Friday, 26 June 2015

Cyber Intelligence - Levels of Action



INTELLIGENCE AND NATIONAL SECURITY ALLIANCE (INSA) CYBER INTELLIGENCE TASK FORCE - USA

SEPTEMBER 2013
www.insaonline.org | 703.224.4672

OPERATIONAL LEVELS OF CYBER INTELLIGENCE

CYBER INTELLIGENCE WHITE PAPER SYNOPSIS 

The purpose of the INSA white paper, Operational Levels of Cyber Intelligence, is to explore cyber intelligence as a disciplined methodology with understandable frames of reference that address both the human and technical aspects of the cyber domain. All operations in cyberspace begin with a human being; therefore, cyber intelligence should not be limited to an understanding of network operations and activities. Rather, it is an analytic discipline relying on information collected from traditional intelligence sources intended to inform decision makers on issues pertaining to operations at all levels in the cyber domain. Embracing these concepts helps one understand the steps required to develop malicious cyber actions and points toward a process that can assist network defenders in understanding the kill chain process used to deter, neutralize or defeat malicious network activity. 

The Three Levels of Cyber Activities:

Strategic: The guidance and determination of objectives by the highest organizational entity and its use of the organization’s resources toward the achievement of these objectives. Intelligence must be included in the calculus so that strategic-level decision makers can understand the threats that may inhibit or prevent obtaining their strategic objectives. 

Operational: This level affords opportunity to design defenses, based upon intelligence, against the threats actively, or most likely to, target an organization’s network and data. The more informed CISOs and CIOs are on the objectives and capabilities of malicious actors, the better they are able to posture their enterprise to defend against threats. 

Tactical: Activities at this level focus on the ordered arrangement and maneuver of elements in relation to each other and to the enemy to achieve objectives. Typical tactical actions are primarily conducted in the Network Operations Center or Security Operations Center and operate best when informed by intelligence. Pre-coordination and advanced warning alone may make the difference between critical web support services being available or not.

Conclusions:

• Defining the cyber “lay of the land” in manageable levels—strategic, operational, and tactical—and integrating sound intelligence methodology into the equation, makes it easier for organizations to address the challenge of cyber security. 

• Supporting the three-level spectrum of requirements also necessitates cyber intelligence analysts understand the human element: adversaries’ intentions, how they plan, coordinate and execute and what motivates them towards action or inaction. 

• While the movement of malicious files occurs in milliseconds, or at the “speed of cyber,” the human-enabled activities necessary to execute malicious cyber operations take careful planning and an investment of time. A kill chain is a sequence of activities and overall operations that a threat vector must traverse in order to cause an effect. Thus, defenders need to expand their understanding of the kill chain beyond merely the network activity. 

• Once an adversary is identified and understood, the challenge is to provide decision makers at every level with the information needed and the tactics necessary to collect, integrate and make accessible the intelligence required to act against malicious network activity.

Link to the full document:
http://www.insaonline.org/i/d/a/Resources/CyberIntel_WP.aspx
