I just finished my most recent stint as the IO SME for a Joint Public Affairs Contingency Course. As a part of the operational play I had to devise an influence campaign to try and stop a BN CDR from attacking the capitol city as ordered by his BDE CDR.
I must admit I wasn’t the best map-reader in the Army. I always tried to pair myself up with someone who was good at it. However it was clear to me that even before I could even develop my own MISO CONOP I had to understand the military operation. This meant assessing the convoy route, determining how long the convoy would be allowed to travel before being attacked from the air, etc. This analysis complemented the media analysis of how to reach the unit’s leadership.
Many people feel the same way about the cyber realm. In developing a graduate course for American Military University (AMU), “Cyber & The Intelligence Cycle” I have one lesson which is a practical exercise. I thought it would be appropriate to provide some insight into cyber attack and defense along the lines of a class military piece on small unit tactics. My version is a couple of pages and can be found below.
Duffer’s Drift (found at: http://www.globalsecurity.org/military/library/policy/usmc/fmfrp/12-33/fmfrp12-33.pdf) is regarded as a classic in the realm of small unit tactics. It is set in the Boer War and describes dreams that a LT has while being charged with the defense of a key piece of terrain. You can find a copy of the book on Amazon at: http://amzn.to/2nBB0j8 (which is also the photo source).
In this version I’ve brought it up to date and analogized the small unit infantry tactics to the cyber world of today.
There is a USMC authored Rand version for Information Operations Practitioners which is 50 pages worth and can be found at: http://bit.ly/2oL1XRI
“Do not put off defense” can be interpreted to mean employ an active, layered defense or defense in depth means to employ a number of complementary security products and services in your defense. These include multi-factor authentication, firewalls, intrusion prevention systems, etc.
“Locals” we can define to be contractors, visitors, temporary employees and similar stakeholders. In the defense context the principles relating to ‘locals’ means that you treat everyone as a security risk who must adhere to the same policies and procedures as employees and who must be subject to the same sort of cybersecurity technology products and services as others. Security needs to be uniform across all personnel seeking to access the organization’s information technology resources.
“Tents” in the cyber context means insure that all devices and networks have at least a minimum amount of security to avoid casual use by unauthorized personnel and to discourage would be cyber trespassers.
The second dream makes a strong case for cyber concealment and deception. Techniques here can include honey-pots and sandboxes. Honeypots and sandboxes are technical means whereby systems and/or networks are set up that are totally isolated from actual systems and networks. They are designed as decoys to attract, study, and entrap attackers. Both of these induce the attacker into an area where they can do no harm.
As to locals in this dream – the implication is that the organization treats the employees well so that they don’t covet the contractor’s position. Contractors should not be given favorable treatment to include the need to cover shifts beyond the normal day shift/week day work schedule.
The third dream makes the case for stringent ‘local’ management. This may also alluded to the 21st century enchantment with Social Media and that family members might unwittingly be security risks or even targets. Executives and those in sensitive positions need to take special care to insure that the organization’s sensitive data, prototypes, plans, etc. are not accidently exposed on social media by family members. This bid for OPSEC means that family members should be aware of the dangers of social media and should have clear guidelines as to what they cannot do.
Comments with respect to trenches can be taken to mean that there is a need for advanced security architecture. Architecture should also consider how organizations should maintain security in the face of advances in smartphones, tablets, etc. Systems should be designed with cyber security as a core foundational element rather than as an add-on feature after the systems or applications are fielded.
There are several key points contained in the 4th dream. First of all, the dream correctly realizes that cyber is everywhere. This is especially critical given the growth of the Internet of Things (IoT) as the 21st century version of Supervisory and Data Acquisition (SCADA) systems. Advice about guarding your rear could easily be interpreted as watch out for intentional (created by bots perhaps) or unintentional backdoors. Today’s software is highly complex and contains tens of thousands of lines of code. Product flaws, whether or known or unknown, can offer inviting entry points for attackers.
Huddling the men could be interpreted as meaning - don’t put all your sensitive data in one spot. This principle is a driving force behind cloud architectures software as a service. Data Centers are giving way to web services for a variety of reasons with cost reduction being a primary consideration and advanced security such as provided by Amazon Web Services (AWS) being another. Not that AWS is impregnable. They make it clear that the client bears a heavy responsibility for security as well.
Concealment needs to be addressed physically and logically. Physically it is not a good practice to make it easy to find your data center. Data centers should be concealed to add to their security and they should be buffered with appropriate physical security measures.
Interestingly enough the 4th Dream makes a case for penetration testing – “Look from the enemy’s view.” As a practical matter, penetration testing should be holistic. While employing white hat (good guy) hackers to test your IT security postures is a good idea, Human Intelligence (HUMINT) operatives should be considered to test resistance to social engineering and other people based efforts.
Makes a case for deception. Read industry expert Bruce Schneier’s brief summary at: https://www.schneier.com/blog/archives/2014/08/us_air_force_is.html.
Use everything you have learned in all the other dreams to come up with the best possible cyber defense in your own situation.