This document discusses the concept of Cybersecurity Command, Control, Communications, Intelligence, Surveillance and Reconnaissance (CS C4ISR) and how applying military-inspired C4ISR concepts can help strengthen cybersecurity operations in the private sector and government agencies. It begins by defining the differences between cyberspace and cybersecurity, and examines how C4ISR is currently applied in the military domain versus how the key concepts of command and control, communications, computing, intelligence, surveillance and reconnaissance can be adapted for cybersecurity use. The document then analyzes each C4ISR element in detail and how private sector cybersecurity teams could implement similar functions. It argues that taking a more militarized approach to cyber

1. 1
Balancing Business Requirements to Security Solutions
Bill Ross
804-855-4988
bill.ross@infosecforce.com
“We must continue to fight and win in this enormous cyber war rampaging the world”
Bill Ross
INFOSECFORCE
Cyber Security Command, Control,
Communications, Intelligence, Surveillance and
Reconnaissance
CS C4ISR

2. 2
Contents
1 Introduction on the need for exceptional CS C4ISR within Cybersecurity. ........................... 4
1.1 Critical need for a CS C4ISR Discussion......................................................................... 4
2 Cyberspace versus Cybersecurity ........................................................................................... 5
2.1 Cyberspace and C4ISR..................................................................................................... 6
2.2 Most daunting task for ISR in Cyberspace....................................................................... 7
3 Command, Control, Communications, Computer, Intelligence, Surveillance, and
Reconnaissance (C4ISR)................................................................................................................. 7
4 C4ISR in the military and Cybersecurity (CS) C4ISR in the Private Sector .......................... 8
4.1 Command and Control (C2)............................................................................................. 8
4.1.1 Private sector Cybersecurity and Command and Control......................................... 8
4.1.2 Military Command and Control reflection ............................................................. 10
4.2 Communications............................................................................................................. 10
4.2.1 Cybersecurity communications relevance .............................................................. 10
4.2.2 Military communication reflection ......................................................................... 11
4.3 Computer systems .......................................................................................................... 12
4.3.1 Cybersecurity computer reflection.......................................................................... 12
4.3.2 Military computer reflection................................................................................... 12
4.4 Intelligence..................................................................................................................... 14
4.4.1 Intelligence management cycle............................................................................... 14
4.4.2 FBI Intelligence Cycle ............................................................................................ 15
“ ................................................................................................................................................ 15
4.5 Surveillance.................................................................................................................... 16
4.5.1 Surveillance and Reconnaissance functions ........................................................... 16
4.5.2 Cybersecurity surveillance reflection...................................................................... 16
4.5.3 Military surveillance reflection............................................................................... 18
4.6 Reconnaissance .............................................................................................................. 18
4.6.1 Cybersecurity reconnaissance reflection................................................................. 18
4.6.2 Military reconnaissance reflection.......................................................................... 19
5 Cyber Defense in Depth and C4ISR .................................................................................... 20
6 C4ISR Defense in Depth core function descriptions ............................................................ 21
6.1 Predict attacks on an organization’s assets .................................................................... 21
6.2 Prevent attacks on an organization’s assets.................................................................... 21
6.3 Detect attacks on an organization’s assets ..................................................................... 22

3. 3
6.4 Respond to attacks on an organization’s assets.............................................................. 22
7 A C4ISR Control Framework .............................................................................................. 23
8 Summary............................................................................................................................... 25
Figure 1 Cyberspace domain and supporting cybersecurity.......................................................... 6
Figure 2 Cybersecurity Management and Requirements System and .......................................... 9
Figure 3 Rugged 901D Computer for Navy Shipboard Installation............................................... 12
Figure 4 The Intelligence Cycle .................................................................................................... 14
Figure 5 Depicts the FBI Intelligence Management Cycle ........................................................... 15
Figure 6 Defines the Defense in Depth approach to enterprise security .................................... 20
Table 1 Shows the integration of Controls, DID and Intelligence Management ......................... 25

4. 4
1 Introduction on the need for exceptional CS C4ISR within Cybersecurity.
Colleagues ….welcome toINFOSECFORCE’snewestpaper, CyberSecurityCommand,Control,
Communications, Intelligence,Surveillance andReconnaissance (CSC4ISR). Asyou will recall ourlast
paperwas “Cyberwarfare EscalationtoNuclearWarfare”
https://www.academia.edu/30591206/Cyber_Warfare_Escalation_to_Nuclear_Warfare and
https://www.slideshare.net/infosecforce/cyberwarfareescalationtonuclearwarfareexamination
These paperstake a longtime to compose. We do soby leveraginglotsof sourcesfromthose thinkers
that exceedourcapacity. We alwayssource theminthe documents. Pleasecontactme if youneed
clarificationonanythinginthe document. Phone andemailonthe cover.
1.1 Critical need for a CS C4ISR Discussion
As faras INFOSECFORCEcantell,apaperdirectlyassessing CSC4ISRdoesnotexist. Some paperssuch
as Col MatthewM. Hurley’s belowreference addressaspectsof CSC4ISR but,theydo notaddressthe
complete notionalCSC4ISRarchitecture framework. Thispaperwill provide astructureddescriptionof
CS C4ISR elements. Maywe stronglyrecommendthatorganizational SecurityOperationsimplementCS
C4ISR.
Thispaperis focusedonprivate sectorandNational,State,andLocal GovernmentAgencies. Itisnot
directedatthe Military. Likewise,itisfocusedon Cybersecurity andnotthe full Cyberspace operational
spectrum.
Nonetheless, organizationalCybersecurity (CS) Operations (SECOPS) have become increasingly
militaristicinthe lastdecade. Forexample,we have adoptedmilitaryconceptslikedefenseindepth,kill
chain,threatintelligence,threatdetection,vulnerability assessments,riskpostures,perimeterdefenses,
cyberwarfare,and etc. However,the CSCommunityhasnotbuilta CS C4ISR framework.
To expertly identify,prevent,predict,detect,respond,andrecoveragainstsecuritythreatsand
vulnerabilities, Cybersecurity professionalsinthe private sectorandgovernmentagencylevels should
manage theirCybersecurity operationswithasmuchmilitarythinkaspossible. The worldisina global
Cybersecurity WarfightingpostureasCyberthreatsandattacks are at timesoverwhelming. Attacks
have become highlyefficient. The “enemy”hashighlyskilledhackers. The enemyhastwomaingoals,
steal moneyandassetsandto execute NationState political andmilitaryobjectivesagainsttheir
opposition. The UnitedStatesgovernmentandmilitaryhave the highlyskilledresourcestoengage
these threats ona highlysophisticated nature but, eventheyare not alwayssuccessfulasthe enemy has
penetrated military sophisticatedpreventivemeasuresandsuccessfullyattackedhardtargetslike the
Pentagon.

