
Cyber Training: Developing the Next Generation of Cyber Analysts



Part of the solution involves identifying and recruiting top thinkers into the field of cybersecurity, but the more immediate challenge is ensuring that cyber professionals have access to the training and information they need to keep their cyber intelligence analysis skills relevant and effective. Due to the rapidly evolving nature of the threat, education and training must be continuous, and this document focuses on strategies and best practices for developing a cyber force that maintains America’s position as a global leader in the information age.

Published in: Business, Technology


  1. Cyber Training: Developing the Next Generation of Cyber Analysts. Ready for what’s next.
  2. Table of Contents

     The Crisis Moment
     The Cyber Skills Gap
     Developing a World-Class Cyber Workforce
       Emulating the Medical Model
       Aligning Training with Mission Goals
       Keeping Pace in the Tech Race
       Connecting the Dots in Cyber Space
     Conclusion
     About Booz Allen
     Principal Offices
  3. Cyber Training: Developing the Next Generation of Cyber Analysts

     The Crisis Moment

     You’re a government technology leader responsible for protecting the systems that power critical infrastructure across your entire jurisdiction—but you’ve never seen anything like this.

     A piece of malware has infected a power plant that delivers electricity to millions of citizens, and it’s not only interested in stealing information or spying—it’s built to inflict physical damage. This super worm has taken control of the plant’s automated factory control system and is now calling the shots. Service interruptions have already begun, but you’re more worried about the safety of your citizens. If it’s capable of crossing the digital divide and manipulating actual plant processes, what else is it capable of?

     The malware has infected the plant’s IT infrastructure without any action by internal personnel—nobody downloaded a rogue link. You’ve got your best cybersecurity experts conducting analysis, but time is running short. Do they possess the necessary cyber skills required for an effective response?

     The Cyber Skills Gap

     It would be comforting if the example above was hypothetical, but the description mirrors the Stuxnet super worm that was discovered in 2010. Stuxnet marks a transformative leap in cyber warfare, as a weapon capable of destroying physical assets. It is known to have infected tens of thousands of computers across the globe, seeking out targeted industrial systems. In November of that same year, Iran’s president confirmed that the worm halted activities critical to the country’s uranium enrichment program.1

     More sophisticated, complex, and powerful than any piece of malware to date, Stuxnet is essentially a “cyber missile” and a chilling reminder of the digital threats that nations face in the information age. Our enemies are less hindered by borders, cost, and availability of weapons than at any point in our history. Previous methods of attack—like bombs or missiles—could only be executed by a select few. By contrast, cyber attacks only require a certain amount of expertise and access to a computer, and the anonymity of the cyber environment lowers the risk of retaliation. Our national security experts used to worry about rogue individual hackers, but now they are facing threats from malware developers who are supported by governments and other political organizations capable of devoting significant resources to the creation of more intricate cyber weaponry.

     The bad news is that as the threat evolves, the stakes get higher. The world’s citizens are increasingly reliant on IT systems to deliver essential services like energy, communications, and healthcare. Critical infrastructure networks are more connected than ever before, and we share vast amounts of information online. As our society becomes more dependent on information technology, cybersecurity becomes absolutely essential, and the United States needs more cybersecurity professionals with the skills required to defend our citizens against these emerging

     Part of the solution involves identifying and recruiting top thinkers into the field of cybersecurity, but the more immediate challenge is ensuring that cyber professionals have access to the training and information they need to keep their cyber intelligence analysis skills relevant and effective. Due to the rapidly evolving nature of the threat, education and training must be continuous, and this document focuses on

     1 Ashford, Warwick, “Iran confirms Stuxnet hit uranium enrichment centrifuges.”, November 30, 2010, Stuxnet-hit-uranium-enrichment-centrifuges.htm (accessed 11 Feb. 2011)
  4. strategies and best practices for developing a cyber force that maintains America’s position as a global leader in the information age.

