For those unfamiliar with the term “strategic corporal”, it sprang out of the conflicts in Afghanistan and Iraq. The concept is simple: a lowly corporal on the frontlines, through their actions, can have a strategic, often negative effect. This was somewhat radical, considering the last four decades had been dominated by the Cold War, where the lowly corporal was almost dispensable!
Now, indulge me for a second as I continue to rattle on about war studies theory. Along with people realising the importance of the strategic corporal came a lot of emphasis on setting him or her up for success. Cultural training, language courses, body armour, the best kit available etc. were thrown at the previously “less important” tactical level. As well as this, more and more intelligence assets were re-aligned from the strategic (i.e. the executive) level, and sent to support the tactical war fighter.
You’re probably still wondering what this has to do with information security and cyber threat intelligence. Well, I see it as two-fold:
- A user at the tactical level can have a strategic impact;
- Security staff on the frontline require support to be effective.
Examples of strategic impacts at the tactical level are plentiful within information security: Edward Snowden, Bradley Manning, the tactical operational security errors which led detectives to the identity of Dread Pirate Roberts, the former head of the Silk Road marketplace – not to mention countless instances of misconfigured devices and infrastructure which can allow attacks to sail through an organisation’s defences unhindered.
To assist at this tactical level, information security has recognized the importance of the strategic corporal. On the defenders’ side, we have analysts who are being bombarded with indicators and noise. Alerts build up in incident queues, SIEMs flash endlessly. Invariably this leads to exhaustion and alert fatigue. In a way, infosec has identified that the tactical level – and the strategic corporal – is where most of the support is needed, and fired as much information as possible into it. In our attempt to equip the strategic corporal with effective feeds to conduct their mission, we are instead drowning them. Whilst doing this, we risk neglecting the operational and strategic levels, which, although they may not seem as important as the tactical level, are key to successful security.
Now when I say security staff on the frontlines require more support to be effective – despite just saying they’re overwhelmed – what I mean is that they require tools to reduce that noise into signal. Here at Digital Shadows (now ReliaQuest) we’ve developed the concept of cyber situational awareness, where the focus is to illuminate incidents beyond an organisation’s boundary with zero false positives. This provides clients with relevant, clear and objective assessments, and enables the strategic corporal to focus on doing their job.