I updated my All Aboard presentation.  It's my thoughts on project management, vision, goals, and impediments. 

Some thoughts around team management and project management. 

Using small incremental steps to build up to the big project. 

​Happy Fall everyone!

I attended my 5th graders field trip to The EDGE challenge course a few weeks ago.  It was  great experience to see their young minds trying to solve/complete challenges in a group environment. 

• Chaperones were told to NOT HELP the teams
• Young minds are a reflection of their experiences
• Team/Group dynamics
• Communication
• Frustration 
• Lessons Learned/Continuous Improvement

My thoughts on micro-management and other areas of project/product and team management. 

I attend a lunch and learn for Tenable yesterday in Tysons Corner.   The talk covered their TENABLE.io product mostly with small mentions of their other tools/products: Security Center and Nessus. 
Tenable.IO is there newest product.  It has a faster scanning engine and more integration capabilities (web app scanning).
Here is the high level architecture of the tool.  The product provides all of the functionality of the old nessus scanner and has added multiple things: 

• Active Scanner - Like old Nessus product
• Passive Scanner -  Captures network information across the wire to inventory and alert for changes in the environment (between active scans)
• Agent - Install agent on end points for on demand/scheduled VM scans
• API and SDK to start creating integrations with other systems in your environment
• Third-party sources - System is building 'connectors' to allow other systems to send information into the tenable.io product.  (example they used was AWS.  You enter your creds for AWS environment it will pull and load the CloudTrial logs and provide vulnerability information off of that data) 
• Container Security - Plugin for scanner to detect Containers running on servers/assets

How you can utilize this tool: 

• OPS: Start utilizing scanner during on-boarding process of new devices and changes to understand your environments/assets
• OPS/IT:   Utilize the active scanner to keep a baseline of your network/asset.  Use the passive scanner as a way to keep an eye on things in that environment 'between' active scans. 
• DEVELOPMENT:  If you using Docker or any other Container type technology and want to add another layer of security into your Security Lifecycle. Part of the tenable.io suite allows for scanning of Docker Containers, this could be added to your CI/CD server to run scans against containers every time there is a build and add some additional security to your SDLC process. 
• Research/Intel :  Pull output from tenable.io tool and match it with current threat details in your Threat Management Tool (i use Recorded Future to help with this piece).  If done right it will take the vulnerability information and match it against the 'threats/risks' and provide a good guide on where to start with patching and the timeline needed . 

Did a presentation on Bright Talk about Ransomware.  If you want to hear me drop my knowledge you can check it out: 

https://summits.brighttalk.com/webinar/ransomware-prevention-is-the-best-medicine

 RFUN is Recorded Futures yearly conference.  It's a 2 day event.  First day covering training of the Tool and second day was multiple key notes and breakout sessions.  This year it was held at the Newseum in Washington, DC. 

Day 1: 
Multiple training courses on how to use the Tool and it's robust API for integrations/automation and to help with Event Enrichment and Correlation.  Recorded Future has multiple integrations with other tools to allow Analysts to quickly get 'backing/context' information(enrichment) for an IP, Domain, Malware, Threat Actor, and Vulnerability.   Other integrations allow your SIEM, log, EDR, and endpoint solutions to automatically alert based off of Recorded Futures Risk Lists.  Recorded future also has information provided by their Omni Partners allowing users to see more details related to the event and insights these vendors provided all in one place. 

After a full day of training there was an opening reception at the International Spy Museum.   Myke Cole talked with the group about the need for Cyber Leaders to get "in the weeds" when discussing and understanding the current threats.  Executives need to understand what these threats mean and how to protect their environments from them. 


Day 2: 
The morning of Day 2 was all keynotes and 'Fireside chats'​. 

The Grugq discussed the need to detect and remediate intrusions in a quick and efficient manner. He highlighted how hard it is to know if your defense is effective and how the offense has the positive signs of an attack (launch attack did it work = yes/no). He discussed dwell time and how attackers work to stay under the radar.  Attackers who successful elude detection can live on the network for up to 5 years (5 years being when companies usually revamp their hardware/services/solutions).  But one key take away from the talk was how attackers behave after they compromise a machine.  When hitting the machine, moving to the next stage of attack (data exfil), and then cleaning up after themselves(remove root kit, scrub logs, etc) the detection rates were fairly low.  But if the attacker kept repeating the date exfil steps(and actions on the machine) the chances of detection started to go up quickly.  One other aspect of the talk was that Attackers don't have time on their side but the defenders do.  Once the attacker launches that attack time is against them but the defender has all the time to detect/notice and take action.

The next talk was a fireside chat with Errol Weiss and Christopher Ahlberg (CEO of Recorded Future).  Errol is the SVP of Cyber Threat Intelligence at BoA.  This talk went over everything from building a good Threat intel team (starting small and building based on customer requirements) to providing daily briefs to your company which discuss current threats, events associated to it, and the recommendations to protect yourself/company. 