5. 5
2 Cyberspace versus Cybersecurity
Giventhe nature of this paper’sdiscussion,we needtotake amomenttodefine the difference between
CybersecurityandCyberspace. We alsobriefly reflectonthe difference in Cyberspace C4ISRstandards
and CS C4ISR concepts.
“ Numerousprivate sector,government,andmilitaryorganizationsuse the term“cyber”asa
synonymforonlyCybersecurity . Cyberdoesnotequal Cybersecurity . Infact,whenusing the generic
term“cyber” one should thinkmore aboutCyberspace. Iam veryimpressedwithARCYBERandhow
theyapproach Cyberspace doctrine. Pleasesee below anexcerptARCYBER Cyberspace doctrine.
Likewise,since Icouldnotfinda graphicshowingthe interrelationship of Cyberspace components,I
createdthe last graphicthat doesso. The reason Cybersecurity isindashedlinesisthat Cybersecurity
isnot consideredaCyberspace core “fire function”in Cyberspace. Itisa supportingcomponentto
Cyberspace similartoa logisticsfunction.
Source: https://www.academia.edu/26547082/Cyber_Space_Security
“ The termcyber ismostuseful aspart of the compoundword Cyberspace andCyberspace issimplythe
man-made domaincreatedwhenwe connectall of the computers,switches,routers,fiberopticcables,
wirelessdevices,satellitesandothercomponentsthatallow ustomove large amountsof data at very
fastspeeds. Aswiththe physical domains—land,maritime,air,space—weconductavarietyof activities
inCyberspace tobenefitindividuals,commercial entitiesandgovernments.The keydifferencebetween
Cyberspace andthe physical domainsisthat Cyberspace isman-made andconstantlychanging.That
characteristicoffersbothopportunitiesandrisk. “
Source: “http://armedforcesjournal.com/Cyberspace-what-is-it-where-is-it-and-who-cares/
“Army doctrine for Cyberspace Operationsincludes:Offensive Cyberspace OperationsandDefensive
Cyberspace Operations denythe Adversarythe FREEDOMof Actioninthe Domain, CyberEffects,
Cyberspace Defense,ComputerNetworkDefense,CyberElectromagneticActivities,CyberTargeting,
CyberProtectionTeams.
Doctrine doesnotinclude Cybersecurity.

6. 6
Figure 1 Cyberspace domain and supporting cybersecurity
Source: https://www.academia.edu/26547082/Cyber_Space_Security
2.1 Cyberspace and C4ISR
“ Unlike ISRoperationsinthe natural domains,those in Cyberspace have yettobe formallydefinedin
jointor service doctrine.Despitewide reference to“CYBINT,”itsrelationshiptosignalsintelligence and
open-source intelligence,andevencallstoestablishmore granulardisciplinessuchas“SkypeINT”or
“VoIPINT,”currentthinkingonthe subjectremainsimmature.
For itspart, ISR forcyber isperhapsbestdefinedbyAirForce PolicyDirective 10-17, Cyberspace
Operations,whichtasksAirForce ISRto “ensure [the] abilitytoprovide collaborative analysis,fused
intelligence,andcross-domain,integrated,andautomatedISRPCPAD(planningandcollecting,
collection,processingandexploitation,analysisandproduction,dissemination) capabilitiestoenable
Cyberspace operations.”Thisdefinitionsuggeststhe criticalityof all-source intelligence duringthe
planningandexecutionof Cyberspace operations.Operatingin Cyberspace demandsmore thanjustISR
fromcyber; anyintelligencediscipline cansupplyinformationof crucial intelligence value to Cyberspace
operations. As notedbyMaj Gen RobertP. Otto,commanderof the AirForce ISR Agency,“Whenwe
say ‘ISRfor Cyber,’we are referringtothe ISR conductedtosupportCyberspace superiority”—
regardlessof the source,method,ormedium.
Cyberspace’sworldwide pervasiveness,whencombinedwiththe speedof cybereffects,confersanew
and dauntingdimensiontothe notionof “global reach.”Physical cybernodesinhabiteachof the natural
CYBERSPACE
A global domain within the
information environment consisting
of the interdependent network of
information technology
infrastructures, including the
Internet, telecommunications
networks, computer systems, and
embedded processors and
controllers. (JP 1-02)
Intelligence community
Research, unique solutions,
IARPA level work, situational
awareness, build Cyber
Intelligence Operations Center,
work flow, collects intelligence
collection systems and
programs, intelligence
production activities,
InformationOperations
integrated employment of
electronic warfare(EW), computer
network operations (CNO),
psychological operations (PSYOP),
military deception (MILDEC), and
operations security (OPSEC), in
concert with specified supporting
and related capabilities.
Signal Commands
Network Operations
(information assurance,
information dissemination
management, and network
management) and management
of the electromagnetic
spectrum.
ElectronicWarfare
The integrated planning,
employment, and assessmentof
military capabilities to achieve
desired effects across the
electromagnetic domain in support
of operational objectives.
CyberSecurity
All organizational actions required
to ensure freedom from danger
and risk to the security of
information in all its forms
(electronic, physical), and the
security of the systems and
networks
CyberOffense Operations
Offensiveoperations to destroy,
disrupt, or neutralizeadversary
cyberspacecapabilities both before
and after their use againstfriendly
forces, but as closeto their source
as possible
CyberDefense Operations
All defensive countermeasures
designed to detect, identify,
intercept, and destroy or negate
harmful activities attempting to
penetrate or attack through
cyberspace. DCC missions are
designed to preserve friendly
network

7. 7
domains—in,around,andabove everycontinentandsea. Cyberspace crisscrossesthe globe,both
drawingpeople togethertoanunprecedenteddegreeandgivingourfoesheretofore unimagined
avenuesof attack. In the past, war fightershave alwaysenjoyeddiscretetheatersinwhichtooperate.
In Cyberspace,however,hostile actionsmayoriginateinorbe routedthroughliterallyanylocation
where anInternet-enableddevice canfunction. Furthermore, Cyberspace’sglobalnature hasrendered
traditional bordersbetweensovereignentitiesessentiallymeaningless.35Because of asavvyadversary’s
abilitytolaunchintrusionsorattacksacross multiple frontierswithnearimpunity,“Geographyis
completelyirrelevant.
2.2 Most daunting task for ISR in Cyberspace
These characteristicsof Cyberspace contributeto“the mostvexingquestionof all”forISRprofessionals:
attributionof intrusionsandattacks. AsAirForce Space Commandacknowledges,“The abilitytohide
the true (originating) source of anattack makesitdifficulttoidentifythe attacker.Furthermore,the
designof the Internetlendsitselftoanonymity.” One factorthatcomplicatesattribution—the large
numberof online actors—isreflectedbythe difficultyof tryingto uncoveraninsiderthreatwithinthe
DOD. If each userrepresentedanode andeache-mail message alink,one wouldhave toanalyze
755,230,064,000 linksbetween237,387,616 nodesina single year—atallythatdoesnotinclude
Internetsearches,file accessions,orothertypesof theoreticallyobservablecyberactivity.”
Source: For and from Cyberspace ConceptualizingCyberIntelligence,Surveillance,and
Reconnaissance Col Matthew M. Hurley,USAF,ovember–December2012 Air & Space Power Journal |
3 Command, Control, Communications, Computer, Intelligence, Surveillance, and
Reconnaissance (C4ISR)
In the military, C4ISRisa broad termthat refersto“systems,proceduresandtechniquesusedtocollect
and disseminate information”.Eachof these isa fieldof expertise untoitself,buttheywork
synergisticallytoprovide warfightersanddecision-makerswithactionable informationtohelpthemdo
theirjobs.
While C4ISRis a powerful force multiplier,itisnot a stand alone functionandC4ISRsupportsvarious
levelsof the militaryandgovernment. C4ISRoperateswithinsome sortof ITor businessmanagement
framework. C4ISRcan supportstrategicdecisions,operational planning,and tactical execution. There
are boundlessC4ISRexecutionandsupportingassets. C4ISRsupportcanrange fromspiesinthe field,
national reconnaissancesatellite assets,tomini birdsizeddrones. Inthe militaryC4ISRassetsandthe
informationanddatacollectionthattheyprovide mustoperate withinaspecificstrategic,operational
and tactical frameworktoprovide efficientprocessesandahighdegree of data and information
integritythatisprocessedinrelationshiptothe missionthatissupported. Similarly,C4ISRoperates
withinasimilarcontextwhensupportingnationalintelligenceandnational policyobjectives. The key
objective withinanyC4ISRprocessis“the mission”C4ISRsupports.

