Further to my presentations at Snoopcon and DC4420, please find a list of the most relevant references.

I'm flattered by the interest I've received; if my ideas had coalesced sooner and I'd expected such a response, I would have done this in advance. Thank you for your patience.

I've categorised references by type, kind of; I figure that's the easiest way for people to navigate this. Constructive feedback always welcome.

Books:

"Bullshit Jobs" is by David Graeber, there's a description here https://www.penguin.co.uk/books/295446/bullshit-jobs/

"It's Football, Not Soccer" is by Stefan Szymanski and Silke-Maria Weineck. I haven't read it, I just spotted a tweet. The book is here: https://www.amazon.co.uk/Its-Football-Soccer-Vice-Versa-ebook/dp/B07C9DJFKD

The Numbers Game by Chris Anderson covers Strong Link and Weak Link games, and well, actually, I should buy this and read it, but this article covers all you need to know: http://www.asalesguy.com/soccer-and-messi-basketball-and-lebron-how-one-is-like-sales-and-the-other-isnt/

Blog posts:

Log Blog - Tim Brown's blog on incident response issues can be found here: https://blogs.cisco.com/security/the-importance-of-logs

Rapid 7 on the number of CVEs is here: https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/

Presentations:

Blinky Boxes - Fraser Scott's presentation on threat modelling has slides here: https://speakerdeck.com/zeroxten/threat-modeling-the-ultimate-devsecops I think this is part of his current repertoire, so best caught live of course; or, seeing as he's in DevOps, it'll have iterated several times already.

CTFs - The Last CTF Talk You'll Ever Need, from DEFCON 25, is here: https://www.youtube.com/watch?v=MbIDrs-mB20

CTRL+Break The OODA Loop by Abel Toro of Forcepoint, from BSides London 2018, isn't up yet on their channel https://www.youtube.com/channel/UCXXNOelGiY_N96a2nfhcaDA ; it was on Track 3, and I'm hoping that was recorded... or that Abel will be giving the presentation again.

The Cuckoo's Egg reference was inspired by Paul Midian's BSides Glasgow 2018 keynote "Everything You Know Is Wrong" - https://www.youtube.com/watch?v=KvksyvF6MN4

Hackers being needed on the Blue Team comes from Haroon Meer's Nullcon Goa 2018 keynote: https://www.youtube.com/watch?v=2F3wWWeaNaM

Ian Fish - Crisis Management - from CrestCON 2018 - is here: https://www.youtube.com/watch?v=R1UOW3xGpZE

Incident Response in Your Pyjamas - Paco Hope - Securi-Tay 2018 - is here: https://www.youtube.com/watch?v=k1J1-WyyJs4

Intruder's Dilemma - is mentioned in this talk from BSides Munich 2018: https://www.youtube.com/watch?v=PQgsEtRcfAA

Penetration Testing Must Die - Rory McCune at BSides London 2011 - is here: https://www.youtube.com/watch?v=MyifS9cQ4X0

Playbooks - Common Traps & Pitfalls in Red-teaming by Andrew Davies and Jon Medvenics from CRESTCon is here: https://www.youtube.com/watch?v=bYTrwzFUSSE

Pratchett - Circle City Con - The Network Night Watch, by @munin and @hacks4pancakes, is here: https://www.youtube.com/watch?v=kjEdaJ6KhOo

Strategy - John Kindervag's "Win the War With Zero Trust" can be found via BrightTalk here: https://www.brighttalk.com/webcast/10903/280059

Reports:

The Base of Sand Problem, the RAND report that highlights the problems in military modelling/simulations/wargaming that, for me, resonate with issues we face, can be found here: https://www.rand.org/pubs/notes/N3148.html

The Cyber Resilience Report from KPMG, that really makes the point that preparation is key, can be found here: https://assets.kpmg.com/content/dam/kpmg/ie/pdf/2017/09/ie-cyber-resilience-2.pdf

The Global Risks Report 2018 from the World Economic Forum can be obtained here: https://www.weforum.org/reports/the-global-risks-report-2018

Outpost24's report on their survey of RSA attendees can be found here: https://outpost24.com/sites/default/files/2018-05/RSA-2018-Survey-Outpost24.pdf

State of CyberSecurity Report - InfoSecurity Magazine - where they highlight that regulation can drive security - can be found here: https://www.infosecurity-magazine.com/white-papers/state-of-cyber-security-report/

Seattle Seahawks and other less cybery references:

The article "Bobby Wagner Can See into the Future" is here: https://www.si.com/mmqb/2017/06/29/nfl-bobby-wagner-seattle-seahawks

Bobby Wagner's PFF rating is from this tweet: https://twitter.com/PFF/status/1005914257563836416 (as a side note, check out this video on Luke Kuechly, who's also on that list, which is basically team-mates and rivals saying how smart he is: https://www.youtube.com/watch?v=umfgvffJ6M0 )

Fewest points allowed - this ESPN article summarises it nicely: http://www.espn.co.uk/nfl/story/_/id/17886833/how-seattle-defense-dominated-nfl-five-years-running-nfl-2016

Introduction - the quick cartoon shoulderpunch is taken from this introduction to the game: https://www.youtube.com/watch?v=3t6hM5tRlfA

Kam Chancellor - I think this video sums up what he provided in the narrow focus I use; you may recognise part of it: https://www.youtube.com/watch?v=qgh8HmKVja8 (as a side note, while I don't think it's relevant to the analogy, Kam Chancellor appears to have retired: http://www.espn.com/nfl/story/_/id/23967587/kam-chancellor-seattle-seahawks-safety-appears-announce-retirement-via-twitter - update on 3rd July: this is a good video summary of what he provided to the team: https://www.youtube.com/watch?v=8SltNCS4Jg0 )

Legion of Boom - there's a nice retrospective that's just a five minute video: https://www.youtube.com/watch?v=N73r5HemB0M

If you want an emphasis on the boom, watch this: https://www.youtube.com/watch?v=xF6OLtz280Y

My main source for Pete Carroll's philosophy, in many senses of the word, is here: https://www.fieldgulls.com/football-breakdowns/2014/2/3/5374724/super-bowl-48-seahawks-pete-carrolls-richard-sherman-marshawn-lynch ; I have a lot of reading to look forward to.

