Iron Rain: What Defines a Cyber Insurgency?

“A fool pulls the leaves. A brute chops the trunk. A sage digs the roots.” – Pierce Brown

The western world is currently grappling with a cyber insurgency.  The widespread adoption of the “kill-chain” coupled with the use of memory resident malware has fueled the cyber-attack wild fire.  The security architectures mandated by regulators and standard bodies are collapsing. History does repeat itself. One should study the evolution of insurgencies to better grasp the nature of cybersecurity in 2018.

In the Red Rising Trilogy, Pierce Brown introduces a military tactic that could only work in a world where humans live on multiple planets and asteroids. We won’t spoil the book completely (go read the series, it’s awesome) but for the purposes of this blog an Iron Rain can be defined as a mass invasion tactic. Enemy fleets gather outside the atmosphere of a planet and use pods or other drop ships to launch an unbelievably overwhelming military force on a planets populace.

It’s overwhelming. It’s instant and if you miss-react you are doomed to fall to the Iron Rain. Just like with cyberattacks. It must be stated that attacks are not stand alone and in many cases they are simply part of a larger “Iron Rain” effort. If you follow the strategy behind most nation state attacks you quickly start to realise that these efforts resemble insurgency tactics more than they do standard military ones.

What defines a cyber insurgency?

The Department of Defense Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms (Washington, DC: U.S. Government Printing Office [GPO], 12 April 2001), defines an insurgency as “an organised movement aimed at the overthrow of a constituted government through the use of subversion and armed conflict.”

In cyber terms “an organised movement aimed at the disruption of cyber systems and through subversion and armed cyber conflict.”

The goals of the cyber insurgency may vary however the following conditions must exist for a cyber insurgency:

  1. You must have a common entity or authority against whom your actions are directed.
  2. You must have the tools of cyber insurrections themselves: and the systems to launch attacks against the entities.
  3. The cyber insurgents must be willing to use cyber force against their targets. This element distinguishes a cyber insurrection from intelligence gathering purposes.

As a former U.S. Marine we were taught to think differently. We were taught to think like the enemy and take it to them when needed. The Marines have a history of doing more with way less we take pride in it. Just like InfoSec teams. Over the last few years it has become apparent that our enemies are emboldened and becoming more aggressive. We must shift thinking and tactics to begin to turn the tide. Just like every battlefield Marine. Intel changes, things move fast and people’s lives are at risk.

It is fundamental that cybersecurity professionals take a page from the annals of irregular or low intensity warfare to better understand how to combat this threat.  This article is meant to begin an open discussion on how we as defenders can best modernise our strategies of cybersecurity. Much of the strategic tenants below are derived from The Marine Corps Counter Insurgency Manual or FM 3-24 MCWP 3-33.5 and adapted to the world of cyber.

To effectively discuss cyber insurgencies we must discuss the idea of irregular warfare.

Low intensity warfare or irregular warfare is a violent struggle among state and non-state actors for legitimacy and influence over the relevant populations. Irregular warfare favours indirect approaches, though it may employ the full range of evasion and other capacities in order to erode an adversary’s prevention, detection, and response capabilities.

When counter insurgents attempt to defeat an insurgency, they perform a range of diverse methods. Leaders must effectively arrange these diverse methods in time and cyberspace to accomplish strategic objectives. The various combinations of these methods with different levels of resourcing provide each team with a wide range of strategic options to defeat an insurgency.

“Effective cyber counterinsurgency operations require an understanding of not only  available cyber security capabilities but also the capabilities of the adversary.”

The tasks counter insurgents perform in countering an insurgency are not unique. It is the organisation of these tasks in time and space that is unique. For example, financial organisations may employ strategy to align and shape efforts, resources, and tasks to support strategic goals and prepare for specific attacks on their institution. In support of this goal, good strategies would normally emphasize security cooperation activities, building partner capacity and sharing threat intelligence.

Business leaders and security leaders must have a dialogue to decide the optimal strategy to meet the security needs of the organisation the team is supporting. Different capabilities provide different choices that offer different costs and risks.

Unified action is essential for all types of involvement in any counterinsurgency. Unified action is the synchronisation, coordination, and/or integration of the activities of entities with cyber security operations to achieve unity of effort. Your organisation must have a unified approach to cyber operations.

We must begin to think collectively as an organisation. The time for siloed decisions is over. The time for unified action is here and we must unify our strategies to combat the ongoing cyber insurgency. On 19th July, we will be releasing the Cb Quarterly Incident Response Threat Report (QIRTR) where we survey dozens of our IR and MDR partners per ground truth in cyber.  The results will be interest to you and your organisation. Stay tuned!