Thursday, September 20, 2018

Cyber IPB: Use Offense to Inform Defense. Find Flaws Before the Bad Guys Do.


December 2001
Author: Steven P. Winterfeld, SANS 
https://cyber-defense.sans.org/resources/papers/gsec/cyber-ipb-103147

Summary: 

“The United States is in the best possible position to win on the digital battlefield, but the reverse is also true; the US is the most vulnerable country in the world to cyber attack.”
In this article, Steven Winterfeld of SANS addresses the need for the US military to apply Intelligence Preparation of the Battlefield (IPB) to cyberspace. The four main segments of the IPB process that Winterfeld defines as important are: defining the battlefield environment, defining the battlefield effects, evaluating the threat of the enemy, and determining threat courses of action (COAs). In cyberspace, threats come from a range of sources with different boundaries, protocols, and liberties than those of traditional military operations. Winterfeld explains the different types of threats brought on by the emergence of cyber warfare: asymmetrical threats and asynchronous threats. Asymmetrical threats are those that use dissimilar weapons to offset a superior military. We’ve recently seen asymmetrical threats from countries such as Iran. Asynchronous threats are those that don’t require orchestration or timing but rely more on circumstance and personality. We’ve recently fallen victim to asynchronous attacks through the influence of Russian hackers on our 2016 Presidential Elections.

To help mitigate these threats, Winterfeld suggests adapting the traditional military IPB to suit the cyberspace environment. He explains that the processes are the same in conventional war as they are in cyber war; the difference lies in understanding the nuances of the battlefield. In cyberspace, the process of defining the battlefield environment includes: identifying the classification of the network, understanding the baseline activity of the network, exploring the architecture of the databases, operating systems and services, and identifying intelligence gaps. In cyberspace, the process of defining the battlefield effects includes: analyzing the confidentiality, integrity, and availability of information in services and networks, as well as identifying current security, auditing procedures and backup systems. In cyberspace, the process of evaluating the threat includes: locating all assets and identifying the most likely COAs and most dangerous COAs by establishing threat capabilities. Evaluating and prioritizing each threat COA is important in creating policy and doctrine involving rules of engagement for information assurance, computer network defense, and computer network attack.

Critique: 

Although this recommendation by SANS is a bit dated (2002), the idea has never been more relevant than today, when asynchronous warfare, specifically in cyberspace, is the de facto method of aggression. What makes this issue even more urgent is that, although this recommendation came out in 2002, there is nothing in either the 2018 U.S. Department of Homeland Security Cybersecurity Strategy or the 2018 ODNI Worldwide Threat Assessment that indicates the use of IPB in cyberspace. SANS, George Washington and a slew of other famous people have said “the best defense is a good offense.” I would agree that adapting the IPB process to suit cyberspace will only help increase the robustness of our nation’s cyber defense strategy by “finding the flaws before the bad guys do.”

Aside from these four main segments being important in uncovering potential chinks in our defense’s armor, the findings produced by the IPB could have the potential to influence policy: identifying the possible threats will allow policymakers to form a conversation around retaliatory actions in cyberspace, as well as what kinds of actions in cyberspace constitute punishment and to what degree. It’s also important to note that the process of formulating an IPB or IPOE in any asynchronous game, although unconventional, will only increase understanding of the environment in which one is operating by, at the very least, becoming acclimated to the surroundings and, at best, forming almost a tree of possible actions and the subsequent outcomes of those actions. Winterfeld writes that the bottom line is “IPB must be timely, accurate, usable, complete, and relevant to be useful.” There is not a more relevant time than now to create a usable IPB for cyberspace.

7 comments:

  1. This is a cool concept-- thanks for sharing it! To add to your point about a tree-like map of possible actions and weak points, that also allows for a mental model pointing analysts in the direction of where our collections efforts ought to focus. I think IPB is an excellent way to orient yourself in an environment with which you might not have a deep understanding or familiarity. Do you think the practical terminology e.g. go, slow-go, no-go, key terrain, etc. would have to change for us to move IPB into cyberspace? I wonder if the concept transfers smoothly, but in practice the traditional understanding leads to some disconnect.

    Replies
    1. Good question. I'd need to have a better understanding of networks to understand how that terminology would fit into cyber IPBs, but my initial guess would be that they would have at least some tangential relevance to identifying areas that need to be patched/updated.

  2. You mention an important point about IPB driving policy regarding retaliation to cyber attacks. I think it is important for analysts and decision makers to understand how the enemy views the United States not just from a cyber defense standpoint, but from a retaliatory stance. The enemy's understanding of how the U.S. responds to a cyber attack/espionage, will likely play a role in their courses of action.

    Replies
    1. Agreed - which ties in with my last post on consistency in game theory. I think it would strengthen US defense to have clear offensive responses in place.

  3. Reading this article I find myself thinking that the one big issue with a Cyber IPB is that it requires intimate knowledge of how your adversaries' networks are constructed, both digitally and physically (because there is an inherent non-digital element to computer networks that can give a decision advantage in warfare). In order to get that information, the system defenders would have to have access to the full depths of adversary networks, which infers that defenders and attackers are coordinating their efforts. Penetrating networks can be difficult and eluding detection is especially problematic. I feel like this aspect, in my mind, adds complicating factors that will impact the development of cyber IPBs. The difference here is that finding information about users is far easier, so this aspect, identifying the structure of forces, is a far easier task to accomplish.

    Replies
    1. This article explains the benefits of creating cyber IPBs for your own network as a way to identify where breaches may occur.

      However, I think your interpretation as to how to conduct a cyber IPB with an offensive mindset can also be explored. Remaining undetected in cyber reconnaissance is tricky but, as we've seen, not impossible. Even when a nation state is caught conducting reconnaissance on an adversary (or ally), one can argue the penalties are well worth the information gained about adversarial networks to be included in an IPB.

  4. Bryant, I really liked your post! The idea of using IPB in cyberspace is fascinating. My article talked about the struggle to use IPB in an unpredictable situation. I think the battlefield of cyberspace is very unpredictable. Is there a methodology that you think could be combined with IPB to make it more accurate in cyberspace?
