Quote of the day

“Most people are starting to realize that there are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it. Therefore, prevention is not sufficient and you’re going to have to invest in detection because you’re going to want to know what system has been breached as fast as humanly possible so that you can contain and remediate.”

-- Ted S.

The Cyber Moscow Rules | OODALoop

Lessons learned from US agents who operate in enemy territory have been captured for years and transformed into a code of conduct popularly known as “Moscow Rules.” Those old rules existed for a reason. Real-world experience proved their effectiveness when agents had to operate in the presence of adversaries.

Since modern cyber defenders are also frequently required to operate in the presence of adversaries there are lessons from these old Moscow Rules relevant to cyber defense.

With that as an introduction, the following is a modified list of the old Moscow Rules designed to help the cyber defender under fire.

Consider these as “Moscow Rules for Cyber Operations”

I like this one:

Understand the human tendency to forget about the threat as soon as the current attack has been mitigated. Do not fall victim to this cyber threat amnesia. When not under visible attack, study, prepare, and test your own defenses.

Focusing on the goal

I've experienced plans going wrong many times during the several years I've been Red Teaming. Sometimes because of poor planning, some others because the real world always has the last word, especially when Mr. Murphy is along for the ride - and he always is.

Over the years both experience and mental resilience had taught me to assess the situation and adapt the original plan, go to a plan B or just work without a plan. While on the field, ideally you’d be looping through 4 steps constantly:

  1. Understand the problem (in this case what caused the plan to not work)
  2. See the solution (how do I solve this in a simple, fast and reliable way)
  3. Communicate the new plan (to your team or to you, mentally saying the plan helps red team the issues)
  4. Execute it

However, while doing this you have to keep in mind the goal of the mission, assessment or engagement. It is very easy to lose focus of the goal. An instructor at one of the schools I attended while on the military, always told us to focus on the end goal, no matter how bad it was. Mission came first and if the mission was to recon a target and gather intel then that should be the focus. All our planning was geared towards achieving that mission. Once we had that, then the rest (kit, transport, alternative exfil points, etc) would cascade from there. Remember: Rule 16: Target dictates the weapon and the weapon dictates the movement. The goal comes first. The what you are planning for.
It is very easy to lose focus of this when the conditions on the field are chaotic, or not as expected. We tend to focus on the things on front of you, and while these are often pressing and more important (sometimes life or death), once we solve the immediate problem, we need to go back to the original mission.

The best way I found to do this is adding the following to the steps described above:

0: What is the goal.

So, identify the goal, identify the problems preventing you from achieving the mission, find a solution (don’t forget: the solution is in the problem), communicate that solution and execute it. If it didn’t work, or a new problem arises, start again, but always keeping the question what is the goal as the first step. This will keep you focused on your mission.

Quote of the day

"Security is nigh near impossible. It’s extremely difficult to stop a determined adversary. Often the best you can do is discourage him, and maybe minimize the consequences when he does attack, and/or maximize your organization’s ability to bounce back (resiliency)."

A Few Thoughts

I had a conversation with another Red Teamer recently. He and I disagree on many things, but we also agree on the basics.
The quotes below are something we talked about and we both agreed.

  • Stop thinking about the "perimeter". It's too late, the attackers are already inside.
  • Stop thinking about stopping attacks. You can't. They will continue to come. Think about making it harder for them to move inside and get that data. If you focus on stopping them, you will miss their moves.
  • Stop thinking about being able to monitor everything. Red Team this and try to think 2-3 steps ahead and prepare detection and misdirection.
  • Stop thinking about different attackers. An attacker is an attacker.
  • Don't stop learning, preparing, getting stronger and smarter.