June 15, 2013 By Peter Allor 3 min read

Okay, so being a retired Army Officer, I try to relate issues around technology to other former military members in Cyber Security in terms we understand.   Interestingly, I find that even those who were not in the military easily relate to the analogies, so lets give this a whirl.

Quick Reaction Force

You are moving a large segment of supplies to a forward base.  En route you are attacked.  You immediately react and protect your supplies.  Since the attack seems to be coming from all directions, you seek information that portrays the level of attacker strength, its true direction, and intent of the attack to discover feints and diversions.

You seem to be on the verge of being overrun.  You ask for the quick reaction force to come to your assistance, defeat the attackers, and assist in recovery of the scattered supplies while also reinforcing your defensive measures.

We all have seen this played out in various scenarios, whether from a first person ‘been there’ perspective, or from numerous depictions in books, TV shows, and/or movies.  But have you noticed that this is a scenario that fits within cyber space domain? Only, the quick reaction force is named an ‘incident response team’.

Both the initial defender and the incident responders fight through the attack and re-establish the ‘defensive lines’.  Normally, it is the incident responder who goes through the plethora of data sets (or, in the physical world, collected intelligence information from multitudes of sources) to ascertain the who, how and what-were-they-after questions.  Was it a feint, or was it a direct or indirect attack to achieve a strategic goal, be it intellectual property, money or data?

So the elements are essentially the same in coming to some conclusion about the attack.  The main difference is how the attack was perpetrated and the responders’ accumulation of information regarding the intrusion.

Big Data Security Analytics

In today’s networked environment, this historical analysis is brought about through big data security analytics.  The time frame of the attack starts with the attacker’s reconnaissance of your positions through your adjustment of the new and improved defenses, sometimes extending from multiple months to years.  But for security data analytics to be effective, they need to be part of our security architecture.

We need that quick reaction force to be immediate.  Not relegated to doing historical reviews long after the events have happened.  I mean, I like history and all, but the key overcoming a large-scale attack is in making it part of your quick reaction force.  This is your tactical and operationally focused response.

So when we are talking about large sets of data over an extended period, we are then focusing on the Strategic set of data. This is the long-term and intelligence focused research, focusing on the intent and the type of group attacking.

Hence, I would suggest that there are two sets of defenders for the cyber domain, just as you would see in the physical example above: one focused on current and on-going defensive operations and one investigating incident events over time for long-term campaigns.  But while these two defender sets are looking at essentially the same data, the time frame of reference and the correlation of data are by definition different due to their focus.

All organizations are concerned about the tactical/operational attacks, as they are compromising and stealing from our organizations. We must do this level of analysis and tie it into our response.

From Reactive to Proactive Defense

Some would ask, why then do I care about the past data?  Well, you are probably going to repeat the problem in a similar situation; After all, if the attacker was successful the first time, why change something that is not broken from his perspective?

You are now presented with a question of how to prevent and deter the next attack using this same ‘avenue of approach’. This historical data review allows the incident response team to correlate network events as part of a particular incident or string the events to fully understand the attack profile. It is the variety and volume of data that makes the analysis challenging, yet fruitful for future defenses, not to mention forensic analysis for the all important damage assessment.

The massive volume of data available in today’s networks presents both a challenge and opportunity. If you can tame the big data at your disposal, it can be instrumental in your quick reaction force.  Many times attackers will refrain (and in some form are deterred) from attacking due to the initial and follow-on responses of your Quick Reaction Force and its ability to counter an attack while discovering the attacker’s true intentions.

This is where we move from a reactive defense — waiting for something to happen — to a proactive defense that deters strikes from happening in the first place.

More from Government

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today