only the mechanisms it controls with which to mitigate risk. As a result, effective cybersecurity is fundamentally introspective in nature. Knowing oneself (or one’s network) is the first step toward both health and security.

Unfortunately, terms like “introspection” neither fire the imagination nor stir passions like the word “intelligence.” As both optics and passion are important, let’s recast “introspective analysis” as “cyber counter-intelligence” (CCI). And, as with cyber intelligence, a clear and comprehensive definition is required:

The collection and real-time maintenance of information related to the presence and configuration of all data stores, devices and entry points within an organization’s or network’s control, including hardware, firmware and software installation, versioning and updating, the presence and status of endpoint and network security tools, and baseline operational and usage parameters. It includes tools and mechanisms to review, process and display the information in a meaningful and timely manner to entities authorized to initiate response procedures.

CCI, then, is not only about knowing what information and devices an organization owns and controls, but also what state they are in and when they are being operated in an uncharacteristic or anomalous manner. Additionally, CCI includes mechanisms for reporting, dashboarding, and alerting.

If these sound like the elements of a traditional information security program, they should. CCI and information security share many aspects, with CCI picking up where traditional information security ends, emphasizing governance, automation, timeliness, and reporting.

Effective CCI begins with the establishment of an organizational security governance posture. This includes defining security policies that cover areas such as access control, encryption and data protection, permissible configurations, baselines for traffic volumes and types, and patching and update frequencies. The policies must reflect the needs of both business and security stakeholders, and they must be both accessible and actionable.

Security policies are implemented as rule sets, which drive automated workflows and reporting and ensure timely knowledge of questionable or unacceptable conditions. Additionally, automation enables rapid incident response, quickly remediating insecure conditions or containing the spread of anomalous or malicious activity prior to metastasis.
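The policy-to-rule-set workflow described above, as an added example that is not code from the article or its author: a snapshot of the asset inventory (the CCI collection step) is evaluated against a small set of rules derived from policy (patch currency, disk encryption, endpoint agent status, and a per-role traffic baseline), and the findings are rolled up for reporting and filtered for alerting. The inventory, baselines and thresholds are constructed values, since the article names the policy areas but gives no numbers.

```python
"""Added example, not code from the article: a small 'policy as rule set' evaluator.

The asset inventory, baselines and thresholds below are constructed sample data and
assumed policy values; the article names the categories (patching, encryption,
endpoint tool status, traffic baselines) but gives no numbers.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass
class Asset:
    """One row of the CCI inventory: what we own, and what state it is in."""
    name: str
    role: str                 # selects the traffic baseline for this class of device
    last_patched: date
    disk_encrypted: bool
    edr_agent_running: bool
    egress_mb_per_day: float  # observed usage parameter from the last collection


@dataclass
class Finding:
    asset: str
    rule: str
    severity: str
    detail: str


# Governance inputs (assumed values): the policy expressed as data rather than code,
# so stakeholders can change thresholds without touching the workflow.
MAX_PATCH_AGE_DAYS = 30
ANOMALY_FACTOR = 3.0  # flag egress above 3x the baseline for the asset's role
TRAFFIC_BASELINE_MB = {"workstation": 500.0, "server": 20_000.0, "database": 2_000.0}

# A rule maps (asset, evaluation date) to a finding, or None when the asset complies.
Rule = Callable[[Asset, date], Optional[Finding]]


def rule_patch_age(a: Asset, today: date) -> Optional[Finding]:
    age = (today - a.last_patched).days
    if age > MAX_PATCH_AGE_DAYS:
        return Finding(a.name, "patch-currency", "high",
                       f"last patched {age} days ago (policy max {MAX_PATCH_AGE_DAYS})")
    return None


def rule_encryption(a: Asset, today: date) -> Optional[Finding]:
    if not a.disk_encrypted:
        return Finding(a.name, "data-protection", "high", "disk encryption disabled")
    return None


def rule_endpoint_tool(a: Asset, today: date) -> Optional[Finding]:
    if not a.edr_agent_running:
        return Finding(a.name, "endpoint-security", "medium", "endpoint agent not running")
    return None


def rule_traffic_baseline(a: Asset, today: date) -> Optional[Finding]:
    baseline = TRAFFIC_BASELINE_MB.get(a.role)
    if baseline is not None and a.egress_mb_per_day > baseline * ANOMALY_FACTOR:
        return Finding(a.name, "traffic-baseline", "medium",
                       f"egress {a.egress_mb_per_day:.0f} MB/day vs baseline {baseline:.0f}")
    return None


RULES: List[Rule] = [rule_patch_age, rule_encryption, rule_endpoint_tool, rule_traffic_baseline]


def evaluate(inventory: List[Asset], today: date, rules: List[Rule] = RULES) -> List[Finding]:
    """Run every rule over every asset; the findings feed reporting and alerting."""
    findings: List[Finding] = []
    for asset in inventory:
        for rule in rules:
            finding = rule(asset, today)
            if finding is not None:
                findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Dashboard roll-up: number of findings per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def alerts(findings: List[Finding], min_severity: str = "high") -> List[Finding]:
    """Findings that should trigger response now rather than wait for the periodic report."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [f for f in findings if order[f.severity] >= order[min_severity]]


# Constructed inventory snapshot, as a CCI collection step would produce it.
TODAY = date(2015, 2, 4)
SAMPLE_INVENTORY = [
    Asset("ws-101", "workstation", date(2015, 1, 20), True, True, 300.0),
    Asset("ws-102", "workstation", date(2014, 12, 1), False, True, 2_000.0),
    Asset("db-01", "database", date(2015, 1, 30), True, False, 1_500.0),
    Asset("srv-07", "server", date(2015, 1, 10), True, True, 10_000.0),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_INVENTORY, TODAY)
    for f in found:
        print(f"[{f.severity:>6}] {f.asset:8} {f.rule:18} {f.detail}")
    print("summary:", summarize(found))
    print("alerts:", [f.asset for f in alerts(found)])
```

Keeping the rules as a list of small functions driven by policy constants is the point: the governance layer owns the thresholds, the workflow layer owns collection and evaluation, and the same findings list serves the dashboard (`summarize`) and the alert path (`alerts`) without a second data model.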

In contrast to the specialized communities traditionally associated with cyber intelligence (e.g., information security and threat intelligence), CCI is broadly based. CCI stakeholders include executive management, business operations, human resources, systems engineering, development, finance, and legal. This stakeholder breadth is demanded by CCI’s bifurcated nature, which analyzes human behaviors and codifies them in security policies and then mitigates risk through technology implementations that identify and address vulnerabilities.

CCI’s inward, mitigation-based focus is agnostic to the external threat environment. Security is assured by recognizing, reporting, and remediating internal exposures and vulnerabilities that give rise to risk, not by reacting to outside actors. As a result, CCI creates an environment able to capitalize on the knowledge and wisdom generated by traditional cyber intelligence.

So, maybe we don’t get to be James Bond. But there’s a lot to be said for being James Angleton.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...
Comments
andregironda,
User Rank: Strategist
2/5/2015 | 1:32:24 PM
Totally confused
You are talking about internal intelligence, not counterintelligence.

Counterintelligence is offensively taking over enemy command and control through sting and dangle operations.

But wait -- there's more! I do like your definition and perhaps it fits correctly, but this dilemma certainly has me being pulled in multiple directions.

Did you just come up with this out of thin air or are you pulling this new CCI definition from somewhere? Searching for Cyber-CI only produces the offensive definition, not the internal intelligence one.
Marilyn Cohodas,
User Rank: Strategist
2/5/2015 | 11:37:38 AM
James Bond v James Angleton
Angleton (chief of the Central Intelligence Agency's Counterintelligence Staff from 1954 to 1975) sounds pretty much like a cool, spooky spy to me! Definitely a good role model for CCI!