If you want to see just how many players there are on a team then you'll see the Seahawks roster here: https://www.seahawks.com/team/players-roster/

Tackling video - the Seahawks 2015 video summarising their technique is shown here: https://www.youtube.com/watch?v=6Pb_B0c19xA

Olivia Jeter, Defensive End for Bladensburg High School, is covered in these videos: https://www.youtube.com/watch?v=yAYS2VnfFi8 and https://www.youtube.com/watch?v=5xD8qjihHf8 . Yes, I do realise that those videos are from 2014, but she provides such great soundbites; I must find out what happened to her.

YouGov's survey on British interest in various sports is here: https://yougov.co.uk/news/2018/01/10/what-most-boring-sport/

Tweets:

Grugq being unimpressed by deception technologies is here: https://twitter.com/thegrugq/status/1007724361426452480

Jeremiah Grossman on the Kenna Security report, highlighting that 2% of vulnerabilities are exploited, is here: https://twitter.com/jeremiahg/status/996469856970027008 . I've got into interesting discussions on how true or untrue that figure may be; watch this space.

Vincent Yiu on recruiter messages on LinkedIn is here: https://twitter.com/vysecurity/status/1005071605419118592

Other references:

Bananas - Chiquita using pharmaceutical packaging is detailed here: http://archive.boston.com/business/globe/articles/2007/03/07/yes_we_have_one_banana/

Banks using mobile phone companies ... dammit, I had a single reference, which I think was a line or two in an article I had to use archive.org to source, but looking for "banks learning from" online there are many industries and many examples.

Bartle's Taxonomy of player types is taken from this: https://en.wikipedia.org/wiki/Bartle_taxonomy_of_player_types

BreachLevelIndex.com is, well, here: https://breachlevelindex.com/

The Caffrey Triangle is mentioned here: https://paxsims.wordpress.com/2016/08/19/connections-2016-conference-report/ ; I've had it explained to me in person, and we all need to be talking about this a lot more, in both cyber security and wargaming.

Cyber Resilience - Phil Huggins' Black Swan Security blog is here: http://blog.blackswansecurity.com/2016/02/cyber-resilience-part-one-introduction/

Cyberscape - the number of tools we have - is taken from Momentum's CYBERscape: https://momentumcyber.com/docs/CYBERscape.pdf

Dentistry using space technology is here: https://phys.org/news/2010-10-benefits-space-technology-dentists.html

Emergency response - the three element model can be seen in some detail here on the College of Policing website: https://www.app.college.police.uk/app-content/operations/command-and-control/command-structures/

Francium - my main inspiration for choosing the element Francium is here: http://www.sparknotes.com/mindhut/2013/09/06/the-worlds-most-dangerous-elements

HorseSenseUK - Equine Assisted Education - can be found here: http://horsesenseuk.com/

Incident Response, the four stages - I detailed that in this blog post: http://blog.sonofsuntzu.org.uk/post/2017/03/26/Notes-on-Incident-Response-from-the-SC-Congress

Incident Response Timelines - this is taken from the Logically Secure website, and can be found here: https://www.logicallysecure.com/blog/ir-metrics-part-1/

Intruder's Dilemma - I think the first reference to it from Richard Bejtlich is here: https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html

MWR - the TechCrunch article I refer to, where F-Secure note the need for offensive capability, is here: https://techcrunch.com/2018/06/18/f-secure-to-buy-mwr-infosecurity-for-106m-to-offer-better-threat-hunting/

Naval - Paul Raisbeck, who uses his naval experience in what is loosely described as management consultancy, can be found here: https://www.linkedin.com/in/paulraisbeck/ , and a relevant piece by him is here: https://www.linkedin.com/pulse/what-could-your-business-learn-from-royal-navy-people-paul-raisbeck/

OODA loops are basically described here, but again, please pay me to research these concepts: https://en.wikipedia.org/wiki/OODA_loop

Playbooks - Rick Howard, the CSO of Palo Alto, on the small number of opponents' playbooks: https://www.csoonline.com/article/3207692/leadership-management/exploit-attacker-playbooks-to-improve-security.html

Practice - "any incident response plan is only as strong as the practice that goes into it" is from Mike Peters, Vice President of RIMS, the industry body for Risk Management. Best to search online for that specific quote and use whichever source will look best in your board level presentation.

Star Wars - security lessons to learn, from Hazel Southwell, can be found here: https://www.linkedin.com/pulse/how-blow-up-your-death-star-genuine-data-security-from-southwell/

TRIZ on Wikipedia is here: https://en.wikipedia.org/wiki/TRIZ and the main British consultancy, as far as I can tell, is here: https://www.triz.co.uk/


Sometimes I get the gist of something and use that. If you know any of these ideas better than I do, meaning that I've missed a nuance, or not read an important reference, please do get in touch. I always appreciate constructive corrections.