     Developing a World-Class Cyber Workforce

     The United States must begin developing a different kind of cyber analyst. Current cyber training is typically focused on the technical skills required to identify and respond to cyber threats. While those skills are essential, they are only effective when implemented within the broader context of intelligence analysis. It’s not enough to know how to take down a network, or prevent an intrusion. Today’s cyber analyst must be able to “connect the dots”—anticipating where threats could potentially originate from and understanding the broader, strategic implications of a cyber response. While necessary, technical skills alone are insufficient without the analytical skills required to develop a holistic threat picture and a proactive cyber strategy.

     It really comes down to understanding what our enemies want, and how they think. The United States needs cyber professionals capable of anticipating attacks based on the attacker’s motivation and culture. So what do our enemies want? Ideas are a highly sought after commodity in the digital age. Some attackers are attempting to steal trade secrets for economic gain. Others want to gain access to national security information. Still others are looking to bring down networks and halt critical infrastructure processes as a show of intimidation or terrorism. Defending our country’s most critical assets requires a force of all-source intelligence analysts that also possess the skills and competencies to operate within modern cyber warfare. We need professionals who can recognize why an agency, network, or data set would be a target to an enemy, and understand the cyber tactics that an enemy may employ to achieve its ends.

     Emulating the Medical Model

     The medical profession can serve as a helpful guide in building a comprehensive, well-rounded cyber force. Medicine, like cybersecurity, is a rapidly changing, complex field. Every day, new viruses are discovered, new treatments are developed, and practitioners must consistently incorporate the latest thinking into patient care. The medical profession also strives to be proactive rather than reactive, focusing research on prevention as well as prescription.

     The world of cyber is very similar, as analysts are constantly challenged by new technology, (e.g., worms), new vulnerabilities, and emerging enemies. It’s unreasonable to expect a single cyber analyst to be trained to respond to the incredible variety of threats that exist, but at the same time, there are some foundational skills that all cyber pros should possess. The goal is a cyber force comprised of general practitioners, specialists, and emergency responders.

     The medical model shows that creating an effective force in a constantly evolving field requires continuous training. Doctors, surgeons, and nurses are required to stay up to date on current treatment methods, and much of this is done through rigorous qualifications, accreditations, and certifications that have been established within the profession. The cyber community can achieve the same results using a similar model, but the challenge lies in identifying the skills analysts must possess to ensure training initiatives align with current mission goals.

     Aligning Training with Mission Goals

     Too often, our top cyber certifications focus solely on technical competencies, and don’t incorporate the

     2 Center for Strategic and International Studies, CSIS Commission on Cybersecurity for the 44th Presidency, A Human Capital Crisis in Cybersecurity, November 2010, HumanCapital_Web.pdf
  5. “There are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000.” – Jim Gosler, Sandia Fellow, NSA Visiting Scientist 5
  7. structured analytical training techniques that produce cyber analysts capable of “big picture” thinking. We need to reexamine the processes we use to teach our cyber professionals how to think.

     There have been many independent attempts by well-meaning organizations within the government to establish training standards, position descriptions, and certifications around cyber, but these disparate attempts lack uniformity and have led to confusion. In fact, the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency found that not only is the current system inadequate, it’s also dangerous.3 Organizations are spending resources on training initiatives that aren’t improving analysts’ abilities to address threats, and these credentials are creating a false sense of security within the industry.

     These are extremely distressing findings for the cyber community and a clear indication that analysts need access to more effective training methods that leverage best practices based on current industry research. That’s where Booz Allen Hamilton comes in.

     For decades, Booz Allen has engaged in defining cyber roles and competencies with government agencies like the Office of Personnel Management (OPM), Office of the Director of National Intelligence (ODNI), and Department of Homeland Security (DHS). We know the challenges that our cyber clients are facing, we know the competency gaps, and we know how to conduct cyber training that gets results.

     To guide organizations through the process of becoming “cyber ready” we’ve developed the Cyber People Readiness Suite, which is a modular approach for building a next-generation cyber workforce. Our methodology combines the latest technical training with structured analytical techniques designed to develop necessary critical thinking skills. We understand that government needs a new type of cyber analyst—one capable of taking technical intelligence and merging it with traditional intelligence to produce a holistic threat picture. Booz Allen is currently guiding several federal agencies through this process—building critical thinking skills through 23 distinct analytical techniques that incorporate immersive, active learning exercises. During the process of building both technical and analytical general practitioner skills, we also offer specialist courses focused on developing regional expertise. Analysts use these courses to develop an understanding of the historical, cultural, and religious influences that impact the way our enemies think, what they value, and how they might engage in cyber warfare.

     In support of these efforts, Booz Allen is using its Cyber University to increase the cyber talent pool for government agencies. The Cyber University has evolved into boot camps, advanced training and mentoring programs, and technical certifications where cyber professionals can acquire new competencies. Booz Allen’s own consultants have the opportunity to learn about new tools and strategies, allowing them to stay ahead of emerging cyber trends, threats, and innovations and to better serve clients. Our training, education and performance support (TEPS) community of practice includes over 1,400 learning professionals, providing learning and education support services worldwide. We leverage their knowledge of the latest tools, technologies, and skills to meet current and future government mission requirements.

     Keeping Pace in the Tech Race

     The cybersecurity landscape has changed rapidly over the past decade, and the obsolescence curve is

     3 Center for Strategic and International Studies, CSIS Commission on Cybersecurity for the 44th Presidency, A Human Capital Crisis in Cybersecurity, November 2010, Evans_HumanCapital_Web.pdf
  8. unrelenting. Threats have evolved through technology innovation, and cyber professionals are being challenged to keep pace. Security experts used to worry about viruses taking down systems or monitoring networks to obtain valuable information. Now cyber analysts must prepare for the next generation of super worms like Stuxnet, capable of controlling and manipulating physical technology processes.

     When new threats like Stuxnet emerge, the cyber community will be forced to act quickly. “Just-in-time” training will be replaced by “just-invented” training created in response to a specific emerging threat. To go back to our medical analogy, teams of emergency responders will need to be created to quickly understand these increasingly complex attacks. But, there are still general practitioner technical skills and previously identified threat detection techniques in which all analysts will need to be proficient.

     Regardless of functional area, mission or title, competencies in network architecture, network security, information assurance, and Web technology will serve as foundational knowledge across cyber roles. Specialists in digital forensics, cloud computing, hacking methodology, and secure coding will also continue to be in high demand. For updating, refreshing, and building these technical security skills, existing commercial-off-the-shelf (COTS) training offerings can be extremely effective.

     The SysAdmin, Audit, Network, Security (SANS) Institute, a leading provider of information security training, certification, and research, provides high quality, off-the-shelf technical certification solutions that have proven successful in the past. And for technical training, why reinvent the wheel? Some of these courses are currently being used to satisfy requirements within DoD Directive 8570, which identifies key training for information assurance roles within the defense industry. Today’s COTS solutions are scalable, customizable, focused on cutting-edge cyber topics, and offer great value when training large teams. They are particularly effective for developing those foundational, general practitioner technical skills that all analysts need to have. COTS solutions work on the technical front because technical skills are more cut and dry, and easier to test. The real challenge lies in developing highly-complex problem solving abilities and threat detection techniques, because the United States needs cyber analysts, not just technical security experts.

     Connecting the Dots in Cyber Space

     Our clients are finding that their analysts need a richer skill set. They need professionals with advanced networking skills who can also conduct an all-source intelligence analysis. They need people capable of building contextual connections within highly complex information environments and making timely, informed decisions based on that data. They need analysts with critical thinking skills who understand the way our enemies are attacking systems and possess the ability to write credible reports based on those findings. They need people capable of leading interagency collaboration efforts and facilitating information sharing best practices. We’ve reached a tipping point within the cyber community—we need a different kind of analyst.

