After my presentation of Lessons from the Legion at "Cyber London hosted by Capital One", way back in July of this year Dan Tilley dropped me an email with some interesting questions. As he asked such good questions, and I was happy with my answers, with his permission I've put this together as a blog post.

What do you think security vendors can do to improve and adopt the approach you describe in your presentation?

Partly what yours seems to be doing, which is improve visibility of both your assets and attacks to them. Those basics are hard (Wendy Nather has been tweeting some useful stuff about this recently); just making something like asset management easier makes everything else easier for security practitioners.

Then mainly it's inter-operability, shared standards for classification/taxonomies and for how they're communicated, that makes it much easier to add a product into an environment, and integrate it into existing systems, with minimal extra effort by security teams. My presentation is the beginning of an approach, I *think*, that emphasizes detection and response over prevention/protection.

Oh, and ease of use in general, not just for inter-operability. Thinkst's Canary is a huge advance in this area, and has sales to match that advance - also I gather that's why Duo Security are doing so well too. Technically a product only has to be good enough if it's actually usable by existing resources; it doesn't matter how well-engineered it is if security staff just don't have the time or skills to implement it - and as with Canary, a very aggressive approach to false positives is essential to not suffer "alert fatigue".

I would like to hear more about your analogy of cyber security/resilience to military operations and whether you think it is more akin to asymmetric warfare?

I think in general there's a lot to learn from the right parts of kinetic warfare (i.e. some parts of that RAND document are hugely relevant, the importance of human factors, the importance of effective forces over sheer size, and so on) but also there's much to ignore - it's much easier to be innovative in the cyber domain than in the physical world, and the nature of "cyber weapons" is so different to that of conventional weapons I sometimes wonder whether the same term should be used.

As for asymmetric warfare - kind of. Some parts are very relevant, for example the attackers tend not to have a home base, they "live off the land", and can operate using guerrilla tactics - which makes them ephemeral and requires much greater resource from the defenders than the attackers. But on the other hand the success of insurgents tends to be based on the populace they operate within, whereas that "populace"... the computers and networks under attack... should be completely loyal to, and under the control of, the defenders - so a lot of the "hearts and minds" type factors simply don't apply.

Without going into too many half-researched analogies, also with military operations success seems to depend, to a great extent, on preparation and logistics; I'd argue cyber security/resilience is the same - by the time you're in the conflict you should have already won it... and there are inevitably relevant Sun Tzu quotes ;)

Do bear in mind my understanding of asymmetric warfare comes from a few wargames and a couple of books (The War of the Flea, and The Defense of Jisr Al Doreaa spring immediately to mind), so education welcome. I think it's a fascinating subject, and certainly has enough lessons within it that the cyber security industry could save itself decades by using the right ones, and will learn something by figuring out when analogies don't work or are taken too far.

You mentioned playbooks in your talk; how can we go about setting up essentially a database/storage of these playbooks, and more importantly, how could we go about sharing this information across the community in a relevant way?

First of all you need a structure to put the adversary's TTPs into - Fusion-X's "enhanced cyber kill chain" looks interesting, and also I've glanced very briefly at MITRE's ATT&CK, but they're both on the "to do" list. From there I know STIX and TAXII are relevant, but I have an elementary "wikipedia level" understanding of both.

From there it's the building of trust networks through things like CISP I think... but this is where I think I'd advocate a very different approach. As with everything else above, this is a high level feeling I'd love a chance to start exploring through actual facts and research... but I wonder whether the Intelligence background of the industry, and particularly the number of ex-Intelligence people in the industry, has actively harmed our efforts. While it's understandable in standard warfare, or espionage, not to let the enemy find out what you know about them - in cyber conflict it might be different - which comes down to what "weapons" are, as I mentioned above. All weapons are based on knowledge, a lot of which is given up in their use, so the gain in telling everyone about the new enemy weapon you've uncovered through being attacked by it is much greater than what you lose by revealing to the enemy that their weapon has been uncovered - also the revelation forces the enemy to upgrade. If you share information with as many other blue teams as possible, and they reciprocate, that makes the size of your "team" larger, and the size of the pool of information on adversaries much larger, forcing the enemy to upgrade more and more frequently, which should become harder.

Also the advantage to the defenders is that they gain operational effectiveness by working together in this way, whereas it's something attackers can't replicate. If attackers share their methods with others, meaning they receive less individual benefit from them, they'll be less effective - so the blue teams have a strategy the attackers can't match. This assumes every other "blue team" is in a position to make use of that knowledge, and many other things... these are half-thought-through ideas. I don't know if they're of value or not, which is partly why I'm being much more enthusiastic about sharing them... get my ideas out into the world and see if they survive.