A Model for Cyber Security Capabilities

Cyber security can be defined as 'the analysis,

warning, information sharing, vulnerability
reduction, risk management and recovery efforts
to detect, protect against and mitigate the impact
of threats that leverage the cyber domain.
Though, cyber security has been identified as one
of the Top 'Most !ikely' risks to global
development, according to this definition, cyber
security is not necessarily a new concept.
Security is and always has been an integral part of any network. "owever, today's
networks have become more critical, underpinning many of the nation's most vital
services. #tilities, energy, financial, healthcare, government, and military systems
all rely on the network to operate effectively. These networks come under regular
attack from an increasing range of sophisticated cyber threats, including$
Advanced, persistent threats %A&T'
Malicious Software %Malware'
"armful email attachments and phishing
Malicious web sites
(enial of service attacks %(oS'
Mobile device e)ploits
Cyber attacks are a global threat where the speed of attack propagation is
measured in seconds and there is no limit to the distance between attacker and
victim. Many traditional attacks are still prevalent with malware such as the
endemic conficker worm and cyber criminals who use social engineering
techni*ues such as phishing and spear+phishing. "owever, more recent attacks
such as the (oS attack on ,stonia, -hostnet, .lame, Shamoon, and the Stu)net
worm are believed to incorporate a state+sponsored element. ,ven where there is
no direct link between nation states and cyber criminals, there is always the danger
that these criminals may be conscripted at short notice.
/f all of the threat categories above, A&T represents the greatest level of concern
to national infrastructure and strategic interests. A&T is defined as an attack where
the adversary attempts to gain access, maintain foothold, and modify data to
disrupt systems or perform data e)filtration through covert channels. A&Ts are
typically performed in several stages and over long periods of time in order to
avoid being detected by traditional security mechanisms.
Cyber threats originate from a variety of actors ranging from foreign nation states
to hacktivists and re*uire specific cyber security counter+measures. Such
measures should incorporate technical, policy, and process related controls and be
designed to protect information and systems directly accessible from the 0nternet,
as well as those that are isolated. The e)perience of the Stu)net outbreak clearly
highlights the fact that 1ust because a system is not 0nternet accessible, it can still
be infiltrated by a motivated attacker.
The Cyber Attack Chain
There are a number of frameworks available for understanding and analy2ing the
landscape of cyber security threats and responses. A good approach for describing
common threat patterns, regardless of the adversary, their goals, or method of
attack, is represented by the 3intrusion kill chain3 model proposed by !ockheed
Martin. This model, derived from #.S. (o( targeting doctrine, describes cyber
attacks as a progressive campaign, encompassing a series of distinct intrusion
phases.
The concept of operations derived from the 3intrusion kill chain3 model illustrates
that a defender can neutrali2e cyber threats using countermeasures designed to
disrupt the different phases of the attack chain. A disruption at any phase in the
chain will stop the overall attack. .urthermore, as separate attacks are correlated,
common patterns emerge that aid threat analysts in developing the intelligence
necessary to mitigate future attacks.
Threat Countermeasures
The different phases of the 3intrusion kill chain3 provide a basis for defining an
appropriate set of attack countermeasures. These countermeasures fall into four
general categories$ &rotect, (etect, 4eact, and Survive. The diagram in figure
illustrates how each group of countermeasures aligns with the different phases of
the 3intrusion kill chain3.
&age 5 of 6
7889:5; http$88www.cisco.com8web8A&8partners8cyber<security<blog<tab.html
&rotection countermeasures serve two important purposes in helping defeat the
reconnaissance, packaging, and delivery attack phases. .irst, they help eliminate
disclosure of information that an adversary can use in developing an attack
strategy. Second, they help eliminate and protect against weaknesses and
vulnerabilities in the infrastructure. &rotection countermeasures re*uire
capabilities that deliver trust, authentication, integrity, confidentiality, and access
control. Modern protection services harness integrated, infrastructure+based
identity management and policy enforcement capabilities that dynamically enforce
which users can access what information under what conditions.