     So how do we create the twenty-first century cyber pro? It all starts with learning how to think, and establishing a culture that values analytical reasoning and the ability to see things from alternative perspectives.

     It sounds so fundamental, but thinking analytically is a skill that can be taught, learned, and improved with practice.4 In the world of intelligence, the key to success is processing information as accurately as

     4 Heuer Jr., Richards, J., The Psychology of Intelligence Analysis, Center for the Study of Intelligence, Pherson Associates, 1999.
  9. possible in order to make informed strategic decisions. To do this, cyber analysts must understand the science of analysis, while recognizing the limitations of the human mind.5 Between past experiences, education, and cultural values, we all bring certain biases and mental constructs to the process of evaluating complex problems. This becomes a challenge for intelligence analysts when these existing biases lead to premature or incorrect assumptions. We tend to perceive what we expect to perceive, which can hinder our ability to get at the truth. For analysts, this process is made even more complicated by the fact that there is often organizational pressure to be “consistent” with interpretations. So analysts are encouraged, both internally and externally, to maintain original analyses, even in the face of new evidence. We know these things about the way the human mind works, and it’s important to teach analytical techniques that counterbalance these inherent weaknesses.6

     Unfortunately, this is where COTS offerings fall short. Analytical skills are best developed through interactive, immersive training experiences. In other words, you can’t learn this stuff from a book. At Booz Allen, we’ve found success in a number of group exercises and “war games” that force analysts to question the fundamental basis of their interpretations. Some examples are listed in Exhibit 1.

     Exhibit 1 | Analytical Techniques for Improved Decision-Making

     The Science of Analysis
       • Key Assumptions Check: List and review the key working assumptions on which fundamental judgments rest
       • Quality of Information Check: Evaluates the completeness and soundness of information sources
       • Deception Detection: Systemic use of checklists to determine when deception actually may be present and how to avoid being deceived

     Group Exercises
       • Devil’s Advocacy: Challenging a single strongly held view or consensus by building the best possible case for an alternative explanation
       • Team A/Team B: Use of separate analytic teams that contrast two or more strongly held views
       • Red Team Analysis: Models the behavior of an individual or group by trying to replicate how an adversary would think about an issue

     Anticipate Potential Actions

     Source: Booz Allen Hamilton

     The Red Team Analysis and Deception Detection exercises bring up another key challenge that cyber analysts face—understanding the motivations of our enemies. It’s common for all people to project their own cultural values onto other societies in order to make sense of them. Unfortunately, in the intelligence gathering world, this can result in misperceptions and misunderstandings. Foreign behaviors can often appear irrational through an American lens, and in order to truly understand motivation, analysts must thoroughly understand the cultures that shape enemy thinking.

     To help build regional cyber specialists, Booz Allen has created customized training courses that examine the history, government, education, geography, religion, and existing military theories that shape thinking in strategic regions across the globe. To understand Pakistan, analysts need more than information on Pakistan, they need to understand the mental models, mind-sets, biases, and analytical assumptions that Pakistani citizens bring to complex global issues. An analyst can only anticipate potential actions when he or she is able to view the world as a potential enemy does.

     These complex analytical skills can’t be measured through a multiple choice test. Critical thinking is enhanced by placing analysts in real-world scenarios involving rapidly changing threat data that demands a

     5,6 Heuer Jr., Richards, J., The Psychology of Intelligence Analysis, Center for the Study of Intelligence, Pherson Associates, 1999.
  10. nuanced response. There are many emerging tactics that have been proven to achieve significant results, including simulations, war games, social media tools, collaboration, case study reenactments, and board games. But, threat analysis is only one part of the process. These exercises must also simulate the management and strategic implementation of communications strategies between relevant stakeholders. Today’s cyber leaders not only have to be capable of identifying threats, but also leading and orchestrating coordinated responses to cyber events.

