A mRr3b00t Adventure
Join me on an adventure of rambling and exploring the idea that you can in fact not lose the security leadership game! This blog is WIP, it’s just my brain wandering around the question of: can we win in the face of a seemingly insurmountable force? What do we do as a security leader to protect ourselves and the organisation? How do we start?
The 10 Steps (why ten? Who knows)
- What did the last person do? (WDTLPD)
- Where are all the bodies? (ICDP)
- Cover your ass (CYA)
- Find the really bad gaps and advise the business in writing; if they accept the risk, make sure this is in a signed document
- Understand the constraints
- Understand the GAPS
- Realise you can’t win everywhere
- Don’t f*ck about; your job isn’t to be liked, it’s to protect the organisation
- The devil is in the detail
- Focus on actual likely cyber threats before weird nerd edge cases
- There are never only 10 steps (but the NCSC 10 steps aren’t a bad starting point!)
- See point 10
- If someone is doing an audit/assessment (especially if it’s regulated) do not obstruct them (thanks @cybersyrupblog for the nudge!)
Getting Started (The first 100 days)
- Identify key stakeholders
- Understand the business
- Understand the money
- Understand the current state
- Understand the requirements (that’s all of this but it’s important to keep focus)
- Work out how to demonstrate and communicate value
- Get working on discovery ASAP – you can’t defend what you don’t know about, and you can’t make choices if you don’t know what the options are
- Understand the risk appetite and tolerances
- Understand the key assets and revenue streams
- Understand the laws
- Do something useful/valuable
- That means probably both doing lots of discovery and reducing risk somewhere
- No one likes only bad news; find some good news, even if you have to create the good-news scenario (you will need friends in the org to achieve this)
- Don’t forget to tell people
- Read all the docs you can
- Business Annual Report
- Audit reports
- Previous pentests (remember the scope was probably gamed!)
- Get discovery wheels running
- Technical Discovery
- Maturity Assessments
- Don’t worry if you can’t find everything all at once; look at Zachman and at how artists paint pictures: start with a sketch, and don’t let perfect be the enemy of better
- Keep adding layers
- Talk to people, make friends. HUMINT is key
- SIGINT – all orgs have signals; they might just not be leveraging them well
- Gain access to intel
- Threat intel
- Talk to your team
- Talk to your colleagues
- Use your network
How you do these types of activities will vary between orgs and with your own style. You might have a large team, you might not. You might have lots of budget available, you might not. Don’t try to decide there is only one way to lead; there isn’t. You need to work in whatever way gets the mission achieved. This isn’t a textbook: some shit will work in some orgs and won’t in others. Adapt, improvise, and overcome.
Painting a Picture
Where do I start? What model do I use? Is NIST CSF better than CMMC? What about CIS TOP 18/20? What about NCSC CAF? What about one of the other options?
Calm down, it doesn’t really matter which one you pick, they are all much of a muchness. What matters is that you learn, understand, and communicate.
Some of the key areas to consider
- Strategy & Architecture
- Operating Model
- People and Skills
- Projects and Change
- Risk Management
- Asset & Configuration Management
- Vulnerability Management
- Patching and Remediation Management
- Network Defence
- Security Operations
- Security Monitoring
- Incident Response
- Backup and Recovery
- Continual Improvement
Preparing for a really bad day
Your job is to defend against threats and help the organisation manage risk. That means you need to be planning for a really bad day, and helping the organisation realise that with cyber, even the best-laid defences can sometimes be pwn3d! So, I’m not going to go into every area of technology and cybersecurity, but perhaps consider these areas as a priority!
Backup and Recovery
- Are all my business-critical services backed up?
- Can the backups be affected if someone r00ts my entire network?
- In the event of total loss of network how long will it take me to recover?
- Have we implemented the 3-2-1 rule?
- Have we tested this?
- Have we conducted security assurance?
- Have I setup an incident response team?
- Have I retained incident response expertise?
- Have I made sure this will be effective?
- Have I prepared for major incidents?
- Have I prepared for minor incidents?
- Have we established “safe” out-of-band comms? E.g., a Signal group with key personnel?
- Have we prepared an operating base for when the bad day arrives?
- Do I know what the org’s legal reporting requirements are?
- Do I know what the org’s contractual reporting requirements are?
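One way to turn the backup questions above (3-2-1, and “can the backups be affected if someone r00ts my entire network?”) into a repeatable check over an inventory. This is an added example, not code from the original post; the inventory fields (medium, offsite, domain_joined, immutable) and the sample entries are my own assumptions and constructed data.

```python
"""Assess a backup inventory against the 3-2-1 rule and against full domain compromise.
Added example: field names and the sample inventory are assumptions, not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    service: str        # business-critical service this copy protects
    medium: str         # e.g. "disk", "tape", "object-storage"
    location: str       # site label, for reporting only
    offsite: bool       # held away from the production site
    domain_joined: bool  # writable/deletable with the same AD credentials as production
    immutable: bool     # WORM, object lock or offline tape: cannot be altered from the network


def assess_service(copies):
    """Return findings for one service. Counts only the copies listed in the inventory;
    whether production counts as one of the three is a policy choice, so make it explicit."""
    media = sorted({c.medium for c in copies})
    offsite = any(c.offsite for c in copies)
    # A copy a domain admin can reach and modify does not survive a full network compromise.
    survives = any((not c.domain_joined) or c.immutable for c in copies)
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (3-2-1 needs 3)")
    if len(media) < 2:
        findings.append("all copies on a single medium (3-2-1 needs 2)")
    if not offsite:
        findings.append("no offsite copy (3-2-1 needs 1)")
    if not survives:
        findings.append("every copy is reachable and writable by a domain admin")
    return {"copies": len(copies), "media": media, "offsite": offsite,
            "survives_domain_compromise": survives, "findings": findings, "ok": not findings}


def assess_inventory(inventory):
    """Group copies by service and assess each; returns {service: findings}."""
    by_service = {}
    for c in inventory:
        by_service.setdefault(c.service, []).append(c)
    return {s: assess_service(cs) for s, cs in sorted(by_service.items())}


# Constructed sample inventory (not real data).
SAMPLE = [
    BackupCopy("erp", "disk", "hq-dc", False, True, False),
    BackupCopy("erp", "disk", "hq-dc", False, True, False),        # same SAN, same medium
    BackupCopy("erp", "object-storage", "cloud", True, False, True),  # locked, own credentials
    BackupCopy("fileshare", "disk", "hq-dc", False, True, False),
    BackupCopy("fileshare", "disk", "dr-site", True, True, False),   # offsite but AD-reachable
]

if __name__ == "__main__":
    for service, result in assess_inventory(SAMPLE).items():
        print(service, "OK" if result["ok"] else result["findings"])
```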
How do orgs usually get pwn3d?
Use threat intelligence and incident knowledge to identify, protect, detect and respond to cyber threats. Make sure you are making intelligence-based decisions. You do not want to invest a ton of money on a “magic box” and then have your pants pulled down because RDP was exposed or someone was phished, and in an hour someone has gone from initial access to domain admin and has encrypted your backups and your network!
The trial never ends
Today this ends the story… It’s Sunday and I’m going to put the keyboard down, but hopefully this helps people think. It’s not a step-by-step guide (they don’t exist/work) as all things depend, but hopefully it gets people thinking a little.