By Tim Dudman
Like enterprise networks, modern defence systems make extensive use of computing infrastructure which puts them at significant risk of attack. While cyber protection teams defend these platforms, the existing tools available to help with this suffer two main drawbacks.
Firstly, traditional approaches to cyber security are reactive – relying on blacklists, malware signatures or anomaly detection methods to respond to known threats. This means cyber analysts can at best respond to an attack occurring in real time, or at worst forensically after the attack.
Secondly, the tools provided don’t have a common visual language that can easily express operational concepts, making it difficult for cyber analysts to convey cyber situational awareness to commanders. This leads to a disconnect between traditional military planning and cyber operations.
How can we address these gaps?
For decades, traditional cybersecurity has been experiencing a steadily accelerating arms race where offensive groups seek to exploit vulnerabilities and, in response, defenders seek to patch or mitigate them.
This game of cat and mouse has resulted in a huge amount of threat intelligence being compiled by analysts about the groups responsible – all based on real-world observations. These include a diverse range of insights such as the attack patterns used to exploit system weaknesses, the tactics and techniques employed by adversaries, and mitigation strategies. As modern defence systems are increasingly based on COTS (Commercial Off-The-Shelf) technologies, this enterprise cyber threat intelligence is becoming ever more applicable to forming a proactive cyber defence strategy.
Even before this cyber arms race, coalition forces have been using a common symbology for describing military operations. NATO Joint Military Symbology provides common symbols for map marking used across land, air, sea, and space, designed to enhance joint interoperability through the visual representation of key terrain, red and blue unit movements, and tactical tasks.
However, it has historically overlooked the cyber domain, leading to a lack of shared understanding and a common operational picture that is missing key elements. Recently, however, extensions that would allow cyber teams to convey mission-relevant information to commanders unfamiliar with the technical details of cyberspace have been proposed. If successfully implemented in cyber operational doctrine, this new symbology could facilitate a common operational picture that represents all domains.
Joint Military Symbology for Cyberspace Operations
With knowledge of the gaps in cyber operational capability, the abundance of threat intelligence, and proposed new cyber joint symbology comes the opportunity to develop applications that help cyber protection teams perform their role more effectively. Facilitated by increased computing power and technologies that can handle the growth in data, applications can be developed that allow cyber analysts to automatically forecast cyber attacks before they happen – enabling them to be proactive rather than reactive – and brief commanders using a shared visual language.
Current research and development
The methods used to predict cyber attacks can be actor-centric, system-centric, or trend-centric. An analytical approach that combines all three of these methods gives the broadest capability – exploiting patterns of known threat actor past behaviour, identifying weaknesses in mission-critical systems, and using knowledge of recent attacks to predict relevant future attacks and prioritise mitigations.
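As an added illustration of how the three signals can be combined into one prioritised list of mitigations (example code, not Riskaware's CyberAware Predict or the University of Southampton's work): the actor-centric signal is a constructed table of how often a threat actor has been observed using each technique, the system-centric signal is a constructed list of weaknesses on mission-critical assets, and the trend-centric signal is derived from constructed recent incidents with a half-life decay. The noisy-OR combination of actor and trend likelihoods, the 1.25 exposure multiplier and the mitigation mappings are all assumptions chosen for the example.

```python
"""Toy combined actor-, system- and trend-centric attack prioritisation.

Added example; all data below is constructed and the weighting scheme is an
assumption, not a description of any product's scoring model.
"""
from dataclasses import dataclass

# Actor-centric: constructed frequency (0..1) with which a tracked threat actor
# has been observed using each technique. Technique names are plain labels.
ACTOR_TECHNIQUE_FREQ = {
    "exploit-public-app": 0.8,
    "valid-accounts": 0.5,
    "remote-services": 0.3,
    "phishing": 0.6,
}

# Trend-centric: constructed recent incidents as (technique, age in days).
RECENT_INCIDENTS = [
    ("exploit-public-app", 5),
    ("exploit-public-app", 20),
    ("phishing", 10),
    ("remote-services", 60),
]

# Defender's course of action for each technique (assumed mapping).
MITIGATIONS = {
    "exploit-public-app": "patch or virtually patch internet-facing services",
    "valid-accounts": "enforce MFA and credential hygiene",
    "remote-services": "segment the network and restrict remote access",
    "phishing": "tighten mail filtering and run awareness training",
}


@dataclass(frozen=True)
class Weakness:
    """System-centric view: one weakness on one asset (constructed fields)."""
    asset: str
    technique: str      # technique that would exploit this weakness
    severity: float     # 0..1, how bad exploitation would be on this asset
    criticality: int    # mission criticality of the asset, 1..5
    exposed: bool       # reachable from an untrusted network


WEAKNESSES = [
    Weakness("mission-server", "exploit-public-app", 0.9, 5, True),
    Weakness("file-share", "remote-services", 0.6, 3, False),
    Weakness("mail-gateway", "phishing", 0.5, 4, True),
    Weakness("dev-box", "valid-accounts", 0.5, 2, False),
]


def trend_weights(incidents, half_life_days=30.0):
    """Per-technique recency weight in 0..1: recent incidents count more.

    Each incident contributes 0.5 ** (age / half_life); totals are scaled so
    the most active technique scores exactly 1.0.
    """
    raw = {}
    for technique, age_days in incidents:
        raw[technique] = raw.get(technique, 0.0) + 0.5 ** (age_days / half_life_days)
    top = max(raw.values()) if raw else 1.0
    return {t: v / top for t, v in raw.items()}


def likelihood(technique, actor_freq, trend):
    """Noisy-OR of the actor and trend signals: either alone raises likelihood."""
    a = actor_freq.get(technique, 0.0)
    t = trend.get(technique, 0.0)
    return 1.0 - (1.0 - a) * (1.0 - t)


def impact(w):
    """Severity scaled by mission criticality, boosted (capped at 1) if exposed."""
    base = w.severity * w.criticality / 5.0
    return min(1.0, base * (1.25 if w.exposed else 1.0))


def prioritise(weaknesses, actor_freq, trend):
    """Return (weakness, score) pairs, highest risk first."""
    scored = [(w, round(likelihood(w.technique, actor_freq, trend) * impact(w), 4))
              for w in weaknesses]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def courses_of_action(ranked):
    """Aggregate scores per mitigation so the briefing leads with the biggest win."""
    totals = {}
    for w, score in ranked:
        action = MITIGATIONS.get(w.technique, "investigate: no mapped mitigation")
        totals[action] = round(totals.get(action, 0.0) + score, 4)
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    trend = trend_weights(RECENT_INCIDENTS)
    for w, score in prioritise(WEAKNESSES, ACTOR_TECHNIQUE_FREQ, trend):
        print(f"{score:.3f}  {w.asset:15s} via {w.technique}")
    for action, total in courses_of_action(prioritise(WEAKNESSES, ACTOR_TECHNIQUE_FREQ, trend)):
        print(f"{total:.3f}  {action}")
```

The three signals stay separable on purpose: an analyst can swap in a different actor profile or a longer trend half-life and see how the ranking moves, which is the kind of what-if question a commander is likely to ask when the result is briefed.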
Riskaware has been developing its CyberAware Predict capability, which uses scan-based network attack surface predictions in an interactive operational graphics dashboard, as part of the Dstl Defence and Security Accelerator (DASA) Predictive Cyber Analytics competition. This work has also led to a collaboration with the University of Southampton to incorporate real-time alerts and predictions about the next steps of an evolving attack.
This combined capability is currently undergoing testing in a virtualised military environment as part of an effort to increase technology readiness level – a key stage in preparing a defence application for operational use. Once complete, the capability will allow cyber protection teams to rapidly observe and predict cyber attacks on key cyber terrain, determine and prioritise mitigation strategies, and present clear courses of action to commanders using cyber joint symbology.
Looking beyond the defence sector, this same approach is equally applicable to enterprise networks, where business criticality would be considered in place of mission criticality and the symbology would be tailored for enterprise use. With this capability in place, businesses too can stay one step ahead of those who would seek to compromise their networks.
Find out more about the CyberAware platform here.