Further to my presentation at DC151 please find a list of the most relevant references. It's almost all the same as those from earlier meetings, but I did want to highlight what a pleasure it was to present there, thanks to everyone who came, and to those who took part in the discussion afterwards - I've still got a couple of pages of notebook notes to work through.

As before, I've categorised references by type, kind of, I figure that's the easiest way for people to navigate this. Constructive feedback always welcome - I'm sure there's a better way to list these, but I'm not sure how.


"Bullshit Jobs" is by David Graeber, there's a description here https://www.penguin.co.uk/books/295446/bullshit-jobs/

The Numbers Game by Chris Anderson covers Strong Link and Weak Link games, and well, actually, I should buy this and read it, but this article covers all you need to know: http://www.asalesguy.com/soccer-and-messi-basketball-and-lebron-how-one-is-like-sales-and-the-other-isnt/

Blog posts:

Peak security product - Anton Chuvakin's point on not having enough people is here https://blogs.gartner.com/anton-chuvakin/2018/06/21/is-security-just-too-damn-hard-is-productservice-the-future/

Rapid 7 on the number of CVEs is here: https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/


Blinky Boxes - Frasier Scott's presentation on threat modelling has slides here: https://speakerdeck.com/zeroxten/threat-modeling-the-ultimate-devsecops I think this is part of his current repetroire, so best caught live of course; or seeing as he's in DevOps, it'll have iterated several times already.

CTFs - The Last CTF Talk You'll Ever Need from DEFCON 25, is here: https://www.youtube.com/watch?v=MbIDrs-mB20

CTRL+Break The OODA Loop by Abel Toro of Forcepoint from BSides London 2018 isn't up yet on their channel https://www.youtube.com/channel/UCXXNOelGiY_N96a2nfhcaDA ; it was on Track 3, I'm hoping that was recorded... or that Abel will be giving the presentation again.

The Cuckoo's Egg reference was inspired by Paul Midian's BSides Glasgow 2018 keynote "Everything You Know Is Wrong" - https://www.youtube.com/watch?v=KvksyvF6MN4

Hacker's being needed on the Blue Team comes from Harron Meer's Nullcon Goa 2018 keynote: https://www.youtube.com/watch?v=2F3wWWeaNaM

Ian Fish - Crisis Management - from CrestCON 2018 - is here: https://www.youtube.com/watch?v=R1UOW3xGpZE

Intruder's Dilemma - is mentioned in this from BSides Munch 2018: https://www.youtube.com/watch?v=PQgsEtRcfAA

Penetration Testing Must Die - Rory McCune at BSides London 2011 - is here: https://www.youtube.com/watch?v=MyifS9cQ4X0

Playbooks - Common Traps & Pitfalls in Red-teaming by Andrew Davies and Jon Medvenics from CRESTCon is here: https://www.youtube.com/watch?v=bYTrwzFUSSE

Strategy - John Kindervag's "Win the War With Zero Trust" can be found via BrightTalk here: https://www.brighttalk.com/webcast/10903/280059


The Base of Sand Problem, the RAND report that highlights the problems in military modelling/simulations/wargaming that, for me, resonate with issues we face, can be found here: https://www.rand.org/pubs/notes/N3148.html

The Cyber Resilience Report from KPMG, that really makes the point that preparation is key, can be found here: https://assets.kpmg.com/content/dam/kpmg/ie/pdf/2017/09/ie-cyber-resilience-2.pdf

The Global Risks Report 2018 from the World Economic Forum can be obtained here: https://www.weforum.org/reports/the-global-risks-report-2018

Outpost24's report on their survey of RSA attendees can be found here: https://outpost24.com/sites/default/files/2018-05/RSA-2018-Survey-Outpost24.pdf

State of CyberSecurity Report - InfoSecurity Magazine - where they highlight regulation can drive security - can be found here: https://www.infosecurity-magazine.com/white-papers/state-of-cyber-security-report/

Seattle Seahawks and other less cybery references:

The article "Bobby Wagner Can See into the Future" is here: https://www.si.com/mmqb/2017/06/29/nfl-bobby-wagner-seattle-seahawks

Bobby Wagner's PFF rating is from this tweet: https://twitter.com/PFF/status/1005914257563836416 ( as a side note, check out this video on Luke Kuechly, who's also on that list, that's basically team-mates and rivals saying how smart he is https://www.youtube.com/watch?v=umfgvffJ6M0 )

Fewest points allowed - this ESPN article summarises it nicely http://www.espn.co.uk/nfl/story/_/id/17886833/how-seattle-defense-dominated-nfl-five-years-running-nfl-2016

Introduction - the quick cartoon shoulderpunch is taken from this introduction to the game: https://www.youtube.com/watch?v=3t6hM5tRlfA

Kam Chancellor - I think this video sums up what he provided in the narrow focus I use, you may recognise part of it: https://www.youtube.com/watch?v=qgh8HmKVja8 ( as a side note, while I don't think it's relevant to the analogy, Kam Chancellor appears to have retired http://www.espn.com/nfl/story/_/id/23967587/kam-chancellor-seattle-seahawks-safety-appears-announce-retirement-via-twitter - this is a good video summary of what he provided to the team https://www.youtube.com/watch?v=8SltNCS4Jg0 )

Legion of Boom - there's a nice retrospective that's just a five minute video: https://www.youtube.com/watch?v=N73r5HemB0M

If you want an emphasis on the boom, watch this: https://www.youtube.com/watch?v=xF6OLtz280Y

My main source for Pete Carroll's philosophy, in many senses of the word, is here: https://www.fieldgulls.com/football-breakdowns/2014/2/3/5374724/super-bowl-48-seahawks-pete-carrolls-richard-sherman-marshawn-lynch ; I have a lot of reading to look forward to.

