modern cyber battlefield - application of coin principals to today's kinetic cyber environment


Upload: crmcg2007

Post on 14-Feb-2017

Category: Technology


TRANSCRIPT

12/02/2016 COPYRIGHT © 2016, FIREEYE, INC. ALL RIGHTS RESERVED.

MODERN CYBER BATTLEFIELD

APPLICATION OF KEY COUNTERINSURGENCY PRINCIPALS TO

TODAY’S KINETIC CYBER ENVIRONMENT

Presented by Chuck McGregor CISSP, CISM VP Security Operations, Parsons


ABOUT ME

• USMC officer

• Deployed to Afghanistan and Iraq in advisor and company command capacities in COIN environments/missions

• US Marine Special Operations Command Reserve Chief of Staff

• Cyber Director at Parsons Corp.


KNOW THY ENEMY… – Sun Tzu

…AND KNOW THY SELF


COUNTERINSURGENCY OPERATIONS JP3-24

The twenty-first century is typified by a volatile international environment, persistent conflict, and increasing state fragility. Long-standing external and internal tensions tend to exacerbate or create core grievances within some states, resulting in political strife, instability, or even insurgency.

Moreover, some transnational terrorists/extremists with radical political and religious ideologies may intrude in weak or poorly governed states to form a wider, more networked threat.


SETTING THE STAGE

• The challenges we face are dynamic

• We need new ways to view our cyber adversaries

• Correlations of the cyber battlefield to dynamic counterinsurgency landscapes

• New ways to view and prepare the cyber battle space

• Let’s try something different…

A view of our adversaries

• Nation-state sponsors

• Criminal organizations

• Hacktivists

• Proxy agents

• Competitors

• Insiders


INSURGENCY ANALYSIS

Before we determine where to focus, let’s analyze insurgencies…


UNDERSTANDING INSURGENCY

• Organized

• Complexity

• Contemporary conflict

• Leadership/narrative

• Protracted struggle

Modern cyber adversary motives

• Ideological

• Socio-economic influence

• Commercial/defense objectives

• Criminal/funding objectives


RECOGNIZING INSURGENT VULNERABILITIES

• Need for secrecy

• Need to establish a base of operations

• Need for financial resources

• Internal divisions

• Need to maintain momentum

• Informants within the insurgency

Cyber exploitation mindset

• Strong unity of command

• Adjacent unit coordination

• Financial resources

• Our own people

…Our campaign plan


FOCUS AREA #1 PLANNING

Focus Area #1

Your counterinsurgency campaign plan


FOCUS AREA #1 – COIN CAMPAIGN PLANNING

• Unity of effort

• Intelligence-driven operations (Intel prep of the battlefield)

• Economy of force

• Component contributions

• Operational environment shaping

Cyber campaign planning corollaries…

• Organize your security practices

• Peer-industry integration points

• Bottom-up threat intelligence – unleash

• Support the analyst effort – invest

• Technology force multipliers


SMALL WARS MANUAL

UNITED STATES MARINE CORPS, 1940

In small wars, caution must be exercised, and instead of striving to generate the maximum power with the forces available, the goal is to gain decisive results with the least application of force. In small wars, tolerance, sympathy, and kindness should be the keynote of our relationship with the mass of the population. Small wars involve a wide range of activities including diplomacy, contacts with the civil population and warfare of the most difficult kind.


FOCUS AREA #2 TACTICAL GUERILLA FIGHT

Focus Area #2

The tactical guerilla fight


FOCUS AREA #2 – GUERILLA TACTICS

• Attacking the will

• Deception

• Engagement selection

• Supply chain disruption

• Attacks to infrastructure

• Financial conversion

• Prolonged fight

Tactical cyber actions…

• Fight his strategy, not his forces

• Map short term actions to long term vision

• Maintain intelligence emphasis

• Be prepared for setbacks

• Empower the lowest levels

• Rank is nothing – talent is everything

• Keep the initiative

• Be there


GUERILLA TACTICS AND THE CYBER KILL CHAIN

Cyber kill chain phases

• Initial Compromise

• Establish Foothold

• Escalate Privileges

• Internal Recon

• Move Laterally

• Maintain Presence

• Complete Mission (Action on Objectives)

“Cyber Kill Chain” is a registered trademark of Lockheed Martin

Guerilla tactics

• Patient observation

• Develop intimacy

• Target development and prioritization

• Final planning

• Asymmetric positioning

• Destroy/disruption

• Objective advance

• Evade and egress

Cyber tactics

• External attack surface sizing

• Social Engineering

• External Compromise

• Custom Malware

• Payload Insert

• App Exploitation

• Delivery

• Credential Theft

• Password Cracking

• “Pass-the-Hash”

• Exploitation

• Critical System Recon

• System, Active Directory, User Enumeration

• Installation

• Net Use Commands

• Reverse Shell Access

• Backdoor Variants

• VPN Subversion

• Sleeper Malware

• C2 Nodes

• Staging Servers

• Data Consolidation

• Data Theft

• Destroy


KEY TAKEAWAYS

• Take a new look at how we fight on the cyber battlefield

• Leverage what we’ve learned in COIN – the similarities prompt consideration

• Integrate COIN planning elements into your cyber campaign plan to keep the adversary off balance

• Ensure intelligence-driven operations

• Adopting a COIN mindset can give your front line an edge in the guerrilla fight

• Empower your lowest levels


THANK YOU

[email protected]

@chuck_mcg


REFERENCES

FM 3-24 Counterinsurgency

JP 3-24 Counterinsurgency Operations

FMFRP 12-15 USMC Small Wars Manual (1940)

“28 Articles - Fundamentals of Company-Level Counterinsurgency”, David Kilcullen (2006)

“Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention”, Tony Sager, SANS Institute (2014)

“10 Strategies of a World-Class Security Operations Center”, Carson Zimmerman, MITRE (2014)

EXIM APPROVED Parsons #458 7 OCT 16.