
A Military Perspective on Cyber Security
Not a Paradigm Shift, a Tactical Approach
Joey Hernandez CISSP, MBCI
jhernandez@iSCSP.org
Topic
Background
The Change
Center of Gravity Rings
Principles of War
Contested Commons
Your Turn
About Me
Former Intelligence and Cyber Operations Analyst with a broad background in all domains of Network Operations.
College Professor in the areas of Criminal Justice & Information Security
Background in assessments covering NIST, FIPS, & ISO standards
Background in International CERT operations & current Director of Operations for the iSCSP

Background
Elevated age in cyber warfare
Malware has become focused: SCADA systems (Stuxnet)
Malware performs Operational Preparation of the Environment (OPE): Conficker (millions still infected)
Ransomware: data is being held hostage
The advanced capability of the threat has increased the risk.
Understanding the risk allows employment of defensive measures to mitigate it.
Risk will always be present.


The Change
Combined capabilities have helped attackers create weapon systems
Soldier + Rifle + Bullets = Weapon System
Cyber:
State sponsored, script kiddies, paid staff
Laptop, desktop, mobile devices
Metasploit, BackTrack, PoisonIvy, MPack, other RATs

Hacker + Laptop + Metasploit = Weapon System

Attackers, adversaries, and cyber terrorists are now employing TTPs (tactics, techniques, and procedures)

Warden's Rings
The focus is to attack Centers of Gravity
The Estonian attacks utilized TTPs against the rings:
Leadership (defaced Ministry of Defense, Finance, etc.)
Organic/System Essentials
Infrastructure (DDoS against ISPs and wardialing to lock up the POTS network)
Population (news media)
Fielded Military Forces
[Diagram: Warden's five rings, Leadership, System Essentials, Infrastructure, Population, Fielded Forces, with Cyber spanning all of them]

Population attacks cascade through the rings
System-essential attacks on services (e.g. supply chain, food, FedEx) feed the rings in both directions
Infrastructure attacks feed the rings in both directions
Leadership focus elevates the nature of the actions
Defense measures must ensure protection of systems first and population foremost
[Diagram: the rings as the cascade moves through them: Population, System Essentials, Infrastructure, Leadership]
Countering Principles of War
Raising perceptions of attacks guarantees an elevated perspective.
Proactive approaches to providing defense-in-depth reduce risk to all Centers of Gravity
NOT immediately achievable; requires buy-in

Principle 1
Objective: Direct every operation towards a clearly defined, decisive, and attainable objective.

Security
Create policies & directives that are concise, fed from leadership, and enhance current capabilities.
Defense
Institutionalize SOPs, creating a path to obtainable objectives

Principle 2
Offensive: Seize, retain, and exploit the initiative

Cyber Security personnel must have all tools required to respond to incidents or events when presented, enabling decisive results
Immediate knowledge of events through proactive measures:
Proactive research
International teams of trust
Reverse engineering of current malicious code
Pentesting with seized exploits ensures preparedness
Exercise routinely against new threats
Exploitation allows establishing an operational tempo (optempo) for defensive and counter operations.


Principle 3
Economy of Force: Allocate minimum essential combat power to secondary efforts.

Cyber Security staff should only be allocated tasks relating to protection of the grid and its associated systems
Minimize external tasks not associated with Cyber Security
Employ others to do password resets, maintenance, and support
Discriminate whenever possible!
Identify and prioritize cyber assets and assign coverage accordingly
Principle 4
Mass: Concentrate combat power at the decisive place and time.

Sustain with technology, resolve with mass: use crisis action teams, leverage distributed knowledge
Get there first with the most.
The dynamic nature of Cyber Space allows you to employ mass globally with centralized control
Convene and delegate
Ensure communication is continuous
If possible (make it possible), disarm the attacker
Block/mitigate the adversary's ability to maneuver: a virtual arm bar
Remain focused on protection


Principle 5
Surprise: Strike the enemy at a time, place, or manner for which they are unprepared.

Always expect it!
Trust but verify: if the network is quiet, lower thresholds to find hidden traffic
Use quiet time to develop out-of-the-box operating procedures and TTPs
Always expect it!
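The "if the network is quiet, lower thresholds" point above is a detection-engineering idea, so here is an added worked example (not from the presentation or its author) showing it in code. The records are constructed: per-host outbound connection counts for a busy hour and a quiet hour. A static per-host threshold never fires, but a threshold derived from each hour's peer median drops when the network goes quiet, and the host that keeps the same small, steady outbound pattern overnight stands out. The multiplier of 3x, the floor of 10 connections, and the host names are assumptions chosen for the illustration.

```python
"""Adaptive thresholds: lower the alerting bar when the network is quiet.

Added example (not from the presentation). The records below are constructed:
(hour, host, outbound connections to external addresses in that hour).
During business hours the workstations are busy, so a static per-host
threshold of 300 never fires. At 03:00 the network is quiet, but ws-03 keeps
making the same ~15 connections it made during the day. A static threshold
still misses it; a threshold derived from the hour's peer baseline catches it.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    ("09:00", "ws-01", 220),
    ("09:00", "ws-02", 180),
    ("09:00", "ws-03", 15),
    ("03:00", "ws-01", 4),
    ("03:00", "ws-02", 2),
    ("03:00", "ws-03", 15),
]

STATIC_THRESHOLD = 300  # assumed business-hours per-host threshold
MULTIPLIER = 3.0        # assumed: alert when a host exceeds 3x the hourly peer median
FLOOR = 10.0            # assumed noise floor: never alert below 10 connections


def group_by_hour(records):
    """Return {hour: {host: count}} for the given (hour, host, count) records."""
    by_hour = defaultdict(dict)
    for hour, host, count in records:
        by_hour[hour][host] = by_hour[hour].get(host, 0) + count
    return by_hour


def static_alerts(records, threshold=STATIC_THRESHOLD):
    """Baseline detector: one fixed threshold regardless of how busy the network is."""
    return [
        (hour, host, count)
        for hour, hosts in sorted(group_by_hour(records).items())
        for host, count in sorted(hosts.items())
        if count > threshold
    ]


def quiet_hour_threshold(counts, multiplier=MULTIPLIER, floor=FLOOR):
    """Threshold for one hour: a multiple of the peer median, never below the floor.

    When the network is quiet the median collapses, so the threshold drops with it
    and low-and-slow traffic that was buried in daytime volume stands out.
    """
    return max(floor, multiplier * float(median(counts)))


def find_hidden_traffic(records, multiplier=MULTIPLIER, floor=FLOOR):
    """Adaptive detector: per-hour threshold from the hour's own peer baseline.

    Returns (hour, host, count, threshold) for every host above its hour's threshold.
    """
    alerts = []
    for hour, hosts in sorted(group_by_hour(records).items()):
        threshold = quiet_hour_threshold(hosts.values(), multiplier, floor)
        for host, count in sorted(hosts.items()):
            if count > threshold:
                alerts.append((hour, host, count, threshold))
    return alerts


if __name__ == "__main__":
    print("static  :", static_alerts(SAMPLE_RECORDS))   # []
    print("adaptive:", find_hidden_traffic(SAMPLE_RECORDS))  # ws-03 at 03:00
```

The floor matters: without it, an hour in which every host is nearly idle would produce a threshold near zero and flag ordinary housekeeping traffic, which is the false-positive cost of lowering thresholds. In practice the peer median would be replaced by a per-host historical baseline for the same hour of day, but the mechanism is the same: the threshold follows the quiet, not the calendar.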
Principle 6
Maneuver: Place the enemy in a position of disadvantage through flexible application of combat power

Gain an advantage in positioning by training and certifying defense crews
Exercising as a team places the adversary in a position of disadvantage
Train as a group to flexibly protect, respond, and mitigate attacks
Leverage internal and external trusted SME capabilities
Principle 7
Unity of Command: For every objective, ensure unity of effort under one responsible commander.

A single leader should provide direction and coordination for crews, ensuring clear and concise objectives.
Alignment facilitates communication for the mission/common objective
Each task presented should have ownership and custodial characteristics for members of the crew
Ideas & Solutions: a collective is preferred, but not required


Principle 8
Security: Never permit the enemy to acquire an unexpected advantage.

Protect and preserve defense measures, procedures, and capabilities from the eyes of the adversary.
Protect information through PEOPLE vetting
Minimize the chance of future WikiLeaks
Security exertion minimizes attack vectors
Understanding the capabilities and limiting factors of your people provides clearer situational awareness
Principle 9
Simplicity: Prepare clear, uncomplicated plans and concise orders to ensure thorough understanding.

Concise plans and orders minimize the chance for mistakes.
The degree of operational simplicity results from experience, training, empowerment, and institutionalization of processes.
Simplicity in Cyber Operations is an art of balance
Open lines of communication, local & global, support simplicity and information sharing
Contested Commons
It is a global medium: Maritime, Air, Space, Cyber
Relied upon for business globalization
More nations, organizations, and economies at risk
Rapid capability development, sluggish legal and global agreement on how to address cyber attacks
Russia & China created No CY (Cyber) Zones
Some believe there is no cyber war
Ask Estonia, Brazil, Canada, South Africa, Malaysia




Your Turn
Train & exercise your crews as a team
Open lines of communication
Think strategically, act locally
Be proactive: turn quick fixes and best practices into TTPs
Be paranoid, suspicious, and know your adversaries
Build your trusted crisis network
Plan for events
Clear the fog