8. 8
While the above C4ISRdescriptionmightsounddauntingwhenconsideringC4ISRapplicationoutside
the militaryandgovernment,itreallyisnot. Itishopedthatmost private sectororganizationshave an
exceptionalCybersecurity ManagementSystem(CSMS) establishedformanagingthe strategic,
operational,andtactical CSbusinessneedsof anorganization. A solidCSMSbasedon core SANSor
National Institute of Standards(NIST) controlswill provide the operational andCSbusinessmanagement
frameworkthatthe C4ISR plancan operate within.
4 C4ISR in the military and Cybersecurity (CS) C4ISR in the Private Sector
The belowparagraphsdefine the core componentsof C4ISRandhow theycan applyto the private
sectorCS C4ISR. The firstpart of the descriptionrelatestoaclassicmilitarydefinitionof the C4ISRand
the secondpart isthe interpretationof the descriptionasitwill relate tothe private sector.
4.1 Command and Control (C2)
4.1.1 Private sector Cybersecurity and Command and Control
As one can see bythe variousC2 definitionsbythe UnitedStatesandothercountry’smilitary seen
below thatC2 is live ammoandC2 isan extremelypartof the commandstructure andthe supporting
battle managementrequirements.
Likewise,giventhatthe Cybersecurity teaminmostorganizationsisthe closestthingthatcompanies
have workingforthemisorientedto a warfightingorat the veryleasta police levelof protection within
the organization. The CSteam,especiallythe CSengineersandThreatManagementsystem
administrators, alertteamsandetcthat workinthe organizationCyberIntelligence OperationsCenter
(CIOC) have vitallyimportantmissionsof definingriskmanagementgovernance, superbCybersecurity
architectures,andincidentdetectionandresponse.
The core componentsof C2 are “authorityanddirection”. Private SectorCS programshave often
sufferedproblemswithhavingthe properauthorityanddirection. We have seenmultiplevariationsof
governance.
The belowlistdefinesthe required C2Cybersecurity functionsthata private sectororgovernment
agencyshouldhave:
 Identificationof all companyvital dataand businessprocessesthatCSwill protect
 Deepunderstandingof all businessprocessesand datarequiringexceptional protection.
 Strongleadershiptalentasthe Chief InformationSecurityOfficer(CISO) andwithinall the CS
Directors
 An exceptional relationship withthe CEOandCFO
 Reportsdirectlytothe CEO or the CTO
 Exceptional InformationSecurityManagementSystem(ISMS) framework thatincorporatesthe
belowISMS baseline concepts. Integrate thisISMSwithkeyfunctionsof the NIST Cybersecurity
framework(CSF) andSANStop20 controls
 An exceptional CIOCequippedwithstate of the art toolsand highlyskilledstaff

9. 9
 Measurable performance metricsthatthe CSOand Directorsuse to rigorouslymanage the CS
program
 A well defined securitycurrentandfunctional CSarchitecture and aclear4 yearroadmap CS
objective architecture toachieve constantimprovement
 Brilliantthreatandvulnerabilitymanagement processthathasexactauditschedules
 AN integratedriskposture managementsystemtiedtoboththe companiesbusinessgoalsand
CS goals.
 Definedholisticriskposture definitionwithactive measures
 Bi annual CStable top exercisesthatincludesbusinessandCStechnicianandexecutives
 Rigorousannual self assessmentprogram
 Extremely architectedandimplementedauthentication,authorization,andauditprogram
 Biannual andmonthlyupdatesCSTraining programendorsedbythe CEO
4.1.1.1 Information Security Management System
An informationsecuritymanagementsystem(ISMS) isasetof policiesandproceduresforsystematically
managingan organization'ssensitive data.The goal of an ISMS isto minimize risk andensure business
continuity bypro-activelylimitingthe impactof a securitybreach.
An ISMS typicallyaddressesemployeebehaviorandprocessesaswell asdataand technology.Itcanbe
targetedtowardsa particulartype of data, such as customerdata,or it can be implementedina
comprehensive waythatbecomespartof the company'sculture.
Figure 2 Cybersecurity Management and Requirements System and
Source: Aliencoders.org

10. 10
4.1.1.2 C2 Irony in Cybersecurity
While the CSindustrydoesnotoftendiscussC2 as a managementprocessto tightlymanage the CS
organization,one doesoftenhereabout“botnet”C2.
For example,avalidusage of the termisto say that attackersuse "commandand control infrastructure"
to issue "commandandcontrol instructions"totheirvictims. Advancedanalysisof commandand
control methodologiescanbe usedtoidentifyattackers,associate attacks,anddisruptongoing
maliciousactivity.”
4.1.2 Military Command and Control reflection
Command and control or C2 isa "setof organizational andtechnical attributesandprocesses...[that]
employshuman,physical,andinformation resourcestosolve problemsandaccomplishmissions"to
achieve the goalsof an organizationorenterprise,accordingtoa 2015 definitionby military
scientists MariusVassiliou, DavidS.Alberts andJonathanR.Agre,[1][2]
The termoftenreferstoa military
system.
Versionsof the UnitedStatesArmy Field Manual3-0 circulatedcirca1999, define C2in
a military organizationasthe exerciseof authority anddirectionbyaproperlydesignated commanding
officeroverassignedandattached forces inthe accomplishmentof amission.[3][4]
A 1988 NATOdefinition,command andcontrol isthe exerciseof authorityanddirectionbyaproperly
designatedindividualoverassignedresourcesinthe accomplishmentof acommongoal. An Australian
Defence Force definition,similartothat of NATO,emphasisesthatC2isthe systemempowering
designatedpersonnel toexercise lawful authorityanddirectionoverassignedforcesforthe
accomplishmentof missionsandtasks.[6]
The US Departmentof DefenseDictionary of Military and Associated Terms definescommandand
control as: "The exercise of authorityanddirectionbyaproperlydesignatedcommanderoverassigned
and attachedforcesinthe accomplishmentof the mission.AlsocalledC2.Source:JP1".
Source: https://en.wikipedia.org/wiki/Command_and_control
4.2 Communications
4.2.1 Cybersecurity communications relevance
CS isabsolutelydeeplyembedded inall formsof communication. Besidesaccesscontrol,
communication isalmostthe total absorptionof CS’smissionandrelevance. CS protectsthe network(a
vast entanglementof software,technology,andbusiness processes) thatacompanyor agencyusesto
execute itsmission. CSmustprotectthe confidentiality,integrityandavailability(CIA) of the corporate
communications. CIA isthe CSfundamental jobuponwhichnumerous CScontrolsare predicated.
Thus,CS must have exceptional networkembeddedCStoolsandprocedures toensure CIA excellence.
Often,CSisaccountable to manage the corporate or agencyencryption program. Encryptionisa core
businessenablerthat provide internal andexternal communicationnonrepudiationcapabilities.

