C⁴ISR: What we can learn from the military

C⁴ISR stands for command and control, communications, computers, intelligence, surveillance, and reconnaissance.

Since 2005 I have been building or reorganizing SOC’s (Security Operation Centers) and establishing CSIRT’s (Cyber ​​Security Incident Teams), among others for Saudi Telekom and Saudi Aramco (during my time in Saudi Arabia) and at RadarServices GmbH in Vienna as Global SOC Manager, with up to 30 SOC employees in 24×7 operation or Follow the Sun (at 3 locations in the world with 8h difference each) principle. What surprised me again and again is, how little these SOC’s were organized and it came to ineffectiveness, loss of information and safety-critical incidents that were not recognized.

In order to optimize these SOCs, I first tried to find a proven methodology for how a SOC works, but there was none, so I created over the years my own. Since I was lucky to build up a SOC in Vienna from Scratch, I could implement my methodologies developed in Saudi Arabia also here and so these problems were avoided.

Surely you agree with me in the following points:

1. We are in a cyberwar attacking targets that need to be defended.
2. We are dealing with asymmetric warfare, where a single attacker can bypass an entire IT security department and stay in the system for months.

I then looked at the military and their strategies, because after all, they have been practicing attack and defence with all facets (espionage, information gathering, development of weapons, strategies, etc.) for millennia. But these, too, have been surprised by the asymmetric warfare (for example, Afghanistan), in which individuals or just a few aggressors were able to bind, if not eliminate, a larger number of soldiers.

The magic word in this context is C⁴ISR (command and control, communications, computers, intelligence, surveillance, and reconnaissance), whose concept I would like to use. Translated, these mean (analogy to our tasks in italics):

• Command and Control, or “C2,” does not have a strict, generally accepted definition, but governments and military officials around the world agree that C2 can be broadly described as exercising authority in a given environment in pursuit of a mission, in the simplest case, the orders and decisions come from here.
  • In our case, the decision makers below the CISO who are operationally controlling SOC and CSIRT.
• Communication is another generic term that refers to the sharing and transmission of information.
  • The exchange of information with all those involved in the SOC and CSIRT activities. This is not just internal communication, but also includes external sources or recipients.
• Computer systems are an integral part of modern warfare as well as in business and government. Simply put, no other component of C4ISR works effectively in the 21st century without effective computer systems.
  • Use of computer systems and IT security assets for the tasks of SOC and CSIRT to protect the computer systems of the own organization.
• Intelligence is a term that refers to information itself that relates to the mission or goals of the organization that is performing the mission.
  • These are i.e. feeds that use the IT security assets to more clearly identify certain activities. Representatives are Cyber ​​Threat Intelligence (CTI) feeds and IOC (Indicator of Compromise) feeds, which are constantly updated and loaded into IT security assets.
• Surveillance is the monitoring and observation of activities and behaviours to gain intelligence. This can be done in many different ways, including interception of electronic communications, video and audio surveillance, and gathering of human intelligence.
  • These are e.g. the events that were collected by the IT security assets and evaluated against the feeds.
• Reconnaissance differs from surveillance (although the terms are often mistakenly used synonymously) because it involves the sending of personnel or equipment (such as drones) to areas beyond the control of users for the purpose of gathering information.
  • This is, for example, the research and investigations in depth by analysts from information sources such as a cyber threat intelligence search engine, knowledge bases but also in depth analysis in the darknet, in the hacker scene, using honeypots etc.
• Ultimately, C4ISR is about increasing situational awareness, providing decision makers with the information they need as quickly as possible, and using the right materials, equipment, and systems to make it happen. All components of C4ISR MUST cooperate to be successful. It is the foundation of every mission, and a mistake in one link in the chain can have serious, even fatal consequences.
  • Analogous to our requirements, it is important to pass on the information quickly to other departments in order to eliminate the problem. Otherwise, the point 100% applies to us, even deadly consequences if you think of robots in production.

The deployment of C4ISR requires sensors, computers, and communication systems that collect information about (land, air, sea, and space, and cyberspace). Then this information is processed, analyzed, used and delivered to those who need it.

I explain how to do this in one of the next articles of this blog because I’ve been able to translate my experiences into an infinitely scalable methodology that is now being successfully applied by a number of companies and I would like to share with you.