Producing Cyber Intelligence for Efficient Network Defenses

By Captain Jonathan Racicot

Having accurate information is critical to the success of any organization. For centuries it has
been the key to military victories, and the lack of it has led to defeats. For effective
operations, accurate information about your own forces and those of your adversary is
absolutely critical, but not all information is relevant. Strong facts processed with sound
analytical methods can extrapolate future events accurately, allowing better decision-making.
Inaccurate or false information, however, leads to defeat and can even threaten the survival of
the organization. This process—intelligence production—drives not only military operations but
also diplomacy, economic negotiations, and now cyber defenses. Security vendors are releasing
waves of reports about threat actors along with databases of indicators. Organizations would be
wise to evaluate the relevance of this constant flow of information in order to better assess the
real threats and shape optimal courses of action (COAs). This is accomplished by using
intelligence—a process used by Western military forces to provide options for commanding
officers on land, at sea, and in the air. This process applies equally to the cyber environment
and constitutes a powerful tool for Chief Executive Officers (CEOs), Chief Information Officers
(CIOs), and system administrators concerned about securing critical components of their
infrastructure. This article presents an overview of the intelligence process and its application to
securing critical components of one’s information systems.



The Intelligence Cycle

“By ‘intelligence’ we mean every sort of information about the enemy and his country—the
basis, in short, of our own plans and operations.” — Carl von Clausewitz, On War, 1832

Raw data by itself has relatively limited utility. Domains, Internet Protocol (IP) addresses, and
malware signatures quickly become obsolete, while network alerts and traffic are only relevant
within a certain context. Combining historical data from an Intrusion Detection System (IDS),
event logs, and open source research into logically linked facts through sound analysis produces
information; this information is the product that most security vendors distribute. Intelligence is
the extrapolation of this information by analysts to anticipate future circumstances, permitting
the development of possible COAs. By producing intelligence, analysts accomplish the following
objectives:

• Inform the decision-maker
• Describe the operational environment
• Identify, define, and nominate objectives
• Support the planning and execution of operations, i.e., cyber defense
• Counter adversary deception and surprise
• Support friendly deception efforts (more relevant in a military context)
• Assess the effectiveness of operations (mainly network defenses)



Cyber Warnings E-Magazine – August 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide