Jon Watada is the director for cyber solutions at Lockheed Martin's Information Systems & Global Solutions business, serving the federal, commercial, global, defense and intelligence communities.
Do you remember the short lived 3-D poster craze of the mid 1990's where posters contained computer generated hidden 3-D images that you can only see after staring at it for several minutes and focusing your eyes either in front or beyond the actual image itself? When you first examine the poster, the image appears to be a random scattering of colors and shapes. However, if you were able to unfocus your eyes in just the right way, you were rewarded with a 3-dimensional image. I still remember the elation felt by those who could see the revealed 3-D image and the frustration of those who couldn't.
Today, many cyber analysts have a similar feeling of frustration from looking at computer-generated cyber data. On the surface, internally produced data logs and alerts appear to be a random jumble of data but if they are able to stare long enough at all of the data at once, there is the promise that they could be rewarded with a hidden image of cyber anomalies and patterns of attack in the enterprise that no one ever knew existed.
So why is the need to continually analyze large amounts of cyber data so important to protect your enterprise? The bottom line is that there are specific cyber groups, countries or organizations who want your data or want to harm your organization. These groups are not curious hackers. These groups range from foreign military or intelligence organizations, to organized crime, to ideological extremists, to disreputable corporations. These groups operate in a highly organized and systematic manner to acquire your data or harm your enterprise for financial, political, military, or ideological reasons. Each group tends to use similar classes of hacker tools and similar techniques to access your data. Analyzing and displaying the entire collection of discreet cyber events across your enterprise as a unified picture helps your cyber analysts discover previously hidden patterns of cyberattacks.
So now the question is how do we help your cyber analysts see the hidden image? The broad landscape of seemingly unrelated pieces of information needs to be organized in such a way that our human brains can begin to make sense of the data and begin to see the hidden images and patterns. One such model used today is the Cyber Kill Chain.
The Cyber Kill Chain helps your analysts classify intrusions into your systems into seven distinct phases that illustrate how successful your adversary was in penetrating your enterprise. The seven phases of the Cyber Kill Chain are reconnaissance, weaponization, delivery, exploitation, installation, command/control, and actions on objectives. As the intruder moves from one phase to the next, he is getting closer to acquiring your data or harming your enterprise.
Enhancing your perimeter-focused defense is just one of the several layers needed to increase the security of your enterprise. A Cyber Heat Map helps your cyber analysts identify patterns of attack by linking individual intrusions of your enterprise to form a picture of a broader, systematic and coordinated set of activities (this assumes your analysts kept or created a baseline based on your historical data.) By analyzing these systematic activities against your enterprise over a series of days, months or years, your analysts can discover time-phased patterns of attacks; patterns that can help them identify their adversary and enable them to anticipate the timing and methods of future attacks.
The Cyber Kill Chain and Cyber Heat Map are just two models that help your analyst see the "hidden image" within your cyber data and shorten the timeline to detect or anticipate attacks and protect your enterprise. There are a growing number of commercial and custom analytic tools that, if implemented and used correctly, provide your cyber analysts with the ability to begin to automate responses to intrusions or anomalies within your enterprise.