During the American Colonial period, population centers were secured with fixed defenses such as walls and watchtowers. The downside of this approach was that not everyone could live inside the walls; the enclosed compounds simply were not large enough. Those who typically lived outside the walls — such as farmers and traders — needed protection, as they were instrumental to the group’s survival. In today’s business world, you could equate components of the supply chain with the “outsiders” while the “insiders” are those inside your own defenses and support the organization such as human resources, finance and governance groups.
A common method of securing the townships was to organize Ranger units. These small, handpicked units operated outside the safety of the walls, often under the direction of the Governor. Contemporary military units primarily were focused on protecting the settlement by manning the walls and watchtowers and were under military control.
Ranger missions were typically conducted to determine if an attack was forthcoming. A specialty of Ranger units has been (and remains today) conducting intelligence-gathering operations. Similar techniques can be used in the cyber realm of today where a small group, operating outside the firewalls, can scout for signs of impending attack and possibly take steps to mitigate that attack. Knowing an attack is inbound can also allow you to re-align your defenses.
Network security today has similar defensive problems; there are clusters of relatively secure islands spread across expanses of “no man’s land.” It would be impractical to bring everyone into the same security zone (and would be against security best practices). However, small units conducting “active reconnaissance” between secure locations could be invaluable for heading off attacks and learning more about how the enemy operates. The more we know about his operational techniques, the better we can configure our defenses to make them more resilient.
Colonial Ranger units usually were funded by the governor of the territory; although, occasionally, a benefactor raised a privately funded unit. No matter how they were funded, Ranger units served the entire region. Throughout history, support for Ranger units has waxed and waned, the primary concern cited was cost.
The truth is that these units were not expensive; they were often supplied with only food, blankets and minimal pay. However, they were such a deviation from “normal” forces that they were politically sensitive. Furthermore, most commanders had no idea of how to incorporate such irregular forces. These same issues could be of concern to a cyber Ranger team and must be considered carefully for the team to have the best chance of success.
Like the Colonial Ranger units, cyber Ranger units likely would be paid for by a benefactor, probably an entity that has many “secure townships” to defend. Cyber Ranger units should be small, at least four analysts and probably not more than a single 12-person team. This team could be organized similar to a Special Forces team wherein each member has a primary and secondary specialty. This approach would provide the most flexibility, and of course, it could be the most expensive. A team, regardless of size, should include specialists in advanced networking, forensics, access control, and law enforcement/defensive technique integration. Additional specialties might include malware/viruses and physical/social engineering. This structure gives the manager flexibility in assigning teams to solve a problem efficiently.
While typical reconnaissance might take place from behind the safety of the firewalls, active reconnaissance often is conducted outside the safety of your environment. It is not the intention of this paper to describe how to conduct the reconnaissance or where but rather to point out the merits and potential benefits of doing so. To better understand where to focus these specialized assets, you should conduct a thorough review of the environment.
Once you complete an analysis of the environment and the adversary, you can begin to protect your assets more effectively. You can conduct active reconnaissance techniques to determine the intent of the adversary, to identify where an attack is coming from, or to gauge the possibility of an attack. It is important to understand the goals of the effort to ensure assets are properly trained, tasked and emplaced.
Active reconnaissance of course has some drawbacks such as the cost monetarily but also in terms of personnel usage and time. It calls for certain prerequisites such as masking your originating network and any affiliation with the supporting company, and maintaining operational security. Despite these drawbacks, conducting active reconnaissance might just bring your security out of the Colonial period and into the present.