Formalizing Cyber Threat Intelligence Planning: Part IV

Published in SecureSet Command Line, Oct 12, 2018 (7 min read)

Part 4 of 10: Intelligence Preparation of the Environment (IPE): Step 2, by Chris Ruel, Full-Time Instructor at the SecureSet Denver campus.

The “environment” is the space in which both sides will contend. The analyst must identify the opportunities and limitations that the environment offers to both friendly and adversarial operations. The assessment focuses on the general capabilities of each side (a detailed Course Of Action, or “COA”, comes later, during Step 4 of the IPE process). Step 2 (Describe the Effects) can be further broken down into sub-steps:

1. Analyze the Environment
   i. Aspects of Terrain
   ii. Terrain Classification and Overlay
   iii. Known Adversaries
   iv. Other Aspects of the Environment
2. Describe the Effects
   i. Effects on Friendly
   ii. Effects on Adversary

  1. Analyze the Environment (Terrain Analysis): As noted in this article by the NATO Cooperative Cyber Defence Centre of Excellence, “the term terrain is almost always used to describe physical locations that can be easily pointed to on a map.” The pictures below show the same area (Alpine National Park, Australia). Which is more useful for analysis and planning? Which provides more information?

Your network is no different. The physical terrain in a home office network, for example, may look something like this:

But the digital terrain (the one you really care about) looks more like this:

[Figure: Sample Home Network]

The terrain map of the network includes a lot of metadata that adds depth to the analysis. Visualizing the network in this way makes exposures and vulnerabilities stand out.

i. Aspects of the Terrain: Let’s consider the network according to five particular features:

  • Observation: What can the adversary (or you) see, and how do you see it? Think about what is visible through OSINT (Open Source Intelligence) and recon. How much detail can they get by mapping your network? How is user/visitor activity logged, monitored, or analyzed?
  • Concealment and Cover: Concealment is protection from observation (think Tor). Cover is protection from effects (a firewall or a reverse proxy). Where can the adversary hide? Where can you hide? What protects either of you?
  • Obstacles: What is in the adversary’s way (e.g. credentials, firewall, air gap)? What is in your way (policies, permissions, hardware and software limitations)? An obstacle is anything that hinders movement or progress toward a desired objective end state.
  • Cyber Key Terrain (C-KT): The critical information systems within the environment that enable an actor to:
    a. Retain freedom of maneuverability in cyberspace
    b. Enable other operational activities
    c. Deny freedom of action to adversaries

C-KT can consist of interdependent networks, critical infrastructures, the nodes on those networks, and the system data that support them. A root or sysadmin account could also be considered C-KT.

  • Avenues of Approach: Attack vectors, i.e. the ways an adversary can get to a target. Logical connections (HTTP, SSL, APIs, etc.) are generally more important than physical ones (routers, switches, cables). Phishing attacks, which could ultimately lead to a logical connection via an exploit, also fall under an Avenue of Approach.

ii. Terrain Classification and Overlay: For simplicity, let’s classify terrain by mobility, or by the ability to move or be moved freely and easily. Mobility is synonymous with access, and the greater an adversary’s access, the greater threat they present. Cyber terrain can be thought of as:

  • Unrestricted (Green): Easy access without any work to enhance mobility, e.g. connecting to an open wifi network.
  • Restricted (Amber): Hinders movement to some degree or slows progress, e.g. using a tool like Aircrack-ng or Wi-Fi Crack to crack simple passwords.
  • Severely Restricted (Red): Slows or stops movement to a significant degree. This includes hardened and air-gapped networks. Mobility enhancement is required, which can come from spear-phishing attacks, physical access to hardware, or insider misconduct.

It helps to overlay this classification on the network diagram to identify the more vulnerable parts of your network. Data stored on servers in China that you don’t have physical access to or control over would be far less restricted terrain than an air-gapped intranet in an access-controlled section of your office. Looking at this overlay will inform likely adversary avenues of approach.
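As an added example (not from the article or its author), here is a small Python model of the overlay step: a constructed home-office network whose nodes carry the Green/Amber/Red mobility classes and a C-KT flag, plus a least-effort path search from the internet to each piece of key terrain, which is one way to surface the likely avenues of approach the paragraph mentions. The node names, the link list and the effort cost assigned to each class are assumptions made for the example.

```python
import heapq

# Mobility classes from the article, mapped to a constructed "effort" cost:
# the work an adversary must do to gain access to a node of that class.
MOBILITY_COST = {"green": 1, "amber": 3, "red": 9}

# Constructed sample terrain: node -> (mobility class, is cyber key terrain)
NODES = {
    "internet":     ("green", False),
    "guest_wifi":   ("green", False),  # open wifi: unrestricted
    "office_wlan":  ("amber", False),  # weak encryption: restricted
    "router":       ("amber", False),
    "nas":          ("amber", True),   # holds the backups: C-KT
    "admin_laptop": ("red",   True),   # root/admin credentials: C-KT
}
# Constructed logical links (HTTP, SSH, shares...), not physical cabling
LINKS = [("internet", "router"), ("internet", "guest_wifi"),
         ("guest_wifi", "router"), ("office_wlan", "router"),
         ("router", "nas"), ("office_wlan", "admin_laptop"),
         ("admin_laptop", "nas")]

def adjacency(links):
    """Undirected adjacency list from the link pairs."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj

def avenues_of_approach(nodes, links, start="internet"):
    """Least-effort path (Dijkstra over mobility costs) from `start` to every
    C-KT node. Entering a node costs its mobility class; a lower total means
    a more likely avenue of approach and a spot the overlay should flag."""
    adj = adjacency(links)
    best = {start: (0, [start])}
    heap = [(0, start, [start])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale entry
        for nxt in adj.get(node, []):
            new_cost = cost + MOBILITY_COST[nodes[nxt][0]]
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, path + [nxt])
                heapq.heappush(heap, (new_cost, nxt, path + [nxt]))
    return {n: best[n] for n, (_, ckt) in nodes.items() if ckt and n in best}

if __name__ == "__main__":
    for target, (cost, path) in avenues_of_approach(NODES, LINKS).items():
        print(f"{target}: effort {cost} via {' -> '.join(path)}")
```

Raising a node's class (for example moving the NAS behind a segmented, authenticated network so it becomes Red) changes the cheapest path, which is the kind of terrain modification the decision maker is choosing between.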

iii. Known Adversaries: An important feature of any environment is knowing which adversaries tend to occupy that space. Your available time and resources will limit how many adversaries you can consider, so it’s best to focus on known threat actors that target your specific sector. For example, if I were a company looking to open a consumer packaged goods manufacturing facility in Vietnam, I would be more concerned with Advanced Persistent Threat (APT) 32, the OceanLotus Group, than with APT 29 or a lone Brazilian cyber criminal. All that’s required at this stage is a list of known (or suspected) adversaries. For simplicity I would keep the initial list to fewer than five.

iv. Other Aspects of the Environment: As we mentioned in Part 1, your approach to security must be holistic. There are conditions besides the state of your hardware and software that can impact your security posture. Things like:

  • Political Considerations: In 2014, when Sony decided to release “The Interview”, a satire about North Korea and its leader, they ignored North Korea’s promise of a “decisive and merciless countermeasure.” Needless to say, things didn’t turn out well for Sony.
  • Security Culture: Are you working in a tech-savvy start-up figuring out how to change the world with blockchain, or are you doing IT for a 145-year-old law firm where the boss still insists on printing off all of his emails to read them? Understanding this component will allow you to tailor your strategy.
  • Auditing Procedures: Knowing what auditors are looking for, and where and how they are looking, will identify blind spots in your defense.
  • Backups: How often are backups done? How are they executed and stored? What is the expected recovery time? Let’s say an adversary used ransomware to lock you out of your files and wants $100,000 to unlock them. It would take 72 hours to restore the system from backups (which are stored off site on magnetic tape). During that time you would lose $500,000 in revenue. What do you do? Most likely you pay them off and write down the loss.

2. Describe the Effects: When an analyst describes the effects, they do so in general terms. Describing the Effects is the determination of how the environment affects both adversary and friendly COAs. This addresses the common fault of not explaining why the aspects of terrain are important. Usually we think in terms of Offense and Defense, or Attacking and Defending, and effects should be explained in these terms:

  • “The use of a firewall and reverse proxy server favors the defender because the threat consistently attacks from a known IP address and uses DDoS attacks.”
  • “The WLAN favors the attacker because it uses weaker encryption (WEP) and does not require a VPN, which allows the attacker to see data transmitted in the clear.”
  • “Reliance on Windows 7 and Server 2012 favors the attacker, as there are numerous vulnerabilities and patching is inconsistent across our enterprise.”

If done successfully, decision makers will be able to quickly choose and exploit or modify the terrain that best supports their objectives, and to identify threat COAs. Failure could result in lost opportunities or the adversary exploiting the environment in unanticipated ways. In the next post we will Evaluate the Adversary. When combined with an understanding of the terrain, this will lead us into Determining Adversary COAs.

For further reading on this subject, you can take a look at some of the references that I used when writing this blog post:

References:

  1. FM 3-38, Cyber Electromagnetic Activities
  2. Joint Publication 3-12 (R), Cyberspace Operations
  3. ATP 2-01.3, Intelligence Preparation of the Battlefield/Battlespace
  4. FM 34-130, Intelligence Preparation of the Battlefield
  5. Key Terrain in Cyberspace: Seeking the High Ground

If you’re just joining us for this series, you can catch up by reading Formalizing Cyber Threat Intelligence Planning: Part I, Part II and Part III.

Christopher Ruel is a Full-Time Instructor at the SecureSet Denver Campus. He teaches Cyber Threat Intelligence as well as Strategy and Analysis. Chris is an Army Special Forces Officer with years of operational experience overseas. He has also worked closely with the Intelligence Community in pursuit of US strategic objectives. He has earned a BA in history, as well as an MBA with a concentration in Business Analytics.