11. 11
Likewise, manyCSteams are now managingthe grownblockchaincommunicationanddata protection
requirements. Blockchainis rapidlygrowingasanessential businesscommunicationsrequirements.
Anotherparallel seeninthe belowmilitarycommunicationsdescriptionof communicationsisthe
conceptalertmeasurementsystems. NumerousCStoolssuchasintrusionprotection/prevention,
SecurityIncidentandEventManagementSystems (SIEM),incorrectaccessprotection,NetworkAccess
Control (NAC) management,syslogs,andetccan be configuredtoalerton control and policyviolations.
Like radar in the military,these systems alertonactive orinboundthreats. Aswe improve the use of big
data and heuristicmodeling,itislikelyCS professionalswillreceive “predictive”alertsaswell.
4.2.2 Military communication reflection
The adventof distinctivesignalsledtothe formationof the signal corps,agroup specializedinthe
tactics of militarycommunications.The signal corpsevolved intoadistinctive occupationwhere
the signalerbecame ahighlytechnical jobdealingwithall availablecommunicationsmethodsincluding
civil ones.
In the modernworld,mostnationsattempttominimizethe riskof warcausedby miscommunicationor
inadequate communication.Asaresult,militarycommunicationisintenseandcomplicated,andoften
motivatesthe developmentof advancedtechnologyforremote systemssuchassatellitesandaircraft,
bothmannedand unmanned,aswell ascomputers.Computersandtheirvariedapplicationshave
revolutionizedmilitarycomms.Althoughmilitarycommunicationisdesignedforwarfare,italso
supportsintelligence-gatheringandcommunicationbetween adversaries,andthussometimesprevents
war.
There are six categoriesof militarycomms:the alertmeasurementsystems,cryptography,militaryradio
systems,nuclearcommandcontrol,the signal corps,andnetwork-centricwarfare.
The alert measurementsystemsare variousstatesof alertnessorreadinessforthe armedforcesused
aroundthe worldduringastate of war, act of terrorismora militaryattackagainsta state.Theyare
knownbydifferentacronyms,suchasDEFCON,or defense readinesscondition, usedbythe U.S.Armed
Forces.
Cryptography isthe studyof methodsof convertingmessagesintodisguised,unreadable information,
unlessone knowsof the methodof decryption.Thismilitarycommsmethodensuresthatthe messages
reach the correct hands.Cryptographyisalsousedtoprotect digital cash,signatures,digital rights
management,intellectual propertyrightsandsecure electroniccommerce.Itisalsousedincomputing,
telecommunicationsandinfrastructure.
Source: https://en.wikipedia.org/wiki/Military_communications
Drums,horns,flags,and ridersonhorsebackwere some of the earlymethodsthe militaryusedtosend
messagesoverdistances.Inthe middle 20thcentury radioequipmentcame todominate the field
Many modernpiecesof militarycommunicationsequipmentare builttobothencryptand
decode transmissions andsurvive roughtreatmentinhostileclimates.Theyuse different frequencies to
sendsignalstootherradiosand to satellites.

12. 12
Militarycommunications - or"comms"- are activities,equipment,techniques,andtacticsusedbythe
militaryinsome of the mosthostile areasof the earthand in challengingenvironmentssuchas
battlefields,on land,underwaterandalsoinair.Militarycommsinclude command,control and
communicationsandintelligence andwere knownasthe C3I model before computerswere fully
integrated.The U.S.Armyexpandedthe modeltoC4I whenitrecognizedthe vital role playedby
automatedcomputerequipmenttosendandreceive large,bulkyamountsof data.
Source: C4ISTAR
4.3 Computer systems
4.3.1 Cybersecurity computer reflection
While the below militarydescriptionof the differencebetweencommercial andmilitarysystemsmakes
sense,private sectorsalsoevaluate the acquisitionandprotectionof CSinthe same way that the
militarydoestoinclude:.
 Cost
 Intendedenvironment
 Long termavailability
 Architecture
 Feature set
Identifying,predicting,preventing,detecting,respondingandrecoveryfromcomputersystemsattacks
while guaranteeingcomputersystemsCIA throughasophisticatedCSMSisthe essence of whatCS does
for computerswithinC4ISR.
4.3.2 Military computer reflection
Figure 3 Rugged 901D Computer for Navy Shipboard Installation
Typicallyamilitarycomputerismuchmore robustthan an industrial computerenclosure.Most
electronicswillbe protectedwithalayerof conformal coating.There willbe more structure insideto
supportthe components,the plug-incardswill be individuallysupportedandsecuredtoassure theydo
not popout of theirsockets,the processorand heatsink will be secured,memorywill be gluedintotheir
sockets,andso forth.Thisis to assure nothingmovesduringthe shockevents.
There are several differentiatorsbetweenmilitarycomputersandtypical office orconsumercomputers:

