Posted on by Resilience Management Model (RMM)in
What differentiates cybersecurity from other domains in information technology (IT)? Cybersecurity must account for an adversary. It is the intentions, capabilities, prevailing attack patterns of these adversaries that form the basis of risk management and the development of requirements for cybersecurity programs. In this blog post, the first in a series, I present strategies for enabling resilience practitioners to organize and articulate their intelligence needs, as well as relevant organizational information, establish a collaborative relationship with their intelligence providers, organize and assess intelligence, and act upon intelligence via frameworks such as the CERT® Resilience Management Model (CERT-RMM), Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro methodology, the NIST Risk Management Framework, Agile, and the Project Management Body of Knowledge (PMBOK). Subsequent postings in this blog series, we discuss how these common resilience, risk, and project-management frameworks can be leveraged to integrate threat intelligence into improving the operational resilience of organizations.
Requirements definition has long been foundational to IT, whether it involves developing user stories in Agile, quality attributes for a system architecture, or requirements for project planning. Our work in planning and managing operational resilience focuses on three attributes of the threat actor: intentions, attack capabilities, and prevailing attack patterns . These three factors form the basis for determining what actions take priority, while balancing the organization's services, reputation, and bottom line. But how does an operational resilience practitioner take the cacophony of threat intelligence and inject it into established frameworks for resilience, risk, and project management? How does one operationalize cyber intelligence?
The resilience, risk, and project-management frameworks that we discuss through this series of blog posts contain numerous touchpoints, where intelligence needs can be identified and products consumed in a structured, pragmatic way, without giving in to the dreaded triad of fear, uncertainty, and doubt. The United States military does just this on a continuous basis as part of its Military Decision-Making Process (MDMP) and Intelligence Preparation of the Battlefield (IPB) process. While historically applied to kinetic military operations, MDMP and IPB have both become staples in cyber-related planning in the military and can be adapted to management techniques in civilian spheres, as well.
Threat actors come in a variety of forms. CERT-RMM defines a threat actor as "a situation, entity, individual, group, or action that has the potential to exploit a threat." CERT-RMM further defines a threat as "the combination of a vulnerability, a threat actor, a motive (if the threat actor is a person or persons), and the potential to produce a harmful outcome for the organization." Threats can come from physical sources, such as weather (e.g., floods and earthquakes) and human hazards to facilities, such as terrorists and civil unrest, or they can be the logical threats we normally associate with cybersecurity, such as nation-state actors, criminal elements, hacktivists, cyber-terrorists, and insider threats.
To gain a better understanding of how IPB is currently leveraged in cyber operations, I spoke with an active military intelligence professional. During our discussions, he stressed the need for a routine, collaborative relationship between operational resilience practitioners and those who perform threat intelligence for them. A relationship of trust, he stressed, must develop, whereby the intelligence analyst understands how the operational resilience practitioner thinks and prioritizes, and the resilience practitioner must come to trust the intelligence products delivered and provide feedback.
IPB is a time-tested process to support adversarial operations, having been successfully used by the U.S. military for decades for a wide variety of operations, including major combat operations, force protection, and peacekeeping, as well as defensive and offensive cyber operations. It is also adaptable to various situations where the available analysis time either may be abundant or constrained. For our purposes, however, its limitations are twofold. First, the terminology is decidedly military and may not be accessible to those without a military planning background. Second, there is an opportunity for a deeper treatment of operational-resilience considerations. The remainder of this post discusses how intelligence preparation for operational resilience can be performed to meet those ends.
Voice of the Organization
Having introduced the idea of leveraging intelligence to seamlessly support operational resilience, risk, and project management, we will now discuss how the operational resilience practitioner can establish an understanding of what must be defended, a concept I have termed the Voice of the Organization. When considering the Voice of the Organization, the operational resilience practitioner must not only consider the assets (i.e., people, information, technology, and facilities), but the services that the organization relies on (e.g., customer relationship management, payroll, human resources management) to meet the organization's mission. To accomplish this requires not only open channels of communication with technical service providers, but for leaders of business functions within the organization to understand how these services support the organization's strategic objectives.
When I was the chief of systems security for an Army agency in the Pentagon, my division developed what I titled a "threat interest matrix." This matrix catalogued the following information:
Next, I asked each of the organizations and system owners to validate this information and provide feedback. The benefits were twofold. First, it ensured that our analysis was correct and complete. But just as important, it enabled key non-IT leaders to see the linkage between their system assets and the functions they performed. Once this matrix was validated, it provided an operational resilience context to all risk management decisions and communications from that point forward. We were able to not only quote standards and regulations, but advise on what the operational impact might be of a breakdown in system resilience. The military cyber professional I interviewed also cited an assessment of the organization's functions, data, and systems as the most important piece of information he uses when performing the analysis, production, and dissemination of cyber intelligence products. This information enables him to focus on the threat intelligence most relevant to his customer base with limited intelligence resources.
