A mRr3b00t Adventure

Join me on an adventure of rambling and exploring the idea that you can in fact not lose the security leadership game! This blog is WIP, it’s just my brain wondering around the question of: can we win the in the face of a seemingly insurmountable force? What do we do as a security leader to protect ourselves and the organisation? How do we start?

The 10 Steps (why ten? Who knows)

What did the last person do? (WDTLPD)
Where are all the bodies? (ICDP)
Cover your ass (CYA)
1. Find the really bad gaps, advise the business in writing ensure if they accept the risk this is in a signed document
Understand the constraints
Understand the GAPS
Realise you can’t win everywhere
Don’t f*ck about, your job isn’t to be liked it’s to protect the organisation
The devil is in the detail
Focus on actual likely cyber threats before weird nerd edge cases
There are never only 10 steps (but the NCSC 10 steps aren’t a bad starting point!)
See point 10
If someone is doing an audit/assessment (especially if its regulated) do not obstruct them (thanks @cybersyrupblog for the nudge!)

Getting Started (The first 100 days)

Identify key stakeholders
Understand the business
Understand the money
Understand the current state
Understand the requirements (that’s all of this but it’s important to keep focus)
Work out how to demonstrate and communicate value
Get working on discovery ASAP – you can’t defend what you don’t know about, and you can’t make choices if you don’t know what the options are
Understand the risk appetite and tolerances
Understand the key assets and revenue streams
Understand the laws
Do something useful/valuable
- That means probably both doing lots of discovery and reducing risk somewhere
- No one likes just bad news, find some good news, even if you have to create the good news scenario (you will need friends in the org to achieve this)
Don’t forget to tell people

Initial Discovery

Read all the docs you can
Business Annual Report
Audit reports
Previous pentests (remember the scope was probably gamed!)
Get discovery wheels running
- Technical Discovery
- Maturity Assessments
- Don’t worry if you can’t find everything all at once, look at Zachman and how artists paint pictures, start with a sketch, don’t let perfect be the enemy of better
- Keep adding layers
Talk to people, make friends. HUMINT is key
SIGINT – all orgs have signals they might just not be leveraging them well
Gain access to intel
- Threat intel
- HUMINT
- OSINT
Talk to your team
Talk to your colleagues
Use your network

How you do these types of activities will vary between org and with your own style. You might have a large team, you might not. You might have lots of budget available, you might not. Don’t try and decide there is only one way to lead, this is not true. You need to work the way you need to achieve the mission. This isn’t a textbook, some shit will work in some orgs and won’t in others. Adapt, improvise, and overcome.

Painting a Picture

Where do I start? What model do I use? Is NIST CSF better than CMMC? What about CIS TOP 18/20? What about NCSC CAF? What about one of the other options?

Calm down, it doesn’t really matter which one you pick, they are all a much of a muchness. What matters is that you learn, understand, and communicate.

Some of the key areas to consider

Requirements
Strategy & Architecture
Governance
Portfolio
Operating Model
People and Skills
Finance
Resources
Projects and Change
Communications
Risk Management
Asset & Configuration Management
Vulnerability Management
Patching and Remediation Management
Network Defence
Security Operations
Security Monitoring
Detection
Incident Response
Backup and Recovery
Continual Improvement

Preparing for a really bad day

Your job is to defend against threats and help the organisation manage risk. That means you need to be planning for a really bad day, and helping the organisation realise that with cyber, even the best laid defences can sometimes be pwn3d! So, I’m not going to go into every area of technology and cybersecurity but perhaps consider these areas as a priority!

Backup and Recovery

Are all my business-critical services backed up?
Can the backups be affected if someone r00ts my entire network?
In the event of total loss of network how long will it take me to recover?
Have we implemented the 3-2-1 rule?
Have we tested this?
Have we conducted security assurance?

Incident Response

Have I setup an incident response team?
Have I retained incident response expertise?
- Have I made sure this will be effective?
Have I prepared for major incidents?
Have I prepared for minor incidents?
Have we established “safe” out of band comms? E.g., signal group with key personnel?
Have we prepared an operating base for when a day that is bad?
Do I know what the orgs legal reporting requirements are?
Do I know what the orgs contractual reporting requirements are?

How do orgs usually get pwn3d?

Use threat intelligence and incident knowledge to identify, protect, detect and respond to cyber threats. Make sure you are using intelligence based decisions. You do not want to invest a ton of money on a “magic box” and then have your pants pulled down because RDP was exposed or someone was phished and in an hour someone has gone from initial access to domain admin and has encrypted your backups and your network!

The trial never ends

Today this ends the story… It’s Sunday I’m going to put the keyboard down, but hopefully this helps people think, it’s not a step by step guide (the don’t exist/work) as all things depend, but hopefully it gets people thinking a little.

Other ramblings of mine

mRr3b00t’s little blog about the Cyberz and getting into them! – PwnDefend

Board Level Security Metrics – PwnDefend

Cyber Leadership – PwnDefend

Cyber Security Assesments for Normal People – PwnDefend

Red Team Readiness Assessment

Enterprise Technology Generalisations