(etection countermeasures provide visibility into infrastructure systems and
operations, helping reveal indicators of potential threats and attacks. (eep
inspection and conte)tuali2ation of activities occurring across the delivery,
e)ploitation, installation, and command and control phases provides a high+level of
situational awareness that enables defensive actions. /ne of the difficulties in
detecting A&Ts is their tendency to employ covert infiltration techni*ues that
e)ploit 2ero+day vulnerabilities. Sophisticated detection countermeasures analy2e
data across multiple sources to uncover the anomalous behaviors that indicate
malicious activity.
4eaction countermeasures provide the ability to block, manage, and redirect
attacks. !everaging detection countermeasures, baseline security capabilities can
intercept and remove active threats. More advanced security capabilities can
minimi2e the impact of attacks on infrastructure systems and, in some cases, fool
adversaries into thinking the attack is progressing successfully. =y permitting
attacks to continue in a controlled, sandbo)ed environment, analysts can gain a
better understanding of the nature, methods, and goals of the attack.
Survival countermeasures provide a level of resilience and continuity of operations
should the infrastructure succumb to a successful attack. 0n many cases, cyber
attacks are not a matter of 3if3 but 3when and how bad3. =y building capabilities
for fault tolerance and agility into the infrastructure, a defender can mitigate and
minimi2e the worst effects of loss or disruption.
Cyber Security Capabilities
As a cohesive, comprehensive approach to modeling cyber threats, the 3cyber
attack chain3 and respective countermeasures provide a foundation for defining
and implementing cyber security capabilities. ,ven though a disruption in any one
phase can block the overall attack, a resilient, defense in depth approach re*uires
a spectrum of capabilities that implement countermeasures along the entire chain.
This ensures that a fault in one or more countermeasure does not necessarily
e)pose a vulnerability in the infrastructure. Additionally, a continuum of mutually
reinforcing defense capabilities deters adversaries by increasing the cost and
comple)ity of conducting a cyber attack campaign.
The diagram in figure defines the spectrum of cyber capabilities necessary to
disrupt and defeat cyber attacks. These capabilities fall into four general
categories$ ,nforce, Secure, (efend, and (eter. =eginning with enforcement, each
subse*uent capability builds on and e)tends services delivered by the preceding
capability. 0n this way, the capability spectrum represents a maturity model for
improving cyber defenses over time.
,nforcement capabilities represent baseline control over the access and usage of
the infrastructure and its resources. Core services within the enforcement
capability include the ability to identify and authenticate users and devices,
differentiate and control infrastructure access, and manage and implement usage
policies.
Security capabilities e)tend enforcement services, providing the ability to prepare
for, detect, and respond to cyber threats. Core services within the security
capability include the ability to identify and mitigate risk, filter out known or easily
identifiable attacks, and employ automated attack responses. Security services
also reduce the overall number of threats that demand human intervention,
freeing up analysts to focus on more sophisticated and targeted attacks.
(efensive capabilities represent the reali2ation of comprehensive cyber security
operations. Combining people, process, and technology, defensive capabilities
enable organi2ations to proactively manage and control threats. Core services
within the defensive capability include the ability to maintain infrastructural
&age 9 of 6
7889:5; http$88www.cisco.com8web8A&8partners8cyber<security<blog<tab.html
resilience, generate situational awareness, and operationali2e intelligence as an
effective tool for better detecting threats and mitigating future attacks.
0n the domain of nation states, deterrence represents the ape) of cyber security
capability. The culmination of infrastructural and operational capabilities in cyber
defense become a tool for e)ercising government policy. (eterrence capabilities
enable more effective law enforcement, enable nations to restrain the behavior of
adversaries through treaties and conventions, and provide a basis for deploying
proactive threat defense as a component of overall government action.
The cyber security capability spectrum provides guidance in defining, selecting,
and implementing the appropriate organi2ational structures, operations, and
technologies necessary to defend against cyber attacks. As a conceptual
approach, it complements e)isting industry frameworks and methodologies.
.undamentally, the cyber security capability spectrum serves as a basis for
reali2ing sustainable operations that evolve and adapt to the ever changing cyber
threat landscape.
Sincerely,
Joshua R. McCloud
Cisco's Cyber Security Expert
Copyright > 9:59 Cisco. All 4ights 4eserved.
&age 6 of 6
7889:5; http$88www.cisco.com8web8A&8partners8cyber<security<blog<tab.html