If you want to see just how many players there are on a team then you'll see the Seahawks roster here: https://www.seahawks.com/team/players-roster/

Tackling video - the Seahawks 2015 video summarising their technique is shown here: https://www.youtube.com/watch?v=6Pb_B0c19xA

Olivia Jeter, Defensive End for Blandensburg High School, is covered in these videos: https://www.youtube.com/watch?v=yAYS2VnfFi8 and https://www.youtube.com/watch?v=5xD8qjihHf8 Yes, I do realise that those videos are from 2014, but she provides such great soundbites, I must find out what happened to her.

YouGov's survey on British interest in various sports is here: https://yougov.co.uk/news/2018/01/10/what-most-boring-sport/


Jeremiah Grossman on the Kenna Security report, highlighting 2% of vulnerabilities are exploited, is here: https://twitter.com/jeremiahg/status/996469856970027008 I've got into interesting discussions on how true or untrue that figure may be, watch this space.


Bananas - Chiquita using pharmaceutical packaging is detailed here: http://archive.boston.com/business/globe/articles/2007/03/07/yes_we_have_one_banana/

Banks using mobile phone companies ... I had a single reference for this and lost it, so as per my real world presentation, I think I said something generic like "there's many examples of banks talking to many different industries", do get in touch if you find any particularly good ones.

Bartle's Taxonomy of player types is taken from this: https://en.wikipedia.org/wiki/Bartle_taxonomy_of_player_types

BreachLevelIndex.com is, well, here: https://breachlevelindex.com/

The Caffrey Triangle is mentioned here https://paxsims.wordpress.com/2016/08/19/connections-2016-conference-report/ , I've had it explained to me in person, we all need to be talking about this a lot more, in both cyber security and wargaming.

Cyber Resilience - Phil Huggins' Black Swan Security blog is here: http://blog.blackswansecurity.com/2016/02/cyber-resilience-part-one-introduction/

Cyberscape - the amount of tools we have, is taken from Momentum's cyberscape: https://momentumcyber.com/docs/CYBERscape.pdf

Dentistry using space technology is here: https://phys.org/news/2010-10-benefits-space-technology-dentists.html

Emergency response - the three element model can be seen is some detail here on the College of Policing website: https://www.app.college.police.uk/app-content/operations/command-and-control/command-structures/

Francium - my main inspiration for choosing the element Francium is here: http://www.sparknotes.com/mindhut/2013/09/06/the-worlds-most-dangerous-elements

HorseSenseUK - Equine Assisted Education - can be found here: http://horsesenseuk.com/

Incident Response, the four stages - I detailed that in this blog post: http://blog.sonofsuntzu.org.uk/post/2017/03/26/Notes-on-Incident-Response-from-the-SC-Congress

Incident Response Timelines - this is taken from the Logically Secure website, and can be found here: https://www.logicallysecure.com/blog/ir-metrics-part-1/

Intruder's Dilemma - I think the first reference to it from Richard Bejtlich is here: https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html

MWR - the TechCrunch article I refer to, where F-Secure note the need for offensive capability, is here: https://techcrunch.com/2018/06/18/f-secure-to-buy-mwr-infosecurity-for-106m-to-offer-better-threat-hunting/

Naval - Paul Raisbeck, who uses his naval experience in what is loosely described as management consultancy, can be found here: https://www.linkedin.com/in/paulraisbeck/ , and a relevant piece by him here: https://www.linkedin.com/pulse/what-could-your-business-learn-from-royal-navy-people-paul-raisbeck/

OODA loops are basically described here, but again, please pay me to research these concepts: https://en.wikipedia.org/wiki/OODA_loop

Playbooks, Rick Howard, the CSO of Palo Alto, on the small number of opponent's playbooks: https://www.csoonline.com/article/3207692/leadership-management/exploit-attacker-playbooks-to-improve-security.html

Practice - "any incident response plan is only as strong as the practice that goes into it" is from Mike Peters, Vice President of RIMS, the industry body for Risk Management. Best to search online for that specific quote and use whichever source will look best in your board level presentation.

TRIZ on Wikipedia is here: https://en.wikipedia.org/wiki/TRIZ and the main British consultancy, as far as I can tell, is here: https://www.triz.co.uk/


Sometimes I get the gist of something and use that. If you know any of these ideas better than I do, meaning that I've missed a nuance, or not read an important reference, please do get in touch. I always appreciate constructive corrections.