Thank you to ISSA UK for a chance to present at their recent meeting. This is a summary of my presentation "Lessons From The Legion", from Thursday December 6th. I've been offered some more opportunities to present this, from which I'm hoping to generate more interesting and useful conversations, so this will undoubtedly evolve, your feedback is welcome.

And thank you to Grant Thornton for their hospitality, and great facilities... and Francesca's help setting things up too.

A very high level summary would be this tweet, if you want to point someone at a very short summary:

"people trying to excel at self-taught technical skills are sub-optimal at strategic decisions required for a nebulous conflict, their emphasis should be on team work, and on the strategies of, and constraints on, their adversaries; they should seek inspiration elsewhere"

As a less brief summary, but trying to keep things snappy, my reasoning is as below. A slide by slide summary is too dense, and makes me realise how many ideas I've pushed into the audience's heads in about thirty five minutes or so.

This isn't really designed to be read, but if you're here I expect you're after a reference or two of something that really caught your eye.

Logical Progression of the talk


I have a question - in Cyber Security - if we're all so smart, which we are, and we all work so hard, which we do, why is everything so awful?

To try and figure this out my presentation is an "investigation wall", a set of interconnected ideas and theories where I try and figure out what the solution is to this mystery.

I start with John Kindervag's presentation "Winning the Cyberwar With Zero Trust", which explains the difference between a strategy, what he calls "The Big Idea", and the tactical and operational level solutions you use to achieve your big idea. John Kindervag's "Win the War With Zero Trust" can be found via BrightTalk here: https://www.brighttalk.com/webcast/10903/280059

So what "big idea" has emerged from the tactics we've chosen?

The main three areas I'm familiar with, as a cyber security practitioner, are:

  • System Administrators / Developers
  • Penetration Testing
  • Incident Response

The strategy in all three areas is based on being the most technically skilful practitioner you can - sysadmins patch as quickly and as thoroughly as they can through knowledge of their operating systems, developers code as securely as they can through knowledge of their languages; penetration testing aptitude and success is based entirely on how technically adept the pentester is and how well they apply the "flaw hypothesis methodology"; and incident responders work on their forensics skills to learn how to spot different attacks, and prepare to investigate an incident as rapidly as they can.

Arguably the way this strategy has come about is because of how we train and practice for each area - all of which is based on self-motivated learning, and a passion for the job that is often described as "eat, sleep, breathe security". Therefore the emphasis is on individual skill and knowledge rather than on wider context.

Where has this choice got us? I cite various references that illustrate the poor state of cybersecurity, and the danger that poor cybersecurity poses to organisations in general and civilisation as a whole.

BreachLevelIndex.com is, well, here: https://breachlevelindex.com/

Rapid 7 on the number of CVEs is here: https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/

I specifically cited several recent breaches, namely those of the Marriot Hotel chain, Quora, Dell, Dunkin Donuts, and 1-800-Flowers - that show how frequent breaches are, all of those stories broke after I last gave this presentation, which is less than a week ago.

The Global Risks Report 2018 from the World Economic Forum can be obtained here: https://www.weforum.org/reports/the-global-risks-report-2018 , that lists cyber attacks as one of the most concerning weaknesses to humanity as a whole.

This method of practising reminds me of golf. Excelling at golf is based on individual skill, which is reflected in how a player performs in the game - because success in the game is based almost solely on individual performances. Even in a team game of golf, as part of a team and against an opposing team, there is very little your team-mates or opponents can do to directly affect your standard of play. And the actual course will be static also, apart from the vagaries of weather.

There is nothing wrong in practising like golf if you're going to play golf, however the practice of cyber security is nothing like the game of golf, I think we need to look at a different game.

Using this kind of analogies / metaphors in cyber security is supported by this paper http://www.evolutionofcomputing.org/Multicellular/Cyberfest%20Report.pdf from Sandia National Laboratories; but I mainly refer to TRIZ, In this version of the presentation I just used the idea of TRIZ, of abstracting problems and solutions in order to determine what kind of solution is required in a rapid way.

TRIZ on Wikipedia is here: https://en.wikipedia.org/wiki/TRIZ and for two of the main players in the UK check out Oxford Creativity https://www.triz.co.uk/ and Systematic Innovation http://www.systematic-innovation.com/ ; from limited experience both are definitely worth contacting.

So, if we're practising for golf, but not playing golf, what game are playing?

