June 15, 2013 By Peter Allor 3 min read

Okay, so being a retired Army Officer, I try to relate issues around technology to other former military members in Cyber Security in terms we understand. Interestingly, I find that even those who were not in the military easily relate to the analogies, so let's give this a whirl.

Quick Reaction Force

You are moving a large segment of supplies to a forward base.  En route you are attacked.  You immediately react and protect your supplies.  Since the attack seems to be coming from all directions, you seek information that portrays the level of attacker strength, its true direction, and intent of the attack to discover feints and diversions.

You seem to be on the verge of being overrun.  You ask for the quick reaction force to come to your assistance, defeat the attackers, and assist in recovery of the scattered supplies while also reinforcing your defensive measures.

We all have seen this played out in various scenarios, whether from a first-person 'been there' perspective or from numerous depictions in books, TV shows and movies. But have you noticed that this scenario fits just as well within the cyberspace domain? Only there, the quick reaction force is called an 'incident response team'.

Both the initial defender and the incident responders fight through the attack and re-establish the ‘defensive lines’.  Normally, it is the incident responder who goes through the plethora of data sets (or, in the physical world, collected intelligence information from multitudes of sources) to ascertain the who, how and what-were-they-after questions.  Was it a feint, or was it a direct or indirect attack to achieve a strategic goal, be it intellectual property, money or data?

So the elements are essentially the same in coming to some conclusion about the attack.  The main difference is how the attack was perpetrated and the responders’ accumulation of information regarding the intrusion.

Big Data Security Analytics

In today's networked environment, this historical analysis is brought about through big data security analytics. The time frame of an attack spans from the attacker's reconnaissance of your positions through to your adjustment of the new and improved defenses, sometimes extending over months or even years. But for security data analytics to be effective, they need to be part of our security architecture.

We need that quick reaction force to be immediate, not relegated to doing historical reviews long after the events have happened. I mean, I like history and all, but the key to overcoming a large-scale attack is making analytics part of your quick reaction force. This is your tactical and operationally focused response.

When we are talking about large sets of data over an extended period, we are instead focusing on the strategic set of data. This is the long-term, intelligence-focused research, concentrating on the intent and the type of group attacking.

Hence, I would suggest that there are two sets of defenders for the cyber domain, just as you would see in the physical example above: one focused on current and on-going defensive operations and one investigating incident events over time for long-term campaigns.  But while these two defender sets are looking at essentially the same data, the time frame of reference and the correlation of data are by definition different due to their focus.

All organizations are concerned about the tactical/operational attacks, as they are compromising and stealing from our organizations. We must do this level of analysis and tie it into our response.

From Reactive to Proactive Defense

Some would ask, why then do I care about the past data? Well, you are probably going to repeat the problem in a similar situation. After all, if the attacker was successful the first time, why change something that is not broken from his perspective?

You are now presented with the question of how to prevent and deter the next attack using this same 'avenue of approach'. This historical data review allows the incident response team to correlate network events as part of a particular incident, or to string events together to fully understand the attack profile. It is the variety and volume of data that makes the analysis challenging, yet fruitful for future defenses, not to mention forensic analysis for the all-important damage assessment.
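To make the two time frames concrete, here is an added example (not from the original post) that runs the same event stream through both views described above: a tactical correlation that groups closely spaced events from one source into an incident for the quick reaction force, and a strategic correlation that strings incidents together across months by their shared avenue of approach. The events, source addresses and host names are constructed sample data, and the two-hour and per-source grouping rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One network event as a responder would see it after normalisation."""
    ts: datetime
    src: str      # attacker-side indicator, here a source IP (the 'avenue of approach')
    target: str   # asset the event touched
    kind: str     # recon / exploit / exfil


# Constructed sample events (documentation-range addresses, not real logs).
SAMPLE_EVENTS = [
    Event(datetime(2013, 1, 10, 9, 0), "198.51.100.7", "vpn-gw", "recon"),
    Event(datetime(2013, 1, 10, 9, 20), "198.51.100.7", "vpn-gw", "exploit"),
    Event(datetime(2013, 1, 10, 9, 45), "198.51.100.7", "fileserver", "exfil"),
    Event(datetime(2013, 2, 2, 3, 0), "203.0.113.9", "webmail", "recon"),
    Event(datetime(2013, 4, 22, 14, 0), "198.51.100.7", "vpn-gw", "recon"),
    Event(datetime(2013, 4, 22, 14, 30), "198.51.100.7", "fileserver", "exfil"),
]


def correlate_tactical(events, window=timedelta(hours=2)):
    """Tactical view: consecutive events from the same source that fall within
    `window` of each other form one incident needing an immediate response.
    Returns a list of incidents, each a time-ordered list of events."""
    incidents = []
    open_by_src = {}  # src -> the most recent incident list for that source
    for ev in sorted(events, key=lambda e: e.ts):
        current = open_by_src.get(ev.src)
        if current is not None and ev.ts - current[-1].ts <= window:
            current.append(ev)
        else:
            current = [ev]
            incidents.append(current)
            open_by_src[ev.src] = current
    return incidents


def correlate_strategic(incidents):
    """Strategic view: incidents sharing the same avenue of approach (source
    indicator) are strung together into a campaign. Returns a per-source
    summary: incident count, span in days, assets hit and whether the same
    avenue was reused, which is the signal that the defences did not change."""
    by_src = {}
    for inc in incidents:
        by_src.setdefault(inc[0].src, []).append(inc)

    summary = {}
    for src, incs in by_src.items():
        evs = [e for inc in incs for e in inc]
        first = min(e.ts for e in evs)
        last = max(e.ts for e in evs)
        summary[src] = {
            "incidents": len(incs),
            "span_days": (last - first).days,
            "targets": sorted({e.target for e in evs}),
            "repeat_avenue": len(incs) > 1,
        }
    return summary


if __name__ == "__main__":
    incidents = correlate_tactical(SAMPLE_EVENTS)
    for n, inc in enumerate(incidents, 1):
        kinds = " -> ".join(e.kind for e in inc)
        print(f"incident {n}: {inc[0].src} at {inc[0].ts:%Y-%m-%d %H:%M}: {kinds}")
    for src, info in correlate_strategic(incidents).items():
        print(f"campaign {src}: {info}")
```

The tactical pass is what the quick reaction force consumes while the attack is under way; the strategic pass is the historical review, and its `repeat_avenue` flag is the concrete form of the question "did the attacker come back the same way?" that the post poses.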

The massive volume of data available in today’s networks presents both a challenge and opportunity. If you can tame the big data at your disposal, it can be instrumental in your quick reaction force.  Many times attackers will refrain (and in some form are deterred) from attacking due to the initial and follow-on responses of your Quick Reaction Force and its ability to counter an attack while discovering the attacker’s true intentions.

This is where we move from a reactive defense — waiting for something to happen — to a proactive defense that deters strikes from happening in the first place.
