Nearly every organization and government entity around the world has a media arm to promote its activities. Today’s terrorist organizations are no exception. Top targets such as Al-Qaeda, ISIS and Al-shabaab all have elaborate media mechanisms to promote and recruit for their organizations.
In my role as an Army Officer at US Central Command, I was privileged to support the fight against radical terror and particularly the effort to stop ISIS from creating and publishing videos of their gruesome acts. We also fought to put a stop to magazines that promoted radicalism and the spread of information on how to create IEDs and counter coalition tactics.
Our efforts centered on identifying the Islamic terrorist media apparatus from producers, disseminators and leaders and putting ‘pressure’ to all the places that would impact their operations.
This same pressure model can be used to fight cyber terrorists and criminals. By adopting an end-to-end look across the kill chain or lifecycle of a cyber attack, actions can be taken at specific stages to have the greatest impact in degrading the attacker’s ability to be successful in their objectives or get to the next phase of the kill chain. Organizations must build a “’pressure’ model based on their infrastructure, their tools, their goals and business requirements.
To build this pressure model, you have to look at what can be done to identify attacker recon efforts and degrade or deter the attackers recon operations as well as what can be done to keep them from moving further along the kill chain. Even if the ‘pressure’ placed during recon is not enough, then the organization must move to put pressure on the attacker’s ability to build tools against your specific infrastructure.
This may require purpose placed defense, active hunting, active intelligence collection identifying and stopping delivery of tools or malware and so on for every step of the attackers kill chain, from reconnaissance, design and build, delivery, installation, exploitation, command and control, all the way to combatting their final intended actions of theft, denial of service or ransom. Place enough “pressure” along each step, and attackers will lose interest or at least move on to weaker and less resource intensive targets.
Kudelski Security built its Cyber Fusion Center around the concept of putting pressure at each stage of the kill chain. We take a nonlinear approach to the traditional phases of the kill chain which enables us to identify patterns and disrupt adversary movements throughout the stages of an attack. This results in reduced time to detection, contextualization of the threat and minimizing of the overall impact when an attacker does penetrate border defense.
It starts with information gathering. We collect, enrich and analyze threat data within the context of the environment. This gives our analysts insight on threats and the tactics, techniques, and procedures of adversaries.
Armed with this intelligence, we can help configure and managed defenses to thwart attackers’ advances throughout the kill chain. Should an attacker reach their intended target, virtual tripwires and decoys can stop them from achieving their objectives.
Mark is a retired U.S. Army Lieutenant Colonel, where he previously, held positions as the Deputy Director of the US Central Command (USCENTCOM) Joint Cyber Center, the Deputy Director for the National Security Agency/Central Security Service Threat Operations Center’s (NTOC) Counter Cyber Operations Office, and the Chief of Current Operations and Chief of Enterprise Services for what is now the Army’s Cyber Center. Mark has a MS from the University of Colorado in Telecommunications Engineering and a BS from Worcester Polytechnic Institute.
Latest posts by Mark Mattei (see all)
- Why Fusion is Necessary - March 19, 2018
- Think Like the Enemy: Leveraging OPSEC to Stop Social Engineering Exploits - October 19, 2017
- The Cyber Pressure Model - June 6, 2017