Security Experts:

Cyber Shaping Operations - How to Affect the Threat Before it Enters Your Area of Operations

Denying the enemy’s ability to gather information about an enterprise is crucial to its security.

In previous columns, I have outlined how to define the cyber battlespace in context with an enterprise, how to focus on the threats, and how to array assets to find threats against an enterprise. In this column I will focus on how to shape the battlespace for success.

“A shaping operation is an operation at any echelon that creates and preserves conditions for the success of the decisive operation. Shaping operations establish conditions for the decisive operation through effects on the enemy, population (including local leaders), and terrain. Information engagement, for example, may reduce tensions between Army units and different ethnic groups through direct contact between Army leaders and local leaders. Shaping operations may occur throughout the operational area and involve any combination of forces and capabilities.” (US Army Field Manual 3-0)

The most important aspect of shaping operations is setting conditions for success. In simpler terms, it is making sure that the enemy conforms to your plan, not theirs. Shaping operations also require coordination in order to employ capabilities that you do not own.

At the strategic level, shaping is considered phase one of any operational contingency, normally intended to deter an enemy from taking action; better yet, this phase is designed to ensure mission accomplishment. In a peacetime or steady-state environment, shaping operations focus on non-lethal activities to prevent escalation to combat. Many outreach programs can be successful here, including medical and civil projects with local communities, education, job creation programs, or even training the local military to contend with threats to security and stability. At the strategic level, the ability to influence an enemy’s behavior is the key to success.

Demonstrations of military force capabilities can influence behavior; however, this is also the best time to use Information Operations. Despite all the intellectual discord over the definition and redefinition of Information Operations in the military today, the bottom line is that Information Operations shapes the mind of the enemy by painting a picture of the battlefield that is either correct or incorrect. In either case, that view provides an advantage. An example of the correct view is Operation Desert Storm: the Iraqis had a clear picture of what was happening to their army and surrendered in droves to prevent their annihilation.

An example of the incorrect view is World War II, when the German Army in France was convinced that Patton was going to lead the invasion at Calais, versus what actually transpired when the Allies landed at Normandy. The confluence of Operations Security (keeping your secrets secret), Messaging (telling the enemy the story you want them to believe), and Military Deception (creating the picture you want them to see) all leads to shaping the battlefield to provide a decisive edge over your enemy.

Using all the tools at your disposal, you set the conditions to attrit the enemy through the length and breadth of the battlespace. At the operational or tactical level, defense in depth is a very effective way to shape operations. Deep strikes against refuel points, logistics centers, or assets such as artillery or aviation all help to influence the enemy’s behavior, affect his ability to retain the initiative, and provide a great advantage over the enemy.

Shaping operations are not just spatial; they are time-related as well. Forcing an enemy to go somewhere or denying terrain may not be as effective as affecting their timeline. And using Information Operations disciplines such as OPSEC and deception will degrade the enemy’s ability to understand friendly composition, disposition, strength, and intent.

Shaping operations in cyberspace begin the moment a network entity is created. Every aspect of that network or enterprise must be obfuscated from open-source data collection. Denying the enemy’s ability to gather information about an enterprise is crucial to its security, and the ability to understand what an enterprise looks like from outside the networks it controls is essential to this task. Relatedly, networks need to be created within an enterprise that deceive a potential threat about where the business operating functions and key assets exist. The use of honeynets built on virtual machines is one such technique. But the effort does not need to be elaborate: a naming convention within a network that does not use functional descriptions for systems, such as “Primary Domain Controller,” can help hide key systems.
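The naming-convention point above is easy to audit. The following is an added example (not code from the column or from Lookingglass) that scans a list of hostnames and flags the ones whose name tokens reveal a system’s function; the keyword list and the sample hostnames are constructed for illustration and would be tailored to a real environment.

```python
import re

# Constructed list of tokens that give away a system's role. Extend per environment.
FUNCTION_TOKENS = {
    "dc", "pdc", "bdc", "ad", "sql", "db", "exch", "mail", "backup", "bkp",
    "fw", "vpn", "scada", "hr", "payroll", "fs", "fileserver", "ca", "pki",
}

# Compound words that survive tokenisation as a single string (e.g. "domaincontroller").
FUNCTION_SUBSTRINGS = ("domaincontroller", "fileserver", "backup", "payroll")


def reveals_function(hostname: str) -> list:
    """Return the sorted set of function-revealing tokens found in a hostname.

    Tokens are split on '-', '_' and '.', and trailing digits are stripped so
    that 'dc01' is treated as 'dc'. Returns an empty list for opaque names.
    """
    name = hostname.lower()
    flagged = set()
    for tok in re.split(r"[-_.]", name):
        base = re.sub(r"\d+$", "", tok)  # dc01 -> dc, sql2 -> sql
        if base in FUNCTION_TOKENS:
            flagged.add(base)
    for word in FUNCTION_SUBSTRINGS:
        if word in name.replace("-", "").replace("_", ""):
            flagged.add(word)
    return sorted(flagged)


def audit_hostnames(hostnames) -> dict:
    """Map each offending hostname to the tokens that expose its role."""
    findings = {}
    for host in hostnames:
        hits = reveals_function(host)
        if hits:
            findings[host] = hits
    return findings


# Constructed sample inventory: two revealing names, two opaque ones.
SAMPLE_HOSTS = [
    "pdc01.corp.example",
    "ws-a7k3.corp.example",
    "sql-prod.corp.example",
    "node-4f2e.corp.example",
]

if __name__ == "__main__":
    for host, hits in audit_hostnames(SAMPLE_HOSTS).items():
        print(f"{host}: reveals {', '.join(hits)}")
```

Run against a DNS zone export or an Active Directory computer list, the script gives a quick list of systems whose names advertise their role to anyone who can resolve or enumerate them; renaming those systems with opaque identifiers is the low-cost obfuscation step the column describes.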

Many enterprise networks “layer” or segment their network topology to provide different security zones. These zones require different levels of access from both internal and external networks, and many different types of security are available. Deep packet inspectors, intrusion prevention systems, firewalls, and even newer malware protection systems all focus on the perimeter of a network and fight off the majority of threat activity. Proxies attempt to prevent direct network connections between hosts. Antivirus programs attempt to protect hosts from malware. And now host whitelisting programs attempt to allow only essential programs and services to operate.

Even if an enterprise can afford the expense of all that is necessary and has a workforce capable of supporting this level of security, there are no guarantees against enemy success. Each one of these capabilities can be a complicated endeavor to configure correctly for an enterprise, and most small to mid-sized networks can’t afford to put them in place.

It is imperative that the threats at every level of a network environment are understood. Every level should not defend everything against every threat; each level should be focused on the most likely and most dangerous threats against that environment. It may also mean that portions of a network are considered “outside the wire,” or untrusted. That section of an enterprise then has the most freedom and flexibility for the user environment, yet its ability to access key business functionality is severely restricted. Providing only the most basic services to this group will also mean that they may be the most vulnerable, but that may be an acceptable level of risk. It may also push the threat in that direction rather than against critical business systems.
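The two preceding paragraphs describe zoning and an “outside the wire” segment that is permissive internally but cut off from key business functions. This added example (not from the column or from Lookingglass) models that design as a default-deny flow policy between constructed zones, so that a proposed connection can be checked against it; the zone names, ports and allowed flows are assumptions chosen to illustrate the idea.

```python
# Trust levels for constructed zones; higher is more sensitive.
ZONES = {
    "outside_the_wire": 0,  # untrusted user segment, basic services only
    "user": 1,              # managed workstations
    "business": 2,          # line-of-business applications
    "critical": 3,          # key business systems (directory, finance, etc.)
}

# Explicitly permitted cross-zone flows as (src_zone, dst_zone, dst_port).
# Everything not listed is denied: the untrusted segment reaches only basic
# services, and nothing from it reaches the critical zone at all.
ALLOWED_FLOWS = {
    ("outside_the_wire", "user", 53),      # DNS resolver hosted in user zone
    ("outside_the_wire", "user", 3128),    # outbound web proxy
    ("user", "business", 443),             # web front ends of business apps
    ("business", "critical", 1433),        # app tier to database tier
    ("business", "critical", 636),         # app tier to directory (LDAPS)
}


def is_allowed(src_zone: str, dst_zone: str, dst_port: int) -> bool:
    """Default-deny check. Intra-zone traffic is permitted; cross-zone traffic
    must appear in ALLOWED_FLOWS. Unknown zones are rejected outright."""
    if src_zone not in ZONES or dst_zone not in ZONES:
        return False
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, dst_port) in ALLOWED_FLOWS


def reachable_zones(src_zone: str) -> set:
    """Zones a source zone can reach through at least one permitted flow."""
    return {dst for (src, dst, _port) in ALLOWED_FLOWS if src == src_zone} | {src_zone}


def evaluate(flows) -> list:
    """Return the subset of (src, dst, port) flows that the policy denies."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed set of proposed flows to evaluate against the policy.
PROPOSED = [
    ("outside_the_wire", "user", 53),
    ("outside_the_wire", "critical", 636),   # should be denied
    ("user", "business", 443),
    ("user", "critical", 1433),              # skips the app tier: denied
    ("business", "critical", 1433),
]

if __name__ == "__main__":
    for flow in evaluate(PROPOSED):
        print("DENY", flow)
    print("outside_the_wire can reach:", sorted(reachable_zones("outside_the_wire")))
```

The point of writing the policy this way is that the untrusted segment's exposure is a deliberate, reviewable choice: it can be given basic services freely, while the absence of any tuple into the critical zone enforces the restriction the column describes.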

The ability of a network operations or security team to shape their battlespace is limited only by their imagination and physics. Beyond their area of operations, however, they are limited by much more. That is not to say they cannot affect their area of influence, but there are legal restrictions on their ability to conduct deep cyber operations. Outdated and overprotective laws prohibit any aspect of self-defense from an offensive point of view. Most laws and regulations within the United States currently punish the people trying to defend their networks (heaven help you if you are non-compliant). These laws do nothing to deter the threat. In fact, our laws do not stop actions by foreigners whose countries sanction their behavior. So under our current laws, what can an enterprise do?

First, security teams must build an understanding of the threats most likely to come against them. They must have a firm understanding of their enterprise/network areas of interest and influence in cyberspace. The first and most important relationship they must build is with assets outside of their domain: they must have a very close working relationship with, or knowledge of, upstream service providers to obtain indicators and warnings of threat behavior within their area of influence. They must be able to identify the last-hop location of any and all attempts or attacks against their infrastructure. They must be willing to sever business relationships with anyone who introduces unacceptable levels of risk through poor security practices. And most importantly, they must hold the last-hop victim systems accountable for any attack against their infrastructure.
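Identifying the last hop of every attempt against the infrastructure, and turning that into something an upstream provider or the owner of a compromised system can act on, starts with aggregating perimeter logs by source. This added example (not from the column or from Lookingglass) parses a handful of constructed firewall deny lines, groups them by source address and by the /24 the source belongs to, and reports sources that exceed a threshold; the log format, addresses (from the RFC 5737 documentation ranges) and threshold are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed perimeter log lines in a simple key=value format (not a real product's format).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-01T10:00:03Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-01T10:00:04Z fw DENY src=203.0.113.7 dst=192.0.2.11 dport=3389
2024-03-01T10:00:09Z fw DENY src=203.0.113.42 dst=192.0.2.10 dport=22
2024-03-01T10:00:15Z fw DENY src=198.51.100.5 dst=192.0.2.12 dport=445
2024-03-01T10:00:16Z fw ALLOW src=198.51.100.5 dst=192.0.2.12 dport=443
2024-03-01T10:00:21Z fw DENY src=203.0.113.7 dst=192.0.2.12 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_denies(text: str) -> list:
    """Return (src, dst, dport) tuples for every DENY line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("action") == "DENY":
            events.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return events


def summarize_last_hops(events) -> dict:
    """Per source address: number of attempts, distinct targets, distinct ports."""
    summary = defaultdict(lambda: {"attempts": 0, "targets": set(), "ports": set()})
    for src, dst, dport in events:
        summary[src]["attempts"] += 1
        summary[src]["targets"].add(dst)
        summary[src]["ports"].add(dport)
    return dict(summary)


def by_prefix(events, prefixlen: int = 24) -> dict:
    """Attempt counts grouped by the source's enclosing prefix, which is the
    granularity an upstream provider or block owner is usually contacted at."""
    counts = defaultdict(int)
    for src, _dst, _dport in events:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def notable_sources(events, threshold: int = 3) -> list:
    """Sources with at least `threshold` denied attempts, most active first."""
    summary = summarize_last_hops(events)
    hits = [(src, s["attempts"]) for src, s in summary.items() if s["attempts"] >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    for src, n in notable_sources(evs):
        s = summarize_last_hops(evs)[src]
        print(f"{src}: {n} attempts, ports {sorted(s['ports'])}, targets {sorted(s['targets'])}")
    print("by /24:", by_prefix(evs))
```

The output is the kind of evidence the column calls for: a per-source record of what was attempted, plus a prefix-level count that maps onto the provider or organisation responsible for that last hop, so the conversation with them starts from specifics rather than a vague complaint.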

Shaping operations in cyberspace require a great deal of imagination, resourcefulness, and determination to achieve. However, in a time of limited resources, any tactic, technique, or procedure that gets the most out of those resources should be considered, evaluated, and, once it has demonstrated success, adopted. The purpose of shaping operations is to set the conditions for success. In cyberspace, that could be as simple as ensuring that contractor support or capabilities are not simply awarded to the lowest bidder.

Matthew Stern is Senior Vice President, Strategy & Analysis at Lookingglass. Prior to joining Lookingglass, Stern served three years with General Dynamics Advanced Information Systems as Program Director for US-CERT. Previously, he served as Director of Cyber Accounts for General Dynamics Advanced Information Systems. He spent 22 years in the U.S. Army, culminating with command of 2d Battalion, 1st Information Operations Command, overseeing the Army Computer Emergency Response Team (ACERT) and Regional Computer Emergency Response Teams (RCERTs). He holds a master’s degree in Information Systems and Computer Resource Management from Webster University and a bachelor’s degree in Political Science from Northern Illinois University.