I argue that our industry feels a lot more like American Football. It is a ridiculously complex and violent sport, with many specialisms, and very much a team game where your success or failure is very dependent on the quality of your team and your ability to work with them, and how you act against and react to your opponent. In addition it's the sport that is closest to actual conflict - I drop in a quick quote showing that Condoleezza Rice agrees https://www.nytimes.com/2002/04/17/sports/on-pro-football-dream-job-for-rice-nfl-commissioner.html - I think cyber security has a lot to learn from wargaming - the simulation of war, and War Studies in general.

( as a side note, a French General, on watching the game around 1916, said something along the lines of "that isn't a sport, that is war" - if you know a good source for that quote please do get in touch )

Therefore we should look to learn lessons from a successful American Football team. American Football is the only sport where each team has essentially two squads on it - an Offense for when your team has possession of the ball, and a Defense for when your team does not.

I think that as defenders in cyber security, even red teamers are looking to improve the performce of the blue team and the survivability of defenders, we should look to the best Defense. Possibly influenced by personal biases, but backed up by many sports facts I'll quote in the novella length version of this description, I have chosen the Legion of Boom, the Seattle Seahawks defense from 2011 to 2015, as an example to follow.

Looking at the central tenets of the team, and the defensive philosophy of the Seattle Seahawks head coach, Pete Carroll ( who has approximately 40 years of experience and an exemplary record ), I pick some of the main lessons from the Seahawks successful Defense:

First lesson - train how you fight

Because American Football is such a complex game it is necessary to practice complex play calls and formations in advance, and to ensure that each individual knows their responsibility, and everybody else's responsibility, on each play so that they can function as a team.

Because the teams are so large there are enough players for the second and third string players in each squad to form "scout teams". These teams imitate the playing style and formations of upcoming opponents so that both they, and the first string players, understand what is coming up in next week's game, and also are less surprised by any of their opponents individual styles in the game.

This links into the concept, taken from the study of wargaming, of the Caffrey Triangle, showing how a red team - in a red team exercise specifically designed to assist the blue team - should act depending on the objectives of the engagement. The Caffrey Triangle is mentioned here https://paxsims.wordpress.com/2016/08/19/connections-2016-conference-report/ , I've had it explained to me in person, we all need to be talking about this a lot more, in both cyber security and wargaming. ( I believe Matt Caffrey's forthcoming book on this and his other concepts, is stil stuck at the United States' Government Printing Office ). I argue that in military simulations or exercises the red team or red force is often in the bottom left hand corner of that triangle, just there to give the blue team something to shoot at. Penetration testers work almost solely at the top of the triangle, being the most effective attackers they can regardless of genuine threats or limitations. I think commonly in cyber security the red force, whatever it is, should operate in the right hand corner, emulating the TTPs of genuine adversaries in order to prepare the blue team for their real world opponents.

Rory McCune is a good person to watch about the limitations of pentesting, the presentation of his that I refer to, Penetration Testing Must Die - Rory McCune at BSides London 2011, is here: https://www.youtube.com/watch?v=MyifS9cQ4X0

The Seahawks are known for their "full speed" practices, to ensure players aren't surprised by the intensity of a game. This approach is reflected in the recent findings and recommendations of the Close Combat Lethality Task Force, a description of their approach can be found here: https://breakingdefense.com/2018/11/mattiss-infantry-task-force-righting-a-generational-wrong/

As an example of the difference between trying to fix everything, and trying to fix only what our adversaries will exploit, I cite Jeremiah Grossman on the Kenna Security report, highlighting 2% of vulnerabilities are exploited; the specific tweet is here: https://twitter.com/jeremiahg/status/996469856970027008 I've got into interesting discussions on how true or untrue that figure may be, watch this space.

This relates to ensuring your organisations practice at the right time, which is as early as possible. This point is worth a presentation on it's own, but instead I briefly cite Adam Shostack's keynote from Brucon covers this nicely, and can be found here: https://www.youtube.com/watch?v=-2zvfevLnp4

This issue also reminds me of "The Base of Sand Problem", the RAND report that highlights the problems in military modelling/simulations/wargaming that, for me, resonate with issues we face in cyber security. This paper can be found here: https://www.rand.org/pubs/notes/N3148.html. This report essentially says that the military modelling and analysis industry has made some crucial mistakes about what it focuses on, which leads to the ineffective use of its resources. In this context, a footnote that states military victories are based on the ratio of effective forces, not on who simply had the largest force compared to their opponent.

One last point on this before I moved on... analysis of players in team sports, described here https://phys.org/news/2018-12-joint-successes-chances.html demonstrates that the ability of players to play together has a greater positive effect on the teams they move to than their raw skill level. And the ability to play/work together is, of course, enhanced by realistic and dedicated practice.

