Thursday, September 1, 2011

Establishing Defensive C2

Sustained defensive operations should expect an incident at any time. This has tought me that well crafted, exercised, and useful C2 is required. This is particularly important for operations which have small teams, geographically separated personnel or lack a 24x7 operations center.

The below techiques may seem banal but it's striking at the seemingly lack of recognition by the community on how vitally useful they are. Offensive operations are deliberate in both their actions and their C2. Defensive operations require those same characteristics. I loosely define communications plans as a formalized C2 structure at both an organizational and technical level.

A successful communications plan allows for adaptability, high tempo operations, preparedness, and leadership understanding. These aren't buzzwords, they are achievable and necessary. It is a foundation for medium to large scale incident response operations.

Individual preparedness
All personnel mobile phones should include contacts which are needed during incidents. This includes team members, leadership, external parties, or preplanned meeting locations (see below). Such a list should reside on each team member’s mobile phone. As a contingency, keeping a subset of the most critical contacts on wallet-sized cards and carrying them on your person can provide coverage when cell phones are unavailable.

Keeping these lists up to date can be a nuisance; testing them through scheduled call trees can make sure they remain up to date and useful.

Secure comms
Think in terms of both standard as well as worst case options. If you can no longer trust your hosts or networks how can you properly share and collaborate with team members? How can the defensive team access workstations, servers, or security controls? How can you inform leadership? When and how can you engage law enforcement? Have preparations on how to securely share documents or files with in-team, in-company, or external parties. As maturity develops, different categories of communications may be used. For instance, open email may be satisfactory in some incidents while encrypted attachments are needed in other cases. Out of band communications may also be desired in certain circumstances. Quickly deploying an airgapped network for defensive operations may be needed. Having these defined ahead of time will prevent “just-in-time solution building”. Finally, staff will gravitate towards communications medium they typically use; treat this familiarity as a strength when building a communications plan.

Defensive operations rely on access to equipment. This includes workstations, phones, servers, and other security systems. These control channels - including hands on a keyboard in a data center, coordinating collection of evidence, remote access, application access, and log retrieval - and their contingencies should be considered in the communications plan.

Preplanned Meeting Locations
You know those meeting spots where everyone is trained to walk to in case of a fire drill? Having such preplanned locations (either physical or virtual) can be essential in unknown or complex situations. Many organizations telephone systems can create predefined conference bridges. These conference bridges can act as a central preplanned meeting place for geographically dispersed teams. These bridges can act as a staging and coordination center and can be invaluable. If you do use such systems, be mindful that they may be VoIP and not necessarily out of band.

Various communication media can be used in different ways. Technical staff can achieve a higher performance tempo through utilization of secure and instant communications through services such as jabber, skype or SILC. Such virtual conference rooms can act as a copy/paste medium to spread critical log file entries or other plaintext to team members in real time. If timestamps are enabled its backlog can also serve as a useful historical timeline of response activities. This medium is excellent as it is both realtime and can be used in conjunction of other media such as physical or telephone meetings.

Recognize that heavy incident response operations will utilize a variety of communications at once. These channels can often clash and cause delays or confusion. The response staff should reserve their own communications channel for coordinating activities - determining the vector, scope, and seriousness of the situation. Other channels should be pursued to communicate findings, reports, and recommendations to higher leadership, business partners, law enforcement, etc.

Some conclusions:

  • Comm channels are key and often underappreciated during response activities.

  • Comms plans are essentially C2 activities. These C2 channels need clear paths from top leadership to defenders to defender equipment- if a defender can't initiate analysis or containment then it's going to be a bad day.

  • Comms plans should address realistic contingincies surrounding confidentiality, integrity, and availability.

  • This isn't an exercise of paper but of preparedness.

No comments:

Post a Comment