Defence of domestic or deployed military missions from cyber threats will require a significant investment to overcome challenges in terms of tools, personnel, time, and cultural change. This truth is largely understood across the defence community and is prompting investment in military cyber capabilities as senior leadership across the Five Eyes countries comes to realise the potential impacts and general challenges involved in countering cyber-delivered effects or cyber-enabled espionage. The increasingly large volumes of financial and personnel resources being allocated to defensive cyber operations and IT security (DCO/ITS) capabilities engender hope amongst long-time cyber operators, who understand that insufficient investment would likely lead to the loss of sustained cyber superiority within one's own systems.
While the levels of investment and support inspire hope, a narrow focus on capabilities that can be directly defined as "hard cyber" creates risk by artificially separating supporting and operational functions in terms of funding, requirements, and authorities. Any internal resource reallocation taken from Information Technology (IT) service delivery organizations to create "new" cyber investment reduces the support those organizations can provide. Allocating funding to cyber operations capabilities without accounting for the resulting pressures upon support functions could also lead to sustainability issues, and creating authority and responsibility silos could degrade how DCO/ITS and support functions plan together. This article discusses key elements of the relationship between DCO/ITS capabilities and how IT systems are managed, and provides perspectives on how the two can be leveraged together to significantly advance an organization's overall cyber operational capability.
Understanding the interdependency
How a network is managed, specifically its technical management capabilities, has a significant impact on the range of mechanical options available to cyber defence and security personnel. Deploying purpose-built defensive cyber operations (DCO) capabilities is required, but it is not the simple acquisition, deployment, and use of those technologies that will win the cyber fight, just as simply having tanks does not win the tactical fight. From a technology perspective, many advanced cyber defence tools need specific types of services, configurations, and accounts in order to function effectively. In terms of process, change and configuration management needs to account for actions that may be initiated for defence or security purposes. Finally, DCO/ITS capabilities can be used to enable in-service support (ISS) and product managers to more effectively monitor and manage the health and hygiene of an IT system, which directly benefits any related defence or security efforts.
A network's maturity states for cyber defence and for system management are highly linked
Cyber capabilities are dependent upon the maturity of a range of processes and technical configurations within an IT system. There are many examples of this type of dependency: deploying security patches within a network uses the same mechanisms that system uses to deploy any generic patch; effective network monitoring should use context information from endpoints and networking devices to inform and enrich alerts; deploying custom tools to devices during an incident relies upon the IT system's underlying ability to remotely install, manage, and configure programs; and restoring a compromised device to a safe and trusted state leverages the tools used to deploy new hosts and to manage endpoint configuration. What the defender can do in any given situation is limited or enabled by the options that the underlying system provides. Increases in the types and quality of available information improve intrusion detection, just as granular endpoint configuration management improves the dexterity of actions aimed at blocking an attack or eradicating malicious code.
Given this critical dependency, the capabilities to manage network infrastructure, users, programs, endpoints, and data should be recognized as providing two types of value to any organization. The first is the efficiency gained in managing the system, which by itself is of significant value. The second is the increased cyber operational capability that is generated. The converse is also important to understand, particularly when deploying ad hoc networks or scaled-down networks in support of deployed operations. Losing management capabilities in a system, or deciding not to build in specific management features, has effects beyond the ISS organization and could limit the degree to which cyber operations can be successful.
Within any deployed military system, DCO/ITS capability requirements must be accounted for in management and configuration tools and processes, as they will either limit or enable available response options.
All configuration changes on a system should use the same change mechanisms
For many types of cyber events that require a response, time and human resources are limited. High-threat security patches need to be pushed out and installed across disparate networks before the vulnerability they address can be exploited. Devices that have been compromised need to be quarantined, investigated, and restored. Changes to how networking infrastructure moves data within a system may be required to defeat an ongoing attack. In all of these cases, responding to an attack requires making a change to the system, and how well that change is executed determines how successful the response is.
The need to take timely action commonly leads to the idea of giving DCO/ITS teams the access and authorization to implement changes directly, particularly where ISS organizations are not resourced to provide timely support. For a single incident and a small set of changes, the potential risks may not be obvious, as their impacts are likely predictable and therefore seem manageable. Scaled over time and across an enterprise with potentially multiple DCO/ITS teams, however, significant system stability risks arise as repeated changes cause the actual configuration to drift from what it should be. The DCO/ITS individual conducting the action may not have the knowledge needed to understand its broader system-level impacts, and solutions developed without the support of ISS or the related product manager are less likely to be the most effective way to achieve a particular goal.
While there is no doubt that actions need to be taken in response to current or potential incidents, there are alternatives to providing DCO/ITS teams with the ability to change configurations. ISS and engineering teams should be resourced to provide timely support, which has the added benefit of increasing the resources available to provide general support for that system. For those cases where required actions have very tight timelines, pre-established sets of actions can be designed and prepared by the correct support personnel to create a library of pre-authorized actions. Lastly, the process for authorizing changes within a system should be adapted to account for and facilitate DCO/ITS actions within the existing change management framework while accounting for highly limited timelines.
One special exception to strong DCO/ITS and ISS coordination on actions exists. The overall process must account for the rare possibility where, with only the amount of coordination and planning that is available, a suitably informed operational commander can take a near-term set of immediate actions in the face of adversary cyber attacks threatening lives or a mission. With deliberate planning and preparation, the need to take this kind of action should be minimized and used only as a last resort.
Within any deployed military system, decisions regarding the management of the system should be made through a collaborative and mutually supportive consultation process with DCO/ITS capability and operational planners.
Security and defence tools should be used by in-service support teams to support general network health and hygiene.
Defining a technical tool as an ISS or DCO/ITS "tool" is not useful, as this presupposes how it will be used and can limit the extent to which useful tools are leveraged within a system. Yet in most organizations, the idea of providing ISS teams access to a DCO/ITS "tool" like a network intrusion detection system (NIDS) may seem odd. Someone may ask, "Why would ISS need to monitor for intrusions?" Framed this way, the question appears reasonable. Instead, the question should be framed around what the tool does mechanically and how it can be used, such as: "Why would ISS need a way to understand traffic to and from devices that they manage, or why would they need to detect traffic anomalies?" As the entity responsible for the configuration and health of the network, ISS could use a NIDS to monitor for deviations from expected network traffic in and out of server farms, verify traffic across protected network boundaries, replay network communications to troubleshoot a problem, or detect anomalies caused by accidental configuration changes. If ISS were given access to the entire Security Information and Event Management (SIEM) system, they could set up monitoring for privileged accounts, policy compliance, and other best practices so that they themselves can recognize issues and take action. Proactive actions taken in this way allow DCO/ITS teams to focus elsewhere.
Using a NIDS and/or the SIEM to support network health and hygiene could be extremely valuable as they could: (1) reduce the effort required to monitor some elements of network health and hygiene; (2) reduce the response time for resolving non-security incidents; and, (3) ensure that the NIDS/SIEM is constantly tuned to the operating environment. Tuning is enormously important for the efficiency and effectiveness of any monitoring tools. NIDS/SIEM implementations that are not tuned to the network are highly ineffective as they generate false positives while real attacks become further buried by a sea of low-value noise.
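The following Python script is an added illustration, not code from the original article or from any product it mentions, of the baseline-deviation monitoring described above: one rule compares server-farm flows against a tuned baseline, and the deviations it surfaces fall naturally into a hygiene queue (a known service reaching the wrong destination, typically a misconfiguration for ISS) and a security queue (a service that is not in the baseline at all, for DCO/ITS to triage). The server-farm addresses, the baseline policy, the queue names and the flow records are all constructed for the example; a real NIDS or SIEM would supply the records and its own rule language, and the baseline itself is exactly the tuning the paragraph says both teams depend on.

```python
"""Baseline-deviation triage over constructed flow records.

Added example (assumption-laden): addresses, baseline entries, queue names
and log lines are all constructed for illustration, not taken from any
real network or product.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network
from typing import Any, NamedTuple


class Flow(NamedTuple):
    src: Any
    dst: Any
    dport: int
    proto: str


# Constructed baseline (assumption): the tuned policy for one server farm.
SERVER_FARM = ip_network("10.20.0.0/24")
EXPECTED = [
    # (destination network, dport, proto, description)
    (ip_network("10.1.1.53/32"), 53, "udp", "corporate DNS resolver"),
    (ip_network("10.1.1.123/32"), 123, "udp", "corporate NTP"),
    (ip_network("10.1.5.0/24"), 443, "tcp", "patch/management servers"),
]


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(ip_address(fields["src"]), ip_address(fields["dst"]),
                int(fields["dport"]), fields["proto"])


def classify(flow: Flow) -> tuple[str, str]:
    """Compare one flow with the baseline and return (queue, reason).

    Queues used by this example (an assumption, not a standard):
      ignore   - source is outside the monitored server farm
      ok       - matches a baseline entry
      hygiene  - port/proto is a known service but the destination is not the
                 expected one; usually a misconfiguration for ISS to fix
      security - port/proto is not in the baseline at all; for DCO/ITS triage
    """
    if flow.src not in SERVER_FARM:
        return ("ignore", "source outside the monitored server farm")
    # Baseline entries that describe this service (same port and protocol).
    matches = [(net, desc) for net, port, proto, desc in EXPECTED
               if flow.dport == port and flow.proto == proto]
    for net, desc in matches:
        if flow.dst in net:
            return ("ok", desc)
    if matches:
        wanted = ", ".join(desc for _, desc in matches)
        return ("hygiene",
                f"{flow.proto}/{flow.dport} to {flow.dst} instead of {wanted}")
    return ("security",
            f"{flow.proto}/{flow.dport} to {flow.dst} is not in the baseline")


def triage(log: str) -> dict[str, list[tuple[Flow, str]]]:
    """Run every record through classify() and bucket the results by queue."""
    buckets: dict[str, list[tuple[Flow, str]]] = {}
    for line in log.strip().splitlines():
        flow = parse_flow(line)
        queue, reason = classify(flow)
        buckets.setdefault(queue, []).append((flow, reason))
    return buckets


# Constructed sample records (not real traffic). Line 4 models a server
# whose resolver was accidentally changed; line 5 models an unexpected
# outbound service; line 6 is a host outside the farm.
SAMPLE_LOG = """
src=10.20.0.11 dst=10.1.1.53 dport=53 proto=udp
src=10.20.0.11 dst=10.1.1.123 dport=123 proto=udp
src=10.20.0.12 dst=10.1.5.7 dport=443 proto=tcp
src=10.20.0.12 dst=10.1.9.9 dport=53 proto=udp
src=10.20.0.13 dst=203.0.113.5 dport=4444 proto=tcp
src=10.30.0.5 dst=10.1.1.53 dport=53 proto=udp
"""

if __name__ == "__main__":
    for queue, items in triage(SAMPLE_LOG).items():
        print(f"[{queue}]")
        for flow, reason in items:
            print(f"  {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The split between the hygiene and security queues is a heuristic, and in practice each queue should be visible to both teams: the misconfigured resolver is ISS's to fix but is also a useful detection signal, and the untuned case (an empty or stale `EXPECTED` list) puts every flow in the security queue, which is the "sea of low-value noise" the paragraph warns about.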
In the case of vulnerability management (VM), examining how ISS could use DCO/ITS tools leads to the realization that VM, as a function, should actually be the responsibility of ISS rather than DCO/ITS. From the system's perspective, a vulnerability is a configuration issue: it is a condition derived from what is installed on a system and how it is configured, and the vast majority of remediations (patching, hardening, removing software) require someone with knowledge of, and sufficient permissions on, the system to make a configuration change. As a result, VM should be seen organizationally as a subset of configuration management, conducted by in-service support organizations and system life-cycle product managers, with timelines that can be influenced or directed by DCO/ITS teams. As long as DCO/ITS organizations maintain an oversight role, have access to VM status information, and can drive timelines when a vulnerability needs to be mitigated faster than normal, the bulk of the daily use of VM tools is better placed with ISS, gathering information on the devices they manage and working to fix them.
There are many other examples where this approach can be applied. Endpoint detection and response tools, normally used to identify and track malicious actions, can be used to provide independent monitoring of the health of other enterprise management tools, such as Microsoft’s System Center Configuration Manager (SCCM), or to investigate outages on a device caused by misconfigured programs. Tools like a host intrusion prevention system could be set up to monitor for known problematic user or program actions and automatically block them. Some endpoint security tools can even manage software that was deployed without organic remote management features, reducing ISS support overhead.
Organizations responsible for ISS should take full advantage of the DCO/ITS tools on their networks to support their own tasks and to help maintain the tuning of those tools in relation to the network.
Enterprise Program Considerations
Maximizing the value of any security investment requires that an organization has a concept of where that value should come from and the means to change the business processes and activities required to realize it. Any organization that invests heavily in cyber security and defence capabilities should have a concept for how ISS and DCO/ITS are synchronized. To accomplish this, it would likely be necessary to: (1) eliminate the idea of tool/capability ownership and replace it with a needs-to-capabilities approach; (2) establish bidirectional supporting/supported relationships between DCO/ITS teams and ISS; (3) develop a capability inventory of DCO/ITS and ISS tools focused on what actions each tool can take; and (4) develop business processes across the security, cyber, and ISS community to tune cyber defence infrastructure to the environment.
For the past decade, Nicholas Scheurkogel has led key cyber intelligence capabilities at the Department of National Defence (DND), including strategic cyber assessment, tactical support to cyber defence teams, and intelligence operations. From 2006 he was the go-to cyber threat expert at DND and beyond. He is currently Director, Cyber Intelligence at Cytelligence.