The chapter further outlines the topical issue through sub-topics such as the OODA loop, PDAR and the J2 intelligence cycle, and CND and incident response. Other sub-topics include the role of digital forensics in cyber C2 for situation awareness, how models relate in situation awareness, issues with cyber defense in situation awareness, and why active defense is required. The chapter then presents how active defense enhances an organization's intelligence cycle. It ends with a summary of the main points in the literature review.
2.2: Defining Cyber Security and Situation Awareness.
Situation awareness is defined as the capacity to swiftly and efficiently address arriving stimuli with appropriate responses (Cumiford, 2006). It impacts defensive operations at the tactical level by providing the ability to recognize and respond to the actions of the adversary (Tadda, n.d.). Endsley (1995) describes SA as the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.
SA integrates the surroundings, the goal, the organization, the available material and human resources, and the other actors in the environment (Pew, 2000). Situation awareness provides a decision-making model that can be broken into three components.
The first component entails being aware of the current environment (Endsley and Garland, 2000). The second is determining the importance of particular incidents in the cyber domain. The last component entails being able to tie that awareness to opportune and apt responses (Cumiford, 2006). In the SA model, the cyber situation awareness system is responsible for processing the incoming data, with the purpose of repelling attacks from external sources (Tadda, n.d.). To do so, a cyber SA system must draw on such tools and data as intrusion detection systems, firewall logs, system logs, and network flow and connection data (Tadda, n.d.). Models within a cyber SA system combine to enable it to capture and reason about past, current, and future states of system operations and possible threats. The system is able to build new models or modify existing ones from a combination of new and old information. This is made possible through positive relations among all models within the cyber domain, as well as research in the field (Hettinger and McKeely, 2011). The cyber SA system updates these models based on input from the external environment, its own status, and the outputs of planning and reasoning. This decision-making model rests on the following capabilities: recognition of particular situations, determination of the significance of particular situations, reactive and proactive capabilities, the ability to handle uncertainty and incompleteness, and the ability to break goals into constituent parts (Cumiford, 2006). To make the cyber SA decision-making model perform better, four additional capabilities are required. Temporal reasoning is one of them, since situations occur in time; it includes modal logic.

2.3: CND and incident response and its role in SA

Computer network defense is a system aimed at protecting information systems against attacks.
A classic CND is comprised of multiple niche intrusion detection tools, each of which carries out network data analysis and produces its own alerting output (Beaver et al., n.d.). Passive defense involves such tools as password protection, data encryption, and firewalls.
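As an added illustration that is not part of this chapter or its sources, the three SA components described in 2.2 applied to the heterogeneous alerting outputs a classic CND produces: a small Python pipeline that perceives constructed firewall, syslog, IDS and netflow records, comprehends them by correlating per host pair inside a time window (temporal reasoning) and scoring how many sensors corroborate (handling uncertainty), and projects the likely next state together with an apt response. The record formats, sensor weights, window and byte threshold are assumptions made for the example.

```python
import re
from datetime import datetime
# Constructed sensor output (not real logs): firewall, syslog, IDS and netflow
# records about one peer, plus an unrelated firewall deny that must stay separate.
SAMPLE = """\
2024-05-01T10:00:01 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:40 syslog src=203.0.113.7 dst=10.0.0.5 msg=sshd_failed_password
2024-05-01T10:01:10 ids alert sig=SSH_BRUTE src=203.0.113.7 dst=10.0.0.5
2024-05-01T10:02:00 flow src=10.0.0.5 dst=203.0.113.7 bytes=5200000
2024-05-01T11:30:00 fw DENY src=198.51.100.9 dst=10.0.0.8 dport=445"""
LINE = re.compile(r"^(\S+) (fw|syslog|ids|flow) (.*)$")
KV = re.compile(r"(\w+)=(\S+)")
WEIGHT = {"fw": 1, "syslog": 2, "ids": 4, "flow": 3}  # assumed per-sensor significance

def perceive(raw):
    """Level 1, perception: normalize heterogeneous sensor lines into time-ordered events."""
    events = []
    for line in raw.splitlines():
        m = LINE.match(line)
        if m:  # malformed or unknown lines are skipped (incomplete data), not fatal
            ts, sensor, rest = m.groups()
            events.append({"t": datetime.fromisoformat(ts), "sensor": sensor, **dict(KV.findall(rest))})
    return sorted(events, key=lambda e: e["t"])

def comprehend(events, window_s=300):
    """Level 2, comprehension: correlate per host pair inside a time window, score corroboration."""
    latest, situations = {}, []
    for ev in events:
        key = frozenset((ev.get("src"), ev.get("dst")))  # direction-agnostic host pair
        sit = latest.get(key)
        if sit is None or (ev["t"] - sit["start"]).total_seconds() > window_s:
            sit = latest[key] = {"pair": key, "start": ev["t"], "sensors": set(), "bytes": 0}
            situations.append(sit)
        sit["sensors"].add(ev["sensor"])
        sit["bytes"] += int(ev.get("bytes", 0))
    for sit in situations:
        sit["score"] = sum(WEIGHT[s] for s in sit["sensors"])
        sit["confidence"] = len(sit["sensors"]) / len(WEIGHT)  # a lone sensor is weak evidence
    return situations

def assess(raw, window_s=300):
    """Level 3, projection: anticipate the next state and tie each situation to an apt response."""
    sits = comprehend(perceive(raw), window_s)
    for sit in sits:
        s = sit["sensors"]
        sit["stage"], sit["response"] = "reconnaissance", "monitor"
        if "ids" in s and "flow" in s and sit["bytes"] >= 1_000_000:  # alert then bulk transfer
            sit["stage"], sit["response"] = "exfiltration likely", "isolate host; block peer"
        elif "ids" in s or "syslog" in s:
            sit["stage"], sit["response"] = "compromise attempt", "block peer; review host"
    return sorted(sits, key=lambda x: x["score"], reverse=True)
```

Shrinking the window (for example to 60 seconds) splits the first peer's activity into two situations, which shows why the temporal dimension changes what the model concludes.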