Sunday, May 20, 2012

Comparing IEDs and Digital Threats

Two weeks ago Vago Muradian from This Week in Defense News interviewed Army Lt Gen Michael Barbero, commander of the Joint IED Defeat Organization. I was struck by the similarities between the problems his command handles regarding improvised explosive devices (IEDs) and those involving digital security professionals.

In fact, you may be aware that papers and approaches like Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D. were inspired by the desire to move "left of boom" regarding IEDs.

In this post I will highlight elements from the interview which will likely resonate with those working digital security problems.

  • The threat "shares information globally," and engages in an "arms race" with defenders, sometimes by "sitting in front of a computer" devising the latest tools and techniques.
  • The adversary can introduce changes to tools and techniques in weeks and months, not years or decades as was the case with conventional or strategic weapons.
  • For a "meagre expenditure," the adversary can impose "huge costs on defenders."
  • The goal of the security program (i.e., JIEDDO) is to provide commanders freedom of maneuver to conduct operations (business) in an IED environment.
  • "If you're worrying about the device, you're playing defense." Don't focus only on the device, put pressure on the networks (of adversaries who design, build, and operate the weapons.)
  • Intelligence plays a key role in defeating adversaries. Winning involves applying "lethal pressure, "along with government techniques. "It takes a network to defeat a network."
  • Defeating the device attracts the most attention and funding, but training users and attacking the network must also be pursued. Training involves ensuring that operators are using countermeasures effectively and appropriately.
  • JIEDDO shares threat intelligence in unclassified form so industry partners can devise countermeasures. The unclassified documents are backed by a classified appendix that describes how troops deploy countermeasures in operational settings.
I find the first four minutes of that interview, then comments about unclassified intel sharing at the seven minute mark, to be fascinating. It's clear to me that "malware" is the equivalent to IEDs in this context. Sure enough, just as in the IED world, defeating malware attracts a log of "attention and funding," but training users and "attacking the network" are just as, if not more, important.

If you'd like to see examples of the IEDs encountered in the field and some US countermeasures, check out the first segment.

No comments: