- The Integrated Security Approach (ISA) is on the rise, as organizations push to create early warning systems for a more robust defense
- Cyber intelligence is the backbone of an integrated security strategy and must be collected at the Strategic, Operational and Tactical levels.
A sharp detective can learn a lot from an autopsy, including the cause of death and the possibility of foul play, among other insights. The same can be said about the approach that many organizations take to cyber intrusions. Many organizations focus on the post-mortem of a cyber attack in order to better understand their vulnerabilities and mitigate any damage. But what about preventing the next attack?
An increasing number of organizations are keen not to just limit and assess the damage when they’re hacked; they want a means of knowing as much as possible about potential foes so that they might be able to prevent intrusions before they occur. That’s why the idea of a more holistic, integrated approach to cyber security is currently taking shape.
Some organizations are recognizing the value of an integrated security approach that goes beyond a post-mortem Kill Chain analysis and emphasizes the critical role of cyber intelligence.
Towards an Integrated Security Approach
As organizations struggle to cope with the evolving nature of cyber threats, it’s becoming apparent that they need to create a clear picture of what’s happening in both the digital and physical worlds. It’s now imperative to work with national governments as well, integrating digital and real-world defense tactics to limit damage and prevent attacks. In large part, this is because malicious actors and nation-state attackers often don’t distinguish between the physical and digital spheres. An increasing number of cyber-attacks are designed to have severe real-world consequences, such as a power outage or a military system malfunction.
Thus, organizations and governments are considering implementing comprehensive, integrated defense concepts that encompass both cyberspace and the physical world. This philosophy has come to be known as the Integrated Security Approach (ISA). The ISA framework provides key ideas for a holistic view of cyber defense and prevention. Its main goal is to generate early warnings, or “alarms,” preferably before an attack is ever launched. These alarms are meant to produce a relevant warning message that translates early-stage threat detection data into actionable responses, both in cyberspace and in the real world.
However, the main challenge of an ISA is fusing all incoming information on a consistent basis, so that predictions correlate closely with actionable prevention. The quantity, variety, and rate of information that comes pouring in through networks present the biggest challenge in ferreting out the real threats quickly and accurately.
The Key Role of Cyber Intelligence in an ISA
An effective ISA requires frameworks, strategies and systems that are tailored to an organization’s strategic posture. This goes for both private and public entities. An ISA is your cyber security game plan, but to draw one up, you need to know as much as possible about the adversary. This is what makes cyber intelligence the bedrock of any good ISA.
What is Cyber Intelligence?
There are three basic levels of cyber intelligence that any ISA relies on to detect threats and recommend the most appropriate responses. Although these may sound “militaristic” in nature, they are now just as applicable to corporate and private entities seeking to combat cyber-crime:
Strategic. The Intelligence and National Security Alliance (INSA) roughly defines strategic cyber intelligence as determining the high-level goals or objectives of the organizations seeking malicious actions. Are they a terrorist group, nation state, or foreign corporation? Who are the leaders at the highest level, and what ends will cyber-attacks serve to further?
Operational. Cyber intelligence at the operational level entails identifying the capabilities, systems and resources that an attacker will need in order to carry out an attack that furthers their strategic goals. Through what avenues will they attempt to enter the network? What technical, legal, or financial vulnerabilities of their own could be used against them when they decide to execute a malicious action?
Tactical. Knowledge at the tactical level is about the “hand to hand combat” that will likely take place during an attack: specifically, what kinds of programs and malware will they use, and where exactly will they use them in your system? Intelligence at this level focuses on the ordered arrangement and real-time maneuvering of cyber combat elements during the attack.
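The fusion challenge described above (merging reports from many feeds consistently enough that a correlated “alarm” can drive a defensive response) and the three intelligence levels just listed can be illustrated with a small fusion routine. The following is an added example written for this page, not code from the article or from any ISA product; the actor names, feeds, confidence values and recommended actions are all constructed, and the two-level, 0.5-confidence alarm thresholds are arbitrary assumptions an analyst would tune.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LEVELS = ("strategic", "operational", "tactical")

# Generic defensive follow-up per level, included in a warning when that level
# is present. Illustrative wording, not a prescription from the article.
ACTIONS = {
    "strategic": "brief leadership and re-assess the organization's exposure to this actor",
    "operational": "review and harden the entry avenue the reporting names",
    "tactical": "push the indicators to detection tooling and hunt for earlier sightings",
}


@dataclass(frozen=True)
class IntelReport:
    level: str         # one of LEVELS
    actor: str         # actor label as written by the source; normalised later
    source: str        # feed or team that produced the report
    observed: datetime
    detail: str        # free-text summary of what was observed
    confidence: float  # analyst confidence in the report, 0.0 to 1.0


def normalise_actor(name: str) -> str:
    """Collapse cosmetic differences between feeds ('Actor A', 'actor-a', 'ACTOR_A')."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def fuse(reports, now, window=timedelta(days=30)):
    """Merge reports into one record per (actor, level, detail).

    Reports older than the window are dropped. Duplicates across feeds are
    collapsed, keeping the highest confidence and counting distinct sources so
    corroboration stays visible to the analyst.
    """
    merged = {}
    for r in reports:
        if r.level not in LEVELS:
            raise ValueError(f"unknown intelligence level: {r.level}")
        if now - r.observed > window:
            continue
        key = (normalise_actor(r.actor), r.level, r.detail.strip().lower())
        entry = merged.setdefault(key, {"confidence": 0.0, "sources": set(), "detail": r.detail})
        entry["confidence"] = max(entry["confidence"], r.confidence)
        entry["sources"].add(r.source)
    return merged


def early_warnings(reports, now, min_levels=2, min_confidence=0.5):
    """One warning per actor reported at >= min_levels levels with confidence >= min_confidence."""
    by_actor = defaultdict(lambda: defaultdict(list))
    for (actor, level, _), entry in fuse(reports, now).items():
        if entry["confidence"] >= min_confidence:
            by_actor[actor][level].append(entry)
    warnings = []
    for actor, levels in sorted(by_actor.items()):
        if len(levels) < min_levels:
            continue
        # Score is the best confidence at each level, summed (maximum 3.0).
        score = round(sum(max(e["confidence"] for e in es) for es in levels.values()), 2)
        corroboration = max(len(e["sources"]) for es in levels.values() for e in es)
        warnings.append({
            "actor": actor,
            "levels": tuple(l for l in LEVELS if l in levels),
            "score": score,
            "max_sources": corroboration,
            "actions": [ACTIONS[l] for l in LEVELS if l in levels],
        })
    return warnings


# Constructed sample feed: one actor seen at all three levels (with a duplicate
# tactical report from a second feed), one low-confidence single-level actor,
# and one stale report that falls outside the fusion window.
NOW = datetime(2014, 6, 1)
SAMPLE_REPORTS = [
    IntelReport("strategic", "Actor A", "geopolitical-desk", NOW - timedelta(days=10),
                "Sponsoring state has signalled interest in our sector", 0.6),
    IntelReport("operational", "actor-a", "vendor-report", NOW - timedelta(days=5),
                "Probing of remote-access gateways reported", 0.7),
    IntelReport("tactical", "ACTOR_A", "internal-sensor", NOW - timedelta(days=1),
                "Known malware sample seen on a workstation", 0.9),
    IntelReport("tactical", "Actor A", "isac-feed", NOW - timedelta(days=2),
                "Known malware sample seen on a workstation", 0.8),
    IntelReport("tactical", "Actor B", "isac-feed", NOW - timedelta(days=3),
                "Unattributed scan of public web servers", 0.4),
    IntelReport("operational", "Actor C", "vendor-report", NOW - timedelta(days=90),
                "Tooling from an old campaign", 0.9),
]

if __name__ == "__main__":
    for w in early_warnings(SAMPLE_REPORTS, NOW):
        print(w)
```

Run as a script, only “actora” produces a warning: Actor B is reported at one level with confidence below the threshold, and Actor C’s report is stale. The point of the design is that the alarm is driven by agreement across levels and feeds rather than by any single indicator, which is what the fusion step of an ISA is meant to deliver.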
While there is no officially accepted definition of “cyber intelligence,” it’s generally accepted that it includes the collection and analysis of information to produce timely, contextual, and relevant information for key supported decision makers. It can be thought of as a complex and undefined, yet multifaceted, approach to framing thought processes around reacting to (and preventing) adversarial cyber activity. The need for a broad perspective to get the “lay of the land” as it relates to threats illustrates an increasing need for cyber intelligence analysts to know far more than just the functionality of networks. Analysts need to grasp the human element of their adversary: what they intend, how they plan, and how they coordinate and execute. What motivates them towards action (or inaction)?
To support their organization’s strategic goals, some analysts will need to brush up on the intricacies of current (and past) geopolitical events to put things into proper context. They’ll need some perspective on the competitive business landscape, international politics, domestic politics, and in some cases the agendas of niche interest groups. How all these factors influence potential adversaries, whether a criminal organization, nation state or business competitor, is critical to analysts determining their organization’s risk and exposure to cyber-attacks.
Concurrently, there’s an ongoing emphasis on tactical cyber intelligence to support the “on the network” fight. However, the cost has been a dearth of discussion about integrating strategic and operational level intelligence into ISAs. When it comes to cyber intel at these levels, high-quality geopolitical risk analysis becomes more important than ever. You need to understand not just the capabilities of potential adversaries, but their goals and intent. Assessing both capabilities and intent can be a daunting task, because most adversaries are intelligent, agile, and constantly morphing as they see new countermeasures arise.
Emphasizing an integrated approach to cybersecurity can be extremely useful to organizations, both public and private. Organizations that have implemented an ISA can monitor for an “alarm” that initiates a proactive analysis, which could be a key difference-maker in a cybersecurity strategy.
Author: Josh Rittenberg
Josh Rittenberg is the Founder and Editor of Breach Memo. He is an attorney in New York City who first became interested in emerging threats while working as an analyst at the Center for Strategic and International Studies (CSIS) Transnational Threats Program in Washington, DC. He has been published by NPR, The American Lawyer, Corporate Counsel, and the CSIS Transnational Threats Update. The views expressed in this blog are his personally and not those of any other person, organization, or other entity.