By Bob Gourley
Lessons learned from US agents who operate in enemy territory have been captured for years and transformed into a code of conduct popularly known as “Moscow Rules.” These rules of human intelligence tradecraft exist for a reason. Real-world experience has proven their effectiveness when agents must operate in the presence of adversaries.
The rules are not just for intelligence agents overseas. They also bring lessons for organizations seeking to defend themselves from persistent penetrations. When your network has been compromised your every defensive action can be in the presence of adversaries. The following is a modified list of the old Moscow Rules designed to help the CISO under fire.
Consider these as ”Moscow Rules for Cyber Operations”
- Do not trust your gut. Your gut is not used to the manmade creations of cyberspace. Instrument, measure, monitor and seek to confirm everything.
- Do not trust any single source of information. Seek multiple sources, especially sources from outside your organization.
- Immediately review the community produced Consensus Audit Guidelines and ensure you are optimizing on all 20 of these SANS-coordinated, CISO-tested practices.
- Design your cyber defense monitoring system to bring all sources together for “big data” analysis. This includes structured network and computer derived information and also unstructured feeds from advisory reporting, vulnerability reports, social media and specialized cyber intelligence feeds.
- Backup everything of importance to your mission, and keep unalterable logs. This will save you, again and again.
- Understand your actions are being observed. Your adversary is watching you watch them; you are never completely alone.
- Every device in your system is potentially under opposition control. Your VOIP phone, your Telepresence system, your laptop, tablet and even cell phone, are all potentially compromised. Architect your enterprise to ensure penetrated systems are detected, isolated and their comms grounded.
- Understand your boundaries. Establish rules at every gate.
- Protect your most important information, but seek to lull your adversary into a sense of complacency.
- Don’t harass the opposition. You want to enhance your defenses and keep them out. You do not want to embolden/encourage hatred. You want them to go away.
- There is no limit to a human being’s ability to rationalize the truth. This goes for your cyber defender team and the adversaries and should inform your plans.
- Pick the time and place for action. Move fast to protect your most important info. Take actions to keep your adversary off balance. Build plans in well thought out ways to raise all other info defenses on your schedule.
- Keep your options open. Understand your adversary is a thinking, creative entity that will react and surprise you. The team you push out of your system may be replaced by a much more sophisticated team.
- Training and education of your workforce is important, but it will fail you. Even with all the training in the world your workforce will eventually be deceived by creative, determined adversaires. Know that right now a user somewhere in your organization is doing something they should not be.
- Be careful about outside consultants. The cyber defense field, unfortunately, attracts charlatans who assert that they have special knowledge of how to defend. The only way to vet experienced cyber defenders is to have either observed their past performance first-hand or to get first-hand reports by those you trust.
- Understand the human tendency to forget about the threat as soon as the current attack has been mitigated. Do not fall victim to this cyber threat amnesia. When not under visible attack, study, prepare, and test your own defenses.