Skip to main content

The Necessity of Enemy Perspectives: The Enemy Gets a Vote

September 21, 2018

The enemy gets a vote. The current Secretary of Defense and retired Marine Corps General James Mattis is fond of this observation. However, in many areas, and especially in cyber security, it rings true. The enemy does get a vote. Good network hygiene, and ensuring that you have the latest technology only goes so far. What is necessary, is opening up the view of the cyber security staff to the enemy’s perspective and gaining an understanding of their capabilities.

When preparing for potential operations, U.S. military commanders perform mission planning, tasking their intelligence section to conduct Intelligence Preparation of the Battlefield (IPB). This allows the commander the ability to plan and act by intent, with knowledge of the nature of the threats their forces will most likely encounter, while also establishing the means to develop intelligence requirements for continued operations. The Army field manual describes IPB as “a systemic, continuous process of analyzing the threat and environment in a specific geographic area.” Within the realm of cyber security, we can convert this to describe the efforts of threat intelligence as a systemic, continuous process of analyzing the threat against a specific organization and its assets, as each organization faces differing threats based off of its industry, asset types and controls. The key is in gaining visibility into what the enemy sees within this battlespace.

This is the role that threat intelligence plays in an enterprise. It should be used as the connective tissue between network defenders and what they can anticipate defending against, based on not only vulnerabilities and malicious code, but also what is known about the enemy. Intelligence analysts need to “flip the map” and look at the organization from the eyes of an attacker, helping to illuminate the adversary and their capabilities.

Above, I briefly described the U.S. military’s process of IPB. In this process, the adversary’s order of battle, units, formations, and equipment of their military infrastructure are analyzed to understand their capabilities and how they “match up against” the capabilities of the U.S. military. Globalsecurity.org provides us with nine factors to consider when reviewing enemy order of battle and capabilities:

  • Composition
  • Disposition
  • Strength
  • Tactics
  • Training&
  • Logistics
  • Combat Effectiveness
  • Electronic Technical Data
  • Miscellaneous

While not all of these factors can be accounted for when analyzing potential threat actors, there are several that should be considered or acclimated for our purposes, such as:

  • Composition and Strength: Can we determine if the threat actor is a group or individual and if a group, do we have an association with like groups?
  • Tactics: do we have intelligence on historical courses of action or Tactics, Techniques, and Procedures (TTPs)?
  • Logistics: What does their infrastructure look like? Do they have command and control servers or; potential nation-state sponsorship or funding?
  • Effectiveness: Are there previously or historically-identified successful attacks? How effective were they, and have they been known to have targeted us in the past?

Understanding threat actor capabilities is necessary to gain the advantage and rapidly respond with countermeasures to these threats. Consumers of intelligence (CISOs, security directors and network defenders) need to task their threat intelligence sections with providing well-analyzed information on known threat actors that would have the intent and capability to attempt exploitation or conduct an attack against their organization. It should be provided in a manner that is easily consumable and leads to control evaluations and therefore a better security posture.

The enemy may always get a vote, but the outcome can be in an organization’s favor, the better they know their enemy and can anticipate its moves.


    Danny Pickens

By: Danny Pickens

Senior Director, Theat Management Operations

See More

Related Blogs

September 18, 2018

Intelligence Bulletin – India Hiring Proxy

On June 4, 2018, Optiv gTIC Human Intelligence (HUMINT) cell contacted an India-based individual providing interview-proxy services for job applicants...

See Details

August 28, 2018

Security Operations Efficiency is Not Gained Through a Patchwork of Expensive Security Tools

Cloud, mobile, social media, IoT and big data have profoundly expanded the attack surface in the latest cyber super cycle, and it’s no surprise organi...

See Details

February 17, 2017

Actionability Doesn’t Mean I Have to do More Work!

“Actionability” is something we are starting to hear more and more from industry sales and marketing, but often doesn’t translate into reality for var...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.