Saturday, February 01, 2014

Red Sky Weekly: Developing your security plan? Try this simple exercise.

On Wednesday I had the misfortune of telling an attorney that his client had been breached... and breached bad. We discussed what would happen next.. how would he approach the problem. And do you know what he told me?

"I'm going to my security team." Good for you! I said.

And then he told me --"not the information security team; the physical security team." Why? I asked.

"They know people. And they can work with the information security people. Information security guys know bits and bytes. Physical security people know bad guys."

Wow. What a perspective! I've heard tell of converged security teams, and while some efforts have been really well done, as many seem to fail. To have this attorney, a pretty computer-savvy guy in his own right, tell me he'll talk to his physical security guys before his information security team... it hit me like a ton of bricks! It's easy to fall into a rut and think like the good guys, but isn't it just as important to think like the bad guys? How do we get information security guys to think more like the bad guys, but still use good business process?

When was the last time you took a realistic look at how bad guys might actually come into your network? Does your pen tester follow a script, or does he plug a wireless air freshener into your conference room, or a pineapple into the coffee shop next to your office? Does he know how to exploit the print spooler or the hard drive on your copier? When was the last time someone reviewed your DNS logs for persistent connections and larger-than-normal packets, monitored for command-line net commands, or scoured your network for rogue virtual VPN concentrators behind your DMZ?
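One of the DNS-log reviews mentioned above, written out as an added example (this is not code from the original post or from Red Sky/Wapack Labs). It parses a constructed, simplified log format, flags clients that keep resolving names under one domain at near-constant intervals (the "persistent connection" pattern), and flags records whose response exceeds the classic 512-byte UDP DNS limit or whose labels are unusually long. The log format, the sample lines, the two-label "registered domain" shortcut, and the thresholds are all assumptions you would tune to your own resolver and baseline.

```python
"""Review of DNS logs for persistent (beacon-like) lookups and oversized records.

Added example, not from the original post. The log format and every log line
below are constructed; adapt parse_dns_log() to your resolver's real format.
"""
import statistics
from collections import defaultdict

# Constructed log lines: "<epoch-seconds> <client-ip> <query-name> <response-bytes>"
DNS_LOG = """\
1391212800 10.0.0.12 www.example.com 98
1391212800 10.0.0.57 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.tunnel.example.net 612
1391212860 10.0.0.57 f0e1d2c3b4a5968778695a4b3c2d1e0f1a2b3c4d.tunnel.example.net 640
1391212920 10.0.0.57 00112233445566778899aabbccddeeff00112233.tunnel.example.net 601
1391212980 10.0.0.57 deadbeefcafef00d0123456789abcdef01234567.tunnel.example.net 655
1391213040 10.0.0.57 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c.tunnel.example.net 630
1391212811 10.0.0.12 mail.example.com 110
1391213300 10.0.0.12 www.example.com 98
1391214000 10.0.0.12 cdn.example.org 120
"""


def parse_dns_log(text):
    """Parse the constructed format into (ts, client, qname, size) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, size = parts
        try:
            records.append((int(ts), client, qname.lower().rstrip("."), int(size)))
        except ValueError:
            continue
    return records


def registered_domain(qname):
    """Crude 'last two labels' grouping (an assumption for this example;
    production code should consult a public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_persistent(records, min_count=4, max_jitter=5.0):
    """Clients that resolve names under one domain at least min_count times at
    regular intervals (population stdev of the gaps <= max_jitter seconds)."""
    times = defaultdict(list)
    for ts, client, qname, _size in records:
        times[(client, registered_domain(qname))].append(ts)
    hits = []
    for (client, domain), stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(intervals) <= max_jitter:
            hits.append((client, domain, len(stamps), statistics.mean(intervals)))
    return hits


def find_oversized(records, max_size=512, max_label=32):
    """Records whose response is larger than the traditional 512-byte UDP DNS
    message limit, or whose longest label exceeds max_label characters."""
    hits = []
    for _ts, client, qname, size in records:
        longest = max(len(label) for label in qname.split("."))
        if size > max_size or longest > max_label:
            hits.append((client, qname, size, longest))
    return hits


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    for client, domain, count, interval in find_persistent(recs):
        print(f"persistent: {client} -> {domain}, {count} lookups every ~{interval}s")
    for client, qname, size, longest in find_oversized(recs):
        print(f"oversized: {client} {qname} ({size} bytes, longest label {longest})")
```

Run against the constructed lines, the regular 60-second lookups from 10.0.0.57 are the only group flagged as persistent, and the same five records trip both size and label-length thresholds; the 10.0.0.12 traffic stays quiet. The interval check is deliberately simple so the reader can see the shape of the logic; a real baseline would be built per domain over days of logs.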

...thinking like a bad guy. Acting like a good guy. How, you ask?

Try this simple group exercise. It'll help your team get past their good guy mentality. It's fun as hell, and is a VERY effective tool for brainstorming, cataloging, and prioritizing. Be creative.
  • Take a couple of hours with a few of the most devious folks you know in your infosec circles. These can be coworkers, but don't necessarily have to be. Grab a beer and start brainstorming. I like using sticky notes. Pass out a bunch of them. Each sticky note gets a single scenario. What's a scenario? It's a way someone might threaten or access your network, steal data, disrupt your business, etc. Stick to cyber. Keep it focused.
  • Post the stickies on the walls. Don't worry about where. Just get them up. Once up, they don't come back down. This is brainstorming. There are no stupid ideas.
  • Once the stickies are gone and the ideas exhausted, organize them. Lump them together on the wall in kill chain format. Start with Reconnaissance and work your way through to Objectives... seven phases, all representing layers of defense in depth in your environment.
  • Now, look at your groupings. Multi-vote on the prioritization of the most likely scenarios in each grouping. This will help decide what you need to protect against first. Are there commonalities? Which do you think are more probable?
  • Start listing defensive measures for each of the groupings, at each phase in the kill chain. Highest multi-voted stickies go first. The next go next, and so on.
  • Take pictures of the now-prioritized groupings with your smart phone. Print them off. Pass them out.
  • Think about your environment. How do you protect against each prioritized sticky note?
Now, go back to your office and formulate your plan. It's a simple matrix with all of the vulnerabilities listed down the left, and the kill chain phases listed across the top. In every square, show how you've protected against that threat, risk, or vulnerability. Use Red, Yellow, and Green to show whether each is mitigated, partially mitigated, or not mitigated; leave unknowns white. Now go to work. You have a plan.
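The matrix described above, built in code as an added example (not from the original post or from Red Sky/Wapack Labs). It takes the stickies as (scenario, kill-chain phase, multi-vote count), lumps them by phase in kill-chain order, lays the scenarios out as rows against the seven phases as columns, colours each cell Red/Yellow/Green with unknowns left white, and then lists the unmitigated cells highest-voted first, which is the order the post says to work them. The scenario names, vote counts and coverage statuses are constructed for illustration.

```python
"""Kill-chain planning matrix built from sticky-note scenarios.

Added example, not from the original post. Scenario names, vote counts and
coverage statuses below are constructed; replace them with your own stickies.
"""
from collections import defaultdict

# The seven phases of the Lockheed Martin kill chain, in order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(KILL_CHAIN)}
SHORT = ["Recon", "Weap", "Deliv", "Expl", "Inst", "C2", "Obj"]

# Cell colours from the post: Green/Yellow/Red, unknown stays white.
MITIGATED, PARTIAL, UNMITIGATED, UNKNOWN = "G", "Y", "R", "W"

# Constructed stickies: (scenario, phase it was grouped under, multi-vote count)
STICKIES = [
    ("Phishing email with macro document", "Delivery", 9),
    ("Rogue wireless device in conference room", "Delivery", 4),
    ("Credential reuse from public breach dump", "Exploitation", 7),
    ("DNS tunnelling for exfiltration", "Command and Control", 6),
    ("Copier hard drive walked out the door", "Actions on Objectives", 2),
]

# Constructed coverage: (scenario, phase) -> status. Cells not listed are unknown.
COVERAGE = {
    ("Phishing email with macro document", "Delivery"): PARTIAL,
    ("Phishing email with macro document", "Exploitation"): MITIGATED,
    ("Phishing email with macro document", "Installation"): UNMITIGATED,
    ("Credential reuse from public breach dump", "Exploitation"): UNMITIGATED,
    ("Credential reuse from public breach dump", "Command and Control"): PARTIAL,
    ("DNS tunnelling for exfiltration", "Command and Control"): UNMITIGATED,
    ("DNS tunnelling for exfiltration", "Actions on Objectives"): PARTIAL,
    ("Rogue wireless device in conference room", "Delivery"): MITIGATED,
    ("Copier hard drive walked out the door", "Actions on Objectives"): UNKNOWN,
}


def group_by_phase(stickies):
    """Lump stickies by kill-chain phase; within a phase, most votes first."""
    groups = defaultdict(list)
    for scenario, phase, votes in stickies:
        if phase not in PHASE_INDEX:
            raise ValueError(f"not a kill-chain phase: {phase!r}")
        groups[phase].append((scenario, votes))
    return {phase: sorted(groups[phase], key=lambda sv: -sv[1])
            for phase in KILL_CHAIN if phase in groups}


def build_matrix(stickies, coverage):
    """Rows = scenarios (most votes first); columns = the seven phases.
    Returns (scenario, votes, [status per phase]) with unknown cells white."""
    rows = []
    for scenario, _phase, votes in sorted(stickies, key=lambda s: -s[2]):
        cells = [coverage.get((scenario, phase), UNKNOWN) for phase in KILL_CHAIN]
        rows.append((scenario, votes, cells))
    return rows


def prioritized_gaps(stickies, coverage, statuses=(UNMITIGATED,)):
    """Cells still needing work, ordered by votes (desc) then kill-chain order.
    Pass statuses=(UNMITIGATED, UNKNOWN) to include the white cells too."""
    gaps = []
    for scenario, _votes, cells in build_matrix(stickies, coverage):
        for phase, status in zip(KILL_CHAIN, cells):
            if status in statuses:
                gaps.append((scenario, phase, status))
    return gaps


def render(rows):
    """Plain-text view of the matrix for printing and passing out."""
    lines = ["Scenario".ljust(44) + "Votes  " + " ".join(s.ljust(5) for s in SHORT)]
    for scenario, votes, cells in rows:
        lines.append(scenario.ljust(44) + str(votes).ljust(7) + " ".join(c.ljust(5) for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_matrix(STICKIES, COVERAGE)))
    print()
    for scenario, phase, status in prioritized_gaps(STICKIES, COVERAGE):
        print(f"work next: {scenario} @ {phase} ({status})")
```

The grouping step mirrors the wall of stickies, and the gap list is the "highest multi-voted stickies go first" rule made explicit. Once the team has filled in the white cells, rerun it and the Red cells become the plan.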

So, we may not understand the psychology of criminal behavior, but we can leverage simple crowdsourcing to come up with a plan for protecting our networks. This is a very easy and fun exercise that can be carried out in an afternoon, and it is one of the best ways to get new perspectives on what might hurt you today, tomorrow or next week... and how you might prioritize and protect against these threats.

BT BT

Wow. I can't believe January is over. I spent a night in Pittsburgh after a day with some folks who've just started a new security practice.. CBTS (Cincinnati Bell Technology Services) brought in a bunch of folks who'd been with GE Aerospace (CISO, Director of Incident Response, others) and started a new business. These are smart guys. I've been dealing with them since the startup days of our efforts dealing with APT (eight, ten years ago now??? It seems like yesterday!). Anyway, great group of folks. If you need incident response help on a major breach, other companies have LONG waiting lists. You might actually get an appointment with the CBTS folks!

What else is happening? The month started slow, but ended with a tornado of activity.

We're planning our outreach activities.. 

We're doing our first Booz'n and Brainstorm'n session of the year. What's a Booz'n and Brainstorm'n session? We invite really smart people. Usually a dozen or so, plus Red Sky members and the team. The price of admission for invites? Bring one or two ideas or problems that you face, and be ready to open conversation after the first martinis are gone. It's amazing how intellectual tennis plays out with small amounts of liquid brain lubrication! Our guys take notes, and we regroup the next day to figure out which ones can be acted on. It's great fun and intellectually stimulating all at the same time!

  • So, what is it? "Booz'n and Brainstorm'n"
  • Where? Harvard Club of Boston.. the night before Threat Day
  • Who? It's an invitation-only event. We've invited National Security Fellows (NSFs) from the Harvard Kennedy School and CISOs or Chief Threat Intelligence folks in the Red Sky Alliance membership. The NSFs are mid-to-senior government and military folks who get sent off to Harvard to study for a year before taking on more influential positions. It's fun to exchange ideas with them over cocktails. We did one last March with last year's class. It was amazing fun! I'm very much looking forward to meeting the new crop of NSFs!
Threat Day is coming up, tentatively scheduled for March 18th at a member site in Boston. As long as we've got members on travel, we figured we'll kill two birds with one stone. We normally do cocktails the night before, so why not do a Booz'n and Brainstorm'n session instead? Sounds like fun right?


More from last week:

  • We published three analytic products this week.. A priority intelligence report (PIR), a Cyber Threat Analysis and Intelligence (CTA&I) report and a Fusion Report. PIRs are 'wolves closest to the sled'; CTA&I report is 'what's coming'; and Fusion Reports are usually analytic, usually tech focused, and retrospective in nature. All tell a story and include indicators that you simply drop into your defenses. In fact, two of our members this week told us that they LOVE the fusion reports. One said they use every snort signature. The other told us they'd won a major contract, largely because they participate in Red Sky Alliance and have access to great, deep, snort rules, yara rules, high confidence malicious mail information, and LM Kill Chain formatted IOCs. 


  • Wapack Labs is finally getting through the forming, storming, norming and performing of operating with the FS-ISAC SOC. We knew it'd take time, and were hoping by mid-February to find the rhythm. It looks like we're normalizing and settling in! 


We're building our outreach schedule for the year. If you're interested in sponsoring an event (this is new for us).. contact Steve Hunt. He's heading up the effort. We're in the process of scheduling a series of webinars, regional Booz'n and Brainstorm'n sessions and several other events.

Last, we authored a country report on Iceland entitled "A Wapack Labs Assessment of Risks to Information Security in Iceland". If you're considering using data centers in Iceland as your off-shored backup, drop us a note. We plan to market this report through Amazon and would be happy to add you to the distribution list when the report goes live.

Closing out... we talked of a manual process for crowdsourcing your security planning. Need help? Scenarios? Focus? Call us. You may consider joining our crowdsourcing engine (Red Sky Alliance). No pressure, but the best security planning comes from being able to exchange information with others... inside and outside of your peer group.  If you don't feel comfortable in the portal, call Wapack Labs. We'll tell you what we think are the priorities that you need to think through.

Amazing week. I'm hoping next week is as much fun! I think it will be. We've got about a half dozen inquiries for membership that we're doing demos for, and, I'll be on the road (actually in the air) on Wednesday for meetings in DC and NYC before returning Friday morning.

Until next time,
Have a great week!
Jeff