How can the proper solutions and mitigations be put in place without understanding threats facing networks?

That was part of the thinking behind packaging an unclassified version of a years-long review of the Department of Defense’s network for the vendor community.

The NIPRNet/SIPRNet Cyber Security Architecture, or NSCSAR, was an effort conducted with the National Security Agency, the Defense Information Systems Agency and the services to evaluate security on DoD’s unclassified and secret networks.

One of the really important things that came out of that was this threat framework, said Craig Harber — formerly a lead system engineer for NSA, now a lead systems engineer within the Mission Integration Division at Cyber Command — speaking at a defense conference in Charleston, S.C., Dec. 7 hosted by the Charleston Defense Contractors Association.

This threat framework, however, was classified — meaning the government was not sharing it, he said. Now there’s an unclassified version of that threat framework that really talks about adversary behaviors, providing a “DNA” of adversaries.

“It really helps us understand what specific activities are they doing,” he said. “Today I can tell you what does a Russian adversary look like, what does a Chinese adversary look like, what does an Iranian, North Korean [adversary look like]. Because they take certain steps along the way when they attack our systems and we capture that.”

When looking at those behaviors collectively, it drives what security measures are actually needed.

Harber said one of the things he hopes to do on the sidelines of the conference is sit down with the industry representatives and discuss what is really needed from a capabilities standpoint across the board.

Some of the most important work done over the last 12 to 18 months was to package the report into a format that could be shared with industry so now everyone understands what adversaries are doing, he said. This includes not only the nation-state threats, but insider threats as well.

Harber said the report indicated perimeter defense looked pretty good, but once the adversary got inside the network “not so good.”

Vendors can now be better informed as to what to offer in terms of detection, protection and response.