By Peter M. Tran, Senior Director, RSA Advanced Cyber Defense Practice
In Part I of my post on Switch Targeting, I discussed how adversaries use seemingly trusted hop points as vectors into and out of primary targets, much as bank robbers target, stage and execute a robbery. Here I want to introduce the concept of the three "R's", or R3, drawn from my experience in the field helping organizations work out where these switch targets may sit relative to their own attack infrastructure as part of designing a Next Generation Security Operations Center (SOC). R3 comprises three focal areas for the Chief Information Security Officer (CISO) to consider: Readiness, Response and Resiliency.
Readiness is an organization's understanding of its current operating state, measured against its ability to handle cyber security incidents and informed by predictive intelligence. If you were breached today, would you know exactly what to do and how you would perform? Do you know where your highest value targets (HVTs) and highest value programs (HVPs) are, and what the impact would be if they were breached?
Response is an organization's ability to triage, analyze, escalate and remediate material cyber incidents.
Resiliency is the ability to predict, respond to and mitigate cyber incidents while operating and sustaining an optimized security operations capability. Are you using historical attack intelligence, behavioral anomalies and advanced analytics to enumerate your risks and map each one to the likelihood that your enterprise is targeted?
Taken together, R3 gives a predictive site picture that reads more like a weather report: risk mapped against likelihood forms a graduated continuum of hot, mild and cool zones, and real-time decisions about mitigating an attack can be made as network behavior moves between severity and likelihood levels.
Now take the concept one step further and apply it to multiple data cubes, such as business risks, nodal anomalies, threat intelligence, HVTs and HVPs, analyzing them by behavioral cluster, distribution, frequency, relative closeness, density, separation, relationship and subspace trend. One example is eigenvector analysis of the attack infrastructure graph, which lets attack vectors and targets be identified before material impact occurs. Below is an example of an enterprise's attack infrastructure in which severity and likelihood zones can be identified quickly from the relationships between the organization's core nodes and potentially hostile or high-risk relationships and active targeting.
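The zone map described in the two paragraphs above, as an added example that is not part of the original post or of any RSA tooling. It builds a small, constructed attack-infrastructure graph (the host names, session counts, asset values and zone thresholds are invented for illustration, and the TEST-NET-3 address 203.0.113.7 stands in for an intel-flagged host) and runs two eigenvector computations over it. Likelihood is a random walk with restart seeded at the hostile node (personalized PageRank, the dominant eigenvector of the restart-augmented walk), which measures how close each node sits to known hostile infrastructure; hop value is plain eigenvector centrality, which measures how useful a node would be as a switch or hop point. Zones are hot/mild/cool bands on likelihood, and a triage priority multiplies likelihood by a constructed severity, the larger of asset value and hop value.

```python
"""Added example: a hot/mild/cool 'weather map' over an attack-infrastructure graph.

Two eigenvector computations on constructed telemetry:
  * likelihood = random walk with restart seeded at intel-flagged nodes
                 (personalized PageRank): closeness to hostile infrastructure
  * hop_value  = eigenvector centrality of the weighted graph: usefulness as a hop point
All names, weights, asset values and thresholds below are constructed, not real data.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed telemetry: (a, b, sessions observed), treated as an undirected weighted edge.
EDGES: List[Tuple[str, str, float]] = [
    ("ws-103", "203.0.113.7", 12),       # workstation beaconing to an intel-flagged host
    ("ws-103", "proxy-01", 30),
    ("ws-103", "file-01", 15),
    ("proxy-01", "cdn.example.net", 50),
    ("ws-101", "dc-01", 40),
    ("ws-101", "file-01", 20),
    ("dc-01", "file-01", 10),
]
HOSTILE = {"203.0.113.7"}                       # constructed threat-intel tag
ASSET_VALUE = {"dc-01": 1.0, "file-01": 0.8}    # constructed HVT/HVP weights; everything else 0.1
RESTART = 0.5                                   # restart probability: higher = heat decays faster

Graph = Dict[str, Dict[str, float]]


def build_graph(edges: Iterable[Tuple[str, str, float]]) -> Graph:
    """Symmetric weighted adjacency; parallel edges add up."""
    g: Graph = {}
    for a, b, w in edges:
        g.setdefault(a, {})
        g.setdefault(b, {})
        g[a][b] = g[a].get(b, 0.0) + w
        g[b][a] = g[b].get(a, 0.0) + w
    return g


def hostile_exposure(g: Graph, hostile: set, restart: float = RESTART, tol: float = 1e-12) -> Dict[str, float]:
    """Random walk with restart to the hostile seeds (personalized PageRank), scaled so max = 1."""
    nodes = list(g)
    seeds = [n for n in nodes if n in hostile]
    seed = {n: (1.0 / len(seeds) if n in hostile else 0.0) for n in nodes}
    deg = {n: sum(g[n].values()) for n in nodes}
    x = dict(seed)
    for _ in range(10_000):
        nxt = {n: restart * seed[n] for n in nodes}
        for u in nodes:
            for v, w in g[u].items():           # walker moves along edges proportional to weight
                nxt[v] += (1.0 - restart) * x[u] * w / deg[u]
        delta = sum(abs(nxt[n] - x[n]) for n in nodes)
        x = nxt
        if delta < tol:
            break
    top = max(x.values())
    return {n: x[n] / top for n in nodes}


def hop_value(g: Graph, tol: float = 1e-12) -> Dict[str, float]:
    """Eigenvector centrality by power iteration on A + I; the shift keeps the eigenvectors
    and guarantees convergence even on bipartite graphs. Scaled so max = 1."""
    nodes = list(g)
    x = {n: 1.0 for n in nodes}
    for _ in range(10_000):
        nxt = {n: x[n] + sum(w * x[v] for v, w in g[n].items()) for n in nodes}
        top = max(nxt.values())
        nxt = {n: nxt[n] / top for n in nodes}
        delta = max(abs(nxt[n] - x[n]) for n in nodes)
        x = nxt
        if delta < tol:
            break
    return x


def eigen_residual(g: Graph, x: Dict[str, float]) -> float:
    """max |(Mx)_i - lam*x_i| / lam for M = A + I and lam the Rayleigh quotient; ~0 for an eigenvector."""
    mx = {n: x[n] + sum(w * x[v] for v, w in g[n].items()) for n in x}
    lam = sum(mx[n] * x[n] for n in x) / sum(x[n] ** 2 for n in x)
    return max(abs(mx[n] - lam * x[n]) for n in x) / lam


def zone(likelihood: float, hot: float = 0.3, mild: float = 0.1) -> str:
    """Constructed thresholds turning the likelihood continuum into weather-report bands."""
    return "hot" if likelihood >= hot else "mild" if likelihood >= mild else "cool"


def weather_map(edges=EDGES, hostile=HOSTILE, asset_value=ASSET_VALUE) -> Dict[str, dict]:
    """Per-asset likelihood, hop value, severity, priority and zone (hostile nodes are the front, not assets)."""
    g = build_graph(edges)
    like, hop = hostile_exposure(g, hostile), hop_value(g)
    report = {}
    for n in g:
        if n in hostile:
            continue
        severity = max(asset_value.get(n, 0.1), hop[n])   # constructed: HVT value or strong hop point
        report[n] = {"likelihood": like[n], "hop_value": hop[n], "severity": severity,
                     "priority": like[n] * severity, "zone": zone(like[n])}
    return report


if __name__ == "__main__":
    for n, r in sorted(weather_map().items(), key=lambda kv: -kv[1]["priority"]):
        print(f"{n:16} {r['zone']:4} likelihood={r['likelihood']:.3f} "
              f"hop={r['hop_value']:.3f} priority={r['priority']:.3f}")
```

Running it prints ws-103 as the hot front, proxy-01 as mild and the domain controller as cool even though it carries the highest asset value: the walk has to cross file-01 or proxy-01 to reach it, and heat decays with every hop. The restart probability is the knob that sets that decay; raising it makes the map more local, lowering it lets heat propagate further into the core, which is exactly the trade-off an analyst tunes when deciding how far from an observed hostile relationship the SOC should start treating nodes as targeted.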
This becomes extremely powerful for the security analyst and network defender, who can execute real-time response or mitigation while sustaining operational efficiency, all of which feeds back into the R3 loop. In my next post I will discuss the value of attack attribution within the R3 concept and its impact on Next Generation SOC design. If you would like to hear more about Next Generation SOC design approaches for advanced cyber defense, please listen to my slidecast recorded April 2nd at: (http://rsa.edgeboss.net/download/rsa/2013/040213nextgen_soc.wmv).
Peter Tran leads RSA’s world-wide Advanced Cyber Defense Practice and directs overall professional services for Global Incident Response/Discovery (IR/D), breach readiness/management, remediation, cyber intelligence/exploitation analysis, Next Generation SOC design/implementation and proactive computer network defense.