IN PREPARING FOR BATTLE, I HAVE ALWAYS FOUND THAT …
“IN PREPARING FOR BATTLE, I HAVE ALWAYS FOUND THAT PLANS ARE USELESS, BUT PLANNING IS INDISPENSABLE.”
― DWIGHT D. EISENHOWER
In cyber security, the strategic goals are often clear but the methods to achieve them are anything but.
This white paper introduces Damrod’s Cyber Strategic Framework, which applies military analysis to cyber
security challenges. Aimed at security teams implementing high-level goals in the real world, this paper
focuses on effects-based planning that integrates disparate elements of IT and security into a cohesive
package. Defending a network is about more than technology. Analysis and leadership are critical
elements of an effective cyber defense. Reading this paper will leave security teams better equipped to
develop the tactics and implement the actions that make strategy a reality.
EXECUTIVE SUMMARY
Solutions to the challenges of cyber security will not come from technology alone.
Technology has no small part to play in winning this contest, but it must be deployed
intelligently as part of a coherent strategy that counters and defeats the opposition.
Strategy does not appear without effort. It is the product of rigorous analysis. Likewise,
the implementation of a strategy is not a given, and requires leadership to flourish.
This paper focuses on implementing strategy through realistic and realizable actions. It
introduces a four-part model:
➢ Strategy – A comprehensive way to achieve an end
➢ Effects – What the strategy aims to realize
➢ Tactics – The people, procedures, and technologies that achieve the effects
➢ Actions – The detailed steps that turn tactics into reality
This model is viewed through Damrod’s Cyber Strategic Framework, which guides
decision making and provides graphical representations of conflict and defense.
A thorough understanding of what a security team is protecting, against what threat, and
with what resources, improves the quality of the defense and promotes return on the
investment by focusing on achieving specific effects.
Making strategy a reality is the translation of the abstract to the material. It is a process
where ideas become deeds. This requires clear communication and direct engagement
with people. As concept becomes reality, the number of people involved increases. It
becomes vitally important that everyone knows what they are doing, and for what
purpose.
Cyber attacks are increasing in scale, frequency, and damage. As the consequences of
attack rise, so too must the quality of the defense. However, addressing every risk is
beyond the ability of any organization. Damrod helps security teams to direct resources
where they will have the greatest impact and empowers them to implement a winning
strategy.
Learn more at www.damrod.co.uk, or read the white paper – Winning Cyber Conflict.
Prepared by Griff James
CONTENTS
Executive Summary
Introduction
1. Strategy
1.1 Understand the Terrain
1.2 Understand the Attacker’s Intent
1.3 Determine the Attackers’ Courses of Action
2. Effects
2.1 Effects Planning
2.2 Effects Summary
3. Tactics
3.1 Plan Resources for the Effects
3.2 Refine the Resources
3.3 Assess the Defenses
4. Actions
Concluding Thoughts
Annex A
Table of Figures
Figure 1: Strategy to Action
Figure 2: Cyber Geographic Framework
Figure 3: Example of Cyber Terrain
Figure 4: Attackers' Intent
Figure 5: Attackers’ Course of Action
Figure 6: Effects Planning
Figure 7: One Page Summary
Figure 8: Resource Planning
Figure 9: Resource Refinement
Figure 10: Cleared Resource Refinement
ABOUT DAMROD
Damrod Analysis is founded on the idea that cyber security must transition to cyber defense. The threats and risks of the modern world are ill-served by a philosophy that puts minimal compliance above independent analysis.
Too often a regulatory checklist defines the cyber security of an organization. Damrod Analysis treats cyber as conflict, and provides the tools to win.
INTRODUCTION
We all have an intuitive understanding of the difference between strategy and tactics:
tactics govern day-to-day actions, strategy is longer term.
It is implicit that tactics fall under strategy. The challenge rests in ensuring that the
tactics carry out the goals.
The key to getting the big things to go the right way is to make sure all the small things
align. To do that you need a system that connects the largest to the smallest.
This paper introduces a four-step framework for turning strategy into action. Under the
framework, Strategy identifies Effects, Effects define Tactics, and Tactics produce
Actions.
The framework is a derivation of the British Army’s Combat Estimate process, a helpful
foundation because the Army is adept at connecting the tactical execution of small tasks
to the larger purpose of strategic intent.
Figure 1: Strategy to Action
Strategy in cyber security is often simplistic: ‘don’t get breached’.
A more nuanced interpretation may see the role of cyber security as protecting the
confidentiality, availability, and integrity of data and systems.
This is a good starting point in preparing a cyber defense. Beyond this basic premise,
defenders should not lose sight of the value they must contribute and the functionality
they must demonstrate:
• Value: A cyber security strategy is only valuable in the context of the utility that
data and systems provide to the wider organization.
• Functionality: If the security strategy grows so strict as to stifle the company’s
ability to operate, then cyber security is acting counter to the interests of the
organization.
To balance defense, threats, and business needs, cyber defenders must understand what
they are defending, against what, and with what resources.
Damrod’s Cyber Strategic Framework provides a repeatable, easily communicated, and
technically accurate system to lead teams from strategic vision to daily action.
[Figure 1 panels: Strategy, Effects, Tactics, Actions]
1. STRATEGY
Strategy is about setting the conditions of success and shaping the future. It is a clear
statement of intent that gets refined through analysis, effort, and leadership.
Cyber defense is not solely about preventing breaches or blocking attacks. While it exists
within the construct of information technology, it extends beyond.
To set the conditions of success, strategists need to understand the characteristics of the
terrain, assess the attackers’ intent and determine the attackers’ potential courses of
action.
Within these parameters, an organization can create a common purpose for all its cyber
defense programs so as to better maintain the confidentiality, availability, and integrity of
its systems and data.
1.1 UNDERSTAND THE TERRAIN
Central in any conflict is an understanding of the terrain. While cyber does have a physical component, the majority of interactions occur at an intangible level. A physical map or network diagram provides insufficient context for decision making.
To give a frame of reference for cyber, a modified military Geographic Framework is helpful. Widely used by NATO forces to understand physical battles, the Geographic Framework divides conflict into Deep, Close, and Rear categories. In land conflict, the Deep is where an opponent’s force operates. Close is where the conflict occurs, where opposing factions meet in a contest of wills. The Rear is the region over which the defender prepares for battle.
On a map, the Deep, Close, and Rear will be separated by distance measured in kilometres. While physical distance has little impact on cyber conflict, the addition of a degree-of-control gradient to the Geographic Framework is valuable.
In cyber terms, Deep is synonymous with the deep web and darknet, while Close is the internet and common interactions within cyberspace. There is an interplay in the Close between cyber and physical assets. The Rear is analogous to an organization’s own networks and databases.
By organizing the cyber terrain based on Deep, Close, and Rear, linked to a defender’s
degree of control, the Cyber Geographic Framework allows for visual orientation, much
like North or distance markers on a map.
TERRAIN ANALYSIS
Knowledge of the terrain provides a decisive advantage in anticipating where and when a contest will occur. Three key takeaways from a military terrain analysis are:
• the avenues of approach
• the key terrain
• the vital ground
Avenues of approach are potential lines of attack. Key terrain is ground that will make the mission easier, or the opponent’s mission harder. Vital ground is terrain that, if lost, results in mission failure.
From a cyber perspective, there are clear avenues of approach. Key terrain consists of networks and applications. Databases or other important pieces of the IT infrastructure are vital ground.
Figure 2: Cyber Geographic Framework
Instead of hills, rivers, or roads, cyber has prominent features like networks, databases, and applications. There is no constraint on what constitutes a cyber terrain feature, provided that the cyber terrain is:
➢ representative of an element relevant to cyber; and,
➢ something of interest to attackers or defenders.
Some prominent examples of cyber terrain are:
• Perimeters
• Networks
• Applications
• Hardware
• Databases
• People
These broad terms can be further split based on additional criteria, such as being internal or externally facing, or cloud, or legacy. So long as some analysis has gone into the planning, it is a valid observation of the cyber terrain.
DEFINITION AND VISIBILITY
Mapping the cyber terrain provides a definitive and graphical representation of organizational assets. The cyber terrain analysis is an abstract exercise that organizes assets into distinct categories represented as terrain features. A feature may have sub-categories. Hardware, for example, may include the registry of every machine in the organization. However, there is no need to show that level of detail when planning. Still, it is important that fidelity is maintained. Drilling into any terrain feature should provide a connection to any individual cyber asset or user.
Figure 3: Example of Cyber Terrain
1.2 UNDERSTAND THE ATTACKER’S INTENT
Knowing the ground gives insight into where conflict is likely to occur. By mapping
features onto the Geographic Framework, a visual representation of risk emerges. The
further ‘North’ an aspect of the terrain, the more it is subject to hostile action.
Determining what aspects are likely to be attacked is the first step in planning the
defense. Before delving into specifics of the attack, the defender must consider what
attackers are going to be after, and generally how they might achieve their aims.
In the simple example below, the attackers’ goal is to exploit users for financial gain. To
do this, they will:
1. FIND vulnerabilities in the perimeter.
2. INFILTRATE through networks, applications, and hardware.
3. EXPLOIT the users.
“Attack is the secret of defense; defense is the planning of an attack.”
― Chang Yu, commenting on Sun Tzu’s “The Art of War”
Figure 4: Attacker’s Intent
Organizations subject to multiple threats must devise multiple Attacker overlays to
understand the differing intents and objectives of attackers.
1.3 DETERMINE THE ATTACKER’S COURSES OF ACTION
Many of the threat actors within cyber have distinct Tactics, Techniques and Procedures
(TTPs). A useful carryover from military analysis, TTPs are collections of hard won
evidence that paint a picture of what an adversary is likely to do. As attackers become
more sophisticated they often follow set play books. Conversely, simple attackers are
likely to use well known attacks—another known play book.
Broadly speaking there are four threat actors, each with different aims.
Detailed assessment of these actors is a matter for specialist threat intelligence firms, but
a basic understanding of the four main types, and how they hybridize, provides a good
basis for understanding likely courses of action.
Awareness of an attacker’s known TTPs can help refine a security team’s assessment of
the specific actions that the attacker may take against the organization to achieve its
objectives.
The analysis focuses on two questions:
• Most Likely Course of Action (MLCoA): What is the attacker most likely to do?
• Most Dangerous Course of Action (MDCoA): What is the most dangerous thing the
attacker can do?
Defenders should plan against both MLCoAs and MDCoAs. According to a military axiom,
any plan that handles both the most likely and the most dangerous is probably a good
plan.
In the simple example provided in Figure 5, the MLCoA, shown as a solid red line, has the
attackers use automated tools to find vulnerabilities before infiltrating through the
externally facing network to distribute malware onto local hardware. This malware will
deploy ransomware, targeting internally facing workers.
The MDCoA, shown as a dotted red line, is a spear-phishing campaign targeting externally
facing users who typically receive high volumes of emails from unknown sources. This
course of action relies on users making a mistake, and installing malware directly onto
their PC, which would then spread through the internal networks.
Figure 5: Attacker’s Course of Action
Overlaying the MLCoAs from multiple threat actors creates a busy but valuable graphic.
Aspects of the terrain where many red lines intersect should become a priority for the
defense.
2. EFFECTS
With an understanding of the What and How of an attack, the defense can be planned.
A common desire is to start discussing technologies and policies, a defender’s TTPs, that
can block the attack. This is a mistake. To do so limits options to pre-existing notions and
favours the status quo. It is better to first determine which Effects need to be achieved.
Effects are changes that impact on the Attacker or on the terrain.
2.1 EFFECTS PLANNING
Begin the Effects planning by selecting areas of focus.
For example:
1. The perimeter – how might attackers get in?
2. Externally facing networks – how could the attack get in and spread?
3. Hardware – how can malware be stopped?
4. Externally facing persons – how can users be protected from spear phishing?
Note that each area of focus has a question attached. The question helps define the
purpose for each area of focus, as detailed in Figure 6.
Figure 6: Effects Planning
2.2 EFFECTS SUMMARY
Picking a key word from the purpose of each focus provides the ‘Effect’. An Effect should
always contribute to the Strategy.
Originating with the military, Effects based planning aids
commanders in translating higher level intent into a practical plan.
Effects describe what the defender is trying to achieve at a tactical
level, as established by the Strategy.
The meanings of Effect verbs in the military are very specific, often
set at NATO level to reduce confusion during international
operations. As this is an emergent field within cyber, it is only
important that each team understand what the Effects mean within
their specific context.
In the example, the four focus points have produced four Effects:
➢ Detect
➢ Prevent
➢ Protect
➢ Protect
Each Effect has an intended Outcome, and a draft Action. These
will be refined in the Action phase; however, it is valuable to
summarize what the Effect aims to achieve early in planning.
The Main Effort is the decisive Effect, which other Effects support.
Figure 7: One Page Summary
MEASURING PERFORMANCE
Key performance indicators can be assigned to the Effects. Internal projects and third party vendors should report on how well they have delivered the Effect.
The absence of attack or breach may demonstrate that the Protect or Prevent Effect was successful. The value driver then becomes how to deliver that Effect most efficiently.
3. TACTICS
3.1 PLAN RESOURCES FOR THE EFFECTS
Once the security team is satisfied that the planned Effects will realize the overall
Strategy, the assessment can move into the Tactical phase. For many, this is the most
interesting aspect, as it calls for the allocation of specific resources to achieve desired
Effects.
High-level considerations include:
➢ Is the resource in-house or external?
➢ Is it custom-built or off-the-shelf?
➢ How many ways are there to realize the same Effect?
As possible resources are discussed, they are mapped to the Effects Overlay without further consideration.[1] The goal of this stage is to record many ways of realizing the Effects. There should be far more technologies, vendors, policies, and projects on the Effects Overlay than your organization can support.
Figure 8: Resource Planning
3.2 REFINE THE RESOURCES
Refining the Resource Plan requires filtering the unrestricted generation of ideas through the pragmatic lens of reality. Recalling the likely constraints identified during the Strategy stage, begin stripping the Resource Plan back to a manageable size. Consider elements like budget, timescale, sequencing, people, and organizational priorities.
[1] Annex A contains a table of the resource graphics. A Graphics Pack can be downloaded from Damrod.co.uk
When assigning resources, refer to the Threat Integration Overlay to confirm that the Most
Likely and Most Dangerous threats are addressed. It is normal to have new ideas at this
stage. Plans will be refined throughout the process. If there is uncertainty in the value of
a resource, mark it for further review. Removing the Threat overlay cleans up the
graphic.
Figure 9: Resource Refinement
Figure 10: Cleared Resource Refinement
3.3 ASSESS THE DEFENSES
The Tactical picture is nearly complete. Resources have been assigned to Effects, which in
turn are confirmed against the Strategic goals. Although assessing the validity of a
defense is never simple, there are six core principles.
Contained within the mnemonic DAMROD, the strength of a defense is predicated on:
➢ Depth: Layered defenses that absorb an attacker’s momentum
➢ All Around Defense: Attacks considered from all angles
➢ Mutual Support: Explicit interconnection of defenses
➢ Reserves: Uncommitted resources to respond to the unexpected
➢ Offensive Spirit: Defender thinks like the attackers and how to beat them
➢ Deception: Defense confuses and delays attackers with artificial weaknesses
In the example provided in Figure 10, Depth is achieved as both the Most Likely and Most
Dangerous threats must defeat five layers of security. All Around Defense is met, as the
defense considers both technical attacks through the network, and human-borne attacks
via phishing. Dynamic Application Security Testing (DAST) can be added to protect against
additional vectors. Mutual Support is met as the defenses are sequenced and designed to
work in concert (but note that the real test of mutual support occurs during the Action
phase, discussed below). Reserves exist in the form of an Incident Response Team (IRT).
The Offensive Spirit is met as the defender has thought like the attackers and taken steps
to counter them. And finally, Deception may be met through the deployment of a
Deception-based technology as part of the DETECT Effect.
Broadly speaking, this is a reasonable defense for most organizations. It is unrealistic to
expect every defense to strongly achieve all six principles. However, reflecting on the
DAMROD principles of defense provides tried and tested criteria to assess the robustness of
a defense.
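The overlay logic of Section 1.3 (terrain features where many red lines cross become priorities) and of Sections 3.2 and 3.3 (confirm that the Most Likely and Most Dangerous courses of action are addressed, and count the layers each must defeat for Depth) can be made concrete in code. The following Python model is an added example, not part of the paper or Damrod's graphics pack; every feature name, course of action, resource and control value is constructed to follow the narrative of Figures 5 and 10, and Reserves such as the Incident Response Team are modelled as uncommitted, so they are not counted as a layer.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Feature:
    """A cyber terrain feature placed on the Cyber Geographic Framework."""
    name: str
    region: str        # "Deep", "Close" or "Rear"
    control: float     # defender's degree of control: 0.0 (none) to 1.0 (full)

@dataclass(frozen=True)
class CourseOfAction:
    """One red line on the overlay: the features an attacker moves through, in order."""
    actor: str
    kind: str                  # "MLCoA" or "MDCoA"
    path: tuple[str, ...]      # FIND -> INFILTRATE -> EXPLOIT, as feature names

@dataclass(frozen=True)
class Resource:
    """A tactic assigned to an Effect and to the features it sits on (Section 3)."""
    name: str
    effect: str                # Detect, Prevent, Protect ...
    covers: frozenset[str]     # terrain features the resource defends
    reserve: bool = False      # Reserves stay uncommitted, so they are not a layer

def hot_spots(terrain: list[Feature], coas: list[CourseOfAction]) -> list[tuple]:
    """Section 1.3: rank features by red-line crossings, then by low defender control."""
    hits = Counter(f for coa in coas for f in dict.fromkeys(coa.path))
    rows = [(f.name, hits[f.name], round(1.0 - f.control, 2)) for f in terrain]
    return sorted(rows, key=lambda row: (-row[1], -row[2]))

def layers(coa: CourseOfAction, resources: list[Resource]) -> list[str]:
    """Section 3.3 Depth: committed resources this course of action must defeat."""
    on_path = set(coa.path)
    return [r.name for r in resources if not r.reserve and r.covers & on_path]

def gaps(coa: CourseOfAction, resources: list[Resource]) -> list[str]:
    """Section 3.2: path steps with no committed resource; mark these for review."""
    covered = set().union(*(r.covers for r in resources if not r.reserve))
    return [f for f in coa.path if f not in covered]

def assess(coas: list[CourseOfAction], resources: list[Resource]) -> dict[str, dict]:
    """Threat Integration Overlay check: is every MLCoA and MDCoA addressed, how deeply?"""
    return {f"{c.actor}/{c.kind}": {"depth": len(layers(c, resources)),
                                    "gaps": gaps(c, resources)} for c in coas}

# Constructed sample terrain, overlays and resources following the narrative of
# Figures 5 and 10; none of these values come from Damrod's own graphics.
TERRAIN = [
    Feature("perimeter", "Close", 0.4),
    Feature("external network", "Rear", 0.7),
    Feature("hardware", "Rear", 0.9),
    Feature("internal users", "Rear", 0.8),
    Feature("external users", "Close", 0.5),
]
COAS = [
    CourseOfAction("criminal", "MLCoA", ("perimeter", "external network", "hardware", "internal users")),
    CourseOfAction("criminal", "MDCoA", ("external users", "hardware", "external network")),
    CourseOfAction("hacktivist", "MLCoA", ("perimeter", "external network")),
]
RESOURCES = [
    Resource("vulnerability scanning", "Detect", frozenset({"perimeter"})),
    Resource("network segmentation", "Prevent", frozenset({"external network"})),
    Resource("endpoint protection", "Protect", frozenset({"hardware"})),
    Resource("phishing awareness", "Protect", frozenset({"external users"})),
    Resource("incident response team", "Reserve", frozenset(), reserve=True),
]
```

Calling `hot_spots(TERRAIN, COAS)` ranks the external network first (three red lines cross it), and `assess(COAS, RESOURCES)` reports that the criminal MLCoA reaches internal users with no committed resource on that step, the kind of gap Section 3.2 says to mark for further review.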
4. ACTIONS
Analysis and planning are irrelevant unless translated into reality. Practically speaking,
this means projects, checklists, and short-term goals. The value in Effects-based
planning, and in putting together a One Page Summary particularly, is that they provide a
vision for teams and individual contributors to link their work to a wider objective.
The Actions phase further perfects Resource Refinement, assigning people and dollar
values against the Tactics that achieve the Effects.
Depending on the size of the organization and team, there may be several stages of Action
planning. Tables and lists are helpful at this late stage to split the plan into manageable
pieces.
General project-management frameworks like PRINCE2, PMP, or even Agile and Kanban are effective ways to plan actions.
CONCLUDING THOUGHTS
Bringing Strategy to life is a challenge in any profession. It is especially difficult against
an opponent that is actively trying to defeat you. Cyber is a domain of conflict, and to
win, the defenders must treat it that way.
Sequencing the planning of cyber defense into the four key phases of Strategy, Effects,
Tactics, and Actions breaks down a complex problem into practical portions.
➢ Strategy to give direction by understanding the terrain and the threat
➢ Effects to create change by countering the threat and defending the terrain
➢ Tactics to achieve the change through people, policy, and technology
➢ Actions to make the plan reality by putting resources to task
Damrod’s Cyber Strategic Framework provides a visual workspace where the concrete and
the abstract interact in a common language.
There are overwhelming numbers of cyber products, practices, and vendors. Effects based
planning allows organizations to purchase only the solutions they need, with a clear intent
on their deployment, boosting return on investment and value for money.
An effective defense requires more than the layering of technology or passing adherence
to a generic standard. Due consideration must be given to the risks and consequences of
failure. Only with an understanding of how and why attackers move through systems can
defenses be adequately designed. Assessment against the principles of DAMROD
encourages the interconnectivity of the defenses, ensuring that different teams and
technologies work in unison to provide real protection against complex threats.
Technology will always be a part of cyber defense. However, it is the analysis and
leadership of humans that ensures technology is correctly applied to cyber conflict. In
that event, the cyber defender must Plan to Win.
ANNEX A