
Page 1: IN PREPARING FOR BATTLE, I HAVE ALWAYS FOUND THAT …

“IN PREPARING FOR BATTLE, I HAVE ALWAYS FOUND THAT PLANS ARE USELESS, BUT PLANNING IS INDISPENSABLE.”

― DWIGHT D. EISENHOWER

In cyber security, the strategic goals are often clear but the methods to achieve them are anything but. This white paper introduces Damrod’s Cyber Strategic Framework, which applies military analysis to cyber security challenges. Aimed at security teams implementing high-level goals in the real world, this paper focuses on effects-based planning that integrates disparate elements of IT and security into a cohesive package. Defending a network is about more than technology. Analysis and leadership are critical elements of an effective cyber defense. Reading this paper will leave security teams better equipped to develop the tactics and implement the actions that make strategy a reality.


EXECUTIVE SUMMARY

Solutions to the challenges of cyber security will not come from technology alone. Technology has no small part to play in winning this contest, but it must be deployed intelligently as part of a coherent strategy that counters and defeats the opposition. Strategy does not appear without effort. It is the product of rigorous analysis. Likewise, the implementation of a strategy is not a given, and requires leadership to flourish.

This paper focuses on implementing strategy through realistic and realizable actions. It introduces a four-part model:

➢ Strategy – A comprehensive way to achieve an end
➢ Effects – What the strategy aims to realize
➢ Tactics – The people, procedures, and technologies that achieve the effects
➢ Actions – The detailed steps that turn tactics into reality

This model is viewed through Damrod’s Cyber Strategic Framework, which guides decision making and provides graphical representations of conflict and defense.

A thorough understanding of what a security team is protecting, against what threat, and with what resources, improves the quality of the defense and promotes return on the investment by focusing on achieving specific effects.

Making strategy a reality is the translation of the abstract to the material. It is a process where ideas become deeds. This requires clear communication and direct engagement with people. As concept becomes reality, the number of people involved increases. It becomes vitally important that everyone knows what they are doing, and for what purpose.

Cyber attacks are increasing in scale, frequency, and damage. As the consequences of attack rise, so too must the quality of the defense. However, addressing every risk is beyond the ability of any organization. Damrod helps security teams to direct resources where they will have the greatest impact and empowers them to implement a winning strategy.

Learn more at www.damrod.co.uk, or read the white paper – Winning Cyber Conflict.

Prepared by Griff James
[email protected]


CONTENTS

Executive Summary ... 1
Introduction ... 3
1. Strategy ... 4
1.1 Understand the Terrain ... 4
1.2 Understand the Attacker’s Intent ... 6
1.3 Determine the Attackers’ Courses of Action ... 7
2. Effects ... 9
2.1 Effects Planning ... 9
2.2 Effects Summary ... 9
3. Tactics ... 11
3.1 Plan Resources for the Effects ... 11
3.2 Refine the Resources ... 11
3.3 Assess the Defenses ... 13
4. Actions ... 13
Concluding Thoughts ... 14
Annex A ... 15

Table of Figures

Figure 1: Strategy to Action ... 3
Figure 2: Cyber Geographic Framework ... 5
Figure 3: Example of Cyber Terrain ... 6
Figure 4: Attackers’ Intent ... 7
Figure 5: Attackers’ Course of Action ... 8
Figure 6: Effects Planning ... 9
Figure 7: One Page Summary ... 10
Figure 8: Resource Planning ... 11
Figure 9: Resource Refinement ... 12
Figure 10: Cleared Resource Refinement ... 12

ABOUT DAMROD

Damrod Analysis is founded on the idea that cyber security must transition to cyber defense. The threats and risks of the modern world are ill-served by a philosophy that puts minimal compliance above independent analysis. Too often a regulatory checklist defines the cyber security of an organization. Damrod Analysis treats cyber as conflict, and provides the tools to win.


INTRODUCTION

We all have an intuitive understanding of the difference between strategy and tactics: tactics govern day-to-day actions, strategy is longer term. It is implicit that tactics fall under strategy. The challenge rests in ensuring that the tactics carry out the goals.

The key to getting the big things to go the right way is to make sure all the small things align. To do that you need a system that connects the largest to the smallest.

This paper introduces a four-step framework for turning strategy into action. Under the framework, Strategy identifies Effects, Effects define Tactics, and Tactics produce Actions.

The framework is a derivation of the British Army’s Combat Estimate process, a helpful foundation because the Army is adept at connecting the tactical execution of small tasks to the larger purpose of strategic intent.

Figure 1: Strategy to Action (the chain Strategy, Effects, Tactics, Actions)

Strategy in cyber security is often simplistic: ‘don’t get breached’. A more nuanced interpretation may see the role of cyber security as protecting the confidentiality, availability, and integrity of data and systems.

This is a good starting point in preparing a cyber defense. Beyond this basic premise, defenders should not lose sight of the value they must contribute and the functionality they must demonstrate:

• Value: A cyber security strategy is only valuable in the context of the utility that data and systems provide to the wider organization.
• Functionality: If the security strategy grows so strict as to stifle the company’s ability to operate, then cyber security is acting counter to the interests of the organization.

To balance defense, threats, and business needs, cyber defenders must understand what they are defending, against what, and with what resources.

Damrod’s Cyber Strategic Framework provides a repeatable, easily communicated, and technically accurate system to lead teams from strategic vision to daily action.


1. STRATEGY

Strategy is about setting the conditions of success and shaping the future. It is a clear statement of intent that gets refined through analysis, effort, and leadership.

Cyber defense is not solely about preventing breaches or blocking attacks. While it exists within the construct of information technology, it extends beyond.

To set the conditions of success, strategists need to understand the characteristics of the terrain, assess the attackers’ intent and determine the attackers’ potential courses of action. Within these parameters, an organization can create a common purpose for all its cyber defense programs so as to better maintain the confidentiality, availability, and integrity of its systems and data.

1.1 UNDERSTAND THE TERRAIN

Central in any conflict is an understanding of the terrain. While cyber does have a physical component, the majority of interactions occur at an intangible level. A physical map or network diagram provides insufficient context for decision making.

To give a frame of reference for cyber, a modified military Geographic Framework is helpful. Widely used by NATO forces to understand physical battles, the Geographic Framework divides conflict into Deep, Close, and Rear categories. In land conflict, the Deep is where an opponent’s force operates. Close is where the conflict occurs, where opposing factions meet in a contest of wills. The Rear is the region over which the defender prepares for battle.

On a map, the Deep, Close, and Rear will be separated by distance measured in kilometres. While physical distance has little impact on cyber conflict, the addition of a degree-of-control gradient to the Geographic Framework is valuable.

In cyber terms, Deep is synonymous with the deep web and darknet, while Close is the internet and common interactions within cyberspace. There is an interplay in the Close between cyber and physical assets. The Rear is analogous to an organization’s own networks and databases.

By organizing the cyber terrain based on Deep, Close, and Rear, linked to a defender’s degree of control, the Cyber Geographic Framework allows for visual orientation, much like North or distance markers on a map.

TERRAIN ANALYSIS

Knowledge of the terrain provides a decisive advantage in anticipating where and when a contest will occur. Three key takeaways from a military terrain analysis are:

• the avenues of approach
• the key terrain
• the vital ground.

Avenues of approach are potential lines of attack. Key terrain is ground that will make the mission easier, or the opponent’s mission harder. Vital ground is terrain that, if lost, results in mission failure.

From a cyber perspective, there are clear avenues of approach. Key terrain consists of networks and applications. Databases or other important pieces of the IT infrastructure are vital ground.


Figure 2: Cyber Geographic Framework

Instead of hills, rivers, or roads, cyber has prominent features like networks, databases, and applications. There is no constraint on what constitutes a cyber terrain feature, provided that the cyber terrain is:

➢ representative of an element relevant to cyber; and,
➢ something of interest to attackers or defenders.

Some prominent examples of cyber terrain are:

• Perimeters
• Networks
• Applications
• Hardware
• Databases
• People

These broad terms can be further split based on additional criteria, such as being internal or externally facing, or cloud, or legacy. So long as some analysis has gone into the planning, it is a valid observation of the cyber terrain.

DEFINITION AND VISIBILITY

Mapping the cyber terrain provides a definitive and graphical representation of organizational assets. The cyber terrain analysis is an abstract exercise that organizes assets into distinct categories represented as terrain features. A feature may have sub-categories. Hardware, for example, may include the registry of every machine in the organization. However, there is no need to show that level of detail when planning. Still, it is important that fidelity is maintained. Drilling into any terrain feature should provide a connection to any individual cyber asset or user.


Figure 3: Example of Cyber Terrain

1.2 UNDERSTAND THE ATTACKER’S INTENT

Knowing the ground gives insight into where conflict is likely to occur. By mapping features onto the Geographic Framework, a visual representation of risk emerges. The further ‘North’ an aspect of the terrain, the more it is subject to hostile action.

Determining what aspects are likely to be attacked is the first step in planning the defense. Before delving into specifics of the attack, the defender must consider what attackers are going to be after, and generally how they might achieve their aims.

In the simple example below, the attackers’ goal is to exploit users for financial gain. To do this, they will:

1. FIND vulnerabilities in the perimeter.
2. INFILTRATE through networks, applications, and hardware.
3. EXPLOIT the users.

“Attack is the secret of defense; defense is the planning of an attack.”

― Chang Yu, commenting on Sun Tzu’s “The Art of War”


Figure 4: Attacker’s Intent

Organizations subject to multiple threats must devise multiple Attacker overlays to understand the differing intents and objectives of attackers.

1.3 DETERMINE THE ATTACKER’S COURSES OF ACTION

Many of the threat actors within cyber have distinct Tactics, Techniques and Procedures (TTPs). A useful carryover from military analysis, TTPs are collections of hard-won evidence that paint a picture of what an adversary is likely to do. As attackers become more sophisticated they often follow set play books. Conversely, simple attackers are likely to use well known attacks—another known play book.

Broadly speaking there are four threat actors, each with different aims. Detailed assessment of these actors is a matter for specialist threat intelligence firms, but a basic understanding of the four main types, and how they hybridize, provides a good basis for understanding likely courses of action.


Awareness of an attacker’s known TTPs can help refine a security team’s assessment of the specific actions that the attacker may take against the organization to achieve its objectives.

The analysis focuses on two questions:

• Most Likely Course of Action (MLCoA): What is the attacker most likely to do?
• Most Dangerous Course of Action (MDCoA): What is the most dangerous thing the attacker can do?

Defenders should plan against both MLCoAs and MDCoAs. According to a military axiom, any plan that handles both the most likely and the most dangerous is probably a good plan.

In the simple example provided in Figure 5, the MLCoA, shown as a solid red line, has the attackers use automated tools to find vulnerabilities before infiltrating through the externally facing network to distribute malware onto local hardware. This malware will deploy ransomware, targeting internally facing workers.

The MDCoA, shown as a dotted red line, is a spear-phishing campaign targeting externally facing users who typically receive high volumes of emails from unknown sources. This course of action relies on users making a mistake, and installing malware directly onto their PC, which would then spread through the internal networks.

Figure 5: Attacker’s Course of Action

Overlaying the MLCoAs from multiple threat actors creates a busy but valuable graphic. Aspects of the terrain where many red lines intersect should become a priority for the defense.


2. EFFECTS

With an understanding of the What and How of an attack, the defense can be planned.

A common desire is to start discussing technologies and policies, a defender’s TTPs, that can block the attack. This is a mistake. To do so limits options to pre-existing notions and favours the status quo. It is better to first determine which Effects need to be achieved. Effects are changes that impact on the Attacker or on the terrain.

2.1 EFFECTS PLANNING

Begin the Effects planning by selecting areas of focus. For example:

1. The perimeter – how might attackers get in?
2. Externally facing networks – how could the attack get in and spread?
3. Hardware – how can malware be stopped?
4. Externally facing persons – how can users be protected from spear phishing?

Note that each area of focus has a question attached. The question helps define the purpose for each area of focus, as detailed in Figure 6.

Figure 6: Effects Planning

2.2 EFFECTS SUMMARY

Picking a key word from the purpose of each focus provides the ‘Effect’. An Effect should always contribute to the Strategy.


Originating with the military, Effects-based planning aids commanders in translating higher level intent into a practical plan. Effects describe what the defender is trying to achieve at a tactical level, as established by the Strategy.

The meanings of Effect verbs in the military are very specific, often set at NATO level to reduce confusion during international operations. As this is an emergent field within cyber, it is only important that each team understand what the Effects mean within their specific context.

In the example, the four focus points have produced four Effects:

➢ Detect
➢ Prevent
➢ Protect
➢ Protect

Each Effect has an intended Outcome, and a draft Action. These will be refined in the Action phase; however, it is valuable to summarize what the Effect aims to achieve early in planning.

The Main Effort is the decisive Effect, which other Effects support.

Figure 7: One Page Summary

MEASURING PERFORMANCE

Key performance indicators can be assigned to the Effects. Internal projects and third party vendors should report on how well they have delivered the Effect.

The absence of attack or breach may demonstrate that the Protect or Prevent Effect was successful. The value driver then becomes how to deliver that Effect most efficiently.


3. TACTICS

3.1 PLAN RESOURCES FOR THE EFFECTS

Once the security team is satisfied that the planned Effects will realize the overall Strategy, the assessment can move into the Tactical phase. For many, this is the most interesting aspect, as it calls for the allocation of specific resources to achieve desired Effects.

High-level considerations include:

➢ Is the resource in-house or external?
➢ Is it custom-built or off-the-shelf?
➢ How many ways are there to realize the same Effect?

As possible resources are discussed, they are mapped to the Effects Overlay without further consideration.[1] The goal of this stage is to record many ways of realizing the Effects. There should be far more technologies, vendors, policies, and projects on the Effects Overlay than your organization can support.

Figure 8: Resource Planning

3.2 REFINE THE RESOURCES

Refining the Resource Plan requires filtering the unrestricted generation of ideas through the pragmatic lens of reality. Recalling the likely constraints identified during the Strategy stage, begin stripping the Resource Plan back to a manageable size.

[1] Annex A contains a table of the resource graphics. A Graphics Pack can be downloaded from Damrod.co.uk


Consider elements like budget, timescale, sequencing, people, and organizational priorities.

When assigning resources, refer to the Threat Integration Overlay to confirm that the Most Likely and Most Dangerous threats are addressed. It is normal to have new ideas at this stage. Plans will be refined throughout the process. If there is uncertainty in the value of a resource, mark it for further review. Removing the Threat overlay cleans up the graphic.

Figure 9: Resource Refinement

Figure 10: Cleared Resource Refinement


3.3 ASSESS THE DEFENSES

The Tactical picture is nearly complete. Resources have been assigned to Effects, which in turn are confirmed against the Strategic goals. Although assessing the validity of a defense is never simple, there are six core principles.

Contained within the mnemonic DAMROD, the strength of a defense is predicated on:

➢ Depth: Layered defenses that absorb an attacker’s momentum
➢ All Around Defense: Attacks considered from all angles
➢ Mutual Support: Explicit interconnection of defenses
➢ Reserves: Uncommitted resources to respond to the unexpected
➢ Offensive Spirit: Defender thinks like the attackers and how to beat them
➢ Deception: Defense confuses and delays attackers with artificial weaknesses

In the example provided in Figure 10, Depth is achieved as both the Most Likely and Most Dangerous threats must defeat five layers of security. All Around Defense is met, as the defense considers both technical attacks through the network, and human-borne attacks via phishing. Dynamic Application Security Testing (DAST) can be added to protect against additional vectors. Mutual Support is met as the defenses are sequenced and designed to work in concert (but note that the real test of mutual support occurs during the Action phase, discussed below). Reserves exist in the form of an Incident Response Team (IRT). The Offensive Spirit is met as the defender has thought like the attackers and taken steps to counter them. And finally, Deception may be met through the deployment of a Deception-based technology as part of the DETECT Effect.

Broadly speaking, this is a reasonable defense for most organizations. It is unrealistic to expect every defense to strongly achieve all six principles. However, reflecting on the DAMROD principles of defense provides tried and tested criteria to assess the robustness of a defense.
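The two checks this paper leaves to a graphic, counting where the red lines of several courses of action intersect (Section 1.3) and counting the layers each course must defeat when assessing Depth (Section 3.3), can be made mechanical once the terrain, the courses of action and the resource-to-Effect mapping are written down. The following Python model is an added example, not code from the Damrod paper or its Graphics Pack. It uses the Figure 5 narrative for the two courses of action and the paper's four Effects (Detect, Prevent, Protect, Protect); the terrain features, the Deep/Close/Rear placement, the attack-vector labels and the resource names other than the incident response team and the deception technology are assumptions constructed for the example. Mutual Support and Offensive Spirit are judgement calls that the paper places in the Action phase, so the model does not try to score them.

```python
"""Added example: a small, data-driven reading of Damrod's terrain and
DAMROD assessment steps. All terrain, vector and resource values below are
constructed for illustration unless the comment says the paper names them."""
from collections import Counter

# Cyber terrain features placed in the Deep/Close/Rear bands of the Cyber
# Geographic Framework. Band names follow the paper; placement is assumed.
TERRAIN = {
    "perimeter":        "Close",
    "external network": "Close",
    "external users":   "Close",
    "hardware":         "Rear",
    "internal network": "Rear",
    "internal users":   "Rear",
    "database":         "Rear",
}

# Courses of action as ordered paths across the terrain, following Figure 5:
# the MLCoA goes perimeter -> external network -> hardware -> internal users
# (ransomware); the MDCoA goes external users -> hardware -> internal network
# (spear phishing). The vector label is an assumption used for All Around
# Defense: "technical" for network-borne attacks, "human" for phishing.
COURSES = {
    "MLCoA": {"vector": "technical",
              "path": ["perimeter", "external network", "hardware", "internal users"]},
    "MDCoA": {"vector": "human",
              "path": ["external users", "hardware", "internal network"]},
}

# Resources mapped to the Effect and terrain feature they serve (the Effects
# Overlay of Section 3.1 after refinement). Effects are the paper's four; the
# deception technology under Detect is the paper's, the rest are constructed.
DEFENSES = [
    {"resource": "vulnerability scanning", "effect": "Detect",  "feature": "perimeter",        "vector": "technical"},
    {"resource": "deception technology",   "effect": "Detect",  "feature": "external network", "vector": "technical"},
    {"resource": "network segmentation",   "effect": "Prevent", "feature": "external network", "vector": "technical"},
    {"resource": "endpoint protection",    "effect": "Protect", "feature": "hardware",         "vector": "technical"},
    {"resource": "phishing training",      "effect": "Protect", "feature": "external users",   "vector": "human"},
]
RESERVES = ["incident response team"]  # uncommitted, so not tied to a feature


def priority_features(courses=COURSES):
    """Rank terrain features by how many courses of action cross them.
    Features where many red lines intersect are the defense's priority."""
    counts = Counter(f for c in courses.values() for f in c["path"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def layers_on_path(path, defenses=DEFENSES):
    """Defensive layers an attacker following `path` must defeat (Depth)."""
    return [d["resource"] for f in path for d in defenses if d["feature"] == f]


def undefended(path, defenses=DEFENSES):
    """Features on the path that no resource covers: gaps to mark for review."""
    covered = {d["feature"] for d in defenses}
    return [f for f in path if f not in covered]


def assess(courses=COURSES, defenses=DEFENSES, reserves=RESERVES):
    """Score the plan against the DAMROD principles the data can express:
    Depth (layers per course), All Around Defense (every vector the courses
    use has at least one defense), Reserves, and Deception under Detect."""
    vectors_used = {c["vector"] for c in courses.values()}
    vectors_covered = {d["vector"] for d in defenses}
    return {
        "depth": {n: len(layers_on_path(c["path"], defenses)) for n, c in courses.items()},
        "gaps": {n: undefended(c["path"], defenses) for n, c in courses.items()},
        "all_around": vectors_used <= vectors_covered,
        "reserves": bool(reserves),
        "deception": any("deception" in d["resource"] and d["effect"] == "Detect"
                         for d in defenses),
    }


if __name__ == "__main__":
    for feature, crossings in priority_features():
        print(f"{feature:<18} {TERRAIN[feature]:<6} crossed by {crossings} course(s)")
    for name, value in assess().items():
        print(f"{name}: {value}")
```

Run on the constructed data, the model puts hardware first in the priority list (both red lines cross it), shows the MLCoA meeting four layers but the MDCoA only two, and flags the internal network on the MDCoA path as undefended, which is exactly the kind of finding Section 3.2 says to mark for further review before the Threat overlay is removed.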

4. ACTIONS

Analysis and planning are irrelevant unless translated into reality. Practically speaking, this means projects, checklists, and short-term goals. The value in Effects-based planning, and in putting together a One Page Summary particularly, is that they provide a vision for teams and individual contributors to link their work to a wider objective.

The Actions phase further perfects Resource Refinement, assigning people and dollar values against the Tactics that achieve the Effects.

Depending on the size of the organization and team, there may be several stages of Action planning. Tables and lists are helpful at this late stage to split the plan into manageable pieces.

General frameworks like PRINCE2, PMP, or even Agile and Kanban are effective frameworks to plan actions.


CONCLUDING THOUGHTS

Bringing Strategy to life is a challenge in any profession. It is especially difficult against an opponent that is actively trying to defeat you. Cyber is a domain of conflict, and to win, the defenders must treat it that way.

Sequencing the planning of cyber defense into the four key phases of Strategy, Effects, Tactics, and Actions breaks down a complex problem into practical portions.

➢ Strategy to give direction by understanding the terrain and the threat
➢ Effects to create change by countering the threat and defending the terrain
➢ Tactics to achieve the change through people, policy, and technology
➢ Actions to make the plan reality by putting resources to task

Damrod’s Cyber Strategic Framework provides a visual workspace where the concrete and the abstract interact in a common language.

There are overwhelming numbers of cyber products, practices, and vendors. Effects-based planning allows organizations to purchase only the solutions they need, with a clear intent on their deployment, boosting return on investment and value for money.

An effective defense requires more than the layering of technology or passing adherence to a generic standard. Due consideration must be given to the risks and consequences of failure. Only with an understanding of how and why attackers move through systems can defenses be adequately designed. Assessment against the principles of DAMROD encourages the interconnectivity of the defenses, ensuring that different teams and technologies work in unison to provide real protection against complex threats.

Technology will always be a part of cyber defense. However, it is the analysis and leadership of humans that ensures technology is correctly applied to cyber conflict. In that event, the cyber defender must Plan to Win.


ANNEX A