Security Experts:

Cyber Recon and Surveillance - Confirm or Deny Cyber Threat Courses of Action

Scouts have been a part of military operations since the dawn of time. There is a great deal of romanticism around the image of the cavalry scouts of the Wild West, Jeb Stuart during the Civil War or images of Long Range Recon Patrols of Vietnam. Why were these groups of soldiers the elite military of their time? Because commanders needed their best to be their eyes and ears. They needed troops they could depend on implicitly and without question to find the enemy to confirm or deny their course of action. The methods that scouts use include reconnaissance and surveillance. In this column, I will describe the necessity for this same capability in cyber space.

Military ScoutFirst, we need to understand why reconnaissance and surveillance are so important. Scouts determine enemy strengths or weaknesses, gaps, and condition of the terrain that will affect maneuver (mud, rivers, mountains, swamps, etc.). Scouts provide insight into what enemy action and/or location in relationship to key terrain or operational objectives.

Reconnaissance is more about finding the unknown. For example, a commander may only have general information from intelligence about an enemy area of operations. He may task a unit to conduct reconnaissance to determine the specific location. This specific knowledge may be key to winning a battle. If one force determines the precise enemy location before the other, the finding force has a distinct advantage. Specific details about enemy location, disposition and strength are documented as Priority Intelligence Requirements (PIR). In order to fulfill that PIR, one or more Named Areas of Interest (NAI) are assigned as either a point location or an area to observe.

Closely related to reconnaissance is surveillance, which is a task that requires a systematic approach to observing people, places or things through a variety of techniques and technologies.

In many situations, a sensor becomes the best option for surveillance. For example, unmanned aerial vehicles (drones) flying high above Afghanistan have provided the means to provide day and night surveillance over known enemy routes, to detect the possibility of infiltration. There are also sensors that can detect a variety of different chemicals in the air or signals generated by the electro-magnetic spectrum to determine enemy location or intent.

How does this relate to cyber space? The words “recon” and “sensor” are common terminology used by cybersecurity practitioners today. We understand that recon is part of the hacker intrusion methodology. Nessus and NMap are tools of the hacker trade. It is how the threat actors learn about their areas of interest and determine their “High Payoff” or “High Value” Targets. So how does the cybersecurity community conduct recon? Right now, one could argue that a penetration test or Red Team evaluation of a network enterprise and its security could be classified as reconnaissance. This does tell the security team about where their network is a vulnerable and identifies possible attack vector. However, this falls short of providing perspective as to what a threat might specifically be doing to their network. It is good to know where a network is vulnerable. It is better to know what types of tools are available to take advantage of that vulnerability. It is even better to know whether that vulnerability will actually lead to a compromise. It is best to know when and where malicious activity proximate to your business sector or network neighborhood is taking place.

The cybersecurity world has been conducting surveillance using a variety of sensor types for years. These instruments include Intrusion Detection Systems, Protocol Analyzers, Deep Packet Inspection engines, and a variety of other systems. They concentrate on detection using signatures based on known bad threat or anomalous activity. In many cases, they are configured to cover a wide array of threats based on a generic set the covers what some determine to be important.

What is missing in the equation is the ability to conduct reconnaissance of threat activity outside the area of operations. Network defenders need the ability to detect threats before they enter their area of operations. There are methods to do this without breaking laws or putting oneself at risk. Blogs, forums, marketplaces, etc. used by the hacker community to exchange information about methodology serve as a great source. These sites often exchange information about potential targets and are abundant.

In order to make effective use of the network and security assets and information available to provide the best coverage of cyber terrain and threat actor activity, network defenders must synchronize their efforts.

An effective tool used by the military is a simple synchronization matrix. This matrix allows defenders to ensure they have no gaps in coverage related to threats to their enterprise. 

Cybersecurity Synchronization Tasks

Figure 1: An example of a synchronization matrix

A synchronization matrix for the network defender ensures coverage, redundancy, capacity and the ability to prioritize. For example, in Figure 1, the defense team has a PIR to ensure they can detect indicators of a disruption of Online Retail Services. The intent of the matrix is to make certain that the team can first identify the types of attack vectors that would most likely be used against them. In this case, they have determined that a DDoS against Web Services would be a likely scenario. They also have determined the asset and focus of the asset. This methodology would have to be in place for every type of attack vector and scenario related to the PIR. This methodology must be in sync with organization operational priorities.

Without Scouts to provide a commander with eyes and ears to see beyond his line of sight, military organizations fail to accomplish their missions. There is a direct correlation between General Robert E Lee’s loss at Gettysburg and the availability of General JEB Stuart’s cavalry to help him understand the battlefield and the enemy arrayed against. It is also true that General Stuart did not clearly understand his priorities or the task and purpose of his reconnaissance mission against Union forces.

The same can be said in the cyber domain. If any asset at the disposal of a network defense team is not focused to detect specific enemy activity that will affect vital business/organization operations, then it is not useful. Focus is the key to actionable and timely intelligence that initiates response actions before a compromise occurs.

More importantly, in today’s cybersecurity environment, focus provides the ability to find what is important in all the noise and this methodology of using reconnaissance and surveillance in a synchronized manner.

view counter
Matthew Stern
 is Senior Vice President, Strategy & Analysis
 at Lookingglass. Prior to joining Lookingglass, Stern served three years with General Dynamics Advanced Information System as Program Director for US-CERT. Previously, he served as Director of Cyber Accounts for General Dynamics Advanced Information Systems. He spent 22 years in the U.S. Army culminating with command of 2d Battalion, 1st Information Operations Command, overseeing the Army Computer Emergency Response Team (ACERT) and Regional Computer Emergency Response Teams (RCERTs). He holds a master’s degree in Information Systems and Computer Resource Management from Webster University and a bachelor’s degree in Political Science from Northern Illinois University.