INSA Releases Framework for Cyber Indications & Warning

October 15, 2018

Paper recommends ways organizations can better warn of impending cyber attacks

ARLINGTON, VA (Monday, October 15, 2018) – In a new report released today to recognize National Cybersecurity Awareness Month, the Intelligence and National Security Alliance (INSA) proposed an Indications and Warning (I&W) framework that organizations can use to identify the most likely sources of cyber attacks and proactively execute countermeasures against them.

INSA found that many organizations maintain too narrow a focus on known threats and attack techniques, which prevents them from effectively prioritizing cybersecurity resources, acquiring equipment and data needed to mount effective cyber defenses, and successfully responding to actual cyber attacks. Effective cyber I&W is further hindered by a shortage of personnel with training in both cybersecurity and intelligence analysis.

“It’s difficult for an organization to purchase equipment, hire personnel, and develop plans to defend against every possible way it can be attacked in cyberspace,” said Kevin Zerrusen, Managing Director in Technology Risk at Goldman Sachs and the Chair of INSA’s Cyber Council. “The cyber I&W framework proposed by INSA can help organizations proactively anticipate and prepare for the most likely threat scenarios they may face.”

Drawing on I&W methodologies and structured analytic techniques employed by the Intelligence Community, the suggested cyber I&W framework calls for “decomposing,” or breaking down, an anticipated scenario in cyberspace into indicators that can be continuously monitored to warn if and when the scenario transpires.

“The Intelligence Community has formal methodologies for providing warning of both likely and unanticipated events,” said Maj. Gen. Jim Keffer, USAF (ret.), Director for Cyber at Lockheed Martin and the Vice Chair of INSA’s Cyber Council. “This report provides a framework for providing proactive defense against an anticipated cyber attack. The framework decomposes anticipated attack scenarios into indicators that can be continuously monitored to warn of, and react to, an attack.”

The framework consists of seven steps:

  1. Identify and prioritize assets to be protected;
  2. Develop a refined understanding of the most likely threats;
  3. Using structured analytic techniques, forecast likely attack scenarios;
  4. Decompose scenarios into indicators of likely adversary actions;
  5. Plan and exercise countermeasures to likely adversary actions;
  6. Collect intelligence on indicators and adversary plans and intentions; and
  7. Execute proactive measures to counter anticipated attack vectors.

The report’s insights were drawn from surveys and interviews of senior cybersecurity experts from government, industry, and academia.