Second lesson - eliminate the big play.

There is not time to explain the Seahawks' use of "Cover-3 with a single high Free Safety", and their general approach of keeping the ball in front of the defenders to ensure the Defense always has another chance to prevent their opponents scoring, so I look at personnel choices.

Most NFL defenses, when choosing personnel, have emphasised their Defensive Line, the first line of defense against an opponent, who line up closest to the "enemy". Carroll has always specifically looked to the Defensive Backs, the last line of defense, most notably the Free Safety position, which is what he played in college.

This is reflected in the NIST Cyber Security Framework, and the five Core Functions. I am old enough to remember when Identify and Protect were the only aspects seen as useful, but slowly we are learning that Detect, Respond, and Recover are at least as important in surviving an attack, rather than believing in the "Defender's Dilemma", that if an attacker breaches us we have immediately lost.

I cite Adrian Sanabria from his presentation at the RSA conference earlier this year: https://www.youtube.com/watch?v=bMkVjDx3cqQ, on "It’s Time to Kill the Pentest", but just he has a great slide on how a hack is a series of steps, not a single event. This is like a "drive" in an NFL game ( https://www.sportingcharts.com/dictionary/nfl/drive.aspx ) where an opponent can gain yards, but your aim is to stop them scoring points.

I would argue that the emphasis should be on Detect, Respond, Recover - the last line of defense, not the first.

Here I crowbar in Sounil Yu's "Cyber Defense Matrix", using it just to show how the majority of our products focus on the "Protect" function, and come into effect before a breach. I use slides from his presentation at the RSA Conference 2017. https://www.rsaconference.com/videos/solving-cybersecurity-in-the-next-five-years-systematizing-progress-for-the-short-term; showing how you can take the functions of the NIST Cyber Security Matrix, and the assets that form the infrastructure, and you can map what products fit where. There's much more to this idea, and it's really worth your time watching that video. Of note here, although Yu's work is at least a year old, is the gap within Detect, Respond, Recover on the "Applications" row of that matrix. However a couple of vendors who were at DevSecCon ( where I presented a different remix of this ), SysDig, and Contrast Security, would appear to have products within that space.

This ability to recover is important because we all work in "Cyber Resilience" now, where the emphasis is on recovering from a breach, not just on preventing it. It's worth reading "Cyber Resilience", Phil Huggins' Black Swan Security blog here: http://blog.blackswansecurity.com/2016/02/cyber-resilience-part-one-introduction/. I emphasise the "Pace of Decision Making" aspect.

This links to John Boyd's OODA loop, OODA loops are described well on Wikipedia https://en.wikipedia.org/wiki/OODA_loop, here, please pay me to research these concepts further, I think this one is particularly key.

Through a description of the OODA loop process: Observe your current situation and decide all the relevant factors, Orient yourself and your adversaries within that space, Decide on the next course of action, and then Act to execute that execution, Boyd argued that by going through this process faster than your opponent, by "getting inside their OODA loop", you could defeat your opponent through speed rather than sheer power. The problem is, as we're defenders, the opponent always starts their OODA loop before we start ours, so how do we catch up? The answer lies in the final lesson...

Final lesson - Out hit your opponent

I reference the "The Base of Sand Problem" again https://www.rand.org/pubs/notes/N3148.html, because it states that first order determinantes of victory in conflict is based on processes, tactics, and strategy - these are harder to define and measure; but I argue we should focus on our own way of thinking, our opponents way of thinking, and crucially how we can affect our opponents' processes, tactics, and strategy.

It is a physical game, it is a collision sport, and there are psychological and as well as other gains to be made by simply hitting your opponent as hard as you can.

Also this tallies with the previous aim, to eliminate the big play, as it physically puts the defenders in an excellent position to tackle or otherwise collide with their opponents - but I never have time to tie together that aspect of the sport. For this I use clips from Richard Sherman, Earl Thomas, but mainly Kam "Bam Bam" Chancellor executing the "Shoulder Punch", a Seahawks tackling technique which is as it sounds.