Army Techniques Publication (ATP) 2-01.3, Intelligence Preparation of the Battlefield, lists the steps for performing IPB. Determining the Voice of the Organization is analogous to the first step of IPB, "Identify the limits of the commander's area of operations". The results of this step would fall into what author Stephen Covey called in his Seven Habits of Highly Effective People an organization's "circle of influence", or those considerations that the organization can affect, such as its portfolio of IT systems and programs, spending, hiring, purchasing, and training.
The Voice of the Environment
Having first discussed how the operational resilience practitioner can establish an understanding of what must be defended, we will now discuss achieving situational awareness of the environment, which I have termed "establishing the Voice of the Environment."
The next step in the IPB process is to "Identify the limits of the commander's area of interest." Considerations in this area fall into what Covey terms the organization's "circle of concern"; considerations that may affect the organization but which the organization does not directly affect. This includes the organization's stakeholders (such as a market or a serviced population), technological trends, such as migrating to cloud computing and mobile technologies, as well as socio-political trends.
The third step in IPB is to "Identify significant characteristics of the areas of operations and areas of interest for further analysis." It is at this step that the operational resilience practitioner communicates his or her requirement of intelligence needs to the intelligence analyst. Again, this is a continuous, collaborative communication. Just as the operational resilience practitioner is communicating his or her concerns and point of view, as the military cyber intelligence professional also pointed out, the intelligence analyst is likely to provide additional points of consideration for inclusion into resilience, risk, and project management. This step also involves assessing elements of the Voice of the Environment, such as
A continuous evaluation of the Voice of the Environment enables the operational resilience practitioner to provide a fuller context to intelligence analysts regarding their concerns.
Together, the operational resilience practitioner and intelligence analyst agree to "Initiate a process necessary to acquire information necessary to complete the IPB." Once a satisfactory level of awareness of the Voice of the Environment is complete, the cyber practitioner can decide the relevance of this information to the organization's resilience posture and what impacts it may create with respect to the Voice of the Environment.
The Voice of the Threat
Within the context of the Voice of the Organization and the Voice of the Environment, the intelligence analyst can perform analysis of the Voice of the Threat.
The Voice of the Threat refers to the intelligence needed or the understanding of the intentions, attack capabilities, and prevailing attack patterns of threat actors, i.e., the adversaries. Since the threat environment is diverse and ever changing, it is important to agree on a taxonomy for categories of threat actors. As the threat interest matrix discussed earlier in this blog indicated, different defended services and assets will have different threat actors who may take an interest in them. This is not to say that another category of threat actor may not stumble upon or target the service or asset. However, by being able to marshal analysis resources to counter the most likely and impactful threats, the operational resilience practitioner and intelligence analyst can decompose the problem into a manageable state.
There is a great deal of ambiguity with respect to intentions, motives, capabilities, and actions of individual threat actors. Effective threat actors maintain anonymity by keeping their physical and digital personae separate, have worldwide reach, and can create asymmetric effects. However, just as a myriad of consumers can create distinct patterns valuable to marketers, threat actors can create patterns, individually and categorically, which can lead to greater precision in decision making. This precision can enable the resilience practitioner to not only collect more data, but better quality data, and make greater sense of it. Understanding the limitations of intelligence is as important as the intelligence itself. While intelligence may not be perfect, when properly understood and applied, intelligence can enable the organization to make more effective decisions with respect to their limited operational resources.
IPB contains steps to "Describe Environmental Effects on Operations" [ATP 2-01, p. 4-1], "Evaluate the Threat" [ATP 2-01, p. 5-1], and "Determine Threat Courses of Action" [ATP 2-01, p. 6-1]. These steps answer the question, "So what?" or the relevance to the organization's operational resilience program. When intelligence on specific threat actors is not available, these steps can be performed categorically, providing an abstraction of related threat intelligence. Whenever possible, quantitative threat intelligence should be provided.
Qualitative information (i.e., the observations of the analyst) can be just as important. Quantitative and qualitative analysis should both be communicated and consumed within context. Correlation between quantitative data does not necessarily mean causation. The analyst should also provide his or her relative level of confidence in the assessment and as much context as possible within the bounds of classification and source protection. In the end, the assessment of the analyst must provide the decision maker the correct information to make a sound decision. Operational resilience and business-function leaders must make the risk-management decisions based on their priorities.
The next post in this series describes how intelligence analysts can leverage operational resilience measurement and decision-making best practices to integrate threat intelligence into improving the operational resilience of organizations, in much the same way the MDMP makes use of IPB to inform military operations.
We welcome your feedback in the comments section below.
For more information about the CERT-RMM Framework, please visit
For more information about CERT's OCTAVE Allegro Framework, please visit