The mission of the Department of Defense (DoD) is perhaps the most daunting of any government agency. To be charged with protecting not only the physical security of the nation and its interests but also its information architecture and assets in the digital age, is a weighty responsibility.
While the DoD has been victorious in land, sea, and air battles since its inception, the challenges posed by protecting and defending an ever-evolving definition of cyberspace and an ever-increasing amount of information, from ever-more aggressive adversaries is creating some unique challenges. Instead of choosing to go it alone, the DoD has reached out to private sector partners that specialize in cyber defense to devise a battle plan that will enable them to lead the charge and rise victorious in this new theater of warfare.
As Dmitri Alperovitch, CTO of CrowdStrike noted in his Congressional testimony on this matter, “[t]he Department of Defense (DoD) faces a similar challenge to that of the private sector. The very same threat actors targeting private industry today, to steal intellectual property and sometimes carry out destructive attacks, are trying to break into DoD networks to conduct espionage and degrade our warfighting capabilities.”
Three Steps to Combatting the Enemy
So, what did Alperovitch recommend the DoD do to begin to form a battle plan to combat nation-state threats from the likes of Russia, North Korea, Iran, and China?
According to Alperovitch the DoD needs to pivot from cyber hygiene – activities like patching, building an asset inventory, or implementing controls – to focus on threat hunting. Hunting adversaries stops foreign intelligence and military organizations from breaking into networks. “[G] ood cyber hygiene will not stop determined GRU or PLA cyber actors – just as having locks on the door of your house would not stop Navy Seals from getting in if they have a mission to do so,” he shared with members of Congress.
Hunting is a specific activity for Alperovitch. “Hunting is assuming that adversaries are in your network and proactively searching for them by looking across your assets for indicators of malicious activity. Simply investigating alerts generated by security tools is not hunting,” he emphasized. While threat hunting might sound labor-intensive, there are tools that not only hunt for adversaries on a 24×7 basis but, do so across the millions of machine around the world. This is something Alperovitch cast as ‘low hanging fruit’ for the DoD since it can be ramped up without an enormous personnel mobilization effort.
While “the cloud” is often held up as the panacea for organizations looking to modernize their IT infrastructure, in this instance, it really is. Alperovitch shared examples from the financial services and other private sector organizations whose legacy infrastructure and complex operating environments rival those of the Department of Defense and, yet, are making significant progress in combatting threats by using cloud-enabled technologies.
Alperovitch noted that “cloud-enabled technologies work because they flip the asymmetry between offense and defense. Modern security approaches take advantage of cloud resources by recording all computer security-related events in massive cloud-based data stores and perform advanced analytics and forensics on that data to uncover subtle adversary activity. Tracking trillions of events provides rich context for identifying suspicious patterns. What is more, once a threat is identified in one part of the network, cloud-based security technologies allow instantaneous distribution of protection against it, across the entire ecosystem. With millions of endpoints under management, DoD can leverage cloud systems to turn its scale into a strength, rather than a challenge.”
To win the battle in cyberspace speed is the critical factor; the only way to beat an adversary is by being faster than them. As part of his work at CrowdStrike Alperovitch developed a model called the 1-10-60 rule. In short, the rule outlines the timeframe that an organization needs to meet to detect, investigate, and remediate a threat. “The very best private-sector companies we work with [at CrowdStrike] strive to detect an intrusion on average within 1 minute, investigate it within 10 minutes, and isolate it, or remediate the problem, within 1 hour.”
Alperovitch assured the nation’s legislative and military leaders that while this might sound impossible it is, in fact, a routine response for the best private sector organizations. What’s also important about the 1-10-60 approach is that it doesn’t rely on preventing the initial compromise, but on preventing the adversary from establishing a beachhead within the network and therefore, from, achieving their objective. And for Alperovitch, this is in fact, a better definition of preventing the breach.
In the end the Department of Defense has no option but to prevail in its new mission to secure, protect, and defend its new generation of prime assets. While there are definitely obstacles to be overcome, in the form of talent recruitment, legacy infrastructure, and an unyielding adversary base, Alperovitch is confident that it’s more than equal to the challenge. By focusing on concepts – threat hunting and the 1-10-60 rule – over purely technology-based solution, he has provided a framework that can transcend the evolution of tools and solutions and to adapt to whatever threat environment defines the future. And, as the CrowdStrike CTO noted at the end of his testimony, “[t]he result will be strong accountability and better defense.”