The Seahawks tackling video summarising their techniques is shown here: https://www.youtube.com/watch?v=6Pb_B0c19xA; for Chancellor himself, I think this video sums up what he provided in the narrow focus I use, and if you've seen the presentation you'll recognise part of it: https://www.youtube.com/watch?v=qgh8HmKVja8

The article from the Bleacher Report, that gives a quick summary of the Legion of Boom, can be read here: https://bleacherreport.com/articles/2806038-i-dont-fear-it-the-seahawks-are-russell-wilsons-team-but-is-he-enough

The aim here is to inflict pain on your opponent, and to reduce the speed of their OODA loop. In this blog format I should specifically state that I'm not advocating any kind of "strikeback" methodology, but I'm showing that on the blue team we've forgotten that we're facing an opponent, and we can affect that opponent. The pyramid of pain I refer to is David Bianco's, taken from http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html; that illustrates the more complex aspects of their practice are of more value to your adversaries, so when you understand them and can act against them, you cause them the greatest amount of pain.

To me the explanation of why we haven't taken that approach in cyber security, why we treat an adversary's attacks in the same way that we'd respond to a natural disaster, comes from referring to Bartle's Taxonomy of player types, there's a good summary: https://en.wikipedia.org/wiki/Bartle_taxonomy_of_player_types; the "killers", people who like outwitting, defeating, demoralising a human opponent, those "killers" all join the Red Team when they enter cyber security, which means that aggressive and effective approach is lost from blue team strategies.

For this specific "performance", to highlight that we forget that our opponent has the same human weaknesses that we do, I use a card from Reciprocal Strategies, who can be found here: https://www.reciprocalstrategies.com/resources/brt_cards/.

Haroon Meer has been arguing for more hackers to join the blue team for several years, I show a clip from his Null Con keynote, which can be watched here: https://www.youtube.com/watch?v=2F3wWWeaNaM. Do persevere with the flickering screen.

To inflict that required pain I think deception is key, I'm reminded of Clifford Stoll's "The Cuckoo's Egg" book, and how incident response started with deception. Paul Midian's presentation can be found here: https://www.youtube.com/watch?v=KvksyvF6MN4.

There then followed a rather rapid set of references to how others, in some form, support this approach, beginning with Saumil Shah's keynote from Black Hat Asia in 2017 ( https://www.youtube.com/watch?v=834S-rqEmFA ) he states, as one of his Seven Axioms of Security, they we need a creative defense, don't give the adversary something they expect.

Similarly in his presentation from London DevSecCon this year, Petko Petkov covered Honey Tokens and Dark Nets: https://www.youtube.com/embed/GoS2MXbH23Y?rel=0 ; why not use your control of your network to set traps for attackers and improve your position. Also, if they suspect such traps are in place, they could or should slow your adversaries down.

Also a talk from the day before, Matt Pendlebury highlighted the surprising demise of attack aware applications: https://www.youtube.com/embed/HQxs3xn7tLA?rel=0 ; again, your application has high fidelity information on whether it's being attacked, and is in the best position to respond appropriately.

I'm reminded of a presentation by Alex Davies at BSides London earlier this year, showing how we should work together, and being able to share information efficiently and quickly will be to the benefit of all. It can be found here: https://www.youtube.com/watch?v=yfEiuJFMisY. This increases the pain imposed on your adversary, as any other campaigns they are running against any other targets will be similarly affected.

The aim is to turn the Defender's Dilemma into the Intruder's Dilemma, which is nicely summarised in a presentation from BSides Munich https://www.youtube.com/watch?v=PQgsEtRcfAA .

The language to use to describe these attacks is MITRE's ATT&CK framework, I refer to this presentation by Katie Nickles and John Wunder from BSides Las Vegas earlier this year: https://www.youtube.com/watch?v=p7Hyd7d9k-c

There are many more ideas in the presentation "Gaslighting with Honeypits and Mirages" from Kate Pearce, but only the slides are available online http://www.secvalve.com/images/Kate_Pearce_honeypits_ACSC2017.pdf ; I hope she has a chance to present it in future where we can all see the recording.

Because the whole point is to slow the adversary down, make them so unsure of their environment, and whether they're being monitored, that they have to go through more and more checks to make sure they're not burning valuable resources unnecessarily, and that puts their current campaign and all similar campaigns at risk. The emphasis of Change Control was always to ensure that an infrastructure change would not damage the company, force your opponents to move that slowly because they are so unsure of the environment they're in.

This solution is not a product you can buy, but it's a thing you can do. Otherwise we are doomed to keep being golfers trying to play a much different game. The emphasis here, just as an overarching strategy, is not to only think how you can improve your own abilities and skills, and the strengths of your organisation, but how you can degrade the effectiveness of your adversary.


Questions on supporting evidence are welcome by email or in the comments or even on Twitter, and overall if you've any questions please do get in touch.

And while I realise it's not the most useful of documents, a PDF of the presentation should be with ISSA UK to publish where they see fit.