Levels of Threat Intelligence

Similar documents
Joint Publication 2-0. Joint Intelligence

Joint Communications System

After the Attack. The Transformation of EMC Security Operations

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

STATEMENT BY DAVID DEVRIES PRINCIPAL DEPUTY DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER BEFORE THE

Hearing before the House Permanent Select Committee on Intelligence. Homeland Security and Intelligence: Next Steps in Evolving the Mission

LESSON SEVEN CAMPAIGN PLANNING FOR MILITARY OPERATIONS OTHER THAN WAR MQS MANUAL TASKS: OVERVIEW

Joint Publication 3-0. Doctrine for Joint Operations

Cyber Security Solutions Integrated. Proactive. Resilient.

CHAPTER 3 TOWARD A THEORY OF STRATEGY: ART LYKKE AND THE U.S. ARMY WAR COLLEGE STRATEGY MODEL. Harry R. Yarger

Description of the Joint Strategic Planning System (JSPS)

Threat Intelligence Buyer s Guide

AF C2 Capability Modernization Leveraging Architectures to Achieve Warfighting Integration

Hybrid Warfare & Cyber Defence

SECURITY / INTELLIGENCE / CONSULTING

The virtual battle. by Mark Smith. Special to INSCOM 4 INSCOM JOURNAL

Cyberspace Operations

Cyber Security Operations Centre Reveal Their Secrets - Protect Our Own Defence Signals Directorate

Roles and Responsibilities of Cyber Intelligence for Cyber Operations in Cyberspace

Joint Publication 5-0. Joint Operation Planning

White Paper: Cyber Hawk or Digital Dove

Joint Publication Joint Doctrine for Campaign Planning

FEDERAL RÉSUMÉ. Client Name PROFILE SUMMARY

Flexible, Life-Cycle Support for Unique Mission Requirements

Director of Intelligence Proposed Research Topics

DoD Strategy for Defending Networks, Systems, and Data

Intelligence Driven Security

Update on U.S. Critical Infrastructure and Cybersecurity Initiatives

GAO DEFENSE DEPARTMENT CYBER EFFORTS. More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst

A Leader Development Strategy for a 21 st Century Army

CHAPTER 20 CRYPTOLOGIC TECHNICIAN (CT) NAVPERS K CH-63

Joint Concept for Command and Control of the Joint Aerial Layer Network 20 March 2015

DEPARTMENT OF THE NAVY HEADQUARTERS UNITED STATES MARINE CORPS 3000 MARINE CORPS PENTAGON WASHINGTON, DC

Developing Cyber Threat Intelligence or not failing in battle.

ADP50 MAY201 HEADQUARTERS,DEPARTMENTOFTHEARMY

INTERNATIONAL RELATIONS COMPREHENSIVE EXAMINATION WINTER 2015

DEFENSE INFORMATION SYSTEMS AGENCY STRATEGIC PLAN UNITED IN SERVICE TO OUR NATION

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL. (U) SIGINT Strategy February 2012

DOD DIRECTIVE CLIMATE CHANGE ADAPTATION AND RESILIENCE


Department of Defense INSTRUCTION

CAE GESI Command & Staff Training

COJUMA s. Legal Considerations for Defense Support to Civil Authorities. U.S. Southern Command Miami, Florida Draft

Organizational Structure What Works

Establishing a State Cyber Crimes Unit White Paper

A Primer on Cyber Threat Intelligence

Threat Intelligence & Analytics Cyber Threat Intelligence and how to best understand the adversary s operations

Who s got the grease pencil?! What Cyber Security can Learn from the Outer Air Battle

A Community Position paper on. Law of CyberWar. Paul Shaw. 12 October Author note

Obtaining Enterprise Cybersituational

CENTRE FOR STRATEGIC CYBERSPACE + SECURITY SCIENCE LEADERSHIP. RESEARCH. DEFENCE.

Department of Defense DIRECTIVE

Industrial Control System Cyber Situational Awareness. Robert M. Lee* June 10 th, 2015

The Balanced Scorecard. Background Discussion

Covert Operations: Kill Chain Actions using Security Analytics

APT-28. APT28 Targets Financial markets: zero day hashes released. 1 root9b.com

CYBER PANEL MEMBERS. Mr. Hart is a member of the United States Air Force Senior Executive Service with over fifteen years service as an SES.

Integrating Continuity of Operations (COOP) into the Enterprise Architecture

Army Planning and Orders Production

UNCLASSIFIED. UNCLASSIFIED Office of Secretary Of Defense Page 1 of 8 R-1 Line #50

BlacKnight. Cyber Security international A BUSINESS / MARKETING PRESENTATION

Joint Publication Space Operations

JOINT STATEMENT COMMISSION ON WARTIME CONTRACTING

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

Trends Concerning Cyberspace

Cybersecurity: Mission integration to protect your assets

Advanced Threat Protection with Dell SecureWorks Security Services

Army Doctrine Update

AT A HEARING ENTITLED THREATS TO THE HOMELAND

Combating Spear-phishing:

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Predictive Cyber Defense A Strategic Thought Paper

White Paper An Enterprise Security Program and Architecture to Support Business Drivers

How to Use Cyber Threat Intelligence in my Workflows?

Above My Pay Grade: Incident Response at the National Level

Department of Defense DIRECTIVE

The Role of the Emergency Manager: Has It Changed Since ?