Robert M. Lee discussed Crashoverride the first ever malware framework designed and deployed to attack electric grids..  Robert discussed the threats to our power grid and future issues we will need to address. 

Next up was discussion on AI with Chris Poulin and Staffan Truve.  They covered multiple areas in the world of AI and machine learning.  

Last morning discussion was the Future of Recorded Future by Matt Kodama the VP of Product.  There are a lot of interesting areas RF is moving into not just security related. 

Here are the afternoon breakout sessions i attended: 

"Trafficker" Analysis:  Human Trafficking Threat Intelligence: 
Presentation by Jason Wonn from the Global Emancipation Network which focuses on human trafficking. Jason discussed how they use the Recorded Future tool to research different trends to alert police.  This organization is always looking for volunteers especially technology smart folks with time to spare.  If you want to help go here.
​
Case Study:  Threat Intelligence at Fannie Mae
Brian Scavotto from Fannie Mae discussed some of the challenges they faced around Threat Intelligence.   He discussed how he is using his team to educate the user base there for the latest threats and how they can protect themselves.   They have started an internal Threat Blog and Cyber Situational Awareness Report  which is emailed out to the company weekly. He also discussed the importance of cross team collaboration and seeing how the Threat Intel team can help other groups in the company. 

Technical Sources: The Science and Art of File Reputation
Igor Lasic discussed the Reversing Labs products and the benefit they provide to Recorded Future.  Reversing Labs is now a partner of Recorded Future and some of the File Reputation information will now be displayed in the Intel Cards. If you are looking for a STATIC analysis tool it might be worth taking a look. 

Case Study:  Threat Intelligence at TIAA and Vanguard
The last talk of the day and my favorite of the conference.  These presenters provided multiple use cases on how they are using Recorded Future in their environments to help manage security and RISK.   Couple of examples: 

•  Situational Awareness around Entities they have built in RF.  Any time there are changes around these entities they can see trends/changes and can act accordingly.   These changes can be related to anything from security news, to company announcements, to their partner/vendor news and issues. 
• Daily Threat Brief:  There team provides a threat brief to the company based off of the events in RF.  It is all automated and provides everyone with a good idea of what is happening 'now' in the Cyber arena. 
• Alerts:  They have setup alerts in RF to notify them when any of the following is seen on the internet; BID #s, Supplier ID#, Corporate Credentials (email, user names, etc), CIDR Block information, Domain information, Typo squatting.
• Vulnerability Research:  They have RF showing them the latest threats against their supported product list so they can make better decisions around which patch or workaround needs to be applied and when. 
• Dashboard Creation:  They have created multiple Threat Views in RF to show them any specific news around some of their Office locations. 
  

They also talked about the need to track Use cases.  Just like requirements in development work the use cases need to be documented, discussed, reviewed(periodically) , and the outcomes need to be noted. 

All in all this was a great conference and recommend to everyone to check out the Recorded Future product. 

When in doubt about your job ask yourself the following questions:

1.  Do you like the work you do? 
2.  Do you like the folks you work with? 
​3.  Are you learning/growing? 

If you answer NO to any of these then ask WHY NOT?   

No one can answer these questions but you!  Other folks can help you GET to your answer but at the end of the day it's up to you!  If you answer NO, ask yourself how can i change that to a YES?  Can I get involved with other projects at work?  Can i spend more time with my colleagues to get to know them?  Can i signup for an on-line learning site?  Or ask other team members how they do their work?  

If there is no good answer or action plan you can put together it might be time to move on our look for other opportunities. 

I attended the IR 2017 conference in Pentagon City this last week.  The vibe at this conference was great.  Everyone I met there was very friendly and open about current security issues and how they are handled.   Here is a round up of some of the talks I attended and my takeaways: 

Day 1
Keynote: 
Eric O'Neil keynote about current security threats.   Ransomware being one of the bigger threats we are facing today.  He shared a story about how they took down Hanssen who was selling American secrets to the Russians. (read more about it here>

Complement to Attack Method - 
Talk was around building a standard for Playbooks/Workbooks for automation.   So no matter what type of platform you are using you could apply the playbook from other tools (Phantom to Cybersponse, Threat Connect, to SIEMPlify).  

Takeaways: 

• Good sites
  • http://www.threathunting.net/ - Good starting point for getting into Threat Hunting. 
  • CAR Mitre - Cyber Analytics Repository (CAR)
  • ​OpenC2 - OASIS Open Command and Control (C2) - Creating a standardized language for the command and control of technologies that provide or support cyber defenses

Building an IR Plan that your Organization will ACTUALLY USE! - Kelly McCracken - Salesforce
Discussed how Salesforce manages their Incident Response and laid out some great advice about building teams and collaboration. 

