Cyber Intelligence Conceptual Framework Comprehensive analysis. Better decisions. SEI Cyber Intelligence Research Consortium

The SEI Emerging Technology Center helps the government stay on the edge of technology. The world is innovating software and information technologies very rapidly, and the Center assists the government by identifying, demonstrating, extending, and applying emerging software technologies to meet critical government mission needs. We focus on promoting government awareness and knowledge of emerging technologies and their application, and on shaping and leveraging academic and industrial research.
Software Engineering Institute
4500 Fifth Avenue, Pittsburgh, PA 15213-2612
Phone: 412.268.5800 | 888.201.4479
Web: www.sei.cmu.edu/goto/cyber-intel
Email: cyber-intel@sei.cmu.edu
The Cyber Intelligence Conceptual Framework
Overview
Cyber intelligence is the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities to offer courses of action that enhance decision making. For an analyst to put this definition into practice, we developed a nonlinear, interactive conceptual framework to distinguish and organize our recommendations for success. It consists of six components: Analytical Acumen, Environmental Context, Data Gathering, Microanalysis, Macroanalysis, and Reporting and Feedback.
Background
The conceptual framework evolved from lessons learned from conceptual models used in traditional intelligence analysis, risk management, decision making, and cybersecurity. We combined this information with knowledge gained from our initial work in cyber intelligence to form a framework that balances the rigor, agility, and creativity needed to conduct comprehensive analysis in the complex and ever-changing cyber domain. We use the term “comprehensive analysis” to emphasize that our approach involves using the art and science of intelligence work to analyze a cyber issue in context, from the way it functions to its strategic impact on a target, and everything in between.
The Conceptual Framework
For an analyst to effectively analyze a cyber issue in context, our framework consists of six components:
• Analytical Acumen: facilitates timely, actionable, and accurate intelligence on a cyber issue
• Environmental Context: provides scope for the analytical effort
• Data Gathering: acquires and aligns data for analysis
• Microanalysis: assesses the functional implications of the cyber issue
• Macroanalysis: assesses the strategic implications of the cyber issue
• Reporting and Feedback: offers courses of action to enhance decision making
[Figure: the conceptual framework diagram, with Analytical Acumen at the center interacting with Environmental Context, Data Gathering, Microanalysis, Macroanalysis, and Reporting and Feedback]
Analytical Acumen facilitates timely, actionable, and accurate intelligence on a cyber issue. This component is the framework’s center of gravity. It conceptualizes an analyst’s interactions with the other components to enable the development and dissemination of intelligence that helps decision makers and practitioners make better judgments and quicker decisions.

Creating and communicating cyber intelligence is an art and a science. It is an art because no two analysts produce intelligence the same way. Personal instincts, biases, experiences, and a host of other influences shape the creativity and imagination an analyst brings to a cyber issue. An analyst will seek technology, conceptual frameworks, information collection methods, and other outlets to best channel that creativity and imagination into intelligence; that is the science of their work.
We refer to the art and science of intelligence work as analytical tradecraft. How an analyst leverages their tradecraft determines their analytical effectiveness and efficiency. A cyber intelligence analyst should use the components of our conceptual framework as a guide to maximize the use of their analytical tradecraft, conduct comprehensive analysis, and put cyber issues in context.

Within their operating environment, an analyst comes across a cyber issue in many ways: personal research of internal and external information, informal questions from peers or leadership, or official requests for information. In the context of our conceptual framework, a cyber issue can emanate from any component, but Analytical Acumen facilitates the ingestion, digestion, and emission of intelligence.
As the framework’s center of gravity, Analytical Acumen interacts with the other components in numerous ways, depending on the cyber issue being analyzed. Sometimes a repeatable process can be introduced or a technology integrated to augment these interactions, but enough flexibility must be built into the process or technology to account for a cyber issue’s propensity to change quickly and often. Our framework attempts to account for all these possibilities by visually projecting a nonlinear, interactive approach to performing cyber intelligence.
Environmental Context provides scope for the analytical effort. Ideally, one of the first steps an analyst will take is to assess the cyber issue as it relates to the operating environment. For example, if the issue involves employees downloading corrupt software from the internet, and the analyst knows the organization’s computer network does not connect to the internet, the analyst can quickly report the limited threat this situation poses without performing more extensive analysis. If the network does connect to the internet, then the analyst begins to put the cyber issue in context to determine what other information is needed to assess and report the potential threat’s impact on the organization.

An analyst can better understand the state of the operating environment by considering the internal and external factors affecting it. We suggest examining the internal and external factors relating to the network and the organization at large. Examples for the network include topsight (infrastructure, access points, system vulnerabilities, identification of critical data) and cyber footprint (physical assets, data storage, web and mobile presence). For the organization at large, factors include business operations (risk management, physical security, and compliance), organizational dynamics (mission, objectives, stakeholders, culture), and external interests (brand reputation, market space, geopolitical issues, and partnerships).
While considering Environmental Context is important at the onset of analysis, it should occur throughout the analytical effort because issues in the cyber domain change quickly and often. This component also highlights the importance of both technical and nontechnical factors in cyber intelligence. Deciphering the functional details of a cyber issue is vital to putting it in context, but so too are many factors that have nothing to do with technical expertise.
Data Gathering conceptualizes how an analyst acquires and aligns data for analysis. Knowledge gained from Analytical Acumen and Environmental Context enables someone to ask the right questions to get the right data through technological means. By using the analytical tradecraft described in Analytical Acumen, an analyst has the opportunity to utilize their own cognitive abilities and those of others (the art), as well as intelligence repositories (the science), to appropriately gather data. This can occur by accessing preexisting analytical work represented in the Microanalysis and Macroanalysis components and by soliciting feedback from fellow practitioners and decision makers, an aspect of the Reporting and Feedback component. Information gleaned from the Environmental Context component also contributes because knowing the scope of the analytical effort prevents an analyst from having too little data to support analysis or too much data, which could overwhelm the analyst and obscure the necessary information.

With this knowledge, the analyst leverages tools and technologies to identify the data sources, collect the data, and aggregate it for analysis. The data should come from multiple internal and external sources, when possible, and be updated when necessary. Examples of internal sources are network logs, physical access logs, user demographics, risk management analysis, and business intelligence. External data sources include third-party intelligence providers, information-sharing partnerships, open source intelligence, and social media.
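Acquiring and aligning data is the one step of this component where tooling does most of the work, so here is an added example of what "align" means in practice; it is illustrative code, not part of the SEI document. Two of the internal sources listed above, network logs and physical access logs, are parsed into one common event schema, normalized to UTC, restricted to the subjects in scope (the Environmental Context guard against "too much data"), and merged into a single timeline that also records how many independent sources speak to each subject. The record formats, host and user names, IP addresses, and the badge system's UTC-5 time zone are all constructed assumptions.

```python
"""Align two internal data sources into one analysis-ready timeline.

Added example for the Data Gathering component. The log formats, hosts,
users, addresses and the badge system's time zone are constructed
assumptions, not records from any real environment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample records in a hypothetical firewall format (UTC timestamps).
NETWORK_LOG = """\
2024-03-04T09:02:11Z fw01 ALLOW src=10.1.4.22 dst=203.0.113.9 user=jdoe bytes=512000
2024-03-04T09:05:47Z fw01 DENY src=10.1.4.22 dst=198.51.100.77 user=jdoe bytes=0
2024-03-04T09:06:02Z fw01 ALLOW src=10.1.7.3 dst=203.0.113.9 user=asmith bytes=2048
"""

# Constructed badge-reader export: local time with no offset, assumed UTC-5.
BADGE_LOG = """\
03/04/2024 04:01:30,Main Lobby,jdoe,ENTRY,GRANTED
03/04/2024 03:58:10,Server Room,asmith,ENTRY,DENIED
"""
BADGE_TZ = timezone(timedelta(hours=-5))


@dataclass(frozen=True)
class Event:
    """Common schema: every source is reduced to these fields."""
    ts: datetime   # always UTC, so records from different sources can be ordered together
    source: str    # which internal source produced the record
    subject: str   # user identity shared by both sources
    action: str
    detail: str


NET_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<verdict>ALLOW|DENY) (?P<kv>.*)$")


def parse_network(line: str) -> Event:
    """One firewall line -> Event. Raises on lines that do not fit the format."""
    m = NET_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised network record: {line!r}")
    kv = dict(part.split("=", 1) for part in m["kv"].split())
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, "network", kv["user"], m["verdict"],
                 f"{kv['src']}->{kv['dst']} bytes={kv['bytes']} via {m['host']}")


def parse_badge(line: str) -> Event:
    """One badge-reader line -> Event, converting the local timestamp to UTC."""
    ts_text, door, user, action, result = line.split(",")
    local = datetime.strptime(ts_text, "%m/%d/%Y %H:%M:%S").replace(tzinfo=BADGE_TZ)
    return Event(local.astimezone(timezone.utc), "physical_access", user,
                 f"{action}:{result}", door)


def gather(network_text: str, badge_text: str,
           subjects: Optional[set] = None) -> list[Event]:
    """Parse both sources, keep only in-scope subjects, return a UTC-ordered timeline."""
    events = [parse_network(l) for l in network_text.splitlines() if l.strip()]
    events += [parse_badge(l) for l in badge_text.splitlines() if l.strip()]
    if subjects is not None:          # scope supplied by Environmental Context
        events = [e for e in events if e.subject in subjects]
    return sorted(events, key=lambda e: e.ts)


def sources_per_subject(events: list[Event]) -> dict[str, set]:
    """Which independent sources mention each subject (a corroboration check)."""
    seen: dict[str, set] = {}
    for e in events:
        seen.setdefault(e.subject, set()).add(e.source)
    return seen


if __name__ == "__main__":
    timeline = gather(NETWORK_LOG, BADGE_LOG)
    for e in timeline:
        print(e.ts.isoformat(), e.source, e.subject, e.action, e.detail)
    print(sources_per_subject(timeline))
```

The time zone conversion in `parse_badge` is the step that silently breaks alignment when skipped: with the raw local timestamps, the badge entries would sort five hours before the network activity they actually precede by a minute, and any correlation between the two sources would be wrong.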
Macroanalysis represents the assessment of the strategic implications of a cyber issue. Working through our framework’s Analytical Acumen component, an analyst performing Macroanalysis incorporates the intelligence produced during Microanalysis with the scope of Environmental Context and capabilities from Data Gathering. These interactions enable the analyst to add perspective, context, and depth to the cyber issue.

There are numerous ways to add perspective, context, and depth. The analyst can conduct trend analysis of multiple cyber issues or use several Microanalysis products to correlate activities and pursue attribution. The analyst also might put Microanalysis in the context of risk management or business intelligence to provide technical insight for decisions involving acquisitions, brand reputation, and marketing. Other analytical activities examine how a cyber issue will affect and be affected by cultures, economics, geopolitics, social media, and/or global cyber trends.
These scenarios demonstrate that Macroanalysis enables more proactive and predictive intelligence. The analyst performing this work usually tries to answer “who” and “why” questions: who is responsible and why is it happening? The answers populate threat actor profiles for tracking attack likelihoods, provide global situational awareness, and give information on potential strategic impacts to decision makers so that they can rely on cyber intelligence just like they do business intelligence or risk management.

Similar to Microanalysis, our conceptual framework illustrates the analyst’s communication of Macroanalysis, and any resulting feedback to the analyst, in the Reporting and Feedback component, which interacts with Macroanalysis via Analytical Acumen.
Microanalysis represents the assessment of the functional implications of the cyber issue. When performing such analysis, the analyst seeks to evaluate and estimate how the issue impacts the operating environment based on the issue’s technical complexities. Information obtained through Analytical Acumen and Data Gathering should be used to extract relevant data and examine the issue’s nature, ability, and quality. The primary purpose of Microanalysis is to answer “what” and “how” questions: what is happening to the network and how is it being done? The analyst successfully answers these questions using the power of their analytical tradecraft and the continuous interaction with the tools, technology, and people gathering the data.

Knowing how the cyber issue functions, the analyst uses multiple sources, when possible, to validate the credibility of the information and then puts the issue into technical context by applying knowledge to it. The analyst can use what is now intelligence to inform fellow practitioners and decision makers of the cyber issue’s functional implications. We describe this communication and the feedback that follows in the conceptual framework’s Reporting and Feedback component. As a reminder, throughout the entire process, Analytical Acumen facilitates the interactions among these components.

Overall, Microanalysis usually occurs in reaction to an actual cyber issue, not in anticipation of one. This type of analysis is especially useful for network defense, cybersecurity, and incident response purposes. It also informs the individuals in an organization who examine the issue’s strategic implications and make business decisions.
Reporting and Feedback conceptualizes how to offer courses of action to enhance decision making with cyber intelligence. The conceptual framework is arranged so that no matter the component where the intelligence originates, Reporting and Feedback represents the communication of and subsequent responses to the intelligence. An analyst should take into account the audience’s background and technical knowledge and tailor any verbal or written analytical products accordingly. This work usually is distributed to a variety of fellow practitioners, relevant stakeholders, and decision makers at multiple levels of leadership, from first-line supervisors to C-level executives. These individuals then use the intelligence to guide their response to a cyber issue or adjust the overarching direction of the organization.

Regardless of the intelligence being produced, the reporting mechanism is only as effective as its feedback counterpart. Responses in the form of casual observations or official requests for information help to rationalize what the analyst focuses on. Active participation from all audiences not only validates what an analyst does on a daily basis, but also identifies intelligence gaps for the analyst to fill, concepts needing further explanation, and opportunities for collaboration. This spurs continued development of analytical tradecraft, which improves an analyst’s effectiveness and efficiency in using cyber intelligence to help others make better judgments and quicker decisions.
Using the Conceptual Framework
We consider our conceptual framework to be a living framework. It incorporates perspectives from government, industry, and academia to distinguish and organize how we think an analyst should approach cyber intelligence. As these perspectives evolve, so too will the framework. If you have any questions or suggestions, please contact us at cyber-intel@sei.cmu.edu.