13. 13
 Cost
 Intendedenvironment
 Long termavailability
 Architecture
 Feature set
Cost – Militarycomputersare generallymuchmore expensive thanoffice/consumercomputers.
Consumercomputersfrommanufacturerssuchas Dell are manufacturedinveryhighquantitieswhich
leadstolowercostsdue to economyof scale.Militaryprograms,onthe otherhand,can require small
numbersof systemsleadingtohighercosts.Militarycomputerswilltypicallyalsobe constructedof
more robustmaterialswithmore internal structure,more coolingfans,amore robustpowersupply,and
so forth.
IntendedEnvironment– An office orconsumercomputerisintendedforuse inaverycontrolledshirt-
sleeve environmentwithmoderatetemperaturesandhumidityandminimaldust.A militarycomputer
can be designedtooperate inveryadverse environmentswithextremesof temperature suchas -20C to
+65C operating,5%to 95% humiditylevels,andhighdustloadinginthe airas well asotherinsultstothe
hardware.Theymaybe requiredtooperate inhighsaltenvironmentssuchasona shipor designedfor
highshockand vibrationsuchas on a shipor submarine.Militarycomputersmaybe intendedfor
installationonaircraftinwhichcase theyneedtobe crash worthyand able to operate athighaltitudes
if in unpressurizedaircraft.The same computermaybe requiredtooperate inAfghanistanaswell asin
Alaskawithnochange in the design.
Long Term Availability– Militaryprogramslastyearsand identical replacementhardware maybe
requiredoverthe life of the program.Consumercomputersare oftendrivenbythe latestandgreatest
to realize the highestpossible performance,suchasrequiredtoplaygames.The motherboardina
consumergrade computermayhave an availabilitymeasuredinmonthsinsteadof yearsordecades.In
a consumerlevel computer,overthe lifetime of the productavailability,itisnotunheardof for all the
componentssuchas the motherboard,drives,BIOS,videoboard,etc.,tobe differentfromcomputerto
computer.That isnot acceptable inamilitarycomputerforwhichsupportingdocumentshave been
createdand systems testedandapproved.
Architecture – There are manytypesof computerarchitecture.The mostcommonthat people knowof
isthe PCas createdby IBM. Many militarycomputersystemsare builtaroundalternative plug-inbus
structuressuchas VMEbusor Compact PCI.A militarycomputermaynotprovide forplug-incardsand
be in a dedicatedformfactorfora specificapplicationsuchasinstallationona UAV such as the Global
Hawk.
Feature Set – A militarycomputermayhave featuresnotfound ona consumergrade computersuch
as Circularconnectors,hotswappowersupplies,hotswapfans,customfrontpanel featuressuchasLCD
displays,andsoforth.
Source: https://en.wikipedia.org/wiki/Military_computers

14. 14
4.4 Intelligence
CS intelligence andthreatmanagementare relativelynew conceptstothe private sectorandeven
governmentagencies. Whenthe CSindustrystartedtoembrace the ideaof CS Intelligence the CStool
companyoftenmisidentifiedcollectinginformationasintelligence> CStool companieshave become
betterat definingCSintelligence but,theyhave alongjourneyof intelligence competenceand
excellence ahead.
Overall the private sectorandmilitaryintelligence cycle withinaC4ISR environmentare the same. The
processisseenbelow.
Intelligenceisaterm referringtoinformationitself thatpertainstothe mission,orgoalsandobjectives
of the organizationcarryingoutthe mission.
The traditional Intelligence cycle isthe fundamentalcycle of intelligence processinginacivilianor
military intelligence agency orinlawenforcementasa closed pathconsistingof repeatingnodes.The
stagesof the intelligence cycle include the issuance of requirementsbydecisionmakers,collection,
processing,analysis,andpublicationof intelligence.[1]
The circuitiscompletedwhendecisionmakers
provide feedbackandrevisedrequirements.The intelligencecycle isalsocalledthe Intelligence Process
by the U.S. Departmentof Defense (DoD) andthe uniformedservices.[2]
The intelligence cycle isan
effectivewayof processinginformationandturningitintorelevant andactionable intelligence.[3]
Figure 4 The Intelligence Cycle
4.4.1 Intelligence management cycle
DoD and governmentagencieshave historicallyuse the Intelligence collectioncycle model todrive and
frame itsintelligencecollectionplaninpeacetimeandwartime. The private sectorcanand shoulduse
thissimple butpowerfulframeworktodrive itssecurityintelligence operationsfromthe CIOC.
I have adoptedthe FBI’sintelligence cycle againstwhichtomodel apossibleprivate sectorintelligence
collectionplan.
Source: https://en.wikipedia.org/wiki/Intelligence_cycle

15. 15
4.4.2 FBI Intelligence Cycle
Figure 5 Depicts the FBI Intelligence ManagementCycle
Source: http://www.fbi.gov/about-us/intelligence/intelligence-cycle
The CISO and the CSOOmust use the Intelligence Cycle tomanage theirinformationcollectionprocess
and intelligence collectioncycle tosupportthe below tenantsof the organization’sDefense inDepth
Strategy.
NOTE: The below definitions are extracted from the FBI Intelligence Cycle. I have modified the
instructions to align the FBI Intelligence Cycle to the CIOC requirements. If you want to see
original FBI writings, please go to the above FBI web site for same.
“ Requirementsare identified information needs—whatwe mustknow tosafeguard the organization.
Intelligencerequirements are established bythe CISOaccordingtoguidance received fromthe CIO.
Requirements are developed basedoncritical information requiredtoprotectthe organization from
national security andcriminal threats. The security teamandtechnical teammanagersparticipateinthe
formulation of organizational intelligence requirements.
Planningand Direction ismanagementof the entire effort, fromidentifyingthe needforinformation to
deliveringanintelligence producttoa consumer. Itinvolves implementation planstosatisfy
requirements leviedonthe organization, aswell asidentifyingspecificcollectionrequirements basedon
the organization’s needs. Planninganddirection alsoisresponsive tothe endof the cycle, because
currentand finished intelligence, whichsupports decision-making, generatesnew requirements.

16. 16
Collection isthe gatheringof raw information basedonrequirements. Activities suchassecurity product
technical means, interviews, technical reconnaissance, humansource operation, andliaison
relationships resultinthe collection of intelligence.
Processingand Exploitationinvolves convertingthe vastamountof information collectedintoaform
usable byanalysts. Thisisdone througha variety of methods includingdecryption, language
translations, anddatareduction. Processingincludes the enteringof raw dataintodatabaseswhere it
can be exploited foruse inthe analysis process.
Analysisand Productionis the conversion of raw information intointelligence atthe CIOC. It includes
integrating, evaluating, andanalyzingavailable data, andpreparingintelligence products. The
information’s reliability, validity, andrelevance isevaluated andweighed. The information islogically
integrated, putincontext, andusedtoproduce intelligence. Thisincludes both"raw"andfinished
intelligence. Raw intelligence isoftenreferredtoas"the dots"—individual piecesof information
disseminated individually. Finishedintelligence reports"connectthe dots"byputtinginformation in
contextanddrawingconclusions aboutitsimplications.
Dissemination—the laststep—isthe distributionof raw or finished intelligence tothe consumers whose
needsinitiated the intelligencerequirements. The FBIdisseminates information inthree standard
formats:IntelligenceInformation Reports(IIRs), FBI Intelligence Bulletins, andFBIIntelligence
Assessments. FBIintelligence products are provided daily tothe attorney general, the president, andto
customers throughoutthe FBI and inotheragencies. These FBIintelligence customers make decisions—
operational, strategic, andpolicy—basedonthe information. These decisions mayleadtothe levyingof
more requirements, thuscontinuingthe FBI intelligencecycle. “
Source: http://www.fbi.gov/about-us/intelligence/intelligence-cycle
4.5 Surveillance
4.5.1 Surveillance and Reconnaissance functions
Oftenpeople confuse the conceptsof surveillance and reconnaissance.
 Surveillance is the systematic observation of aerospace, surface or subsurface areas, places,
persons, or things, by visual, aural, electronic, photographic or other means.
 Reconnaissance is a mission undertaken to obtain by visual observation or other detection
methods, information about the activities and resources of an enemy or potential enemy, or to
secure data concerning the meteorological, hydrographic, or geographic characteristics of a
particular area.
4.5.2 Cybersecurity surveillance reflection
Private sectorCybersecuritysurveillance challengesare mostlydefensive.

