Tuesday, October 11, 2011

Preparing for Cyber Battle

One of the many problems I see with computer security today is that computer network defenders don’t have offensive training and hacking experience.  When Incident Responders don’t have solid knowledge of offensive tactics, tools and methodologies, they become a liability with limited analytical value during a network breach investigation.

I see computer network defense a lot like playing defense in American Football.  The very best defensive players on the football field work hard to read the offense and deduce its course of action before the ball is snapped.  This wisdom comes only from years of experience, or from playing both offense and defense.  Physical abilities alone will not make a professional football player; it’s the situational awareness and dynamic, on-the-fly thinking that’s needed to become a professional player in the NFL, and also to become a professional network defender. 
 
The type of Cyber Security Expertise I’m talking about can only be gained by extensive knowledge and training in both offensive and defensive methodologies and capabilities.  This doesn’t mean that your entire Incident Response team needs the ability to identify zero-day vulnerabilities and code exploits.  However, they should have working knowledge of hacker methodology: reconnaissance, planning the initial attack(s), lateral movement and data discovery, entrenchment and persistence, command and control, etc.  Being able to think like the adversary enables IR Teams to recognize telltale signs of compromise far more rapidly than those that cannot, which can make all the difference in mitigating loss to the business or organization.

The phrase “Train like You Fight” has been used successfully for decades by the military in prepping soldiers for battle. It has since morphed into “Train like You Fight, because you will Fight like You Trained” when the bullets start flying.  This is true of Network Intrusions and Incident Response work as well.  Stress levels are very high during network intrusions; people get emotional and make bad decisions.  This is why testing your incident response teams can pay off big-time when the big one hits.  Seasoned incident response professionals will show grace under pressure. 

Every year the military and other government agencies will hold “Red Team/Blue Team” exercises to test each other’s cyber security posture for detecting and responding to computer attacks.  This concept involves cyber warriors (contractors and active duty soldiers) training in “real world conditions” or “simulations” of the battlefield.  Special Operations Forces are well known for recreating simulations of an entire village to scale including the buildings, streets, communications towers, power generation stations, and other objects that can become both asset and liability under different scenarios. 

A tremendous amount of time, money and human energy goes into these battle plans, preparations and contingencies.  These real-world exercises provide invaluable insight and metrics which help senior leaders make more informed decisions and accomplish their mission.  Most soldiers will tell you that playbooks go out the window when “bullets are flying”.  Likewise, this is true during a large-scale network intrusion.  I’ve seen grown men cry after losing control of their network to hackers.  When it comes down to it, the best incident response teams in the world will tell you it’s all in the preparation and practicing…  90% preparation and 10% execution.   Are you prepared?