Takeaways: 

• Define your IR process
• PRACTICE!  Your organization needs to run through your IR process BEFORE there is an actual incident.
• Scenario Planning;  Brainstorm different scenarios(Outage/Exploit/etc) and define what/who/how. 
• One Message up to Management.  Define WHO is sending the message so you don't have multiple messages going to Management from multiple people. 
• Representatives - Define who the point/representative is from each involved team.  Know who is the 'authority'/Incident Commander
• Define Notifications:
  • internal -
    • Develop Communication matrix
    • Who is involved?  team/personnel
    • When will notifications be sent?
    • By who?
    • When will updates be sent and how? 
  • External
    • Check contracts for what is required for notifications to customers/clients.
    • Who approves the notifications?
    • Who develops the notifications? 

​

IR Preparation - Continuously Assessing Global IT Assets - Mark Butler CISO Qualys
Discussion around tracking your assets whether they are on-prem or in a cloud architecture.  Tracking and understanding threats against assets and what threats to worry about is paramount.  

Takeaways: 

• Understanding Vulnerabilities in current environment and the ability to understand the RISK to current assets is vital to getting the correct patch/update out at the right time.
• Asset management is crucial to security.  if you don't know what you have you are open to a HUGE level of attack and uncertainty.   Need to be able to understand active exploits to what assets are at risk. 
• Need to monitor for changes in environment, new assets, changes to asset, etc.

Day 2
Keynote
CyberSecurity IR Social Maturity Handbook Discussion
Presentation around teams, communication, and collaboration.   The speaker and his team have researched the importance of communication and collaboration within a CSIRT atmosphere.  The handbook link is below.  I recommend if nothing else reading the Executive Summary of the Handbook.   Lots of great information and exercises to try with your teams. 

Takeaways: 

• Copy of the handbook here: http://tinyurl.com/CSIRTeamworkRegistration
• Hold weekly discussions with teams to discuss scenarios and how they were handled and identify ways to improve the tools, techniques, communication, and process.
• Have a way to share 'what folks know' in the organization so teams know where to go for Subject Matter Experts and/or for help. 
• Take time to build the team.  Trust can go a long way during an incident. 
• There is a workshop coming up in Arlington VA Nov 16th: 

Accelerating Analysis with Decision Trees - Rodney Caudle
Great presentation on some of the research Rodney has done using Decision trees to help with Incident Response.  Using Root Nodes and Leafs Nodes in a tree to walk through the specific questions which need to be answered,  WHEN, and the choice/decision.  The class was really collaborative, at the end we did a white board exercise discussing a decision tree for  blocking traffic from an attacking IP. (image at bottom of page)
​
Takeaways: 

• Brain storm with your team/organization for different scenarios threat/security/etc and start talking through a decision tree.  It's a great whiteboard activity and you will find holes in your tools/process/techniques which you can improve on. 
• Decisions trees are a good way to document what you would like to do in an Automation Platform. 
• Rodney's SANS paper is available here: www.sans.org/reading-room/whitepapers/incident/investigative-tree-models-33183 
• Create an Objective Statement for playbooks (what/why) to explain what it is used for an value. So you have an easy way to communicate the overall goal of the playbook.   it's also a nice way to define things in layman's terms so anyone from the Sr Analyst down to the Intern can understand what it is doing and why we need it. 

How do I know my SOC is ready for Automation - Karlo Arozqueta
Discussed some of the steps from: Carson Zimmerman book on building a SOC:

• Schmoocon talk: https://youtu.be/u4Zxk6WeVio 
• Ten Strategies of a World-Class - Cybersecurity Operations Center Book

Discussed the importance of training and growing analysts.  Using the right folks to mentor new employees not just folks that have 'free cycles' but the most productive members of the team.

Takeaways: 

• Use different tools to tests your security posture.  One type of tool: 
  • Verodin - Attack automation to audit people, process, and procedure
• Do not forget to do things manually every once in a while even if there is automation.  Need to be able to use the tools if automation platform/process breaks. 
• Teach new analysts a task not a tool.  if they know how to accomplish a task they will pick up the tools and techniques along the way and become a productive member of the SOC faster. 
• Don't be afraid to let folks go if they are not producing, nothing worse than a poor analyst training a new analyst.  Poisoning the well. 
• Make your star Analysts mentors, allow them to train and help new hires.  Don't pair your new hire with someone with 'spare cycles' because they might not always be the best for training. Aim for the most productive folks.
• Define metrics and revisit them over and over again to make sure they are the 'right' ones and are showing showing you the good/bad/ugly. 
• Train your folks!  Get multiple people trained up on your tools/technologies.  Spend the money!
• Use Food and Activities to build your team togetherness/trust.

​
​Effective Use of Threat Intelligence to Speed Incident Response
Travis Farral 

High level discussion about the need for Threat Intelligence in IR.   Also the inclusion of the Intel team when doing IR.  

Takeaways: 

• F3ead: http://smallwarsjournal.com/jrnl/art/f3ead-opsintel-fusion-%E2%80%9Cfeeds%E2%80%9D-the-sof-targeting-process