Cyber analysis and warning capabilities include (1) monitoring network activity to detect anomalies, (2) analyzing information and investigating anomalies to determine whether they are threats, (3) warning appropriate officials with timely and actionable threat and mitigation information, and (4) responding to the threat.
- Monitoring — detecting cyber threats, attacks, and vulnerabilities and establishing a baseline of system and communication network assets and normal traffic.
- Analysis — using the information or intelligence gathered from monitoring to hypothesize about what the threat might be, investigate it with technical and contextual expertise to identify the threat and its impact, and determine possible mitigation steps. Analysis may be reactive, initiated by a detected anomaly; this is a tactical approach intended to triage information during a cyber incident and support decisions. It may also be predictive, proactively reviewing data collected during monitoring to look at cyber events and the network environment for trends, patterns, or correlated anomalies that indicate more serious attacks or future threats.
- Warning — developing and issuing informal and formal notifications that alert recipients in advance of potential or imminent, as well as ongoing, cyber threats or attacks. Warnings are intended to alert entities to the presence of cyber attack, help delineate the relevance and immediacy of cyber attacks, provide information on how to remediate vulnerabilities and mitigate incidents, or make overall statements about the health and welfare of the Internet.
- Response — taking actions to contain an incident, manage the protection of network operations, and recover from damage when vulnerabilities are revealed or when cyber incidents occur. Response also includes documenting lessons learned and cyber threat data and feeding them back into the other capabilities to improve overall cyber analysis and warning.
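The four capabilities above can be sketched end to end in code. The following is an added example written for this page, not material from the report it summarizes: it builds a per-host traffic baseline from constructed flow summaries (monitoring), compares an observed time bucket against that baseline and explains each deviation (analysis), and turns the findings into ranked warnings with a mitigation hint (warning). The flow records, the hosts, the z-score threshold, and the floor applied to the baseline spread are all assumptions made for illustration; a host that appears with no baseline at all is treated as its own case rather than silently skipped.

```python
"""Added example: minimal monitoring -> analysis -> warning pipeline over constructed flows."""
import statistics
from collections import defaultdict

# Constructed sample flow summaries (not captured data): (time_bucket, src_host, dst_port, bytes).
# Buckets 0-5 form the training window used for the baseline; bucket 6 is the observed window.
FLOWS = (
    [(t, "host-a", 443, 5000 + 100 * t) for t in range(6)] + [(6, "host-a", 443, 5200)]
    + [(t, "host-b", 53, 800 + 20 * t) for t in range(6)] + [(6, "host-b", 53, 860)]
    + [(t, "host-c", 443, 1000 + 10 * t) for t in range(6)] + [(6, "host-c", 4444, 250_000)]
    + [(6, "host-d", 22, 3000)]  # host never seen during the training window
)

TRAINING_BUCKETS = range(6)
OBSERVED_BUCKET = 6
Z_THRESHOLD = 3.0  # assumed tuning value, not from the report


def build_baseline(flows, training_buckets):
    """Monitoring step: per host, mean/spread of bytes per bucket and the set of ports used."""
    per_host_bucket = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for t, host, port, nbytes in flows:
        if t in training_buckets:
            per_host_bucket[host][t] += nbytes
            ports[host].add(port)
    baseline = {}
    for host, buckets in per_host_bucket.items():
        series = [buckets.get(t, 0) for t in training_buckets]  # a silent bucket counts as 0 bytes
        mean = statistics.fmean(series)
        stdev = statistics.stdev(series) if len(series) > 1 else 0.0
        # Floor the spread so a perfectly flat history cannot divide by zero or flag
        # trivial noise as a spike (assumed floor of 5% of the mean, minimum 1 byte).
        sigma = max(stdev, 0.05 * mean, 1.0)
        baseline[host] = {"mean": mean, "sigma": sigma, "ports": ports[host]}
    return baseline


def detect_anomalies(flows, baseline, bucket, z_threshold=Z_THRESHOLD):
    """Analysis step: compare the observed bucket against the baseline and explain each hit."""
    observed_bytes = defaultdict(int)
    observed_ports = defaultdict(set)
    for t, host, port, nbytes in flows:
        if t == bucket:
            observed_bytes[host] += nbytes
            observed_ports[host].add(port)
    anomalies = []
    for host in sorted(observed_bytes):
        reasons = []
        if host not in baseline:
            reasons.append("no baseline for host")
        else:
            b = baseline[host]
            z = (observed_bytes[host] - b["mean"]) / b["sigma"]
            if abs(z) > z_threshold:
                reasons.append(f"volume z-score {z:.1f}")
            new_ports = observed_ports[host] - b["ports"]
            if new_ports:
                reasons.append(f"new destination ports {sorted(new_ports)}")
        if reasons:
            anomalies.append({"host": host, "bytes": observed_bytes[host], "reasons": reasons})
    return anomalies


def issue_warnings(anomalies):
    """Warning step: rank by how many independent indicators agree and attach a mitigation hint."""
    warnings = []
    for a in anomalies:
        if "no baseline for host" in a["reasons"]:
            severity, action = "low", "confirm asset inventory; add host to baseline"
        elif len(a["reasons"]) >= 2:
            severity, action = "high", "isolate host and capture traffic for forensics"
        else:
            severity, action = "medium", "review flows and confirm with host owner"
        warnings.append({"host": a["host"], "severity": severity,
                         "indicators": a["reasons"], "action": action})
    return warnings


if __name__ == "__main__":
    base = build_baseline(FLOWS, TRAINING_BUCKETS)
    for w in issue_warnings(detect_anomalies(FLOWS, base, OBSERVED_BUCKET)):
        print(w)
```

With the constructed input, host-a and host-b stay within their baselines, host-c is flagged on two independent indicators (a volume spike and a never-seen destination port) and gets a high-severity warning, and host-d produces a low-severity inventory warning because there is nothing to compare it against. The response step is deliberately left to the operator: the warning carries the action, and a real center would feed the outcome back into the baseline and port sets.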
Typically, cyber analysis and warning is executed, or managed, from a central focal point known as an operation center or watch center. Such centers can serve a single organization or a number of organizations. Centers generally include physically and electronically connected multidisciplinary teams with access to a variety of communication and software tools. The teams are made up of specialized analysts, sometimes referred to as watch standers, with a combination of expertise in information security, intelligence, and cyber forensics. Teams may also include subject area experts with specialized expertise in certain critical infrastructure sectors, industries, or technologies.
The centers operate tools that integrate data and facilitate analysis by the watch standers. The data come from a multitude of sources, including internal or external monitoring, human or signals intelligence, analytical results, warnings from other entities, and information collected from previous threat responses. Centers decide when and how to issue formal and informal warnings that contribute to further analysis or provide information that aids in decisions about how to respond to an incident.
Depending on the size and organizational structure of an organization, the analysis and warning team may work with incident response teams during a cyber incident. The incident response team manages the decisions required for handling an incident using information discovered during monitoring, analysis, and warning. The team may also coordinate with those responsible for information security for the organization in order to assess risks, remediate vulnerabilities, and prepare for and respond to attacks.