Friday, 26 June 2015

Cyber intelligence - operational level of action



INTELLIGENCE AND NATIONAL SECURITY ALLIANCE CYBER INTELLIGENCE (INSA) TASK FORCE - USA

OCTOBER 2014
www.insaonline.org | 703.224.4672

OPERATIONAL CYBER INTELLIGENCE

THE THIRD WHITE PAPER IN THE “LEVELS OF CYBER INTELLIGENCE” SERIES 

While much attention has been paid to cyber attacks against organizations of all sizes and from across all sectors, there has been less discussion of how organizations can strengthen their risk management processes in such a diverse and evolving threat climate. Operational cyber intelligence encompasses an understanding of both tactical means – how cyber threats function to disrupt and/or degrade an organization’s networks and cyber capabilities – and the broader strategic motivations of potential adversaries. This intelligence can inform senior leadership and help executives and managers develop strategic plans and policies that allow an organization to operate while navigating countless cyber threats. 
Specifically, this white paper examines: 

• How operational cyber intelligence seeks to protect the enterprise by facilitating predictive analysis and a more comprehensive understanding of specific threats;
• Business and mission considerations for operational cyber intelligence; and
• Workforce and skill sets necessary to support the cyber intelligence role. 

While tactical cyber intelligence is directed at efforts to detect and respond to adversaries already operating within an organization’s network, operational cyber intelligence protects the enterprise by facilitating predictive analysis of specific threat actors before they gain access. The ultimate goal of a cyber intelligence program is to reduce risk to an organization’s critical information, intellectual property and ability to successfully conduct its mission. 

Operational cyber intelligence does this by: 
1. Defining the operating environment.
2. Describing the impact of the operating environment. 
3. Evaluating the adversary. 
4. Determining adversaries’ potential courses of action. 

Operational cyber intelligence provides a thread that links the probability and impact of a cyber attack with its strategic-level implications. The result is a coherent framework for analysis and prioritization of potential threats and vulnerabilities given an organization’s threat environment. 

Operational Cyber Intelligence is the third in the INSA white paper series on levels of cyber intelligence. The series began with the overview paper, Operational Levels of Cyber Intelligence, in September 2013, followed by Strategic Cyber Intelligence in March 2014. The next installment on tactical cyber intelligence will be published in early 2015.

Link to the full document:
http://www.insaonline.org/i/d/a/Resources/OCI_wp.aspx

Cyber intelligence - strategic level of action



INTELLIGENCE AND NATIONAL SECURITY ALLIANCE CYBER INTELLIGENCE (INSA) TASK FORCE - USA

MARCH 2014
www.insaonline.org | 703.224.4672

STRATEGIC CYBER INTELLIGENCE

CYBER INTELLIGENCE TASK FORCE WHITE PAPER SYNOPSIS 

The Intelligence and National Security Alliance (INSA) Cyber Intelligence Task Force defined the strategic, operational, and tactical levels of Cyber Intelligence in its white paper The Operational Levels of Cyber Intelligence. While much attention has been directed towards the tactical, on-the-network cyber domain, this paper contends that not enough resources have been devoted to strategic cyber intelligence. The fundamental purpose of this white paper is to promote thought and dialogue on the importance of cyber intelligence, and specifically strategic cyber intelligence, to senior leaders’ risk-informed decision making, ultimately leading to improved strategy, policy, architecture, and investment. 

The paper discusses the: 
• Nexus between strategic cyber intelligence and risk management in relation to strategic cyber intelligence consumer and producer roles and responsibilities. 
• Role of strategic cyber intelligence analysis based upon the National Institute of Standards and Technology (NIST) risk assessment methods: vulnerability-based, threat-based, and impact-based. 
• Inextricable linkage between intelligence production and information sharing. 

Strategic Cyber Intelligence offers senior leaders an accurate assessment of how to direct cyber-related expenses in line with an organization’s risk heuristic. Leveraging Strategic Cyber Intelligence to address strategic information requirements allows an organization to: 
• Effectively assess, explain, and quantify risk to senior management and other key stakeholders. 
• Collaborate in a more meaningful manner with members of law enforcement, defense organizations, the intelligence community, and the information security community on interests at large. 
• Demonstrate an appropriate standard of diligence to auditors, regulators, and stakeholders.
• Reduce the exposure of the business to regulatory or legal sanctions.
• Demonstrate responsible security resource expenditure by defending not just what is important to the firm but what is relevant to the threat. 

The ultimate goal of such a program is to reduce risk to an organization’s critical mission and assets. It enables senior leadership to make informed decisions and proactively defend the enterprise. To succeed in the cyber domain in 2014 and beyond, strategic cyber intelligence will play a crucial role in defending private companies and government sectors by providing the necessary intelligence to prevent potential incidents that could cripple our security as well as our economy.

Link to the full document:
http://www.insaonline.org/i/d/a/Resources/StrategicCyber.aspx

Cyber intelligence - levels of action



INTELLIGENCE AND NATIONAL SECURITY ALLIANCE CYBER INTELLIGENCE (INSA) TASK FORCE - USA

SEPTEMBER 2013
www.insaonline.org | 703.224.4672

OPERATIONAL LEVELS OF CYBER INTELLIGENCE

CYBER INTELLIGENCE WHITE PAPER SYNOPSIS 

The purpose of the INSA white paper, Operational Levels of Cyber Intelligence, is to explore cyber intelligence as a disciplined methodology with understandable frames of reference that address both the human and technical aspects of the cyber domain. All operations in cyberspace begin with a human being; therefore, cyber intelligence should not be limited to an understanding of network operations and activities. Rather, it is an analytic discipline relying on information collected from traditional intelligence sources intended to inform decision makers on issues pertaining to operations at all levels in the cyber domain. Embracing these concepts helps one understand the steps required to develop malicious cyber actions and points toward a process that can assist network defenders in understanding the kill chain process used to deter, neutralize or defeat malicious network activity. 

The Three Levels of Cyber Activities:

Strategic: The guidance and determination of objectives by the highest organizational entity and its use of the organization’s resources toward the achievement of these objectives. Intelligence must be included in the calculus so that strategic-level decision makers can understand the threats that may inhibit or prevent obtaining their strategic objectives. 

Operational: This level affords the opportunity to design defenses, based upon intelligence, against the threats actively targeting, or most likely to target, an organization’s network and data. The more informed CISOs and CIOs are on the objectives and capabilities of malicious actors, the better they are able to posture their enterprise to defend against threats.

Tactical: Activities at this level focus on the ordered arrangement and maneuver of elements in relation to each other and to the enemy to achieve objectives. Typical tactical actions are primarily conducted in the Network Operations Center or Security Operations Center and operate best when informed by intelligence. Pre-coordination and advanced warning alone may make the difference between critical web support services being available or not.

Conclusions:

• Defining the cyber “lay of the land” in manageable levels—strategic, operational, and tactical—and integrating sound intelligence methodology into the equation, makes it easier for organizations to address the challenge of cyber security.

• Supporting the three-level spectrum of requirements also necessitates that cyber intelligence analysts understand the human element: adversaries’ intentions, how they plan, coordinate and execute, and what motivates them towards action or inaction.

• While the movement of malicious files occurs in milliseconds, or at the “speed of cyber,” the human-enabled activities necessary to execute malicious cyber operations take careful planning and an investment of time. A kill chain is a sequence of activities and overall operations that a threat vector must traverse in order to cause an effect. Thus, defenders need to expand their understanding of the kill chain beyond merely the network activity. 

• Once an adversary is identified and understood, the challenge is to provide decision makers at every level with the information needed and the tactics necessary to collect, integrate and make accessible the intelligence required to act against malicious network activity.

Link to the full document:
http://www.insaonline.org/i/d/a/Resources/CyberIntel_WP.aspx


Monday, 22 June 2015

Management of removable data / information media



Guidance
10 Steps: Removable Media Controls

From: UK CESG, Department for Business, Innovation & Skills, Cabinet Office and Centre for the Protection of National Infrastructure
First published: 5 September 2012
Last updated: 16 January 2015 


1. Summary
Failure to control or manage the use of removable media can lead to material financial loss, the theft of information, the introduction of malware and the erosion of business reputation. It is good practice to carry out a risk benefit analysis of the use of removable media and apply appropriate and proportionate security controls, in the context of the organisation's business and risk appetite.

2. What is the risk?
The use of removable media to store or transfer significant amounts of personal and commercially sensitive information is an everyday business process. However, if organisations fail to control and manage the import and export of information from their Information and Communications Technologies (ICT) using removable media they could be exposed to the following risks:

• Loss of information: The physical design of removable media can result in it being misplaced or stolen, potentially compromising the confidentiality and availability of the information stored on it.
• Introduction of malware: The uncontrolled use of removable media will increase the risk from malware if the media can be used on multiple ICT systems.
• Information leakage: Some media types retain information after user deletion; this could lead to an unauthorised transfer of information between systems.
• Reputational damage: A loss of sensitive data often attracts media attention which could erode customer confidence in the business.
• Financial loss: If sensitive information is lost or compromised the organisation could be subjected to financial penalties.

3. How can the risk be managed?
Removable media should only be used to store or transfer information as a last resort; under normal circumstances information should be stored on corporate systems and exchanged using appropriately protected and approved information exchange connections.

3.1 Produce corporate policies
Develop and implement policies, processes and solutions to control the use of removable media for the import and export of information.

3.2 Limit the use of removable media
Where the use of removable media is unavoidable the business should limit the media types that can be used together with the users, systems and types of information that can be stored or transferred on removable media.

3.3 Scan all media for malware
Protect all host systems (clients and servers) with an anti-virus solution that will actively scan for malware when any type of removable media is introduced. The removable media policy should also ensure that any media brought into the organisation is scanned for malicious content by a standalone media scanner before any data transfer takes place.

3.4 Audit media holdings regularly
All removable media should be formally issued by the organisation to individuals who will be accountable for its secure use and return for destruction or reuse. Records of holdings and use should be made available for audit purposes.

3.5 Encrypt the information held on the media
Where removable media has to be used, the information should be encrypted. The type of encryption should be proportionate to the value of the information and the risks posed to it.

3.6 Lock down access to media drives
The secure baseline build should deny access to media drives (including USB drives) by default and only allow access to approved authorised devices.

3.7 Monitor systems
The monitoring strategy should include the capability to detect and react to the unauthorised use of removable media within an acceptable time frame.
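
As an added illustration of controls 3.4, 3.6 and 3.7 (not part of the CESG guidance), the following audit checks USB mass-storage attach events in a Linux kernel log against the register of issued media. The register contents, host names and log lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed register of issued media (control 3.4):
# (idVendor, idProduct, serial) -> accountable holder. All values are made up.
ISSUED_MEDIA = {("0781", "5567", "4C53000123"): "j.smith"}

# Constructed syslog excerpt in the Linux kernel's USB message format.
SAMPLE_LOG = """\
Jun 22 09:14:02 ws-017 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Jun 22 09:14:02 ws-017 kernel: usb 1-2: SerialNumber: 4C53000123
Jun 22 09:14:03 ws-017 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 22 11:40:51 ws-022 kernel: usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Jun 22 11:40:51 ws-022 kernel: usb 2-1: SerialNumber: 0000FFEE
Jun 22 11:40:52 ws-022 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Jun 22 12:05:10 ws-022 kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
"""

PFX = r"^(\w{3} +\d+ [\d:]+) (\S+) kernel: "
FOUND = re.compile(PFX + r"usb ([\d.-]+): New USB device found, "
                         r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(PFX + r"usb ([\d.-]+): SerialNumber: (\S+)")
STORAGE = re.compile(PFX + r"usb-storage ([\d.-]+):[\d.]+: USB Mass Storage device detected")


def audit_attachments(log_text, register):
    """Return one record per mass-storage attach, checked against the register."""
    pending = {}  # (host, port) -> [vendor, product, serial] seen since plug-in
    events = []
    for line in log_text.splitlines():
        if m := FOUND.match(line):
            pending[(m[2], m[3])] = [m[4], m[5], None]
        elif m := SERIAL.match(line):
            if (m[2], m[3]) in pending:
                pending[(m[2], m[3])][2] = m[4]
        elif m := STORAGE.match(line):
            # A device with no descriptor or serial line can never match the register.
            device = tuple(pending.get((m[2], m[3]), [None, None, None]))
            events.append({"time": m[1], "host": m[2], "device": device,
                           "holder": register.get(device),
                           "approved": device in register})
    return events


def unapproved(events):
    """Events that the monitoring process (control 3.7) should alert on."""
    return [e for e in events if not e["approved"]]


if __name__ == "__main__":
    for e in unapproved(audit_attachments(SAMPLE_LOG, ISSUED_MEDIA)):
        print("ALERT", e["time"], e["host"], e["device"])
```

USB descriptors are reported by the device itself, so a log-based check like this supports audit and alerting but does not replace the deny-by-default baseline build described in 3.6.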

3.8 Actively manage the reuse and disposal of removable media
Where removable media is to be reused or destroyed then appropriate steps should be taken to ensure that previously stored information will not be accessible. The processes will be dependent on the value of the information and the risks posed to it and could range from an approved overwriting process to the physical destruction of the media by an approved third party.

3.9 Educate users and maintain their awareness
Ensure that all users are aware of the risks posed to the organisation from the use of removable media and their personal security responsibility for following the corporate removable media security policy.