The modern cybersecurity landscape has often been compared to a battlefield, with adversaries and defenders alike using military-style strategy and tactics.
With nation-states increasingly engaged in cyber attacks, the military analogy isn't just a metaphor, it's becoming a reality for how cybersecurity actually works. Among the most well known institutions in the U.S. for studying military practices and strategy is the United States Military Academy at West Point, where Greg Conti spent over a decade researching and training military personnel on cybersecurity strategy.
Since 2016, Conti has worked at IronNet Cybersecurity, a company led by former National Security Agency chief General Keith Alexander, helping to train and educate non-military personnel in understanding the modern cybersecurity landscape. In a video interview with eSecurity Planet, Conti provides insight into how military concepts apply to cybersecurity and how enterprises can use that knowledge to defend themselves.
Lesson #1: There is a need for military-style strategy and tactics
Conti said that in the early days of cybersecurity, the stakes were not as high as they are now. Now, companies can suffer extreme harm and nations can be put at risk from cyber attacks.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
One of the most commonly used concepts by cybersecurity vendors and researchers it the idea of kill chain, which defines the order of operations used by an attacker to execute an action. The basic idea is that if a defender can disrupt the chain, they can 'kill' the operation. Conti said that while kill-chain is a useful concept, there are in fact, hundreds of military concepts that can be applied to cybersecurity.
Another core military technique that has value in the cyber domain is targeting.
"In the old days, it was just field artillery and canons," Conti said. "Now it's how do you look across the entire internet and determine what might be targeted."
Prioritizing the target landscape and understanding effects-based operations are also key. Conti said military strategy isn't just about blowing things up, it's about looking at what effect a given action should have.
Lesson #2: Putting a wall around something doesn't secure it
Centuries of thought have gone into considering how the physical battlefield operates. Conti noted that while having a perimeter sometimes works, there are lessons that have been learned from counter-insurgency military operations that also apply to cybersecurity.
The equivalent to putting a wall around something in the physical world is using some form of firewall or perimeter-based security for IT.
"There is no perimeter in counter-insurgency; you have to win over hearts and minds to win the battle," he said.
Lesson #3: To defend, you need to think like an attacker
The idea of thinking like an attacker is not a new concept for cybersecurity and why security conferences often include demonstrations and instruction on hacking concepts. That said, in Conti's view there is now a need to also think like nation-state attackers.
"Even if you're a defender, you can then get into the mind of the organization that is attempting to break into you network, industry sector or country," he said.
Lesson #4: Red team penetration testing is a tactical operation
Tactical military operations in the physical world involve soldiers with guns. In the cyber domain, tactical operations can be conducted by people on keyboards. A red team penetration test in Conti's view is one type of tactical operation.
"One of the unique attributes that differs from traditional military fighting on a battlefield is that our companies are on the defense all the time," Conti said. "So at some point we're going to have to figure out how to bring the government's authority to use legal force to bear to deter attackers."
Lesson #5: Attribution requires intelligence
A core element of military operations that has carried over to cybersecurity is the need for attribution to determine root cause and origin for a given attack. To do attribution correctly requires intelligence, which is something that the U.S. government has enabled to be able to track back attacks.
Conti said individual companies can also do attribution to a lesser degree than the government. Companies can use the assets they have available, in combination with threat intelligence feeds.
Lesson #6: There are armies acting in cyberspace today
The idea of applying military strategy and tactics to cybersecurity isn't just about providing a better understanding of what is going on, it's also about dealing with the reality that there are literally armies operating in cyberspace today.
In Conti's view, organizations of all sizes are a target of nation-state adversaries. As such, he suggests that organizations need to understand the attack landscape and build appropriate defenses. Conti also suggests that organizations work and partner with other companies in their own sector to make everyone safer.
Watch the full video interview with Greg Conti below:
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.