Overview

A summary of my presentation "Lessons From The Legion". I'm hoping to give the presentation more often, in order to generate more interesting and useful conversations, so this will undoubtedly evolve, your feedback is welcome.

Alternatively, if you've requested a copy of my slides... I've directed you to this summary instead. For various reasons I'm conscious of how complex copyright law is, and I think I'm just on the right side of it, but I'm not aiming to test that more than necessary. Also the aim is always that the slides help you understand what I'm saying, and help me to remember what to say next, if they're standalone then I've not presenting my ideas effectively.

A very high level summary would be this tweet, if you want to point someone at a very short summary:

"people trying to excel at self-taught technical skills are sub-optimal at strategic decisions required for a nebulous conflict, their emphasis should be on team work, and on the strategies of, and constraints on, their adversaries; they should seek inspiration elsewhere"

As a less brief summary, but trying to keep things snappy, my reasoning is as below. A slide by slide summary is too dense, and makes me realise how many ideas I've pushed into the audience's heads in less than an hour, so I've tried to be more logical below.

Logical Progression of the talk

Introduction

I have a question - In Cyber Security - if we're all so smart, which we are, and we all work so hard, which we do, why is everything so awful?

Most presentations will start with an explanation of who the speaker is, their history, and why you should listen to them, and then give you an answer to the technical question they posed. This presentation is more of an "investigation wall", where the investigator links diverse ideas and newspaper clippings and surveillance photos and post-it notes with string to try and reveal an idea.

Also those technical presentations tend to be tactical, and I think the problem is that we have unintentionally decided on a vague strategy based on tactical choices, rather than an informed strategic choice has decided which tactics we should use.

John Kindervag's presentation "Winning the Cyberwar With Zero Trust" is a good example of thinking at a strategic level and making informed tactical choices accordingly, I specifically mention it here because I borrow some of his slides.

The main three areas I'm familiar with, as a cyber security practitioner, are:

  • System Administrators / Developers
  • Penetration Testing
  • Incident Response

The strategy in all three areas is based on being the most technically skilful practitioner you can - sysadmins patch as quickly and as thoroughly as they can through knowledge of their operating systems, developers code as securely as they can through knowledge of their languages; penetration testing aptitude and success is based entirely on how technically adept the pentester is and how well they apply the "flaw hypothesis methodology"; and incident responses work on their forensics skills to learn how to spot different attacks, and prepare playbooks to run through once an attack has been detected.

Arguably the way this strategy has come about is because of how we train and practice for each area - all of which is based on self-motivated learning, and a passion for the job that is often described as "eat, sleep, breathe security". Therefore the emphasis is on individual skill and knowledge rather than on wider context.

Where has this choice got us? I cite various references that illustrate the poor state of cybersecurity, and the danger that poor cybersecurity poses to organisations in general and civilisation as a whole.

This method of practising reminds me of golf. Excelling at golf is based on individual skill, which is reflected in how a player performs in the game - because success in the game is based almost solely on individual performances. Even in a team game of golf, with a team and against an opposing team, there is very little your team-mates or opponents can do to directly affect your standard of play. And the actual course will be static also, apart from the vagaries of weather.

There is nothing wrong in practising like golf if you're going to play golf, however the practice of cyber security is nothing like the game of golf, I think we need to look at a different game.

Using this kind of analogy, and cross-pollentating ideas, between areas is generally derided, but if you look hard enough there are examples where this works. In particular the idea of TRIZ, of abstracting problems and solutions in order to determine what kind of solution is required in a rapid way.

So, if we're practising for golf, but not playing golf, what game are playing?

I argue that our industry feels a lot more like American Football. It is a ridiculously complex and violent sport, with many specialisms, and very much a team game where your success or failure is very dependent on the quality of your team and your ability to work with them, and how you act against and react to your opponent.

Therefore we should look to learn lessons from a successful American Football team. American Football is the only sport where each team has essentially two squads on it - an Offense for when your team has possession of the ball, and a Defense for when your team does not.

I think that as defenders in cyber security, even red teamers are looking to improve the performce of the blue team and the survivability of defenders, we should look to the best Defense. I classify Defense in American Football, and cyber security, as a "weak link game", where the overall ability of the team is decided by the ability of the worse players on your squad, not the best.

Possibly influenced by personal biases, but backed up by many sports facts I'll quote in the novella length version of this description, I have chosen the Legion of Boom, the Seattle Seahawks defense from 2011 to 2017, as an example to follow.

Looking at the central tenets of the team, and the defensive philosophy of the Seattle Seahawks head coach, Pete Carroll ( who has approximately 40 years of experience and an exemplary record ), I pick some of the main lessons from the Seahawks successful Defense:

First lesson - eliminate the big play.

There is not time to explain the Seahawks' use of "Cover-3 with a single high Free Safety", and their general approach of keeping the ball in front of the defenders to ensure the Defense always has another chance to prevent their opponents scoring, so I look at personnel choices.

Most NFL defenses, when choosing personnel, have emphasised their Defensive Line, the first line of defense against an opponent. Carroll has always specifically looked to the Defensive Backs, the last line of defense, most notably the Free Safety position, which is what he played in college.