17. 17
The “hacker enemy”employeessignificanttime andresourcesto studyingandassessingmultiplepoints
of attack againstan organization. Duringthisperiodthatenemywill oftenunderstandand
organization’sattacksurface betterthanthe Cybersecurity teamthatisdefendingit. Itis likelythat
whena focusedattackis plannedbythe enemyagainstanorganizationthatthe targetenumeration
happensatnumerous technical andorganizational levels. The enemyoftenpenetratesanenvironment
and remainsdeeplyhiddenwithinthe technicalinfrastructure and establishescommandandcontrol bot
netsto continuouslyreporton the enemy’sultimate objective be itstealingmoney, stealingdata,total
denial of service attack, embeddingransomware andetcandetc. An excellentexample of how deeply
embeddedanattackcan be isseenwithin ”OperationCobaltKitty”:
OperationCobaltKitty,the APTtargetedaglobal corporationbasedinAsiawiththe goal of stealing
proprietarybusinessinformation.The threatactortargetedthe company’stop-level managementby
usingspear-phishingattacksas the initial penetrationvector,ultimatelycompromisingthe computersof
vice presidents,seniordirectorsandotherkeypersonnel inthe operational departments.During
OperationCobaltKitty,the attackerscompromisedmore than40 PCs andservers,includingthe domain
controller,fileservers,Webapplicationserveranddatabase server.
Forensicartifactsrevealedthatthe attackerspersistedonthe networkforatleasta year before
Cybereasonwasdeployed.The adversaryprovedveryadaptiveandrespondedtocompany’ssecurity
measuresbyperiodicallychangingtools,techniquesandprocedures(TTPs),allowingthemtopersiston
the networkforsuch an extensive periodof time.Over80payloadsandnumerousdomainswere
observedinthisoperation - all of whichwere undetectedbytraditional securityproductsdeployedin
the company’senvironmentatthe time of the attack.
The attackers arsenal consistedof modifiedpublicly-available toolsaswell assix undocumentedcustom-
builttools,whichCybereasonconsidersthe threatactor’ssignature tools.Amongthese toolsare two
backdoorsthat exploitedDLLsideloadingattackin Microsoft,Google andKasperskyapplications.In
addition,theydevelopedanovel andstealthybackdoor thattargetsMicrosoftOutlook forcommand-
and-control channel anddataexfiltration.”
Source: https://www.cybereason.com/blog/operation-cobalt-kitty-apt
4.5.2.1 Fighting offensive surveillance operations by the enemy
Defeatingsurveillance andultimate offensive attacksrequiresexceptional CSskill sets,processesand
procedures. The belowlist provides some waystopreventanddetectphysical and virtual surveillance
on itstechnical andphysical assets.
 Implementahighlyresilientdefenseindepthprogram thataggressivelyidentifies,detects,
prevents,predicts,respondsfromcyberattacks
 Implementthe bestSIEMthatyour organizationcanafford
 Hire the BEST CS leaders,architects,engineers, analysts,threatanalysts
 Implementaggressive metricsCSbusinessmeasurement

18. 18
 Understandthe businessprocess,procedures, customers,andarchitecture
 Have aggressive CSprogramfor internal organizationandall thirdpartypartnersandservice
providers. Thirdpartyrelationshipsoftenare the attack vectorintoyourorganization. Thisis
whathappenedinthe targetattack
 Systematicallymanage yourCS ISMS to itsmaximumefficiency
 Aggressivelymanage the organization’sCSmaturity growthprocess
4.5.3 Military surveillance reflection
Surveillance isthe monitoringof behavior,activities,orotherchanginginformationforthe purpose of
influencing,managing,directing,orprotectingpeople.[2]
Thiscaninclude observationfromadistance by
meansof electronicequipment(suchas closed-circuittelevision (CCTV) cameras)[3]
orinterceptionof
electronically transmittedinformation(suchas Internettrafficorphone calls).Itcan alsoinclude simple
no- or relativelylow-technologymethodssuchashumanintelligence agentsandpostal interception.
The word surveillancecomesfrom a Frenchphrase for "watchingover"(surmeans"fromabove"
and veiller means"towatch") and is incontrast to more recentdevelopmentssuchas sousveillance.
Surveillance isusedbygovernmentsforintelligence gathering,preventionof crime,the protectionof a
process,person,grouporobject,or the investigationof crime.Itisalsousedby criminal organisation’s
to planand commitcrimes,suchas robberyandkidnapping,bybusinessestogatherintelligence,and
by private investigators.
Surveillance canbe viewedasaviolationof privacy,andas suchis oftenopposedbyvarious civil
libertiesgroupsandactivists.[7][8]
Liberal democracies have lawswhichrestrictdomesticgovernmentand
private use of surveillance,usuallylimitingittocircumstanceswhere publicsafetyisat
risk. Authoritarian governmentseldomhave anydomesticrestrictions,andinternational espionage is
commonamong all typesof countries.
4.6 Reconnaissance
4.6.1 Cybersecurity reconnaissance reflection
Giventhatthe act of reconnaissance isoftenequatedtoactive operational measures,one mightwonder
hownon militaryprivate sectorandgovernmentagenciescan conductCybersecurity reconnaissance.
There are wayshowever,tosomewhatreverse engineerreconnaissance toadegree andblenditwith
your company’sthreatassessmentandthreatintelligence program. Forexample,if acompanyhasa
certaintype of data to protect like personablyidentifiable information(PII)orfinancial datathe
companycan undertake these measuresobtaininformationthatwill provide apossiblecourse of action
to defendandprotectitsdata assets
 Joingovernmentsupportagenciesthatwill provide status,predictive,andthreatdatato you
 Joinrelative InformationSharingandAnalysisCenters(ISAC) suchasthe Financial ServicesISAC.
(FS-ISAC). Whenattacksoccur, earlywarningandexpertadvice canmeanthe difference
betweenbusinesscontinuityandwidespreadbusinesscatastrophe.FS=ISACworldwide receive
timelynotificationandauthoritativeinformationspecificallydesignedtohelpprotectcritical
systemsandassetsfromphysical and Cybersecurity threats.
 Create threatintelligence teams

