As we analyzed the example in the previous chapter, it becomes apparent that there is inherently a problem with the outcomes of research when it is done by people with the wrong context, knowledge experience, or backgrounds. In this chapter, we will explore what sort of people make the right choice when theoretical cybersecurity work, thought, and innovation are necessary. First though, we need to address the taxonomical issue that is plaguing the cybersecurity industry and is at least in part responsible for more widespread issues. If we can understand what the problems are with the way we classify professionals in cybersecurity, we can better find the right people to employ in theoretical exploration of new concepts.
A Case of Identity Crisis
What is cybersecurity? Who is a cybersecurity professional? Those are tough questions; I will cede to a major manifester for some defensible definition.
Cybersecurity means prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability integrity, authentication, confidentiality, and non-repudiation.
This document and others related to it as well as to cybersecurity rolled out across the United States. This led to a lot of things, such as the formation of U.S. CYBERCOM, it also led to an immense amount of federal funding getting tied to the terms cyber and cybersecurity. Anecdotally, what happened next was that contracts started having such terms in them and so did requests for proposals, proposals themselves, and the products, services, and people associated with such documents. In furtherance of this, the Department of Defense (DoD), in March of 2014, formally changed any use of the term Information Assurance to cybersecurity. I only pick on the DoD specifically because we will use their taxonomy as a point of understanding before working toward our own. So, I guess in the abstract, we can blame the US government and money associated with its budgets and contracts for the diluted and overextended nature of the term cybersecurity.
Let us look at a couple example job titles that are great at illustrating how this has played out, cybersecurity analyst and cybersecurity engineer. If you were to do a job search on these terms on any popular site, you would find they can mean quite different things in different places.
Cybersecurity Analyst
Intelligence Analysis
Network Analysis
Vulnerability Analysis
Security Operations Center (SOC) Analyst
Risk Analyst
Compliance Auditor
Compliance Manager
Hunt Team Operator
Red Team Operator
Penetration Tester
Forensics Analyst
Now, if we just used those terms, we would readily understand a good deal about the job functions associated with that given analyst role. Instead, since there is so much money behind the term cybersecurity in government, academia, and industry, we use a singular term that significantly muddies the water.
Cybersecurity Engineer
Cloud Administrator
Network Administrator
Systems Administrator
Domain Administrator
Firewall Administrator
Security Operations Center (SOC) Analyst
Compliance Auditor
Compliance Manager
Hunt Team Operator
Red Team Operator
Penetration Tester
As with the cybersecurity analyst, the term cybersecurity and engineer have both been made so ambiguous as to become almost completely useless in describing something. Yet, the money in the industry has driven the terminology.
Comparison
Now, let’s just compare those two, already ultra-ambiguous terms and we can see that they even share many of the same types of job functions. These are not the only job titles that have grown tremendous ambiguity thanks to where cybersecurity terminology has led us, but they are certainly the most illustrative of the problem.
Comparison of Roles and Responsibilities
Roles | Title: Cybersecurity analyst | Title: Cybersecurity engineer |
---|---|---|
Intelligence analysis | YES | NO |
Network Analysis | YES | NO |
Vulnerability Analysis | YES | NO |
SOC Analyst | YES | YES |
Risk Analyst | YES | NO |
Compliance Auditor | YES | YES |
Compliance Manager | YES | YES |
Hunt Team Operator | YES | YES |
Red Team Operator | YES | YES |
Penetration Tester | YES | YES |
Forensics Analyst | YES | NO |
Cloud Administrator | NO | YES |
Network Administrator | NO | YES |
Systems Administrator | NO | YES |
Domain Administrator | NO | YES |
Firewall Administrator | NO | YES |
Taxonomy of the Profession
As I mentioned, we will not have in out taxonomy that will be leverage for the rest of this book the analyze, collect and operate roles in the same way or at all as they are a foreign intelligence gathering, act of war type of activity that specifically falls under US Code Title 10 and Title 50.
