Monday, August 29, 2011

Dragon Bytes Followup

Last year Richard posted a review of "Dragon Bytes" by Timothy L. Thomas. The book was already out of print when Richard reviewed it, to the extent that Richard had to write a followup post answering questions on how to obtain a copy.

Fast forward nearly a year and I was able to obtain my own copy through Amazon's new/used program. I liked the book. I did a few searches and found several of his papers on the Defense Technical Information Center (DTIC). Some of them are directly related to "Dragon Bytes", while a few cover Russian theory and one covers Al Qaeda. They're worth checking out if you have not had an opportunity to get a copy of the book due to its unavailability.

The Chinese Military’s Strategic Mindset

Google Confronts China’s “Three Warfares”

Russian and Chinese Information Warfare Theory and Practice

Russian Views on Information Based Warfare

Dialectical Versus Empirical Thinking: Ten Key Elements of the Russian Understanding of Information Operations

Al Qaeda and the Internet: The Danger of “Cyberplanning”

Also, I recommend "On China" by Henry Kissinger if this subject interests you.

Friday, August 26, 2011

Sustained Operations

Lately I've been thinking of security operations in the context of the duality of defensive and offensive operations. An offensive operation may achieve little if it doesn’t account for the security controls deployed by a defensive team. Conversely, a defensive operation must take into account the tools and tactics used by the various categories of offensive operations. In this view, security operations is the combination of both offensive and defensive operations: it is the competition between the two.

An offensive operation can exist without a defensive counterpart; however, a defensive operation cannot exist in a successful or sustained fashion without at least one effective offensive operation to counter. The perception that offensive operations do not exist, are ineffective, or are otherwise in a nebulous or unknown state is an undertone in the continually incorrect risk calculations performed by business leaders. This was recently reflected in both the Sony and RSA breaches of 2011 and those companies' apparent disregard for defensive personnel.

If security operations is the duality of defensive and offensive operations, what are defensive and offensive operations? An offensive operation is the willful and sustained intent of an actor or a set of actors to control your technology or information against your will. The operation includes the actors as well as the actors’ specific strategy, tools, tactics or procedures. For instance, the Zeus Trojan is not an offensive operation but is a tool of an offensive operation. Exfiltrating data through the use of encrypted RAR files to a drop host is not an offensive operation but may be a procedure of one.

A defensive operation is the willful and sustained intent of actors to prevent such control. This operation may include tasks such as incident detection and response, architecture design, and vulnerability discovery and correction. More on what makes up a defensive operation will be outlined in later posts.

The defensive posture built over the last several years has strengthened to a degree which generally deters automated threats such as worms or brute force scanners. The steady and slow advancement of security over the last twenty years has yielded an unexpected result: the offensive side has moved to sustained operations.

Some conclusions:
  • Defensive operations must move to a sustained model of operation in order to counter this growth in depth by nearly all categories of offensive operation.
  • It’s in the best interest of offensive operations to maintain a continuing bag of tools, tactics and procedures and to use each as needed over a long period of time.
  • Offensive operations are no longer reliant on a particular exploit. Unlike twenty years ago, such exploits are only a subset of the tools at the disposal of the offensive operation.
  • Nearly all defensive operations are exceptionally bad at acknowledging and sharing the offensive operation's tools, tactics and procedures with each other. I suspect this lack of acknowledgement or sharing of information is a contributing factor to the successes of offensive operations.
  • Correcting vulnerabilities as they are uncovered does negligible good for the defenders, while deterring known tools, tactics and procedures has a greater impact.

If you haven't read it, my cause and effect post from last year attempts to compare defensive and offensive operations.

Wednesday, August 24, 2011

Beginning Somewhere: Incident Response/Leadership Cycle

First off: there must be a pre-existing reason to create a defensive capability. How does one prove or gain acceptance of that reason? There's no formula for 'selling' a defensive posture, and this post will not outline how to create a sustained defensive posture. The below instead summarizes how I think about growing an operational incident response team and its capabilities within a company.

This construct applies the theory of leadership. Leadership is, in my words, the act of doing the right thing with the long view in mind. It is not the easy thing to do with the short term in mind. This dichotomy is not exact, but it focuses on the characteristics we need.

I call this construct the Incident Response/Leadership Cycle. It is straightforward. It begins with the willful intent to detect a security incident. That willful intent will stir up a multitude of actions such as response and recovery. It is necessary that leadership acknowledges and appreciates how the detection was made. This is the second phase: generating increased leadership visibility. If such appreciation is merely a pat on the back, then this step hasn't been fully realized. Such leadership must desire not solely the prevention of future incidents but also the mitigation of, and preparation for, the next instance. This leads to the final step of the cycle: increased detection capabilities. Raising this detection capability will provide the next incident to respond to, hopefully earlier in the attack than the previous incident. This detection capability implicitly improves the response capabilities of the team through new experiences and resources.

This cycle is how I've come to articulate the pragmatic growth of a team of IT or risk professionals into an operational, defensively focused team. It relies on the desire of both the professionals and leadership to have an ear to the ground and to be prepared to respond.