YOU do not think of cyber security adversarial-y. You know you need a firewall. You know you need to lock down permissions by group. You think you know why, you have no idea why! But that’s why I’m here.
So you think you know what tactics are because you’ve played Call of Duty…just to be sure. A tactic is a way of orienting and organizing forces against an adversary to achieve a specific goal. Tactics are by their nature adversarial and do not exist in a vacuum.
The military does an excellent job teaching tactics and the civilian world often misses out on the importance of such concepts especially in the cyber security realm. The purpose of this blog series will be to encourage the reader to think of cyber security from an adversarial point of view. Cyber security engineers, analysts, and operators should consider all actions on the network as tactics taken to counter an adversary. All players in the field of cyber security have a goal; achieving your goal while thwarting the adversary is what matters at the end of the day.
I’m Matthew Durham and what you will read from me may differ from some other cybersecurity professionals as my military training and Air Force background provide what I hope is a valuable lens from which to view our cyber problem set. Most of what I use to analyze these problems is based around Air Force doctrine, tactics development, and how the Air Force structured its’ cyber mission force after flying squadrons. What you will be reading in this and subsequent blogs will discuss tactics with an emphasis on the 5 points of mission planning:
- Mission Goal
- Status of Forces
- Initial Tactical Engagement
- Countering an Adversary’s response
To introduce these concepts consider a military engagement between an F-15 and an F-16. While reading through this scenario, consider how it applies to your organizations cyber security planning.
Scenario: An F-16 has been tasked with bombing a facility guarded by an F-15.
Off the bat we’ve established a goal for each aircraft. The F-16 will attempt to bomb a facility while the F-15 will attempt to guard the facility from being bombed.
Status of Forces
Next, we will analyze the current status of forces. The F-16 is a very maneuverable aircraft with a single engine and single pilot. The F-15 is a twin-engine aircraft that has a pilot and a weapons officer. The F-16 can safely assume that the F-15 will be equipped with air to air missiles and a gun to prevent him from engaging the facility. The F-16 will bring its own air to air missiles to the fight, gun, and a bomb to drop on the facility. The F-16, as the aggressor, also has the element of surprise on his side.
|F-16||gun, air to air missiles, bomb||surprise, maneuverability|
|F-15||gun, air to air missiles||range, thrust|
Initial Tactical Engagement
After we’ve established the current status of forces, we will move on to describe our tactical engagement of our adversary and how we will achieve our goal. The F-16 is not tasked with shooting down the F-15 even though doing so would make its job easier. The F-16 could fly close to the ground to the ground to avoid the F-15’s radar, bomb the facility, and attempt to escape without being engaged by the F-15. This is risky but feasible. The F-16 will minimize this risk by sticking close to the mountain range which will block the F-15’s radar.
The F-15 will position itself in a circular pattern above the facility and scan with its radar to detect an incoming adversaries and engage them to protect the facility. This provides the F-15 with a 360 degree detection pattern around the facility.
|Initial Tactical Plan|
|F-16||Fly close to the ground to avoid the F-15’s radar and get close enough to bomb the facility|
|F-15||Fly in a circular pattern to ensure it can detect adversaries in 360 degrees around the facility|
Countering an Adversary’s Response
No good plan is developed without taking into account an adversary’s response. The F-16 will create a backup plan to engage the F-15 if it looks like the F-15 is about to endanger the F-16s goal. The F-16 has the upper hand in maneuverability and will win an engagement with an F-15 if it can get close enough. This plan of action is reserved only for if the F-15 endangers the goal, as the destruction of the F-15 is not strictly necessary to complete the mission.
The F-15 has realized that an adversary that comes in close to the mountain range may be missed by its’ radar and will conduct targeted scans of the area in order to detect any adversary that may take advantage of terrain in this matter.
|Counter Adversary Response|
|F-16||Engage F-15 at close range and overcome with increased maneuverability|
|F-15||Conduct targeted scans of likely avenues of approach from adversary|
In this scenario, we will end with the F-16 approaching the facility and being forced to engage with the F-15 in air to air combat. Luckily enough for the F-16 it was able to use the element of surprise to get in close enough to defeat the F-15 with its increased maneuverability and move on to destroy the facility.
|Goal||Status of Forces||Initial Tactical Plan||Counter Adversary Response|
|F-16||Bomb Facility||gun, air to air missiles, bomb||surprise, maneuverability||Fly close to the ground to avoid the F-15’s radar and get close enough to bomb the facility||Engage F-15 at close range and overcome with increased maneuverability|
|F-15||Guard Facility||gun, air to air missiles||range, thrust||Fly in a circular pattern to ensure it can detect adversaries in 360 degrees around the facility||Conduct targeted scans of likely avenues of approach from adversary|
This scenario serves to illustrate the purpose of adversary based thinking. Neither aircraft wasted resources on an action that wasn’t designed to achieve their end goal and counter the adversary. The final planning document for each aircraft looks like this.
A key component of the Air force’s tactics program is to debrief the end result of any mission. There is always room for improvement in any engagement. These debriefs are conducted with a ‘leave your ego at the door’ style. Problems are addressed directly at individuals and members must have a thick skin and willingness to improve to take such direct criticism.
A debrief for the F-16 pilot may examine the failure to evade the F-15’s radar. During the debrief, members would examine how effectively the F-16 flew to the ground and what led to detection of the aircraft. A root cause analysis may show that the terrain was not well suited for low flight, that the pilot incorrectly executed the tactic, or that the F-15’s radar is simply good enough to detect the aircraft no matter what. Future mission planning may choose to address this root cause by planning ahead of time to engage the F-15.
A debrief for the F-15 pilot will address the mission failure. Root cause analysis will be used to pinpoint the problem and may turn up issues such as the pilot was bored and failed in his vigilance while protecting the facility or the radar of the F-15 was not good enough to detect the F-16 so close to the ground. Future mission planning may choose to put a ground radar on the facility with a link to the F-15 to increase the range at which it can detect and engage threats.
Cyber security is an established business and as experts in this field you must frame security from an adversarial point of view. All too often, we let threats take us by surprise. As a community we’ve been around long enough that it should be and unless you are in denial, it is embarrassing. You know the spectrum of threats from script kiddies to state sponsored zero days. You know the devastation that can be wrought on your businesses by a successful breach. Putting the latest and greatest network security devices in place without a firm knowledge of how they engage your adversary or how your adversary will counter them is no longer an option. Together we will become smarter about employing hardware and software by framing it against an adversary. With this mindset I expect to make you a better security engineer who leverages your existing capabilities against emerging threats and better empower managers to understand and procure technologies with the knowledge of how and what that technology will do to protect their organization and allow you to exact your will on your companies’ adversaries and achieve your goals while denying this ability to those adversaries. Excited yet? I know I am!