Further, I think this a good point to address one function that will be missing from our taxonomy and that is programmers, coders, or developers. These functions do have security considerations to their own craft such as secure coding in general and DevSecOps specifically. These are activities though that fall under the craft of those individuals and is not in my mind a cybersecurity function. Further, security issues that are potentially introduced via poor practices of such professionals already have cybersecurity functions associated with the identification and mitigation of such cybersecurity risk.
Our Taxonomy
If in the end you decide that you like the DoD taxonomy or some other taxonomy better or find them more accurate, that is of course fine and well. For the purpose of follow-on discussion though, you will want to refer to the one we will outline in this chapter as further work builds on the foundational point being made and less the specificity of one given category of roles and responsibilities over another.
Types of Cybersecurity
Detect
Net flow and other SOC-related analysis
Intrusion detection system analysis
Behavior analytics analysis
Investigate
Threat hunting operations
Forensics analysis
Blue team type analysis such as nmap scanning
Create
Router administrator
Network designer
Firewall administrator
Operate
Helpdesk technician
Domain administrator
Website administrator
Architect
Network architect
Cloud architect
Software solution architect
Audit
Compliance engineer/manager
Compliance auditors
Independent verification and validation teams
Analyze
Threat intelligence
Open source intelligence analyst
Vulnerability analyst
Exploitation or targeting analyst
Emulate
Web application penetration tester
Network penetration tester
Red team operator
Functional Subsets
Data Functions
Job roles that have a data function are those that require data about the system, from the system to be performed. Both detective and investigative job roles require a cybersecurity professional to be versed in analyzing information that systems produce. Though the data may be collected somewhat passively in the case of detect roles and active for investigative roles, the perspective that such information is analyzed from is very similar.
System Functions
While there is a difference in job roles that are customer- or user-facing and those that are not, the job roles that perform system functions rely on similar actions by cybersecurity professionals. Diagnosis of issues may differ when users or customers are involved, but configuring, setting up, and fixing systems are done by similarly experienced roles requiring a similar skillset. Job roles in the system’s functional domain require understanding of command line syntax, underlying infrastructure, and overall configuration of the devices that make up a system.
Framework Functions
Architecture roles create frameworks, and auditing roles evaluate, verify, and validate them. In either case, there is a need to have an in-depth understanding of what a framework is intended to accomplish, why it has been put in place, and how it is intended to function. As such, both types of cybersecurity job roles can be lumped into a framework function group.
Antagonist Functions
Antagonist functions are those that require an antagonistic or adversarial perspective and understanding to best perform the cybersecurity role. This is obviously the case with emulation roles such as red teaming or penetration testing. It is also required when performing intelligence analysis of an organization or system. This is because instead of making analysis of system-created or system-collected data, the assessment and analysis focus on information related to the scoping and targeting of an organization with the specific fact that motivation is antagonistic in nature.
Actional Subsets
Reactive
The majority of cybersecurity roles are reactive in that they require information from existing attacks to inform security functions. Even threat hunting, which is often referred to as generally proactive, requires knowledge of actors, associations, or other attributions to inform hunt activity.
Proactive
Emulate job roles are mostly proactive as they rely on individuals to attack a system as a malicious actor would. This attempt to discover misconfigurations and new exploitation efforts make it proactive. In the same way that threat hunting is not truly proactive, there are times when unsophisticated penetration testing can also be viewed this way. When performed by less skilled individuals or with certain motivations in respect to time and scope, scanning and exploitation of only known capabilities is also arguably not proactive. The reason the proactive domain extends partially into the analyze role is that there are times where intelligence assessments made about threats or systems can provide truly proactive information to guide cybersecurity efforts.
Analogy
Detective
Our shopping mall industry detective work, where data is gathered from systems in the shopping mall, could include many types of detective data analytics that support shopping mall operations. These analytics could be based on detecting data from things like security cameras, HVAC systems, power usage, and others that can allow shopping mall operators to tailor the usage of these systems to optimize longevity of business operations.
Investigative
For an investigative analogy in the shopping mall business, we will put pest control professionals in this role as they go through and look for things like termites and other pests that might impact the structural integrity of the mall or impact business operations.
Create
For the create role, we will refer to those that built the shopping malls including carpenters, plumbers, electricians, and others.
