RAND's Scalable Warning and Resilience Model (SWARM): Enhancing Defenders' Predictive Power in Cyberspace

Format:

Book

Author/Creator:

Lilly, Bilyana

Contributor:

Hodgson, Quentin E.

Moore, Adam S.

Weishoff, Daniel

Language:

English

Other Title:

RAND's Scalable Warning and Resilience Model

Place of Publication:

Santa Monica, Calif. RAND Corporation 2021

Summary:

In the first two decades of the 21st century, the coevolutionary adaptation of cyber threat actors and technology has been akin to an escalatory arms race between cyber offense and cyber defense. Paradigm-shifting technology advancement, transparent unclassified reporting on cyber incidents, and the proliferation of open-source hacking tools in the context of complex geopolitical dynamics further exacerbate the cyber defense challenge. Although the integration of such practices as cyber threat modeling, information-sharing, and threat-hunting into defensive strategies has become more common in recent years, the cyber defense community needs to continue to push the envelope to become more resilient and, ideally, get ahead of the threats facing organizations. This research endeavors to contribute to the community via the formulation of a process-based model called the Scalable Warning and Resilience Model (SWARM), which focuses on cyber threats from state-sponsored actors but without the assumption of access to classified information or assets. SWARM prioritizes threat detection, facilitates better prediction of cyber incidents, and enhances network resilience by combining processes that seek to help organizations anticipate and defend against attackers. The model tailors data collection, cyber threat intelligence, and penetration testing to the particular type of intrusion sets most likely to target one's network. This proposed model adapts the concept of applying both resilience and indications and warning (I&W) frameworks to information environments while also incorporating a combination of tailored threat modeling and emulation. This report also includes a case study—based on cyber incidents that occurred at the RAND Corporation—that demonstrates how the model has the potential to produce promising results for defenders by proactively protecting their systems through early warning of cyber incidents before they occur.