A Framework for Cyber Indications and Warning

As part of its observance of 2018’s National Cybersecurity Awareness Month, the Intelligence and National Security Alliance (INSA) has proposed an Indications and Warning (I&W) framework that organizations can use to identify the most likely sources of cyber attacks and proactively execute countermeasures against them.

INSA found that many organizations maintain too narrow a focus on known threats and attack techniques, which prevents them from effectively prioritizing cybersecurity resources, acquiring equipment and data needed to mount effective cyber defenses, and successfully responding to actual cyber attacks.  Effective cyber I&W is further hindered by a shortage of personnel with training in both cybersecurity and intelligence analysis.

Drawing on I&W methodologies and structured analytic techniques employed by the Intelligence Community, the INSA cyber I&W framework calls for “decomposing,” or breaking down, an anticipated scenario in cyberspace into indicators that can be continuously monitored to warn if and when the scenario transpires. 

The framework consists of seven steps:

  1. Identify and prioritize assets to be protected;
  2. Develop a refined understanding of the most likely threats;
  3. Using structured analytic techniques, forecast likely attack scenarios;
  4. Decompose scenarios into indicators of likely adversary actions;
  5. Plan and exercise countermeasures to likely adversary actions;
  6. Collect intelligence on indicators and adversary plans and intentions; and
  7. Execute proactive measures to counter anticipated attack vectors.

The report’s insights were drawn from surveys and interviews of senior cybersecurity experts from government, industry, and academia.

Peggy O'Connor
