Cisco Blogs

Objective – Net Superiority

July 18, 2011

I’ve had some recent discussions with colleagues in the armed forces regarding cyber security and how they consider “cyber” to be the fourth warfighting domain along with land, air, and sea. They describe how cyber has its own terrain made up of computing resources. As I further thought through this concept I saw a striking resemblance between the network and air warfare. To elaborate on this thought I must first set the context around the concept of air supremacy.

There are probably many different variations of the definition of air supremacy, but for the purpose of this blog let’s use “the degree of air superiority wherein the opposing air force is incapable of effective interference.” I borrowed this definition from NATO. There are two key words in the definition, “degree” and “effective.” Supremacy is not achieved in one step: a force first establishes parity, then superiority, and only then supremacy. Air parity is the lowest degree, in which a force can control the skies above friendly units; in other words, it prevents opposing air assets from overwhelming land, air, and sea units.

The next degree is air superiority. Air superiority is achieved when a force has the upper hand over an opposing air force. Air superiority enables operations to take place at any time or location without prohibitive interference from opposing forces. In order to achieve air supremacy one must first establish parity and then move into superiority. Once air supremacy is achieved, the ability to disrupt and affect the opposing force’s land and sea operations is realized, and the opposing force is incapable of effective interference.

Now let’s transition back to the cyber realm. If computing resources are elements of terrain in cyber space, then the network serves as the transport by which an opposing force (malicious actors) can maneuver and conduct logistics. Just as most modern conflicts leverage the air and sea to transport their fighting forces, malicious actors leverage the network to deploy their forces in the form of malware. In the modern world of computer network defense there are essentially two terms that come to mind: detection and prevention.

Prevention equates somewhat to supremacy, in which the opposing force is incapable of effective interference. While air supremacy has been demonstrated in recent conflicts, it has not been achievable in cyber space due to the dynamism of the threat and environment. I am not insinuating that prevention technologies are not worthwhile; I’m simply stating that to date they have not allowed us to claim supremacy. This is because we can only prevent tactics, techniques, and procedures that we are aware of, and not all exploits and malware are known before they’ve presented themselves and claimed some degree of their objectives. Furthermore, the dynamism with which some malware operates is not conducive to consistent and accurate prevention.

Detection is the ability to sense the presence of anomalies or questionable events. These anomalies or events could be benign or malicious, but the ability to successfully detect their presence is key to achieving parity. A network that is capable of sensing and detecting threats can inform prevention mechanisms. This is like radar assets that detect opposing air assets and inform air commanders of their presence, so that operations can be conducted against those assets to minimize their effect and prevent them from achieving their mission objectives.

You may say that we can achieve the same results through host-based mechanisms, but back to the aspect of terrain: I draw similarities between hosts and urban environments. It’s not that we can’t defend and detect threats on a host, but host defense is much like urban warfare. It’s complex, full of hiding spots, and has many variables. Malicious code that has successfully achieved the initial objective of infecting a host is like an opposing force that has established defensive positions within an urban setting. Removal of that force is often a surgical and time-consuming process. Successful host defense requires a strong element of prevention; as a result, most anti-virus software operates in a reactionary mode. As with other signature-based prevention technologies, this is much more aligned with the concept of parity than with superiority or supremacy. In an ideal scenario it would be much more effective to detect and intercept a force on their way to an objective than to wait for them to arrive.

Just like instrumentation of the air is necessary to detect opposing forces, instrumentation of the network is critical to detect threats against cyber terrain elements. Network technologies like Flexible NetFlow (FnF), Application Visibility and Control (AVC) and IP Service Level Agreements (IP SLA) can provide early warning indicators of the presence of risk, possibly in the form of malicious actors. These technologies provide valuable telemetry information of the network and increase the value of each network node by enabling a distributed sensor grid. Leveraging the network’s ability to generate this information along with other technology that can collect and process the information into meaningful context can greatly assist in detecting and disrupting malicious actors from operating uncontested and limiting their effectiveness.

Detection of these threats is key to establishing a degree of net parity. Once detected and understood, countermeasures can then be applied to prevention systems. The faster threats are detected, controlled and turned into prevention mechanisms the more realistic network superiority becomes. While network supremacy is the ultimate degree of control in the terrain of cyber space, achieving some degree of net superiority is more realistic and should be our goal, even if it seems slightly out of reach. We simply can’t settle for parity.
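The following is an added example, not code from the original post or from Cisco: it works through the sensor-grid idea above (flow telemetry as an early-warning source) and the detect-then-prevent loop described in the paragraph just before it. It runs two simple detections over constructed flow records shaped like the fields a Flexible NetFlow export would carry (source, destination, destination port, bytes, start time), then turns each finding into an ACL-style deny tuple. The record layout, the thresholds, and the rule format are all assumptions chosen for the illustration, and the sample flows are constructed, not captured data.

```python
"""Flow-telemetry detection feeding prevention (added example, not Cisco's code).

Assumed record layout; real NetFlow exports carry more fields than this."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    nbytes: int
    start: float  # seconds since an arbitrary epoch


# Constructed sample telemetry (not captured data):
#  - 10.0.0.5 touches 12 hosts on port 445 with tiny flows  -> fan-out probing
#  - 10.0.0.9 reaches 203.0.113.7:443 every 60 s, +/-0.5 s -> beacon-like rhythm
#  - 10.0.0.20 is ordinary, irregular browsing traffic
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"10.0.1.{i}", 445, 60, 100.0 + i) for i in range(12)]
    + [Flow("10.0.0.9", "203.0.113.7", 443, 1500,
            200.0 + 60 * k + (0.5 if k % 2 else -0.5)) for k in range(9)]
    + [Flow("10.0.0.20", "198.51.100.1", 443, 40000, 150.0),
       Flow("10.0.0.20", "198.51.100.2", 80, 12000, 420.0),
       Flow("10.0.0.20", "198.51.100.1", 443, 80000, 910.0)]
)


def detect_fanout(flows, min_targets=10, max_bytes=200):
    """Flag sources that contact many distinct hosts on one port with tiny flows.

    Small, numerous flows to many destinations look like probing rather than
    legitimate sessions; thresholds are assumptions tuned for the sample."""
    targets = defaultdict(set)
    for f in flows:
        if f.nbytes <= max_bytes:
            targets[(f.src, f.dport)].add(f.dst)
    return [{"type": "fanout", "src": src, "dport": dport, "targets": len(dsts)}
            for (src, dport), dsts in sorted(targets.items())
            if len(dsts) >= min_targets]


def detect_beacons(flows, min_flows=6, max_jitter_ratio=0.05):
    """Flag src->dst:port pairs whose inter-arrival times are nearly constant.

    A coefficient of variation (stdev / mean) of the gaps near zero means
    the contacts are machine-timed rather than human-driven."""
    times = defaultdict(list)
    for f in flows:
        times[(f.src, f.dst, f.dport)].append(f.start)
    findings = []
    for (src, dst, dport), ts in sorted(times.items()):
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings.append({"type": "beacon", "src": src, "dst": dst,
                             "dport": dport, "period_s": round(avg, 1)})
    return findings


def to_countermeasures(findings):
    """Translate findings into prevention entries (assumed ACL-style tuples).

    Fan-out gets a port-wide deny for the source; a beacon gets a narrow
    deny for the specific src/dst/port so normal traffic is not disturbed."""
    rules = []
    for f in findings:
        if f["type"] == "fanout":
            rules.append(("deny", f["src"], "any", f["dport"]))
        elif f["type"] == "beacon":
            rules.append(("deny", f["src"], f["dst"], f["dport"]))
    return rules


def analyze(flows=SAMPLE_FLOWS):
    """Run both detections and derive the countermeasures they justify."""
    findings = detect_fanout(flows) + detect_beacons(flows)
    return findings, to_countermeasures(findings)


if __name__ == "__main__":
    found, rules = analyze()
    for item in found:
        print("finding:", item)
    for rule in rules:
        print("countermeasure:", rule)
```

The ordinary host never appears in the output: its flows are large and irregular, so neither detector fires. That is the point of the loop the post describes: telemetry from every node feeds detections, and only detections that cross a threshold become prevention entries, which is how a network moves from parity toward superiority without blocking legitimate traffic.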

How real do you think network superiority is, and what do you think the network needs to deliver in order to impede malicious actors’ ability to interfere with your organization’s operations? What are your recommendations for achieving Objective – Net Superiority?
