Creating a Cyber Defense Team

Sunday, November 07, 2010

Richard Stiennon


“Success depends on sound deductions from a mass of intelligence” -Winston Churchill

New threats and new measures to counter them call for a reorganization of IT security teams so that they can focus on defending the organization from targeted attacks.

It is only ten years since most enterprises established separate security teams to address vulnerabilities and deploy and maintain patches and virus signature updates as well as configure and maintain firewalls.

To ensure that policies were created and enforced, most organizations also created the position of Chief Information Security Officer (CISO), who enacted those policies and became responsible for ensuring that the organization was in compliance with standards and regulations.

The rise of targeted attacks must be met by similar organizational enhancements. The terminology and titles are not important but the roles and responsibilities described here are required to mount an effective cyber defense.

It is interesting to note that the Cheong Wa Dae (Korean President's “Blue House”) has instituted a special Cyber Defense Team in reaction to concerted attacks on the computers of the G20 Summit Committee in Seoul.

“Since June, the government has been running a special cyber defense team to prevent attacks against major private and public computer networks.” - The Chosunilbo

Countering targeted attacks calls for new measures. One of those measures is the creation of specialized teams that are not bogged down in the day-to-day tasks of blocking viruses and cleaning up machines. Here is my proposal for such an organization.

Team Lead: Cyber Defense Commander

The title may evoke a too martial image. Perhaps cyber defense team lead, or director of cyber defense, will be a better fit. But the idea of one-throat-to-choke in establishing a leadership role is an effective way to motivate a team and its leadership with the seriousness of its task.

They must be instilled with the idea that they are targeted, under attack daily, and engaged in a battle to protect the organization from a malicious adversary. The cyber defense team replaces the traditional computer emergency response team (CERT) and will probably incorporate most of the same people.

The cyber defense commander is responsible for establishing the cyber defense team, assigning and directing roles, making sure the correct tools and defenses are deployed, putting in place controls and audit processes, and reporting to upper management on the results of those processes and audits.

The cyber defense commander would also be the primary point of contact for communicating to law enforcement and intelligence agencies when the inevitable situation arises that requires outside help or communication.

A large organization with divisions spread around the globe or separate large business units may well have cyber defense teams deployed in each division with their own leaders who report up to the cyber defense commander. (Call them lieutenants if you must but I am not going to take the military command structure that far.)

The cyber defense team should have three primary roles: an outward looking role, an operational role, and an inward looking role. Each of those roles is described next:

Cyber Defense Analysts

Cyber defense analysts are the intelligence gatherers. They study the threatscape with an eye towards emerging threats to the organization. Most organizations assume that, because they have so many people in IT security, someone is looking out for the latest attack methodologies or tools, and even keeping tabs on the various groups that engage in cyber attacks.

Unfortunately the operational aspects of IT security are too consuming to allow this type of outward looking focus. IT security practitioners are very inquisitive and attempt to keep up with the huge volume of information available to them at conferences, from vendors, and in the news. But their activities are ad hoc and mostly voluntary.

Would TJX have succumbed to an attack that entered through a WiFi access point in a store in Minneapolis if they had had someone staying abreast of the news who would have seen the exact same methodologies used against a Lowe’s store in Southfield, Michigan four years before?

A team of cyber analysts working at a mining or oil and gas exploration company would have been alert to the news that the three largest such firms in the US (Marathon Oil, ExxonMobil, and ConocoPhillips) were compromised in 2008.

They would have had contacts within the community who would have given them a heads up. They would then have seen the 2009 attacks against BHP Billiton, Rio Tinto and Fortescue Metals Group, the major natural resources companies in Australia, and analyzed those attacks for similarities. They would have raised a red flag that their own organization could be targeted as well and increased the vigilance of the internal teams.

Cyber defense analysts assume the role played by counterintelligence agents inside most governments. They gain an understanding of the attackers and their tradecraft and advise those responsible for defending against them. As members of a cyber defense team these analysts will be responsible for:

1. Understanding the state of the art in attack methodologies. They should research and understand the successful and attempted attacks against similar organizations. They do this through monitoring news reports, security research reports from the vendors including McAfee Labs, VeriSign’s iDefense team, Verizon’s Threat Report, F-Secure’s Mikko Hypponen, Symantec's threat report, Sourcefire's VRT, Fortinet Research, Infowar Monitor, IBM X-Force, as well as independent researchers such as Dancho Danchev, Brian Krebs, Nart Villeneuve, and hundreds of others.

2. Getting to know potential attackers and monitoring their activity. Is the organization a target for industrial espionage from competitors or state sponsored spies? Could a particular fanatic group, be it PETA, Greenpeace, Islamic Jihad, or a religious faction, be targeting the enterprise?

3. Monitoring known attack sources and distributing the IP addresses of those sources internally for purposes of blocking and alerting.

4. Communicating the threat level to the rest of the cyber defense team.

5. Assisting in evaluating technology for internal deployment.

This post is an excerpt from Cyber Defense: Countering Targeted Attacks (Government Institutes, 2011).

Cross-posted from Threat Chaos