The National Counterintelligence Strategy of the United States

FM 2-0 INTELLIGENCE MAY DISTRIBUTION RESTRICTION: Approved for public release, distribution is unlimited HEADQUARTERS DEPARTMENT OF THE ARMY

Cyber intelligence exchange in business environment : a battle for trust and data

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

CyberReady Solutions. Integrated Threat Intelligence and Cyber Operations MONTH DD, YYYY SEPTEMBER 8, 2014

Joint Publication 4-0. Joint Logistics

Software Reprogramming Policy for Electronic Warfare and Target Sensing Systems

U.S. Army Research, Development and Engineering Command. Cyber Security CRA Overview

Transcription:

Levels of Threat Intelligence SANS CTI Summit 2016 2016-02-03 Michael Cloppert LM-CIRT

The Struggle is Real My challenge: Convey academic concepts to detail-oriented, technically proficient practitioners who might be skeptical that simple concepts can subconsciously and profoundly influence cognition. Bias is a natural heuristic a short-cut, or simplification, our brains use to interpret our environment. These ideas are basic; their imprecision is deliberate. They are controlled biases, where the degree to which they improve our understanding of adversaries is the primary measure of success. 2

Levels of Threat Intelligence - Overview Concept: Degrees of abstraction, like those in established intelligence disciplines, clarify how we think about our own. Joint Publication 2-0 Background / motivation A FOR578 student asked about the JP 2-0 I felt stupid and read it I thought meh I read it again My brain did a thing and felt funny I did some research My thinking about CTI became much more clear Joint Intelligence 22 October 2013 The military did something smart 3

Who Dis Iz? Hints: Was a BAMF Was Prussian (that means German, -ish) Wrote a book on war Not Sun Tzu, though I see the resemblance Literally, titled On War Military theoretician, ideas survived emergence of: Mechanized warfare Air combat Chemical, biological, nuclear weapons Carl von Clausewitz 4

So what? Dude s been around awhile his theories are quite old! 5

Growing Pains in CTI The primary purpose of any theory is to clarify concepts and ideas that have become entangled. - Carl von Clausewitz Intel-driven CND has grown tremendously Our intelligence corpus Our models and their dependencies, relationships Our capabilities Our workflows We now have a spectrum of all of these The spectrum has caused mis-communications, confusion, conflict Our domain is so complex, we have experienced entanglement We need a simpler way to think about this complexity 6

von Clausewitz: Relevant Theory Introduced concepts of tactical and strategic levels of war Alluded to application of strategy as operations Provided basis for levels of war used through today: Tactical Operational Strategic Established intelligence studies borrow from / mimic this Intelligence, defined every sort of information about the enemy and his country the basis, in short, of our own plans and operations von Clausewitz, On War http://www.clausewitz.com/readings/echevarria/apstrat1.htm 7

And? Despite being over 200 years old, theories have withstood major changes in capabilities and remain relevant if these theories are applicable to us, they will stay applicable to us! 8

JP 2-0: Joint Intelligence 2013 publication written under orders from CJCS Dempsey Guidance for conducting intelligence activities across the range of military operations Defines Tactical, Operational, Strategic intelligence levels Is collective paradigm for intelligence within U.S. military Joint Publication 2-0 Joint Intelligence 22 October 2013 LET S STEAL i mean BORROW IT! 9

JP 2-0: Caveats, Considerations Document is much more than this presentation Provides other applicable concepts Will you be attending vol. 4? ;-) Other stuff, maybe? Provides insight into how your country s military operates at high level Our focus is one concept at a time 10

JP 2-0: Intelligence and the Levels of War Strategic Consumers POTUS NSC Congress SECDEF CCDRs Assessments Effects on national security of US, allies Operational Tactical 11

JP 2-0: Intelligence and the Levels of War Strategic Operational CCDRs, JFCs Consumers Effects Product Type POTUS, NSC, Congress, etc US, allied nat l security Anticipatory Capability selection, collection prioritization Interpretive Tactical Commanders, planners, operators Battle plans & execution, engagements Observational 12

of intelligence operations. JP 2-0: Every level matters! capabilities and intentions of adversaries that could affect the national security and US or allied interests. Operational intelligence is primarily used by CCDRs and subordinate joint force commanders (JFCs) and their component commanders. Tactical intelligence is used by commanders, planners, and operators for planning and conducting battles, engagements, and special missions. Perspective Principles of Joint Intelligence (OE: Operational Environment) Intelligence analysts should strive to understand all relevant aspects of the OE. This understanding should include not only the adversary s disposition, but also the sociocultural nuances of individuals and groups in the OE. Synchronization (Synchronize Intelligence with Plans and Operations) Intelligence should be synchronized with operations and plans in order to provide answers to intelligence requirements in time to influence the decision they are intended to support. 13

Intel-driven CND / Cyber Threat Intelligence Levels Consumers Effects Product Strategic Executives, BAISOs Operational CIS, CIRT, customers, some peers Business strategy risk calculus Investment priorities, capabilities, comprehensive intel, data access Nation-state Threat Assessments Campaign analysis Tactical CIRT, partners Mitigations, detections, IR KC completion In our domain, we can generally think of the levels thusly: Strategic Operational Tactical Nation-state Campaign Intrusion 14

Intelligence and Command Intelligence flows up 1. Intrusion 2. Campaign 3. Nation-state Command flows down 1. Business decisions, needs Strategic Operational 2. Collection, processing, assessment capabilities 3. Alerts, workflows Tactical 15

Implications to IR Teams Org responsibilities, products Part of team mission statements Illustrates value of analysis at every level Answers some questions about relevance Work may be prioritized independently per level Avoids some aforementioned conflicts Analyst perspectives better understood Provides another facet of staffing levels Many of us are tactical Some are operational Few are strategic 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information