     Our clients are looking for customized analytical training exercises that prepare cyber personnel to deal with practical, current, real-world situations. Booz Allen works closely with agency training departments to create exercises that prepare analysts for today’s security threats, but academia plays a strong role here, as well. One example comes from the Center for Information Systems Security Studies and Research (CISR) at the Naval Postgraduate School (NPS). NPS has developed “CyberCIEGE,”7 a cutting-edge 3D video game in which players construct a networked computing system and defend it against a variety of attacks.

     Simulations like CyberCIEGE are part of the next wave of learning solutions in the cyber community, and the emergence of social media has a role to play, as well. Analysts need to communicate with other analysts that have experienced complex cyber threat situations and exchange valuable intelligence on best practices. Chat rooms, forums, and Wikis are all tools that can rapidly expand the collective knowledge base of the entire cyber community. There is no replacement for experience, which is why Booz Allen training consultants base exercises on real-world events and map decisions to actual consequences.

     All training tactics must be constantly evaluated for effectiveness and their ability to demonstrably improve skills that support mission goals, but it’s clear that the cyber community must place more emphasis on analytical skills such as critical thinking, problem solving, stakeholder management, and communications. As analytical training evolves and matures, meaningful certifications and more relevant university degree programs must be developed to reinforce best

     Exhibit 2 | Developing a Next Generation Cyber Analyst (figure labels: TRAINING Tactics: Cyber Technical Training; Regional Expertise Training/Studies; All Source Analytic and Critical Thinking Training; University Education. IMPROVED SKILLS: Support Mission Goals.)

     Source: Booz Allen Hamilton

     Conclusion

     The information age has redefined the way we think about warfare. In this new cyber environment, the United States requires leaders that possess both the analytical skills of a traditional intelligence analyst, and the technical skills of a cybersecurity expert. Building a cyber force with this unique skill set will require an evolution in training methodology, and the creation of a culture that values critical thinking. The challenge is great and the stakes have never been higher, so let us work with you to build your team of next-generation cyber analysts.
  11. About Booz Allen Hamilton

     Booz Allen Hamilton has been at the forefront of strategy and technology consulting for nearly a century. Today, the firm is a major provider of professional services primarily to US government agencies in the defense, intelligence, and civil sectors, as well as to corporations, institutions, and not-for-profit organizations. Booz Allen offers clients deep functional knowledge spanning strategy and, technology, engineering and operations, and analytics—which it combines with specialized expertise in clients’ mission and domain areas to help solve their toughest problems.

     The firm’s management consulting heritage is the basis for its unique collaborative culture and operating model, enabling Booz Allen to anticipate needs and opportunities, rapidly deploy talent and resources, and deliver enduring results. By combining a consultant’s problem-solving orientation with deep technical knowledge and strong execution, Booz Allen helps clients achieve success in their most critical missions—as evidenced by the firm’s many client relationships that span decades. Booz Allen helps shape thinking and prepare for future developments in areas of national importance, including cybersecurity, homeland security, healthcare, and information technology.

     Booz Allen is headquartered in McLean, Virginia, employs more than 25,000 people, and has annual revenues of over $5 billion. Fortune has named Booz Allen one of its “100 Best Companies to Work For” for six consecutive years. Working Mother has ranked the firm among its “100 Best Companies for Working Mothers” annually since 1999. More information is available at

     To see how Booz Allen can help your cybersecurity workforce effort, please contact one of our consultants:

       • Michael Parmentier, Principal, parmentier_michael@bah.com, 703/984-0081
       • Lee Ann Timreck, Principal, timreck_lee_ann@bah.com, 703/984-0096
       • Grey Burkhart, Senior Associate, burkhart_grey@bah.com, 703/377-6822
  12. Principal Offices

     The most complete, recent list of offices and their addresses and telephone numbers can be found on

     ©2011 Booz Allen Hamilton Inc.