Tuesday, February 28, 2012

Identifying Scope for a Breach

I've spent a considerable amount of time over the last ten years training new team members.  This is a whirlwind of activity: explaining the organization, the history, why some things are done stupidly, as well as how the team has grown to respond to security breaches.

When I first started doing this, it was an informal thing involving a white board and shoulder surfing while I did stuff.  By the time I left my last team I had much more structure around the orientation of these new team members.  But I'd like to go back six years.

I was training a new teammate.  He had no exposure to incident response or incident detection (both of which I mentally lump together and call "Defense").  I had no formal training in defense; I relied on "just in time" training, sometimes called "on the job" training.  Because of that, I was pretty lousy at explaining things.

I focused on the tools I used and how to use them.
I explained when and why I jumped from one tool to another.

Or at least I tried to.  How do you explain your mental processes, your range of experience?  Without good introspection and clarity you will have an extremely difficult time explaining "Why".  The "What" and "How", on the other hand, are easy, and that is what the discussion inevitably turned to.

Too many times, the answer to the "Why" resulted in a one-word response of "Because" with no elaboration.  It was in my head but I couldn't express it intelligently.

But I now have a partial explanation on this.  It was my assumption as a responder that my goal is to identify the scope of the incident.  A fair assumption, as that is what any book or whitepaper will tell you.

And it's both wrong and right.

The goal is absolutely to identify the scope.  Proper ID of the scope is an outcome of your investigation.  But as a seasoned incident response analyst, it's not actually the process you follow.  You are consciously asking "Is this out of scope? Is this just a symptom or the cause? What about this thing over here?"
This line of questioning, and the reasons I knew when to switch tools or analytic techniques, were not methodically identifying the scope of the breach.  The line of questioning and techniques I was using were instead answering an implied question of
What can I find that proves the scope of this breach isn't larger than what I believe it to be?
There's a bit of nuance there, but when it's practically applied it makes a large difference.  My new teammate was not instinctively asking this question in his head and I was at a loss to convey the concept.  He was biased in assuming the data he was presented with did indeed identify the scope of the breach.  And he was right; however, the data did not prove the breach was contained to what he was looking at.

Proving that the scope of a breach is a particular size doesn't actually prove anything other than its existence.  On the other hand, the ability to prove something false (that is, that the breach isn't bigger) is provable.  This is a direct application of Popper's falsifiability concept.
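The implied question above, as an added example that is not from the original post: a scope hypothesis (hosts, accounts, earliest attacker activity) is checked against constructed evidence for anything that contradicts it, and is widened only when a contradiction is found, until the evidence no longer falsifies it. Host, account and indicator names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
@dataclass
class Scope:
    hosts: set            # hosts believed compromised
    accounts: set         # accounts believed abused
    earliest: datetime    # believed time of first attacker activity
@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    account: str
    indicator: str
# Constructed sample evidence; hosts, accounts and indicator names are hypothetical.
EVIDENCE = [
    Event(datetime(2012, 2, 20, 9, 5), "ws-101", "jdoe", "malware-beacon"),
    Event(datetime(2012, 2, 20, 9, 7), "ws-101", "jdoe", "cred-dump"),
    Event(datetime(2012, 2, 19, 23, 40), "ws-101", "jdoe", "malware-beacon"),
    Event(datetime(2012, 2, 20, 11, 0), "fs-01", "svc-backup", "lateral-logon"),
]
INITIAL = Scope({"ws-101"}, {"jdoe"}, datetime(2012, 2, 20, 9, 0))

def falsify(scope, events):
    """Return (event, reasons) for every event that contradicts the scope."""
    out = []
    for e in events:
        reasons = []
        if e.host not in scope.hosts:
            reasons.append("host outside scope")
        if e.account not in scope.accounts:
            reasons.append("account outside scope")
        if e.ts < scope.earliest:
            reasons.append("activity before assumed start")
        if reasons:
            out.append((e, reasons))
    return out

def widen(scope, contradictions):
    """Fold contradicting evidence into a new, larger scope hypothesis."""
    hosts, accounts, earliest = set(scope.hosts), set(scope.accounts), scope.earliest
    for e, _ in contradictions:
        hosts.add(e.host); accounts.add(e.account); earliest = min(earliest, e.ts)
    return Scope(hosts, accounts, earliest)

def settle(scope, events, max_rounds=10):
    """Widen until the evidence no longer contradicts the scope; return (scope, rounds)."""
    for rounds in range(max_rounds):
        found = falsify(scope, events)
        if not found:
            return scope, rounds
        scope = widen(scope, found)
    raise RuntimeError("scope did not stabilise")
```

The first pass against INITIAL flags the beacon from the previous night and the logon to fs-01 under a different account; only after those are folded in does the evidence stop contradicting the hypothesis.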

Tuesday, January 3, 2012

2011 Reading List

Last New Year's I set a goal to read 30 books in 2011.  I nearly got there, with a total of 22 under my belt.  That compares with 2010's total of 17 books, a 22% increase.

I moved over to goodreads to keep track of my books a bit better.

"The Medium is the Massage" by McLuhan was my top book of the year, with "The Exploit" by Galloway as my least favorite.  (Anything with 3 stars or above I would generally recommend).  Philosophy was the most tagged category, with infosec and military right behind it.

Interestingly, reading 30 books introduced some logistics problems.  Assuming each book's average cost was $15, I would have $450 sitting on my bookshelf.  Instead, I did a mixture of using Project Gutenberg and borrowing through the public library to balance things out.  Going through that, I repeatedly failed to have the 'next book' ready, and several days or weeks would pass before it would ship or I could get it from the library.  Finally, reading interfered with other activities (computer tinkering, listening to podcasts, etc.) more than I anticipated.

Here's my final 2011 reading list:

Five Star:
"The Medium is the Massage" by Marshall McLuhan

Four Star:
"Strategy" by B. H. Liddell Hart
"The Book of Five Rings" by Musashi
"Gang Leader for a Day" by Sudhir Venkatesh
"Kingpin" by Kevin Poulsen
"America the Vulnerable" by Joel Brenner
"Dragon Bytes" by Timothy Thomas

Three Star:
"Analects" by Confucius
"The Firm, The Market, the Law" by Ronald Coase
"Soccer War" by Ryszard Kapuscinski
"Managing Humans" by Michael Lopp
"What Technology Wants" by Kevin Kelly
"On China" by Henry Kissinger
"Tiger Trap" by David Wise
"Tempo" by Venkatesh Guru Rao
"Worm" by Mark Bowden

Two Star:
"Starfish and the Spider" by Rod Beckstrom
"Finite and Infinite Games" by James Carse
"Outliers" by Malcolm Gladwell
"Cyber War" by Richard Clarke
"Cyberdeterrence and Cyberwar" by Martin Libicki

One Star:
"The Exploit" by Alexander Galloway

I'm not making a goal for 2012 but I do enjoy reading.  Already on my bookshelf for 2012:
"The Logic of Scientific Discovery" by Karl Popper
"An Introduction to Information Theory" by John Robinson Pierce
"Thinking, Fast and Slow" by Daniel Kahneman
"Military Orientalism" by Patrick Porter
"The Regulatory Craft" by Malcolm Sparrow
"Steve Jobs" by Walter Isaacson
"The Republic" by Plato
"The Brewmaster's Table" by Garrett Oliver

Two new releases I'm looking forward to in 2012:
"Inside CyberWarfare" (2nd Edition) by Jeffrey Carr (Just released a few days ago)
"Liars and Outliers" by Bruce Schneier (To be released in February)

I'm always looking for good books, feel free to leave recommendations in the comments!