Lessons learned from US agents who operate in enemy territory have been captured for years and transformed into a code of conduct popularly known as "Moscow Rules." Those old rules existed for a reason. Real-world experience proved their effectiveness when agents had to operate in the presence of adversaries.
Since modern cyber defenders are also frequently required to operate in the presence of adversaries there are lessons from these old Moscow Rules relevant to cyber defense.
With that as an introduction, the following is a modified list of the old Moscow Rules designed to help the cyber defender under fire.
Consider these as "Moscow Rules for Cyber Operations"
- Do not trust your gut. Your gut is not used to the manmade creations of cyberspace. Instrument, measure, monitor and seek to confirm everything.
- Do not trust any single source of information. Seek multiple sources, especially sources from outside your organization.
- Design your cyber defense monitoring system to bring all sources together for "big data" analysis. This includes structured network and computer derived information and also unstructured feeds from advisory reporting, vulnerability reports, social media and specialized cyber intelligence feeds.
- Backup everything of importance to your mission, and keep unalterable logs. This will save you, again and again.
- Understand your actions are being observed. Your adversary is watching you watch them; you are never completely alone.
- Every device in your system is potentially under opposition control. Your VOIP phone, your Telepresence system, your laptop, tablet and even cell phone, are all potentially compromised. Architect your enterprise to ensure penetrated systems are detected, isolated and their comms grounded.
- Even in the complex heterogenous world of modern enterprise IT you can find boundaries and control points. Know where they are and how to leverage them to your advantage. Establish rules at every gate.
- Protect your most important data, knowing that its loss could destroy your business. Other things need to be protected, but you likely can't afford to treat everything the same.
- Don't harass the opposition. You want to enhance your defenses and keep them out. You do not want to embolden/encourage hatred. You want them to go away. More than likely you are not good enough at defending your own enterprise to even think of doing anything offensive. Save that for the government.
- Keep your options open. Understand your adversary is a thinking, creative entity that will react and surprise you. The team you push out of your system may be replaced by a much more sophisticated team.
- Know your tradecraft and make sure your entire team does as well (many exemplars and best tradecraft practices are available, a favorite of mine is the community produced Consensus Audit Guidelines).
- Training and education of your workforce is important, but it will fail you. Even with all the training in the world your workforce will eventually be deceived by creative, determined adversaires. Know that right now a user somewhere in your organization is doing something they should not be.
- Be careful about outside consultants. The cyber defense field, unfortunately, attracts charlatans who assert that they have special knowledge of how to defend. The only way to vet experienced cyber defenders is to have either observed their past performance first-hand or to get first-hand reports by those you trust.
- Pick the time and place for action. Move fast to protect your most important info. Take actions to keep your adversary off balance. Build plans in well thought out ways to raise all other info defenses on your schedule.
- Understand the human tendency to forget about the threat as soon as the current attack has been mitigated. Do not fall victim to this cyber threat amnesia. When not under visible attack, study, prepare, and test your own defenses.
Have you had responsibilities for defending an enterprise in the face of adversaries? Does the list above resonate with you, or is any part of it out of whack with your experiences? I would appreciate your thoughts.
Latest posts by Bob Gourley (see all)
- FireHost is Now Armor: featuring an advanced linking intelligence, defense and control focused on customer outcomes - September 1, 2015
- Two Factor Failure: With complexity comes new vulnerabilities - August 31, 2015
- Integrate (26-30 Sep 2015 in Santa Clara) is the largest conference 100% focused on integrating technologies - August 29, 2015