19. 19
 Ensure your securityincidenteventmanagement(SIEM) toolsare properlyconfiguredand
correlatedtoshowtrendanalysesof the type andoriginof the attacks againstyour
organization. SIEMscan showregions,typesof attacks,regionswhere the attacksare hitting
and theirbasicgeographicorigin. Forexample,bytrackingthe activitiesof the newgroup
called Silence, a organizations threat management team can see what Silence has done and
if their attack profiles might exploit vulnerabilities within a company’s network. Movingdown
one more stepKasperskyLabresearchersdetectedNukeBot –a new malware designedtosteal
the credentialsof onlinebankingcustomers. BytrackingNukebotacrossthe worldinmultiple
reportsand withinthe automatedSIEMone can derive reconnaissance like information thatwill
enable aCybersecurity teamtouse the informationwithinitsintelligence cycle ordefensein
depthfunctiontopredict,prevent,anddetectattacks …… these are some of the core applicable
resultsthatreconnaissance canprovide.
Source https://media.kasperskycontenthub.com/wp-
content/uploads/sites/43/2018/03/07162608/Kaspersky_Lab_financial_cyberthreats_in_2017.p
df
 Create an intelligence cycle andfuse the collecteddataintoreportsthatdefine real and
potential threatsandvulnerabilities.
 Organize a defenseindepthoperationas seenbelow
4.6.2 Military reconnaissance reflection
Reconnaissance isdistinctfromSurveillance (althoughthe termsare oftenmistakenlyused
interchangeably) because itinvolvesthe actof sendingpersonnel orequipment(suchasdrones) into
areas outside friendlycontrol forthe purpose of gatheringIntelligence.
C4ISR isultimatelyaboutincreasingSituationalAwareness,givingdecision-makersthe informationthey
needasfast as possible,andusingthe rightmaterials,equipment,andsystemstomake thathappen.All
the componentsof C4ISR MUST worktogethersmoothlytoachieve missionsuccess.Itisthe bedrockof
any mission,andafaultinany linkinthe chaincan have serious,evendeadlyconsequences.
Intelligence,surveillance,andreconnaissance,atactical enablingoperation,isabroad categoryof
activitiesdesignedtosupportthe battalion'sintelligence development,planning,anddecision-making.
Intelligence,the productgainedbyanalyzingcombatinformationforitsrelevance tothe unit'smission,
has alwaysbeencritical tosuccessfullyaccomplishingthe mission.Reconnaissance isacombined-arms
maneuveroperationthatemploysthe battalion'sreconnaissance assetstoobserve namedareasof
interestandtargetareasof interest,byvisual orotherdetectionmethods,inordertocollectcombat
information.Surveillance involvesthe systematicobservationof aparticularnamedarea of interestby
visual,electronic,photographic,orothermeans.The combatinformationcollected bythe battalion
reconnaissance platoonandotherassetsisanalyzedandevaluatedbydifferentechelonsinorderto
become intelligence.The goal of ISRoperationsistoanswerthe battalioncommander'scritical
intelligence requirementsandotherinformationrequirementstoenable timelyandeffectivedecision-
making.The SBCT infantrybattalionreconnaissance platoonisthe eyesandearsof the battalion
commanderandprovideshimwithanorganicreconnaissance capability.

20. 20
5 Cyber Defense in Depth and C4ISR
For numerousyears,Iemphasizedthatwe shouldnotuse fear,uncertaintyanddoubt(FUD) to achieve
our organizational securityobjectives. My beliefisthatone shouldmake alogical businesscase based
on metrics,returnoninvestmentandexpectedresultstoacquire new staff andincrease oursecurity
tool budget. I have shiftedmyparadigmabitand have begunstressingthe consequencesof the lackof
cyberwarfare mobilizationandthreatmanagementinthe private sectorinparticular. Global
organizationsneedtoembrace andacceptthat there isan undeclaredcyberwarbeingwagedagainst
industryandgovernmentandthatwe must define ourprivate sectorandgovernmentagencies’
strategy,doctrine,andtacticsto fightthe cyberwar.
Matt Rosenquist,Intel
Figure 6 Defines the Defense in Depth approach to enterprise security
Private andgovernmentsectorsare,attimes,beingclobberedbyaninvisible enemythatseemstoown
numerousgovernment,privatenetworks andbusinessapplications. InformationSecurityTeamsacross
the globe are fightingthe goodfightandwinand lose inthisbattle. Cyberwaris almostthe perfect
terroriststructure of compartmentalizationof multipleglobal cellsdedicatedtoverysimilargoalsand
objectivesbuttheyhave noorlimitedcrosscommunicationandplanning. One reasontheydonotneed
thiscoordinationisthatthere isa target rich environmentthatall cybermiscreantsattackandachieve
theirgoalsof nationstate espionage,SCADA terroristattacks,identitytheft,financialtheftandetc.
Everyyear,thousandsof articlesandconferencesacrossthe globe addressthe tacticsandproceduresto
addressthischallenge andwhenone readsthe literature andattendsthe meetings,one knowsthatthe
mostfundamental andmissingpiece toorchestratinganddefininga Cybersecurity arsenal isacohesive,
risked-basedmethodologythatneedstodefineandimplementsolutionstothe sometimeschaotic
response tothreats. A primary solutiontomanagingthiscybertheaterof waris to create a central
organizational cybercommandandcontrol battle space managementelementandthatisthe Cyber
CIOC.
IT Strategy
Defense in Depth
Information Security
Strategy
Information
Security
Strategy
Prediction: Proactive measures to identify attackers,
their objectives and their methods prior to materialization
of viable attacks.
Enables and maximizes Prevention activities.
Prevention: Securing the computing environment
with current tools, patches, updates
and best-known-methods in a timely manner.
Represents the bulk of cost effective security capabilities
and facilitates better Detection.
Detection: Visibility to key areas and activities.
Effective monitoring to identify issues,
breaches, and attacks. Drives immediate
interdiction by Response capabilities
Response: Efficient management of efforts to
contain, repair, and recover as needed to return the
environment to normal operations. Reduces losses by
rapidly addressing issues and feeds intelligence into
Prediction and Prevention areas
Prevention
Prevents or
deters attacks so
no loss is
experienced
Prediction
Predict the
most likely
attacks,
targets, and
methods
Detection
Detect attacks
not prevented to
allow for rapid
and thorough
response
Response
Respond rapidly
to security
incidents to
minimize losses
and return to a
normal state

21. 21
6 C4ISR Defense in Depth core function descriptions
More specifically,asmentioned above,the CIOCisthe cyberbattle managementfunctionthatmanages
the multiple attackvectorsagainstanorganization’svital assetsthroughthe CIOCmanagementof the
organization’sDIDposture. Specificactionsbehaviorsrequiredforthe defense indepthconceptand
functional managementinclude:
6.1 Predict attacks on an organization’s assets
 Seriousconsiderationof the resultsof the ongoingintelligence reportsgeneratedbythe
CIOCintelligence analysesandreportteam.
 Analysesof internal vulnerabilities,risksandexposuresandthe likelihoodthatspecific
exposurescanbe realizedagainstthe organizationdue unmitigatedexposures.
 ReviewSIEMand all otherawarenessdashboardsthatyoumighthave at leasttwice a
day
 Constantanalysesof the typesof attacks thathappeneverydayon the organizationthat
mightprovide indicationsandwarnings(I&W) of site enumeration
 The introductionof newtechnologiesthatcouldcause adisruptionof currentprocesses
and procedures.Cloudadoptioncouldbe consideredadisruptivetechnologythatcould
presentnewexposuresnonmitigatedexposure.
 Highvigilance toCyberOpenSource Intelligence (COSI) informationandintelligence
sourcesto include multipleinformationsecuritymagazines,blogs,threatreports
 Get feedbackfromotherteamslike networkengineeringonpossible Indicationsand
warningsyoucan integrate intoyouPredictionStrategy
 Membershipincore informationsharingorganizationslikeFS-ISAC
 MembershipinINFRAGUARDandsimilarorganizations
 Relationshipswithlocal law enforcement
6.2 Prevent attacks on an organization’s assets
 Define andbuildanstate of the art securityarchitecture thatisalignedwithan
organizationsriskprofile
 Buildexcellentsecurityarchitecture documents
 Tune all toolssuch as firewalls,accesscontrol functions,loggingandalertingsystemsfor
maximumefficiencyandregularlytestsame
 Write processand proceduresforall majorproceduressuchas patchmanagement,
vulnerabilitymanagement,Intelligencedevelopment,incidentresponse andetc.
 Ensure that securityisaggressivelybuiltintothe enterprise architecture and
requirementsdocuments
 Base securitymanagementonITgovernance suchas ITIL
 Define securitystandardsandpolicies
 Ensure the basic securityblockingandtacklingisdone beforeimplementing
advancedtoolsandprocedures
 Use change control for all thingsthatcouldaffectthe IT environment
 Hardenall platformsandapplicationsagainstattack

