Lessons from U.S. Cyber Command
By Jonathan Reiber and Ben Opel
One of AttackIQ’s mottos is, "Think Bad. Do Good." Security planners throughout history have practiced that formulation. Put simply, it means to secure yourself, you need to think like the adversary. How will they target you? What can you do to defend yourself against their approach? It means taking on a “threat-informed” approach to security planning.
What does “threat-informed defense” mean in practice at the strategic and tactical level? In the years after September 11, 2001, for example, the United States built tight bonds between the intelligence community and military operators to understand and confront extremist groups. The result of this integration was that forward operating bases in Afghanistan came to look more like the headquarters and command centers of yesterday. Intelligence flowed from drone feeds on the battlefield, but also from analysts back home, and a tight feedback loop developed between those studying the adversary and the forces deployed downrange to defend the United States.
Long gone are the days when society perceived the Internet as some kind of utopia devoid of conflict. Yet security administrators have failed to adopt a threat-focused mindset. Historically, network defenders in the public and private sectors often focused their work on meeting baseline cybersecurity best-practices: correcting misconfigurations, administering patches, and deploying commercial cybersecurity products. They often outsourced the “think bad” part of the equation to adversary-focused “red” teams that would try to break past their network defenses.
Threat-informed defense, by contrast, asks defenders to do three things:
understand the adversary’s approach;
identify your valuable data and the capabilities you have to defend it;
build tight bonds between teams to focus on known threats and test your defenses against them.
Organizationally, it is also important to appoint a leader to manage threat-informed defense across the organization, so that intelligence, defense, and testing answer to one plan.
How did U.S. Cyber Command (USCYBERCOM) adopt a “threat-informed defense” approach, and what lessons does it offer the rest of the world? U.S. Cyber Command is responsible for planning the majority of U.S. military missions in cyberspace. It was established in 2009 and grew out of the U.S. National Security Agency (NSA), because of that agency’s role as a military intelligence organization and its historic focus on signals intelligence and cryptanalysis; the two remain co-located at Fort Meade under a single, dual-hatted leader. But the NSA needed to focus on intelligence, and the military needed an operational force that could integrate with other military components under the President and Secretary of Defense to defend the United States.
What does this mean in practice? At a strategic level, in advance of the 2018 U.S. Congressional elections, staff at the NSA and USCYBERCOM formed a Russia-focused “small group” to defend the country against Russian government election interference. As General Paul Nakasone, the USCYBERCOM commander, reported to Congress in late 2019, "The tight links between USCYBERCOM and NSA created a mutually beneficial, intelligence-operations cycle that let us rapidly find and follow leads, discover new information, and create opportunities to act in conjunction with partners.” Intelligence flowed into the defensive planning cycle; the two organizations remain separate, but because one officer both commands USCYBERCOM and directs the NSA (the “dual-hat” arrangement), he can direct them to operate together.
As the U.S. military took on an increasing operational role in cyberspace, defenders focused on adversary tactics, techniques, and procedures. Today the defensively minded Cyber Protection Teams in the Cyber Mission Force of U.S. Cyber Command are often the premier students of the adversary. In 2015, when Russian government attackers broke into Pentagon networks, Cyber Protection Teams in the Cyber National Mission Force were well positioned to help remove them. They understood the Russian government’s tactics better than anyone.
So what does this approach mean for security teams tactically? The good news is that integrating an adversary mindset requires organizational effort but not necessarily new team members. Adopting a threat-informed defense approach is more a methodology than a headcount change, analogous to the Cyber Protection Team mindset and the Russia Small Group that General Nakasone outlined.
It does mean that organizations need to shift away from the traditional blue/red organizational paradigm and towards “purple teams,” in which the defenders and the attack emulators work as one unit, sharing adversary tactics and test results continuously rather than at the end of an engagement. Defensive teams were named “blue” historically because they focused on protecting the network terrain. In addition to these blue teams, organizations devoted resources to “red” or penetration-testing teams to adopt an adversarial approach and test the blue team’s defenses. Blue teams were naturally larger given their ever-growing responsibilities and, over time, compliance requirements. Red teams were smaller, tested only periodically, and never at the scale required to validate the blue team’s defense effectiveness. If blue teams fail to orient towards the most important and likely threats, security resources are wasted. Absent effective testing, security controls are likely to fail when the adversary attacks, granting the adversary easy passage to an organization’s crown-jewel data assets.
Threat-informed teams share three characteristics.
They understand the most dangerous threats they face and which are most likely to impact their operations. What tactics, techniques, and procedures will the adversary deploy? MITRE ATT&CK, the public knowledge base that catalogs adversary tactics and techniques, gives teams a shared vocabulary for mapping the threat groups they face to the specific techniques those groups use, so they can prepare for known adversary behavior rather than for hypothetical ones.
They understand their organizational mission, center of gravity, and critical vulnerabilities. What will the adversary seek to hold at risk? What are their “crown jewel” applications? How will the adversary seek to engage those assets?
They understand and trust their security controls architecture and teams. Have security controls been tested and validated against known threats, and when? Is everyone working together?
To be threat informed, teams should be familiar with the overarching threat landscape, their defense capabilities, and their organization. They should be able to iterate on their own security posture without waiting for an outside assessment. They can screen out low-effort attacks, validate security controls, and challenge advanced threats by defending themselves against known adversary tactics, techniques, and procedures. By becoming threat-informed and deploying automated adversary emulations, whether in the U.S. military or the health sector, security teams force the adversary to change their game, making it that much harder for them to achieve their objectives.
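The three characteristics above (known adversary techniques, crown-jewel exposure, and validated controls) can be joined into one prioritized test plan. The script below is an added example, not AttackIQ’s code or the Cyber Protection Teams’ tooling: it scores each ATT&CK technique by how many in-scope adversary sets use it, the criticality of the most valuable asset it reaches, and the outcome of the last purple-team emulation, then tells the team which techniques to emulate next. The technique IDs are real ATT&CK identifiers, but the adversary profiles, asset list, and test results are constructed sample data, and the group names and scoring weights are hypothetical.

```python
"""Threat-informed control-coverage scoring.

Added example, not the original post's code: joins adversary TTPs, crown-jewel
exposure and purple-team test results and ranks the techniques whose defenses
are weakest. Every data table below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: ATT&CK techniques used by the adversary sets the organization
# tracks. Group names are hypothetical; the technique IDs are real ATT&CK IDs.
THREAT_PROFILES = {
    "ransomware-affiliate": {"T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1486"},
    "state-espionage": {"T1078", "T1059.001", "T1003.001", "T1047", "T1041"},
}

# Constructed: which asset classes each technique would be used against.
TECHNIQUE_EXPOSURE = {
    "T1566.001": {"workstations"},                        # spearphishing attachment
    "T1059.001": {"workstations", "domain-controllers"},  # PowerShell
    "T1003.001": {"domain-controllers"},                  # LSASS memory dumping
    "T1021.002": {"file-shares", "domain-controllers"},   # SMB / admin shares
    "T1486": {"file-shares", "erp"},                      # data encrypted for impact
    "T1078": {"erp", "domain-controllers"},               # valid accounts
    "T1047": {"workstations"},                            # WMI
    "T1041": {"erp"},                                     # exfiltration over C2 channel
}

# Constructed: criticality of each asset class, 1 (low) to 5 (crown jewel).
ASSET_CRITICALITY = {"domain-controllers": 5, "erp": 4, "file-shares": 3, "workstations": 1}

# Constructed: most recent purple-team outcome per technique. A technique that
# is absent here has never been emulated against the controls.
TEST_RESULTS = {
    "T1566.001": "prevented",
    "T1059.001": "detected",
    "T1003.001": "missed",
    "T1486": "prevented",
    "T1078": "detected",
    "T1047": "detected",
}

# Residual-risk multiplier per outcome (hypothetical weights). An untested
# control is weighted like a failed one: nobody has validated it, so assume it fails.
RESIDUAL = {"prevented": 0.0, "detected": 0.4, "missed": 1.0, "untested": 1.0}


@dataclass(frozen=True)
class Gap:
    technique: str
    prevalence: int   # number of in-scope adversary sets that use the technique
    exposure: int     # criticality of the most valuable asset it reaches
    status: str       # prevented / detected / missed / untested
    score: float      # prevalence * exposure * RESIDUAL[status]


def prioritize(profiles, exposure, criticality, results, groups=None):
    """Rank techniques by residual risk, highest first.

    `groups` restricts scoring to the adversary sets judged most likely to
    target the organization; None scores every tracked set.
    """
    in_scope = [g for g in profiles if groups is None or g in groups]
    prevalence = {}
    for group in in_scope:
        for technique in profiles[group]:
            prevalence[technique] = prevalence.get(technique, 0) + 1

    gaps = []
    for technique, count in prevalence.items():
        assets = exposure.get(technique, set())
        worst = max((criticality.get(a, 0) for a in assets), default=0)
        status = results.get(technique, "untested")
        gaps.append(Gap(technique, count, worst, status, count * worst * RESIDUAL[status]))
    # Deterministic order: highest score first, technique ID breaks ties.
    return sorted(gaps, key=lambda g: (-g.score, g.technique))


def next_emulations(gaps, n):
    """Choose the n techniques to emulate next: the highest-risk ones not already
    prevented, so each test run either closes a gap or confirms a control."""
    return [g.technique for g in gaps if g.status != "prevented"][:n]


if __name__ == "__main__":
    ranked = prioritize(THREAT_PROFILES, TECHNIQUE_EXPOSURE, ASSET_CRITICALITY, TEST_RESULTS)
    for g in ranked:
        print(f"{g.technique:<10} prevalence={g.prevalence} exposure={g.exposure} "
              f"{g.status:<9} score={g.score:.1f}")
    print("emulate next:", next_emulations(ranked, 3))
```

With the constructed data, LSASS credential dumping (T1003.001) tops the list because both adversary sets use it against domain controllers and the last emulation was missed, and the never-tested SMB lateral movement (T1021.002) ranks second ahead of techniques that were at least detected. Passing `groups={"ransomware-affiliate"}` narrows the ranking to the threat the team judges most likely, which is the prioritization the post asks for.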
Jonathan Reiber is Senior Director of Cybersecurity Strategy and Policy at AttackIQ and formerly Chief Strategy Officer for Cyber Policy in the Office of the U.S. Secretary of Defense. You can follow him on Twitter @jonathanreiber. Ben Opel is a Purple Team instructor at AttackIQ Academy and a transitioning Captain in the U.S. Marine Corps; his course on purple teaming will soon be available on demand through AttackIQ Academy.
The views expressed in this post do not necessarily reflect the views of the U.S. Marine Corps or the U.S. Department of Defense.