Reading through the British Army Military Doctrine manual the other day (as you do!) the concept of Fighting Power in the context of cyber warfare got me thinking. How could a traditional approach from a historically renowned army be applied to the cyber world? Cyber, or the internet - if we remove the hyped buzz word - has been described as the fifth military domain after land, sea, air and space, and is certainly at the forefront of the attacks reported in the media these days.
You may not think your business is under attack, or even that you are at war – but anyone who has suffered at the hands of ransomware, phishing attacks, denial of service attempts or experienced the painful consequences of a data breach, will understand.
Very resourceful and credible threat actors are actively deploying sophisticated methods to deliver targeted and repeated attacks on assets and organisations of high value to them. Maybe not against everyone, and maybe not against you, but your data assets certainly need to be well defined and the cyber risks against them understood.
Theatre of Operations
So how does this relate to what we should be delivering as part of our company blue team/Security Operations Centre (SOC) services? Either if you manage monitoring and logging in house, or outsource or utilise a hybrid model – it’s good to think about how you can make this as effective as possible. CREST has released its ‘Cyber Security Monitoring & Logging Guide’ for the industry which is a helpful start, but taking a few lessons from the British Army can do no harm, eh?
So, opening statement: ‘Cyber Fighting Power delivers our SOC with its ability to operate and execute; to detect offensive actions and engage in effective incident response against cyber-attacks.’
How does a SOC do this?
Well, it consists of 3 components:
- Conceptual component - the ideas behind how cyber warfare operates (offensive red teaming) and cyber incident response (defensive blue teaming).
- A moral component – the ability to get people to operate, investigate and defend.
- A physical component - the means and tools to operate and fight back.
A good SOC derives its effectiveness from harmonising all 3 components of Cyber Fighting Power, building on solid foundations, as simply and consistently as possible. The conceptual component is pre-eminent - the other 2 are derived from it - but all of them are essential. The key elements of these overlapping and mutually supporting components are highlighted in the diagram below (Ideas stolen from British Army Doctrine!).
1 Conceptual Component
The Conceptual Component is the aspect that needs to be understood within the very DNA of your team. The mission and purpose of the SOC. Why do they exist? What is driving their performance, capabilities and objectives? This explains the very reason why their existence is tangible and why investment and commitment to see them succeed is in place.
The 5 pillars are briefly explained below:
- Higher level doctrine (goals and mission) – The long term purpose of the SOC. This will explain the rationale and justification for all that is to follow. Why the function of a SOC is of such importance to you.
- Lower level doctrine (SOPs and work instructions) – The processes and ways of operating that take the mission and explain it in more robust detail with more granular information. This provides the ability to translate the long term mission into day to day actions.
- Understanding of offensive/defence actions – This is critical. If you do not understand ‘how’ the bad guys will come at you, and how they will attempt to bypass your defences, then you are at a loss from the start. Understanding offensive security is vital in providing a solid and capable detection and response service.
- Education and lessons – It’s all very well you knowing the above, but how will the new starter, or that first line analyst or incident manager run in the same direction? Education up and down, as well as sideways amongst shifts and peers is acutely important.
- Innovation and R&D – One thing we cannot do is stand still. You cannot depend tomorrow on what you have done today. Threat actors and vulnerabilities are constantly changing and adapting. Your SOC must be moving forwards else they will be left behind.
2 Physical Component
So how is the mission and goal of the SOC delivered? Through the physical components of the service.
There are 5 pillars as follows:
- Staff and workforce – Have you employed the right skills and the right diversity within the team? Have you got the analysts, the hunters, the attackers and the ‘think outside the box’ers? One size does not fit all. Diversity, working within the rigour of an organised and disciplined SOC, will help deliver a high performing team
- Technology – This needs to work to your advantage and not be a blocker in the mission. Does your technology enable you to gain the visibility, define the actions and react to the events within your environments effectively? Has automation been used to the best effect? Does it provide a timely and secure platform from which to integrate the right data and information? Can it present the right people with the right level of detail when required?
- Training – Not a one off exercise at new hire stage, but regular, on the job training. How can you keep current with the latest threats? Unannounced offensive simulations and tests will keep people on the ball. Detecting and preventing at all levels within the kill chain
- Resiliency and sustainability – Forensically, is your log data sound? Can it be replicated and retrieved when required? Is both the technology and the service resilient? Are you dependant on single key individuals, as well as technology or communications links?
- Capability development – How well defined is the development plan? Not just around growth numerically in the service but around technical capability, data storage and mining, trending and added value services? Where will the intelligence and innovative ideas come from that will enhance the current system?
3 Moral Component
The moral component may feel a little strange at first but this is vital is any high performing team. And a SOC, although attempts have been made to fully automate them, is still essentially reliant on humans to make them succeed.
- Motivation – If you’re a soldier or a security guard then your heightened awareness and ability to react is based partly on your training but also on your motivation to the cause and to survive. At 2am in a SOC with your fourth cup of coffee, the same effect can be lost! Motivating your staff to be vigilant and aware of the objectives is critical.
- Moral cohesion and team work – The SOC team is not an island. Team work within diverse skills sets is key to delivering full incident management from the initial indicator through the containment and recovery. Your SOC team needs to be 100% bought into the purpose, objectives and reasons why their role is vital.
- Ethical foundations – If you do not believe in what you are doing, if you are not passionate about security, if you do not want to see the success of the defenders of the networks you are looking over, then you will not be doing your job or team justice. Doing the right thing for the right reasons is key. Define and agree solid ethical foundations on which you expect the SOC to operate.
The British Army Doctrine is seen as their capstone to deliver a world class fighting force. Maybe within the cyber world we can adopt some of these principals in order to achieve a better level of capability in our battles against the sophisticated threat actors we encounter. We may not see them all yet within our environments, but that may be because we haven’t yet started to look properly. Once we do begin to turn over the stones we may need to get ourselves into a much better position to fight back.
To contact Nettitude's editor, please email firstname.lastname@example.org.