22. 22
 Selectacontrol environmentsuchasSANSTop 20, FISMA, NIST800-53, ISO27000 series
 Implementasuperbpatchmanagementprocessthatsetsmetricforcurrentpatch
statusat 95 percent forall platforms,endpoints,databases,applications,network
devicesandetc
 Strictlylimitadministrative accessand manage withprivilegemanagementtools
 Monitoraccess inreal time
 Implementrobuststaticandintransitdata lossprotectionplans(DLP)
 Implementarobustsecure software developmentprogram.
 100 percent compliance togovernmentregulationandbusiness compliance
requirementslikePCI
 Conductregularinternal scansandpentestsusinganyone of the host vulnerability
assessmenttoolsforplatformandapplicationsexposures.
 Implementaongoingsecuritytrainingprogramthatisnot givenonce a year
 Investintrainingthe securitystaff
 Buildrobustsecuritymetricsbriefedbythe CIOCCSOOto executivesonce amonthtoC
level andonce a quarterto Board level executives.
 Lead yourstaff and all organizationpersonnel indataprotection
6.3 Detect attacks on an organization’s assets
 Preventincidentsfromhappeninginthe firstplace
 Ensure a 24 X 7 detectioncapabilityisavailable
 Deploystate of the art static and dynamicdetectiontoolsthatyourorganizationcan
fund
 Define real time detectionprocesses
 Ensure employeesare aware of how to reportsuspiciousendpoint,platformand
networkintrusions
 Extenddetectiontoall BYODand external systems
 Mange threatdetectioninall cloudbasedservices
 Define SLAsforrespondingtothreats
 Determine which securitysystemsshouldbe inyourDRand BC planning
 Ensure youhave managedout as manyfalse positivesandfalse negativesaspossible
 Use the CWE toolswheneverpossible http://cwe.mitre.org/. CWEistunedto
applicationsecuritybutitisan excellentbutcomplex framework.
6.4 Respond to attacks on an organization’s assets
 Determine whatthe company’sappetite forincidentresponse is. Isitwillingtoaccept
automatedshutdownof businessprocessesandnetworksegments.
 Determine if youwanttohire a DDOS threatmitigationservice like Prolexic
 Create and practice detailedincidentrepose process
 Define responsethresholdsbasedonthe attackareas and magnitude of same
 Ensure global partnersandexternal business customersare aware of incidentresponse
processes

23. 23
 Define escalationprocess
 Conducttable topexercisestotrainentire staff onincidentresponse andcybercrises
management
 Contract withexternal forensicsinvestigator
 Ensure two incidentmanagementlinesare established,one forexecutivesandone for
those doingthe workto manage and terminate the incident
 Developandtrainonthe RACIchart for incidentmanagement. Platformsecurity
incidentspossiblycouldbe managedbythe platformmanager.
 Train internal staff forforensicsinvestigationsandbuttoolslike EnCase
 Conductpriorplanningwithall technical andc level staff
 Knowobligationsandresponseproceduresforsuchlawsconcerningadata breech. Let
legal andmarketingworkthe customer notificationobligations.
 Ensure incidentresponseteamisaware of all threatintelligencegeneratedbythe SOC
 Ensure systemsare configuredtorespondtoattacks,is yourIPS setto denyattacks
 Oversee andbe aware of all preventive measuresthatshouldpreventincidentsfrom
happeninginthe firstplace
 Ensure that youhave properincidentclose outprocesses
Source: http://cwe.mitre.org/
7 A C4ISR Control Framework
The belowchart issimple. It showstothe bestof our abilitywhere CSC4ISRcan applywithinthe
intelligence cycle ormappedtothe SANSTop 20 Operational SecurityControls.
Intelligence
Cycle
Framework
Command Control Communication Computers Intel Surveillance Recce
Requirements X X X X X X X
Planningand
Direction
X X X X X X X
Collection X X X X
Processingand
exploitation
X X X X
Analysesand
production
X X X X
Dissemination X X X X X X
SANS 20 Critical
Controls
Command Control Communication Computers Intel Surveillance Recce
1: Inventoryof
Authorizedand
X X X X X X

24. 24
Unauthorized
Devices
2: Inventoryof
Authorizedand
Unauthorized
Software
X X X X X X
3: Secure
Configurations
for Hardware
and Software on
Mobile Devices,
Laptops,
Workstations,
and Servers
X X X X X X
4:Continuous
Vulnerability
Assessmentand
Remediation
X X X X X X X
5: Malware
Defenses
X X X X X X X
6: Application
Software
Security
X X X X X X
7: Wireless
Device Control
X X X X X X X
8: Data
Recovery
Capability
X X X
9: SecuritySkills
Assessmentand
Appropriate
Trainingto Fill
Gaps
X X X X X X X
10: Secure
Configurations
for Network
Devicessuchas
Firewalls,
Routers,and
Switches
X X X X X X

25. 25
11: Limitation
and Control of
NetworkPorts,
Protocols,and
Services
X X X X X X
12: Controlled
Use of
Administrative
Privileges
X X X X X X
13: Boundary
Defense
X X X X X X
14:
Maintenance,
Monitoring,and
Analysisof
AuditLogs
X X X X
15: Controlled
AccessBasedon
the Needto
Know
X X X X X
16: Account
Monitoringand
Control
X X X X X X
17: Data Loss
Prevention
X X X X X
18: Incident
Response and
Management
X X X X X X
19: Secure
Network
Engineering
X X X X X
20: Penetration
Testsand Red
Team Exercises
X X X X X X
Table 1 Shows the integration of Controls, DID and Intelligence Management
http://www.sans.org/critical-security-controls/guidelines.php
8 Summary
Colleagues

26. 26
Thank youfor readingmypaper. I hope ithelpsa little. We mustcontinue tofightandwininthis
enormouscyberwarrampagingthe world.
Bill Ross, SeaGirt, NJ21 July2018