Download

Full Document

FormatFile SizeNotes
PDF file 6.4 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Purchase

Purchase Print Copy

 FormatList Price Price
Add to Cart Paperback114 pages $22.50 $18.00 20% Web Discount

Research Questions

  1. How can organizations proactively protect themselves against cyber threats?
  2. What are the current frameworks in use to protect organizations against cyber threats?
  3. How can SWARM improve on previously existing frameworks to proactively defend against cyber threats?
  4. How is SWARM applied in practice?

In the first two decades of the 21st century, the coevolutionary adaptation of cyber threat actors and technology has been akin to an escalatory arms race between cyber offense and cyber defense. Paradigm-shifting technology advancement, transparent unclassified reporting on cyber incidents, and the proliferation of open-source hacking tools in the context of complex geopolitical dynamics further exacerbate the cyber defense challenge. Although the integration of such practices as cyber threat modeling, information-sharing, and threat-hunting into defensive strategies has become more common in recent years, the cyber defense community needs to continue to push the envelope to become more resilient and, ideally, get ahead of the threats facing organizations.

This research endeavors to contribute to the community via the formulation of a process-based model called the Scalable Warning and Resilience Model (SWARM), which focuses on cyber threats from state-sponsored actors but without the assumption of access to classified information or assets. SWARM prioritizes threat detection, facilitates better prediction of cyber incidents, and enhances network resilience by combining processes that seek to help organizations anticipate and defend against attackers. The model tailors data collection, cyber threat intelligence, and penetration testing to the particular type of intrusion sets most likely to target one's network.

This proposed model adapts the concept of applying both resilience and indications and warning (I&W) frameworks to information environments while also incorporating a combination of tailored threat modeling and emulation. This report also includes a case study—based on cyber incidents that occurred at the RAND Corporation—that demonstrates how the model has the potential to produce promising results for defenders by proactively protecting their systems through early warning of cyber incidents before they occur.

Key Findings

The variety of cyber threats that organizations face necessitates a tailored and targeted approach to cyber security

  • The current wide spectrum of actors, methods, and scenarios that can pose a risk to U.S. and allied interests is reflected in a broader definition of threats in cyberspace.
  • Current cyber defenses primarily focus on identifying and managing cyber threats after the cyber adversary has already breached the networks, not beforehand.
  • I&W frameworks—that have been developed by the U.S. intelligence community and are intended to be analytical processes providing ways of monitoring, reporting on, and detecting developments related to threats—can be effectively applied to cyberspace and can increase cyber defenders' ability to anticipate threats before those threats breach the networks of an organization.

SWARM is a four-step threat-centric process that facilitates the prioritization of threats while enhancing resilience and predictive power

  • SWARM is adaptable across organizations and helps defenders prioritize state-sponsored threats to their information environment.
  • SWARM is designed to increase predictive power by providing advance warning for cyber incidents through early and more-comprehensive indicators, both technical and nontechnical.
  • SWARM intends to enhance network resilience against targeted cyber incidents.

Table of Contents

  • Chapter One

    Introduction, Research Methodology, and Historical Evolution of Concepts

  • Chapter Two

    Indications and Warning Frameworks

  • Chapter Three

    RAND's Scalable Warning and Resilience Model at a Glance

  • Chapter Four

    SWARM Step One: Identify Relevant Cyber Adversaries

  • Chapter Five

    SWARM Step Two: Focus All-Source Intelligence Collection

  • Chapter Six

    SWARM Step Three: Apply a Threat Model

  • Chapter Seven

    SWARM Step Four: Adversary Emulation

  • Chapter Eight

    Case Study: Applying SWARM to Predict Phishing Campaigns from the North Korea–Nexus Kimsuky Threat Actor

  • Chapter Nine

    Conclusion

This research was sponsored by the Office of the Secretary of Defense and conducted within the Cyber and Intelligence Policy Center of the RAND National Security Research Division (NSRD).

This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.