Operate
For the operate role, we will have those professionals in the shopping mall industry that interface with the customers and users of the mall. This could be repairmen, retail staff of shops in the mall, cleaning crews, and others that keep the mall operational.
Architects
Here architects will be those structural architects who designed the mall. We don’t have the same need to separate these architects from broader architects as shopping mall operations architecture is not a thing.
Auditors
Shopping mall operations also have auditors who ensure that mall policies are kept up as well as other regulations and standards are followed. This could include things like workplace safety standards auditing by an organization like OSHA or a fire marshal making sure that stores are not over capacity.
Intelligence Creators
Just as intelligencer assessments can inform cybersecurity activities, shopping malls can have business-related intelligence. Business intelligence can be about where to place what types of stores in the mall based on purchasing habits for instance.
Adversary Emulation
Adversary emulation for a shopping mall is a little less likely than this job role is in cybersecurity; however, a shopping mall operator could certainly hire physical penetration testers to see how easy it is to do things like shoplift or break into the mall given its security system and cameras.
So, What’s the Point?
The thesis of this chapter is that we need to identify the right type of people to perform theoretical cybersecurity efforts for the betterment of the industry and to improve the body of work. The reason for this shopping mall taxonomy is to illustrate the importance and relevance of our suggested theoretical cybersecurity professionals. In shopping mall operations, individuals would need varied and lengthy experience across several job roles to realistically provide contextual and defensible theoretical improvements to shopping malls.
Someone with time spent as a retail professional and as a builder of malls or as a business intelligence professional would have a wealth of perspective and experience to draw from. The importance of this context, as discussed in Chapter 1, is that it allows for theoretical ideas to be framed by reality, in this case the reality of operating a shopping mall. The opposite is also true that experience in only one facet of shopping mall operations would not make someone reasonably capable of coming up with theoretical shopping mall ideas.
The Tradecraft Concepts
The same concepts are true of cybersecurity as well, that variance and depth of experience across the body of work is necessary to produce professionals with the appropriate context to explore theoretical cybersecurity. Our shopping mall analogy is useful to make at least two points regarding cybersecurity professionals. First, to further my point about developers not being cybersecurity professionals. In the same way that the developers of a point-of-sale machine do not need to have in-depth knowledge of shopping mall operations, neither do developers of code need in-depth knowledge of cybersecurity. Second, our scientists from Chapter 1, who came up with the moving target idea without good cybersecurity context, are a lot like the scientists who design better nails through metallurgy or plastic flooring through chemistry but would not be expected to conduct experiments toward shopping mall operations.
This isn’t to say that things like better nails and better flooring through scientific experimentation aren’t necessary and beneficial because they are. The point is that they do not perform experiments on their areas of expertise in chemistry or metallurgy and call it a shopping mall experiment. This is essentially what happened with our Chapter 1 example. Scientists who are experienced in something such as computer science performed a computer science experiment and billed it as a result that proved a cybersecurity concept.
So how do we avoid this? How do we insure that the people carrying out theoretical exploration in the field of cybersecurity are doing so with the right context and experience behind their efforts to result in true cybersecurity innovation?
What we propose is a sort of tradecraft structure where individuals in the functional areas we outlined in our earlier taxonomy represent four domains of cybersecurity apprenticeship. In a specific functional area, we could say that two years make an apprentice, six years make a journeyman, and ten years make a master. Years of experience could also count as years in completing a relevant bachelor’s or master’s degree. These timelines are similar to other trades such as electricians and plumbers. We can then levy this system to create apprentices, journeymen, and masters within the broader body of cybersecurity.
Summary
To wrap up, we have established a trade structure for the cybersecurity tradecraft. The semantics of our system bear hashing out at scale and the years of experience and other requirements could certainly be put up for debate. The takeaway is that we should establish some structure that produces a minimum qualification for professionals in cybersecurity to be considered journeymen or masters of the trade and not of specific functional domains. If we can do that as a field, we will have a pool of professionals who could be entrusted to take the lead and provide direction for further theoretical cybersecurity.