February 21, 2012
Last week I read an article on Wired.com's Danger Room blog about the elite US military special operations command, JSOC. The units within the Joint Special Operations Command (Delta Force and SEAL Team Six) are responsible for the most clandestine and sensitive US military operations, including last year's Bin Laden raid into Pakistan. JSOC is comparable to elite Special Forces (SF) units around the globe, including the Russian Spetsnaz, the British SAS, the French naval commandos, and the Israeli Shayetet 13. These SF units are capable of addressing asymmetric threats that traditional military units aren't prepared to handle.
In the article, Spencer Ackerman interviews Marc Ambinder, one of the authors of The Command, about JSOC. The article piqued my interest and I have just finished reading the eBook. As with almost everything I do, I considered the information security implications as I read it. Today's infosec threat landscape is dominated by unconventional threats that are difficult to address. How can we apply the techniques SF units use to the cyber threats we face today? I realize that we have an international audience, and my point isn't to focus on US policy, but rather to take a deeper look at the unique capabilities of SF units and what lessons we can apply in our roles as security and risk (S&R) professionals.
SF units are force multipliers that increase the effectiveness and efficiency of overall military operations. They provide strategic advantage and can complete missions that would otherwise require a significantly larger conventional force. Sound enticing? We could use some of that. Infosec organizations face many constraints and must accomplish more with less, so S&R professionals need to look for force multiplier opportunities within their own organizations. Here are some examples of infosec force multipliers:
- SaaS & Managed Services – Outsourcing tactical capabilities that aren’t strategic to your information security organization can serve as a force multiplier. You can leverage the expertise of third parties, while focusing your effort and resources on accomplishing the mission of your business.
- Intelligence – Without actionable intelligence, many SF missions would fail or would never be launched at all. In the book, Ambinder uses the term "persistent surveillance," and there is a direct parallel for enterprises: "persistent surveillance" = Network Analysis and Visibility (NAV). We all know that our preventive controls will fail; NAV gives us the situational awareness of our own environment that is our best strategy for detecting the asymmetric threats those controls miss.
- Fusion Centers – Military organizations are large bureaucracies that often don't move quickly enough to respond to a constantly changing threat landscape; the book calls this "institutional friction." In response, JSOC created Fusion Centers with representation from across government, the intelligence community, and the military. These Fusion Centers share intelligence and let JSOC cut through the bureaucracy to make decisions quickly. Enterprises should have their own equivalent: cross-functional teams with leadership support that let the business make appropriate decisions in a timely manner.
- Education & Training – SF units operate at an extremely high level of operational readiness and must be prepared for the latest threats. When they aren't deployed, these units are constantly doing real-world training to stay sharp and add new capabilities. Of course we don't share SF's black budgets, but your organization must still focus on educating and training your team. To stay abreast of the latest hacking techniques, send your team members to annual information security conferences such as Black Hat, DerbyCon, or ToorCon. Also budget for in-depth technical education on strategic security skill sets such as application security and IAM. Since budget is a challenge, you should also take advantage of free training at OWASP and BSides events.
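To make the "persistent surveillance = NAV" point in the Intelligence bullet concrete, here is a small added example (written for this edit, not code from the post or from The Command) of the kind of signal that network visibility surfaces once you assume preventive controls have already failed. The flow records are constructed inline and are not a real capture; the IP addresses, ports, thresholds and function names are all assumptions for illustration. It summarizes outbound flows per internal host and flags two patterns a firewall that allowed the traffic would never report: a host calling the same external address on a fixed timer (beaconing), and a host pushing an unusually large volume out to a single destination.

```python
"""Toy network-visibility check over constructed NetFlow-style records.

Added example; not code from the original post. Illustrates NAV-style
situational awareness: summarizing outbound traffic per internal host
and flagging (a) regular, low-volume beaconing and (b) large egress.
All data below is constructed; thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # 10.0.0.5 contacts the same external host every 300 s with tiny payloads
    (0,    "10.0.0.5", "203.0.113.9",  443, 512),
    (300,  "10.0.0.5", "203.0.113.9",  443, 498),
    (600,  "10.0.0.5", "203.0.113.9",  443, 530),
    (900,  "10.0.0.5", "203.0.113.9",  443, 505),
    (1200, "10.0.0.5", "203.0.113.9",  443, 515),
    # 10.0.0.7 looks like ordinary browsing: irregular timing, mixed destinations
    (30,   "10.0.0.7", "198.51.100.2", 443, 40_000),
    (95,   "10.0.0.7", "198.51.100.3", 443, 150_000),
    (400,  "10.0.0.7", "198.51.100.2", 80,  12_000),
    (1100, "10.0.0.7", "198.51.100.8", 443, 88_000),
    # 10.0.0.9 pushes a large volume out to one host in a short window
    (2000, "10.0.0.9", "192.0.2.77",   22,  700_000_000),
]


def group_by_pair(flows):
    """Group flows by (src, dst, port), keeping (timestamp, bytes) per flow."""
    pairs = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        pairs[(src, dst, port)].append((ts, nbytes))
    return pairs


def find_beacons(flows, min_flows=4, max_jitter=0.1):
    """Return (src, dst, port, interval) for pairs whose inter-flow gaps are
    near-constant: coefficient of variation of the gaps <= max_jitter.
    Thresholds are illustrative assumptions, not tuned values."""
    hits = []
    for (src, dst, port), recs in group_by_pair(flows).items():
        if len(recs) < min_flows:
            continue
        times = sorted(t for t, _ in recs)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, port, avg))
    return hits


def find_large_egress(flows, threshold_bytes=100_000_000):
    """Return (src, dst, total_bytes) for host pairs whose outbound volume
    meets the threshold. The threshold is an assumed value."""
    totals = defaultdict(int)
    for _, src, dst, _port, nbytes in flows:
        totals[(src, dst)] += nbytes
    return [(src, dst, b) for (src, dst), b in totals.items() if b >= threshold_bytes]


def summarize_hosts(flows):
    """Per internal host: distinct destinations and total bytes out."""
    summary = {}
    for _, src, dst, _port, nbytes in flows:
        entry = summary.setdefault(src, {"destinations": set(), "bytes_out": 0})
        entry["destinations"].add(dst)
        entry["bytes_out"] += nbytes
    return summary


if __name__ == "__main__":
    for host, info in sorted(summarize_hosts(FLOWS).items()):
        print(f"{host}: {len(info['destinations'])} destinations, {info['bytes_out']} bytes out")
    for src, dst, port, interval in find_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every {interval:.0f} s")
    for src, dst, total in find_large_egress(FLOWS):
        print(f"large egress: {src} -> {dst} {total} bytes")
```

The beaconing host moves only a few kilobytes in total, so a volume threshold alone would never catch it; the exfiltrating host makes a single connection, so a frequency check alone would miss that one. Both are visible only because the flow data is being collected continuously and summarized per host, which is the enterprise version of persistent surveillance.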
What force multipliers do you use in your organization?