Friday, October 15, 2010

Cause and Effect

A bit of a philosophical question to the reader:  What is the relationship of security defenders to offense/criminals?  I submit the current accepted belief sees us (the defenders) as a reaction to offensive tactics.  More precisely, security folk tend to observe "defense" as an effect of it's cause, namely, "attack" or possibly "vulnerability".  This rationality manifests itself through reliance on compliance programs or classical risk analysis ( R=(tva), ALE, etc).

I think we can do better, but first need to rationalize security in a different light.  Resemblance.  We need to compare ourselves to our various adversaries and recognize we run similar operations.  Defense holds significant characteristics and qualities of "Offense".  This includes attributes such as
time, motive, ability, techniques, tools, tactics, procedures, operations security (and deception!), collaboration with peers, reputation, money, clarity of mission, infrastructure, law, enemies, competition, allies, customs/culture, politics, visibility, knowledge, skill, strategy, team size, team cohesion, maturity, experience, rapidity, incentive/reward, friction, customers, sellers, brokers, trust, primary loyalty,and more. (in no particular order and not exhaustive)
I do think it's healthy to consider defense and offense as one and the same instead of polar opposites.  If we can compare a defenders attributes versus a particular class of adversary we could potentially draw a consistent method of finding strategic weaknesses to learn from.

So briefly applying this idea:  Our (as in defenders) five largest and consistent gaps compared to attackers include skills, collaboration, money, clarity of mission, and infrastructure.  The offense is better than us.  Indeed, not only do they collaborate as a community but they also freely lift novel techniques from legitimate security researchers.  They are not a cost center but actually turn a profit.  This happily leads to a very clear mission.  All this in combination also allows clever and resilient infrastructures. One fortunate item, the  broad offensive community is a black market.  Black markets focal point is trust.  Folks with authority should go focus on disruption of these trust reputations between members (linkages between sellers, brokers, customers, etc).

rubbish? redundant? useful?

Wednesday, October 13, 2010

Clausewitz and Defense in Depth

 I want to introduce and examine Clausewitzian ideas of friction.

In an attempt to explain why the seemingly simple concepts of warfare are actually quite complex Clausewitz (in 1832) suggested a mechanism called 'friction' to help distinguish 'war on paper' and 'real war' in a book titled "On War".  This idea of friction is the attempt to explain external factors such as chance, weather, individual will, opponent strength and how such variables will swiftly throw any plans out the window.  In my words: complexities in the battlefield must never be assumed to be accounted for. When I speak to external factors, it's important to point out that your 'external factors' may overlap with the offenses 'internal factors' and vise versa.

COL John Boyd recognized Clausewitz did not take this idea far enough.  The commander has the ability to increase this friction for the enemy as well as reducing his own.  A great Boyd quote:
The essence of winning and losing is in learning how to shape or influence events so that we not only magnify our spirit and strength but also influence potential adversaries as well as the uncommitted so that they are drawn toward our philosophy and are empathetic towards our success.” (source)
With that as a backdrop, let's talk about "Defense in Depth".  The current practice of vulnerability management is arguably thought of as a major component of "Defense in Depth". It's effectiveness (or lack of) I've been known to rant at great lengths.  This idea of friction points out it's weakness as a conventionally relied upon tactic. Vulnerability management focuses on removing one's known weaknesses before they can cause harm.  Other conventional components of "defense in depth" include blocking, filtering, proxies, antivirus, authentication, access controls, etc.  I suggest this defense in depth methodology, either explicitly or implicitly believes in a condition of creating moderate to high deterrence environment.  That's where things stop.

"Defense in depth" has become a standard argument for security architecture costs/complexity analysis at the cost of not applying the concepts of Clausewitzian friction. But this is help stagging where the 'battle' will be held.  This is you, as commander, preparing for invasion by increasing friction to the enemy through closing doors, windows, and up-righting walls and turrets (Incidentally it's also adding a degree of friction to you: all this work takes valuable time and effort). And that's where you stop. But we can't stop there: we need to additionally throw barriers, traps and make the 'terrain' as difficult an environment as possible for the opponent through the use of deception, feigns, warning signals, intelligence, etc.

I believe a great and fundamental question that needs raised is: Does your implementation of "Defense in Depth" increase friction for the offense while decreasing friction for the defense?

Also, you should follow the #mircon hashtag this week.  Lots of good tweets on interesting subjects which inspired me to finish this post.

Note:  The bad guys have learned these lessons already.  Indeed, their infrastructures are far more resilient and clever than the ones they are attacking.

One more implication: Using standard best practices can harm you.  The procedures of (let's say) patching or enforcing complex passwords create a certain degree of understanding (aka- lowering the friction for both sides) between the defense and offense of the tactics and procedures you're organization will be adhering to.  (Don't even get me started on Antivirus.)

Anyone use this approach?

Tuesday, October 12, 2010

Utilizing the casebook method


I'm wrapping up Allen Dulles' book "The Craft of Intelligence".  The book focuses on the historical context to intelligence agencies however Dulles briefly touched on two methods used in training case officers which resonated with me.

First, he referenced the casebook method.  This is used heavily in law school. This method analyzes previous court arguments and rulings to generate dialog, act out, and properly identify and understand the proceedings.  Presumably the CIA trainee is given both the various evidence known at the time as well as what actually transpired and how the operator responded.  The trainee then analyzes the data to determine if the operator missed a critical piece of data, or otherwise made the best decision.  Hindsight 20/20 can be a valuable training tool.  Secondly, he quickly summarized live exercises or throwing the trainee into realistic simulations.  These can be from various perspectives to learn the underlying motives, responses, and behavior of each side.

Does your team actively leverage these concepts?  

Using casebook methodology for junior level staff to review previous incident case data and find weak areas of response, wrong and/or right assumptions, and primarily to discover how the senior level analyst proceeded through his investigation.  You do keep historical incident datasets and assessments, right?  If not, consider using the Honeynet challenges as 'casebooks'.

Also, all staff should frequently sit in various exercises including table tops and live drills.  I classify these drills into two categories:  training drills or preparedness drills. Training drills are best way to experience the emotion, uncertainty, and quick-mindedness needed outside of actual incident.  Smaller exercises can focus on preparedness (eg. Does the entire team have contact information for escalation points at the ready?  Are their toolsets ready for rapid deployment?).

I see the casebook method and live fires as a superb tool in escalating team members capabilities and discipline. This is different than knowledge transfer, which is what most infosec courses or certifications stress. It's not a replacement but instead a complement to such courses.  What sort of training methods have worked for you?