This is reflected in the NIST Cyber Security Framework, and the five Core Functions. I am old enough to remember when Identify and Protect were the only aspects seen as useful, but slowly we are learning that Detect, Respond, and Recover are at least as important in surviving an attack, rather than believing in the "Defender's Dilemma", that if an attacker breaches us we have immediately lost.

I would argue ( and if I remember during the presentation I'll actually say it ) that the emphasis should be on Detect, Respond, Recover - the last line of defense, not the first.

Second lesson - train how you fight

Because American Football is such a complex game it is necessary to practice complex play calls and formations in advance, and to ensure that each individual knows their responsibility, and everybody else's responsibility, on each play so that they can function as a team.

Because the teams are so large there are enough players for the second and third string players in each squad to form "scout teams". These teams imitate the playing style and formations of upcoming opponents so that both they, and the first string players, understand what is coming up in next week's game, and also are less surprised by any of their opponents individual styles in the game.

This links into the concept from wargaming of the Caffrey Triangle, showing how a red team - in a red team exercise specifically designed to assist the blue team - should act depending on the objectives of the engagement. I argue that penetration testers work almost solely at the top of the triangle, being the most effective attackers they can, when they should operate in the right hand corner, emulating the TTPs of genuine adversaries in order to prepare the blue team for their real world opponents.

Also I stress here that any kind of practice is required, as the discipline of Incident Response is notorious for organisations referring to their plans for the first time, or even writing them the first time, during an actual incident. Constant practice is crucial, especially when we are moving from being in Cyber Security to proposing Cyber Resilience.

Third lesson - know your enemy

I briefly introduce John Boyd's concept of the OODA loop - Observe Orient Decide Act - as a way of understanding how you process information in a conflict, and how "getting inside your opponents OODA loop" by progressing through the steps faster than them, leads to victory.

This takes me to showing plays by Bobby Wagner, a Linebacker with the Seattle Seahawks, and arguably the best player at this position, and who has stated that the game is "90% mental" because as you can only get as fast or as strong as everyone else. I show a play whereby, even though on defense, even though on the side of the ball that's meant to react to the play, Wagner knows what the offensive is going to do and so is able to take advantage of that to disrupt his opponent.

As a side note - this emphasis on researching your opponent, and therefore being so much more confident during a game, has many more references from the entire Legion of Boom, especially their three most well known Defensive Backs. I have some references, and some video clips... when I say there's a three hour version of this presentation waiting to be written I'm not joking.

I link this to the RAND paper from 1991, the Base of Sand Problem, mainly because of the excellent footnote that explains that the effective of forces - their training, logistics, and positions - is much more crucial to deciding who is the victor in a particular conflict, than the sheer size of any force.

Also I use references that your opponent has a limited number of playbooks, and therefore learning them is an achievable aim, rather than attempting to defend all assets against all attacks from all possible adversaries.

Fourth lesson - out hit your opponent

The second of Pete Carroll's tenets, it is a physical game, it is a collision sport, and there are psychological and as well as other gains to be made by simply hitting your opponent as hard as you can.

Also this tallies with the first aim, to eliminate the big play, as it physically puts the defenders in an excellent position to tackle or otherwise collide with their opponents - but I don't often have time to go into this level of detail on the game.

For this I use clips from Richard Sherman, Earl Thomas, but mainly Kam "Bam Bam" Chancellor executing the "Shoulder Punch", a Seahawks tackling technique which is as it sounds.

The aim here is to inflict pain on your opponent, and to reduce the speed of their OODA loop. I've learnt here to specifically state that I'm not advocating any kind of "strikeback" methodology, but in showing that on the blue team we've forgotten that we're facing an opponent.

I link this to the standard Incident Response methodology, which is based on Gold, Silver, and Bronze Commanders, and is designed for what I'd describe as "non-sentient opponents". Maybe we need to add a "Francium Commander", based on the most dangerous of elements, where an incident would be handed over to someone who would specifically attempt to deceive and disrupt the enemy. This could be achieved through deception, in making your opponent so unsure of their context that they are reduced to ITIL type processes to ensure they aren't detected. Also I emphasise that this is a team game, and that sharing adversary TTPs with other defenders assists everyone and builds the size of your time.

Summary

Usually at this point I stress that I'm not sure of my ideas, but that F-Secure's purchase of MWR shows that someone else agrees, at least in general, with some of what I'm proposing.

Also that what I'm advocating, which is only half-thought through at best, is a change in strategy and/or doctrine and/or ideology. These are the most difficult changes to make, and the least liked, organisations prefer simple solutions that state they'll eradicate the problem, regardless of their actual effectiveness. However as many have said, for example Anton Chuvakin of Gartner, the industry does not have enough staff, and already has more than enough products, yet we are still facing more of the same problems.

At this point I summarise all of the above, and kind of finish indecisively to encourage questions rather than proposing I have definitive answers.

END

The latest set of references should be elsewhere on this blog, please scroll down, or up, the find the version related to whichever "performance" you watched.

Combining the logic above with those references is something I should do, but at the moment I'm happy to do that "live" during the performances of this talk. Questions on supporting evidence are welcome by email or in the comments, and overall if you've any questions please do get in touch.