A summary of my presentation "Lessons From The Legion", from Thursday October 18th 2018. I've been offered a couple more opportunities to present this, from which I'm hoping to generate more interesting and useful conversations, so this will undoubtedly evolve; your feedback is welcome.

If you want to point someone at a very short summary, this tweet covers it:

"people trying to excel at self-taught technical skills are sub-optimal at strategic decisions required for a nebulous conflict, their emphasis should be on team work, and on the strategies of, and constraints on, their adversaries; they should seek inspiration elsewhere"

As a less brief summary, but still trying to keep things snappy, my reasoning is set out below. A slide by slide summary is too dense, and makes me realise how many ideas I've pushed into the audience's heads in half an hour.

Logical Progression of the talk


I have a question: in cyber security, if we're all so smart, which we are, and we all work so hard, which we do, why is everything so awful?

To try and figure this out, my presentation is an "investigation wall", a set of interconnected ideas and theories through which I try to work out the solution to this mystery.

I start with John Kindervag's presentation "Winning the Cyberwar With Zero Trust", which explains the difference between a strategy ("The Big Idea") and the tactical and operational level solutions you use to achieve that big idea. John Kindervag's "Win the War With Zero Trust" can be found via BrightTalk here: https://www.brighttalk.com/webcast/10903/280059

So what "big idea" has emerged from the tactics we've chosen?

The main three areas I'm familiar with, as a cyber security practitioner, are:

  • System Administrators / Developers
  • Penetration Testing
  • Incident Response

The strategy in all three areas is based on being the most technically skilful practitioner you can be: sysadmins patch as quickly and as thoroughly as they can through knowledge of their operating systems, and developers code as securely as they can through knowledge of their languages; penetration testing aptitude and success is based entirely on how technically adept the pentester is and how well they apply the "flaw hypothesis methodology"; and incident responders work on their forensics skills to learn how to spot different attacks, and prepare playbooks to run through once an attack has been detected.

Arguably this strategy has come about because of how we train and practise for each area, all of which is based on self-motivated learning and a passion for the job that is often described as "eat, sleep, breathe security". The emphasis is therefore on individual skill and knowledge rather than on the wider context.

Where has this choice got us? I cite various references that illustrate the poor state of cybersecurity, and the danger that poor cybersecurity poses to organisations in general and civilisation as a whole.

BreachLevelIndex.com is, well, here: https://breachlevelindex.com/

Rapid 7 on the number of CVEs is here: https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/

The Global Risks Report 2018 from the World Economic Forum can be obtained here: https://www.weforum.org/reports/the-global-risks-report-2018

This method of practising reminds me of golf. Excelling at golf is based on individual skill, which is reflected in how a player performs in the game, because success in the game is based almost solely on individual performances. Even in a team game of golf, playing with a team and against an opposing team, there is very little your team-mates or opponents can do to directly affect your standard of play. The course itself is static too, apart from the vagaries of weather.

There is nothing wrong with practising like golf if you're going to play golf. However, the practice of cyber security is nothing like the game of golf, so I think we need to look at a different game.

Using this kind of analogy, and cross-pollinating ideas between areas, is generally derided, but if you look hard enough there are examples where it works. In this version of the presentation I just used the idea of TRIZ: abstracting problems and solutions in order to determine rapidly what kind of solution is required.

TRIZ on Wikipedia is here: https://en.wikipedia.org/wiki/TRIZ and the main British consultancy, as far as I can tell, is here: https://www.triz.co.uk/

So, if we're practising for golf, but not playing golf, what game are we playing?

I argue that our industry feels a lot more like American Football. It is a ridiculously complex and violent sport, with many specialisms, and very much a team game where your success or failure depends heavily on the quality of your team, your ability to work with them, and how you act against and react to your opponent. In addition it's the sport that is closest to actual conflict, and I think cyber security has a lot to learn from wargaming (the simulation of war) and from War Studies in general.

(As a side note, a French General, on watching the game around 1916, said something along the lines of "that isn't a sport, that is war". If you know a good source for that quote, do get in touch.)

Therefore we should look to learn lessons from a successful American Football team. American Football is the only sport where each team essentially has two squads: an Offense for when your team has possession of the ball, and a Defense for when your team does not.

I think that as defenders in cyber security (even red teamers are looking to improve the performance of the blue team and the survivability of defenders) we should look to the best Defense. Possibly influenced by personal biases, but backed up by many sports facts I'll quote in the novella length version of this description, I have chosen the Legion of Boom, the Seattle Seahawks defense from 2011 to 2017, as an example to follow.

Looking at the central tenets of the team, and the defensive philosophy of the Seattle Seahawks head coach, Pete Carroll (who has approximately 40 years of experience and an exemplary record), I pick out some of the main lessons from the Seahawks' successful Defense:

First lesson - train how you fight

Because American Football is such a complex game it is necessary to practise complex play calls and formations in advance, and to ensure that each individual knows their own responsibility, and everybody else's, on each play so that they can function as a team.

Because the teams are so large there are enough players for the second and third string players in each squad to form "scout teams". These teams imitate the playing style and formations of upcoming opponents so that both they and the first string players understand what is coming up in next week's game, and are less surprised by any of their opponents' individual styles during the game.

This links into the concept from wargaming of the Caffrey Triangle, which shows how a red team, in a red team exercise specifically designed to assist the blue team, should act depending on the objectives of the engagement. The Caffrey Triangle is mentioned here: https://paxsims.wordpress.com/2016/08/19/connections-2016-conference-report/ . I've had it explained to me in person, and we all need to be talking about this a lot more, in both cyber security and wargaming. I argue that in military simulations or exercises the red team or red force is often in the bottom left hand corner of that triangle, just there to give the blue team something to shoot at. Penetration testers work almost solely at the top of the triangle, being the most effective attackers they can be regardless of genuine threats or limitations. I think that in cyber security the red force, whatever it is, should commonly operate in the right hand corner, emulating the TTPs of genuine adversaries in order to prepare the blue team for their real world opponents.

Rory McCune is a good person to watch on the limitations of pentesting. The presentation of his that I refer to, "Penetration Testing Must Die" from BSides London 2011, is here: https://www.youtube.com/watch?v=MyifS9cQ4X0

As an example of the difference between trying to fix everything and trying to fix only what our adversaries will exploit, I cite Jeremiah Grossman on the Kenna Security report, which highlights that 2% of vulnerabilities are exploited: https://twitter.com/jeremiahg/status/996469856970027008 I've got into interesting discussions on how true or untrue that figure may be, so watch this space.
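To make the "fix everything" versus "fix what adversaries exploit" distinction concrete, here is an added worked example (mine, not from the presentation or the Kenna report). It triages a constructed vulnerability backlog two ways, by CVSS alone and by known exploitation first, and measures what share of the exploited findings each ordering remediates within a fixed patching budget. The identifiers are placeholders rather than real CVEs, the scores and host counts are made up, and the `exploited` flag is assumed to come from a threat intelligence feed; the example also goes slightly beyond the text by breaking ties on how many hosts carry the finding.

```python
"""Remediation triage: CVSS-only ordering versus exploitation-first ordering.

Added example, not from the original post. All records below are constructed;
the VULN-xxxx identifiers are placeholders, not real CVE numbers.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Vuln:
    vuln_id: str       # placeholder identifier
    cvss: float        # CVSS base score, 0.0 to 10.0
    exploited: bool    # exploited in the wild (assumed threat-intel feed flag)
    asset_count: int   # number of hosts carrying the finding


# Constructed backlog. Most findings are high-CVSS but never exploited, which is
# the shape the "2% exploited" figure cited above implies for a real estate.
BACKLOG = [
    Vuln("VULN-0001", 9.8, False, 40),
    Vuln("VULN-0002", 9.1, False, 12),
    Vuln("VULN-0003", 8.8, False, 300),
    Vuln("VULN-0004", 7.5, True, 25),
    Vuln("VULN-0005", 7.2, False, 8),
    Vuln("VULN-0006", 6.5, True, 120),
    Vuln("VULN-0007", 5.3, False, 60),
    Vuln("VULN-0008", 4.3, True, 15),
    Vuln("VULN-0009", 9.0, False, 4),
    Vuln("VULN-0010", 8.1, False, 20),
]


def order_by_cvss(backlog: Iterable[Vuln]) -> list[Vuln]:
    """'Fix everything' ordering: highest CVSS first, exploitation ignored."""
    return sorted(backlog, key=lambda v: (-v.cvss, v.vuln_id))


def order_exploitation_first(backlog: Iterable[Vuln]) -> list[Vuln]:
    """'Fix what adversaries use' ordering: known-exploited first, then by
    exposure (hosts affected), then CVSS as the final tie-breaker."""
    return sorted(
        backlog,
        key=lambda v: (not v.exploited, -v.asset_count, -v.cvss, v.vuln_id),
    )


def exploited_coverage(ordered: list[Vuln], budget: int) -> float:
    """Share of known-exploited findings fixed within the first `budget` items."""
    total = sum(1 for v in ordered if v.exploited)
    if total == 0:
        return 1.0  # nothing exploited, so any ordering covers it all
    fixed = sum(1 for v in ordered[:budget] if v.exploited)
    return fixed / total


def compare(backlog: Iterable[Vuln], budget: int) -> dict[str, float]:
    """Coverage of exploited findings under both orderings for one budget."""
    items = list(backlog)
    return {
        "cvss_only": exploited_coverage(order_by_cvss(items), budget),
        "exploitation_first": exploited_coverage(order_exploitation_first(items), budget),
        "exploited_share": sum(v.exploited for v in items) / len(items),
    }


if __name__ == "__main__":
    # With three fixes, CVSS-only ordering remediates none of the exploited
    # findings; exploitation-first remediates all of them.
    for budget in (3, 5, 8):
        print(budget, compare(BACKLOG, budget))
```

The point of the comparison is not that CVSS is useless, but that a ranking which never consults what adversaries actually use will spend the first few patching cycles on findings nobody is attacking, while the ones in active use sit further down the list.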

I also use the presentation "Playbooks - Common Traps & Pitfalls in Red-teaming" by Andrew Davies and Jon Medvenics from CRESTCon, which is here: https://www.youtube.com/watch?v=bYTrwzFUSSE; they state that a great deal of what they've seen from red teamers comes from the "Advanced Penetration Testing" book, so you can key on those specific methods in order to detect attacks.

This issue also reminds me of "The Base of Sand Problem", the RAND report that highlights problems in military modelling, simulation and wargaming which, for me, resonate with issues we face. It can be found here: https://www.rand.org/pubs/notes/N3148.html. This report essentially says that the military modelling and analysis industry has made some crucial mistakes about what it focuses on, which leads to the ineffective use of its resources. In this context it has a footnote stating that military victories are based on the ratio of effective forces, not simply on who had the largest force compared to their opponent.

Second lesson - eliminate the big play.

There is not time to explain the Seahawks' use of "Cover-3 with a single high Free Safety", and their general approach of keeping the ball in front of the defenders to ensure the Defense always has another chance to prevent their opponents scoring, so instead I look at personnel choices.

Most NFL defenses, when choosing personnel, have emphasised their Defensive Line, the first line of defense against an opponent, who line up closest to the "enemy". Carroll has always specifically looked to the Defensive Backs, the last line of defense, most notably the Free Safety position, which is the position he played in college.

This is reflected in the NIST Cyber Security Framework and its five Core Functions. I am old enough to remember when Identify and Protect were the only aspects seen as useful, but slowly we are learning that Detect, Respond, and Recover are at least as important in surviving an attack, rather than believing in the "Defender's Dilemma", the idea that if an attacker breaches us we have immediately lost.

I cite Adrian Sanabria's presentation "It's Time to Kill the Pentest" from the RSA conference earlier this year: https://www.youtube.com/watch?v=bMkVjDx3cqQ, mainly because he has a great slide on how a hack is a series of steps, not a single event.

I would argue (I forget whether I actually said this during the presentation) that the emphasis should be on Detect, Respond, Recover, the last line of defense, not the first. I had a very interesting but quick conversation about that with Panaseer afterwards. Unfortunately I was interrupted while on their BrightTalk webinar earlier in the month, and couldn't make time to read the 451 Research report, but I'm intrigued by how their services fit in, or don't fit in, with my current way of thinking.

This ability to recover is important because we all work in "Cyber Resilience" now, where the emphasis is on recovering from a breach, not just on preventing it. It's worth reading "Cyber Resilience" on Phil Huggins' Black Swan Security blog here: http://blog.blackswansecurity.com/2016/02/cyber-resilience-part-one-introduction/. I emphasise the "Pace of Decision Making" aspect.

This links to John Boyd's OODA loop. OODA loops are described well on Wikipedia here: https://en.wikipedia.org/wiki/OODA_loop (please pay me to research these concepts).

Through a description of the OODA loop process (Observe your current situation and determine all the relevant factors, Orient yourself and your adversaries within that space, Decide on the next course of action, and then Act to execute that decision), Boyd argued that by going through this process faster than your opponent, by "getting inside their OODA loop", you could defeat your opponent through speed rather than sheer power. The problem is that, as we're defenders, the opponent always starts their OODA loop before we start ours, so how do we catch up?

Final lesson - Out hit your opponent

I reference "The Base of Sand Problem" again, https://www.rand.org/pubs/notes/N3148.html, because it states that the first-order determinants of victory in conflict are processes, tactics, and strategy. These are harder to define and measure, but I argue we should focus on our own way of thinking, our opponents' way of thinking, and crucially how we can affect our opponents' processes, tactics, and strategy.

It is a physical game, it is a collision sport, and there are psychological as well as other gains to be made by simply hitting your opponent as hard as you can.

This also tallies with the previous aim, to eliminate the big play, as it physically puts the defenders in an excellent position to tackle or otherwise collide with their opponents, but I don't have time to go into this level of detail on the game. For this I use clips of Richard Sherman and Earl Thomas, but mainly Kam "Bam Bam" Chancellor, executing the "Shoulder Punch", a Seahawks tackling technique which is exactly what it sounds like.

The Seahawks tackling video summarising their techniques is here: https://www.youtube.com/watch?v=6Pb_B0c19xA; for Chancellor himself, I think this video sums up what he provided in the narrow focus I use, and you may recognise part of it: https://www.youtube.com/watch?v=qgh8HmKVja8

The aim here is to inflict pain on your opponent, and to reduce the speed of their OODA loop. I've learnt here to state specifically that I'm not advocating any kind of "strikeback" methodology; I am showing that on the blue team we've forgotten that we're facing an opponent, and that we can affect that opponent. The pyramid of pain I refer to is David Bianco's, taken from http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html; it illustrates that the more complex aspects of an adversary's practice are of more value to them, so when you understand those aspects and can act against them, you cause the adversary the greatest amount of pain.

To me the explanation of this comes from Bartle's Taxonomy of player types, for which there's a good summary here: https://en.wikipedia.org/wiki/Bartle_taxonomy_of_player_types. The "killers", people who like outwitting, defeating and demoralising a human opponent, all join the Red Team when they enter cyber security, which means that aggressive and effective approach is lost from blue team strategies.

For this specific "performance" we had just watched Sarka give a great presentation on human weaknesses, yet we ignore the humans who are our adversaries and focus on technical defenses and techniques. The specific slide used a card from Reciprocal Strategies, who can be found here: https://www.reciprocalstrategies.com/resources/brt_cards/.

Haroon Meer has been arguing for more hackers to join the blue team for several years; I show a clip from his Null Con keynote, which can be watched here: https://www.youtube.com/watch?v=2F3wWWeaNaM. Do persevere with the flickering screen.

To inflict that required pain I think deception is key; I'm reminded of Clifford Stoll's book "The Cuckoo's Egg", and how incident response started with deception. Paul Midian's presentation can be found here: https://www.youtube.com/watch?v=KvksyvF6MN4. For more on deception please refer to my post about my DevSecCon "remix" of these ideas.

But the emphasis here, as an overarching strategy, is not only to think about how you can improve your own abilities and skills and the strengths of your organisation, but about how you can degrade the effectiveness of your adversary.


Questions on supporting evidence are welcome by email, in the comments, or even on Twitter; overall, if you've any questions please do get in touch.

And while I realise it's not the most useful of documents, a PDF of the presentation is here: Lessons-CyberTech-4point7-presentedpdf