A Military Perspective on Cyber Security

“Not a Paradigm Shift, Tactical Approach”

Joey Hernandez CISSP, MBCI [email protected]

Description

This is a working document for presentation to cyber security professionals concerning a tactical mindset for securing cyberspace within organizations. High level; case studies and more content will be added in Dec 2010 for the European, UK and German presentations. Feel free to respond and add to the brief. Requires notes.


Page 1: A military perspective on cyber security


Page 2: A military perspective on cyber security

Topic

• Background
• The Change
• Center of Gravity Rings
• Principles of War
• Contested Commons
• Your Turn

Page 3: A military perspective on cyber security

About Me

• Former Intelligence and Cyber Operations Analyst with a broad background in all domains of Network Operations.

• College Professor in the areas of Criminal Justice & Information Security

• Background in assessments covering NIST, FIPS and ISO standards

• Background in International CERT operations & current Director of Operations for the iSCSP

Page 4: A military perspective on cyber security

Background

Elevated age in cyber warfare
– Malware has become focused
  • SCADA systems (Stuxnet)
– Malware performs Operational Preparation of the Environment (OPE)
  • Conficker (millions still infected)
– Ransomware
  • Data is being held hostage

The advanced capability of the threat has increased the risk.

Understanding the risk allows employment of defensive measures to mitigate it – “Risk will always be present”

Page 5: A military perspective on cyber security

The Change

• Combined capabilities have helped attackers create weapon systems
– Soldier + Rifle + Bullets = a weapon system
• Cyber
– State sponsored, script kiddies, paid staff
– Laptop, desktop, mobile devices
– Metasploit, BackTrack, Poison Ivy, MPack, other RATs
• Hacker + Laptop + Metasploit = Weapon System
• Attackers, adversaries and cyber terrorists are now employing TTP (tactics, techniques and procedures)

Page 6: A military perspective on cyber security

Warden’s Rings

• The focus is to attack Centers of Gravity
– The Estonian attacks
– Utilized TTP
• Rings
– Leadership (defaced Ministry of Defense, Finance, etc.)
– Organic/System Essentials
– Infrastructure (DDoS against ISPs and wardialing to lock up the POTS network)
– Population (news media)
– Fielded Military Forces

[Figure: Warden’s rings diagram; labels: Leadership, System Essentials, Infrastructure, Population, Fielded Forces]

Page 7: A military perspective on cyber security

Cyber

• Population attacks cascade through the rings
• System essential attacks on services (e.g. supply chain, food, FedEx) feed the rings in both directions
• Infrastructure attacks feed the rings in both directions
• Leadership focus elevates the nature of the actions

“Defense measures must ensure protection of systems first and population foremost”

[Figure: ring diagram; labels: Population, System Essentials, Infrastructure, Leadership]

Page 8: A military perspective on cyber security

Countering Principles of War

• Raising perceptions of attacks guarantees an elevated perspective.

• Proactive approaches to providing defense-in-depth reduce risk to all Centers of Gravity

• NOT immediately achievable, requires buy-in

Page 9: A military perspective on cyber security

Principle 1

Objective: Direct every operation towards a clearly defined, decisive, and attainable objective.

• Security
– Create policy and directives that are concise, fed from leadership and enhance current capabilities.
• Defense
– Institutionalize SOPs, creating a path to obtainable objectives

Page 10: A military perspective on cyber security

Principle 2

Offensive: Seize, retain, and exploit the initiative

• Cyber security personnel must have all tools required to respond to incidents or events when presented, enabling decisive results

• Immediate knowledge of events through proactive measures
– Proactive research
– International teams of trust
– Reverse engineering of “current” malicious code
– Pentesting with seized exploits ensures preparedness
– Exercise routinely against new threats

• Exploitation allows establishing ops tempo for defensive and counter operations.

Page 11: A military perspective on cyber security

Principle 3

Economy of Force: Allocate minimum essential combat power to secondary efforts.

• Cyber security staff should only be allocated tasks relating to protection of the grid and its associated systems
• Minimize external tasks not associated with cyber security
• “Employ” others to do password resets, maintenance and support
• Discriminate whenever possible!
• Identify and prioritize cyber assets and assign coverage accordingly

Page 12: A military perspective on cyber security

Principle 4

Mass: Concentrate combat power at the decisive place and time.

– Sustain with technology, resolve with mass
– Use crisis action teams, leverage distributed knowledge
– “Get there first with the most.”
– The dynamic nature of cyberspace allows you to employ mass globally with centralized control
– Convene and delegate
– Ensure communication is continuous
– If possible (make possible), disarm the attacker
– Block/mitigate the adversary’s ability to maneuver: a virtual arm bar
– Remain focused on protection

Page 13: A military perspective on cyber security

Principle 5

Surprise: Strike the enemy at a time, place, or manner for which they are unprepared.

• Always expect it!
• Trust but verify
– If the network is quiet, lower thresholds to find hidden traffic
• Utilize time to influence out-of-the-box operating procedures and allow TTP to develop
• Always expect it!
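The “if the network is quiet, lower thresholds” idea can be turned into a concrete detection rule: scale the per-host alert threshold with the ratio of observed to baseline traffic volume, so that a host making a handful of repeated outbound connections during an off-hours lull is surfaced even though the same count would be noise during the business day. The following is an added example, not code from the deck or its author; the flow-log format, the hostnames, the destination addresses and the baseline and threshold numbers are all constructed for illustration.

```python
"""Adaptive alert threshold for quiet periods (added example, constructed data).

Rule: per-host threshold = base_threshold * (observed_volume / baseline_volume),
capped at base_threshold on busy hours and floored at min_threshold on quiet ones.
"""
from collections import Counter, defaultdict

# Constructed flow-log lines: "<hour> <src_host> <dst_ip> <bytes>".
# ws-17 repeatedly contacts one external host during two quiet night hours.
SAMPLE_LOG = """\
02 ws-17 203.0.113.9 410
02 ws-17 203.0.113.9 402
02 ws-17 203.0.113.9 398
02 ws-17 203.0.113.9 405
02 ws-04 198.51.100.20 1200
03 ws-17 203.0.113.9 405
03 ws-17 203.0.113.9 411
03 ws-17 203.0.113.9 399
03 ws-22 198.51.100.20 900
"""

BASELINE_EVENTS_PER_HOUR = 400  # constructed "normal" hourly volume for this segment
BASE_THRESHOLD = 50             # connections/hour per host that alerts at normal volume
MIN_THRESHOLD = 3               # floor, so a single stray connection never alerts


def adaptive_threshold(observed_events, baseline_events, base_threshold,
                       min_threshold=MIN_THRESHOLD):
    """Return the per-host alert threshold for a period with `observed_events` total events.

    Quiet period (observed < baseline) -> threshold shrinks proportionally;
    busy period -> threshold stays at base_threshold (ratio is capped at 1.0).
    """
    if baseline_events <= 0:          # no baseline yet: fall back to the fixed rule
        return base_threshold
    ratio = min(1.0, observed_events / baseline_events)
    return max(min_threshold, int(base_threshold * ratio))


def parse_log(text):
    """Parse the constructed log format into (hour, src_host, dst_ip, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hour, src, dst, nbytes = line.split()
        rows.append((int(hour), src, dst, int(nbytes)))
    return rows


def find_outliers(rows, baseline_events=BASELINE_EVENTS_PER_HOUR,
                  base_threshold=BASE_THRESHOLD, adaptive=True):
    """Return (hour, host, connection_count, threshold_used) for hosts over threshold.

    With adaptive=False the fixed base_threshold is applied, which is what a
    day-time tuned rule would do and what the quiet-hour beacon slips under.
    """
    per_hour = defaultdict(Counter)
    for hour, src, _dst, _nbytes in rows:
        per_hour[hour][src] += 1

    findings = []
    for hour in sorted(per_hour):
        total = sum(per_hour[hour].values())
        thr = adaptive_threshold(total, baseline_events, base_threshold) if adaptive \
            else base_threshold
        for host, count in per_hour[hour].most_common():
            if count >= thr:
                findings.append((hour, host, count, thr))
    return findings


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("fixed threshold :", find_outliers(rows, adaptive=False))
    print("adaptive        :", find_outliers(rows))
```

Run on the constructed log, the fixed rule reports nothing, while the adaptive rule flags ws-17 in both quiet hours (4 and 3 connections against a lowered threshold of 3). The floor value is the knob that controls false positives at night; the cap at the base threshold keeps a busy hour from ever loosening the rule.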

Page 14: A military perspective on cyber security

Principle 6

Maneuver: Place the enemy in a position of disadvantage through flexible application of combat power

• Gain an advantage in positioning by training, certifying defense crews

• Exercising as a team places the adversary in a position of disadvantage

• Train as a group to flexibly protect, respond, and mitigate attacks

• Leverage internal and external trusted SME capabilities

Page 15: A military perspective on cyber security

Principle 7

Unity of Command: For every objective, ensure unity of effort under one responsible commander.

• A single leader should provide direction and coordination for crews ensuring clear and concise objectives.

• Alignment facilitates communication for mission/common objective

• Each task presented should have ownership and custodial characteristics for members of the crew

• Ideas & Solutions
– Preferred collective
– Collective not required

Page 16: A military perspective on cyber security

Principle 8

Security: Never permit the enemy to acquire an unexpected advantage.

• Protect and preserve defense measures, procedures and capabilities from the eyes of the adversary.

• Protect information through PEOPLE vetting
“Minimize the chance of future WikiLeaks”

• Security exertion minimizes attack vectors
• Understand the capabilities and limiting factors of your people – “provides for a clearer situational awareness”

Page 17: A military perspective on cyber security

Principle 9

Simplicity: Prepare clear, uncomplicated plans and concise orders to ensure thorough understanding.

• Concise plans and orders minimize the chance for mistakes.
• The degree of operational simplicity results from experience, training, empowerment and institutionalization of processes.
• Simplicity in cyber operations is an art of balance
• Open lines of communication, local and global, support simplicity and information sharing

Page 18: A military perspective on cyber security

Contested Commons

• It is a global medium: maritime, air, space, cyber
• Relied upon for business globalization
• More nations, organizations and economies at risk
• Rapid capability development, sluggish legal and global agreement on how to “address cyber attacks”
• Russia and China created No CY Zones
• Some believe there is “No Cyber War”
– Ask Estonia, Brazil, Canada, South Africa, Malaysia

Page 19: A military perspective on cyber security

Your Turn

• Train and exercise your crews as a team
• Open lines of communication
• Think strategically, act locally
• Be proactive, make quick fixes, and turn best practice into TTP
• Be paranoid, suspicious and know your adversaries
• Build your trusted crisis network
• Plan for events
• Clear the fog