Henry Horton, CISM Partner, CyberSecurity

1. WELCOMECyberSecurity and Global Affairs WorkshopEnhancing Situational Awareness Through Cyber Intelligence Henry Horton, CISM Partner, CyberSecurity

2. The Challenge Cyber Security represents an evolution of security Computer security = 1970’s IT Security = 1980’s IA = 1990’s CyberSec = 2000’s Characterized by advances in information warfare (state sponsored), a focus on intent (criminal activity) and the need for situational awareness. An organization’s Information Technology (IT) supports the mission or business of the enterprise. Information Assurance (IA e.g. confidentiality, integrity, availability) facilitates the IT to carry out this task. Cyber Security advances IA to include all things digital and its data connected through Cyberspace. Security is a function of business. Cyberspace is a the new Battle Space (e.g. air, land, sea, space)

3. Cyber Superiority Cyber operations historically been built around traditional threat analysis, malware identification, monitoring, engineering and response. These mechanisms only allow analysts to perform reactive functions and forensics with some predictive analysis based upon state of the art of network behavior analysis and anomalies detection representing a “post-launch” attack analysis or malware detection capability. The concept of Cyber Superiority reflects the need of a nation to exercise absolute control and authority over the cyberspace within its territory or jurisdiction Dominance in cyberspace requires the need to maintain a strength of readiness to prevent potential adversaries from interference. This facilitates the transformation of current information operations (IO): information warfare (IW) and information assurance (IA) strategies to include political assertions and cyber intelligence to maintain national cyber sovereignty and superiority.

4. Cyber Intelligence (CYINT) The ongoing need for Situational Awareness of internal and external security threats is critical for understanding what is challenging an enterprise so to protect the organization. Being able to have early warning of ‘what’s coming’, ‘to see over the horizon’, so to tweak and tune defenses is desired by CISOs. CyberIntelligence can facilitate Information Warfare, allow for refinement of defenses, shorten sense and respond times, provide data for enhanced metrics, save critical funds and staffing vice “fighting through” and clean-up

5. CYINT As with any battle space (e.g. air, land, sea, space), intelligence is critical to predict, provide forewarning, take proactive offensive measures and defensive countermeasures to deter, detect, delay, defend and defeat threats in order to mitigate risk to friendly forces or the organization. CYINT moves the questions “upstream” of any potential disruptive incident for proper tasking to HUMINT, SIGINT, ELINT, MASINT, and OSINT for collection, closer examination, confirmation and analysis. CYINT must include an “Order of Battle” that can leverage traditional analysis of indicators such as an analysis of signatures of malware design, software development organizations, academics and instruction design where software engineers are trained, exploitation of the knowledge base, biographic analysis, court case analysis, patent filings, technical writings and open source writings to perform threat analysis actions. By understanding the intent of actors, their behaviors, their technical training, logistics and their “delivery” technologies and methods can help enhance situational awareness to become more proactive and predictive.

6. CYINT: So What Do We Know We know the state of the art and what information that provides We know how Hackers attack We know some behaviors of malware We rapidly can know what is the impact of malware But what is missing? Indicators Source; domain, state-sponsored, individual criminal Intent Order of Battle; ISR Construct Configuration of malware When will the next attack occur Where will the next attack occur Who is the target Impact and Outcome Metrics Who is the perpetrator

7. CYINT Improves Capabilities

8. Who is Attacking Me Over The Horizon A A A A Where’s The Attacking Server F F F F Situational Awareness at boundary and back into the org Level of Confidence Level of Confidence B B B B Reactive & Manual Reactive & Manual Present Day Present Day C C C C D D D D E E E E F F F F Response Time Response Time B B C C D D E E A A B B C C D D E E A A Strategic Strategic Integrated Integrated Tools Tools - - based based CYINT CYINT Dynamic IA Dynamic IA CYINT Answers

9. One Model • Learning from the Anti-Virus Community, we know software/code has signatures • We know that programmers are taught either in academic settings or training centers. In some cases, like protéges, some will adopt the signatures of their mentors • By moving into the upstream into the cloud we can detect the malware, capturing the code/script and conducting forensics to understand its behaviors and signatures • We already have server and IP source information but the intent is to get as specific as we can so to determine if it is State Sponsored or an Individual • Need to develop Indicators list for I&W • Develop and Overlay with an Intell/Surveillance/Recon CONOPS • In the analysis of code, geographic source, signatures etc so to task HUMINT, MASINT, SIGINT etc to potential source targets for IW activities, tweak for defense or attack

10. Idea Conducting cyber warfare needs to be done in real-time, similar to a multi-seat military aircraft or a tank operations; it’s hard to determine who the operator is when all the parts make up the whole during the mission. This requires that requires collaboration that often blurs the lines between CYINT analyst and operator skills; however, organizational charters will delineate roles in support of the mission. Collaboration will require real-time connections and shared common operational views Threats are envisioned to be categorized (e.g. nation/state, non-state, military, hackers, etc.). Analysts will seek to determine, in advance, who will attack, why, when, where, and how using a range of skills focused on specific threats. These skills are broken into basic threat assessment (who, why, when, where) and technical assessment (how) orchestrated around effective intelligence cycles applied against standard ISR sources. The technical assessments sources come from monitoring cyber activity directly on the network as well as through SIGINT, ELINT and MASINT.

11. Vision Protect and Defend Networks Provide for Ehanced Situational Awareness , Assure our infrastructures, systems, and data are secure from exploitation, theft and disaster Mission Enhance Situational Awareness/ Sense Defend Enterprise Systems Enhance Response Protect Information: Human Capital Develop Cyber Intelligence: Collection and Analysis Goals Objectives Strategies EXAMPLE Action Plans Cyber Security Strategic Framework Creating a Roadmap

12. Specific Steps • Create Cyber Security Policy and Program • Develop Objectives and Strategies in each Swimlane • Coordinate with LE, Mil, Industry to develop Indicators • Overlay ISR constructs • Stand up Analytical Cell; Seek collaborative agreements from monitoring sources, industry and governments • Configure Distribution of Intelligence • Integrate and Enhance Situational Awareness Capabilities to look upstream and over the horizon

13. Questions Henry Horton, CISM Public Service-NA Security and Cyber Security Initiative 703.675.9498 Henry.H.Horton@accenture.com Alastair MacWillson Global Managing Director, Security Alastair.MacWillson@accenture.com Tel: +44 207 844 3599

14. Information Assurance Program How To Get There! Where You Want To Be! Where You Are! InformationAssuranceProgramRecommendations CurrentIT Program

15. One Model