How to Prepare Against Sophisticated Cyber Attacks

by Expert Insight, September 5th, 2021
By failing to prepare, you are preparing to fail - Benjamin Franklin


This is especially true when dealing with an active cyber conflict. Effective usage of the required tools and infrastructure requires expertise, which can only be developed through significant time and practice. This article will cover preparatory steps that should be taken on each side before engaging in cyber operations.


This article is a part of a detailed analysis of the same topic from the book - Adversarial Tradecraft in Cybersecurity by Dan Borges.


We will explore how to break down and measure long-term planning and how to gauge operational efficiency. We want to develop an effective plan, wiki documentation, operational processes, and even code to automate these strategies, ensuring consistency and repeatability.


The aim is to reduce the complexity of computer security at scale by planning and using various frameworks to help automate and manage different tasks we may encounter. Our plans will have to stay flexible enough to accommodate both operators and developers. As Eisenhower said, "The plan is useless, but planning is essential." In our situation, this means that while the exact actions taken may deviate from the plan, and while the plan should not be entirely prescriptive, a broad roadmap is critical for the direction of the team, especially during a high-stress event or time of crisis.


In this article, we will cover the following topics:

  1. Communications
  2. Long-term planning

Communications

As you begin to form your cyber operations team, plans should be documented to ensure the team has a set of broad goals and, at a minimum, a shared direction or North Star. These plans should be written down for long-term reference, team collaboration, and development. While planning may seem like a task for managers, even individual contributors can develop their skills or tools by participating in shared collaboration and team direction. Planning is a team effort that unites the team in a shared vision. Both offensive and defensive teams benefit from having a wiki to store and share team knowledge, which may have been acquired on behalf of each team member over a long period of time.


A knowledge base may also be a code repository such as GitLab or a simple document repository such as an SMB share with documents. It should enable sharing within the team and be publicly hosted or on a private network, or even ephemerally shifting as a Tor .onion service. Ultimately, the intent is that we maintain a common medium where team members can share plans, tools, and information regarding tools, techniques, and policy. This location should be accessible, and the solution should be semi-permanent, emphasizing long-term team support.


Choosing a good wiki or note repository is critical. You may want a publicly hosted product with an API to enable automated integrations; you may want a privately hosted service or even something with open-source code that you can review. This decision depends on your risk tolerance and any requirements for confidentiality. You may want a strong authorization feature set such that you can restrict pages and workspaces from users or groups. Compartmentalizing different development and operational details will help mitigate the exploitation or compromise of one of the operators. One feature that I’ve always appreciated is real-time, cooperative document editing, such as with Google Docs or Etherpad. Collaborative document editing can be very effective for the real-time editing and review of policy across distributed teams. Another set of compelling features could be integrated alerting and email updates.


A good example of a self-hosted, open-source wiki application is DokuWiki, a simple and open-source wiki I’ve used on various engagements. While I’ve presented readers with many features and options, wiki solutions should be an easy choice for competition scenarios. In competition environments, focus on a simple, easily accessible solution that includes authentication and confidentiality controls and promotes team collaboration.


A close second to knowledge-sharing technologies are real-time communication and chat technologies. Communication is the lifeblood of any team. The quicker that real-time communications become, the closer they get to chat, and the quicker team members can iterate, develop, and collaborate on ideas together. Chat capabilities are critical for your team, so it’s important to choose the right infrastructure or leverage what you have.


Even if your team has the luxury of all being in person, they will still need to send each other digital information, logs, and files. Generally speaking, "chat" or "communications" here means whatever your primary method of digital interaction with your team is, for example, email, IRC, XMPP, Slack, Mattermost, Zoom, or even more ephemeral communications such as Etherpad. One major requirement is the ability to copy/paste directly into operations, so something like traditional SMS may not work well for primary communications. You can take this a step further and supercharge your team's chat with chat-ops. Having the ability to issue group tasks directly from chat can give your team powerful automation abilities, such as the ability to publicly triage hosts or receive scan data from the networks and share it in a chat room with the whole group.


I’ve used chat-ops on an incident response team in the past to quickly interrogate our entire fleet of machines for specific indicators of compromise, with the whole team present. We could also pull artifacts from hosts and quarantine machines directly from chat, making for very fast triage and response times while scoping an incident. It is advised that if you go heavily into chat-ops, you have dedicated rooms for this as the bot traffic can overwhelm human conversation at times. Another feature you may want to consider in your chat application is the ability to encrypt chat logs at rest, which provides additional confidentiality and integrity to the communication. This is supported in the Slack chat application as a paid feature, known as Enterprise Key Management, or EKM.


EKM allows you to encrypt messages and logs with your own cryptographic keys stored in Amazon’s Key Management Service or AWS KMS. Such features can be a lifesaver if part of your organization or infrastructure is compromised by allowing you to compartmentalize different chat rooms and logs. It can also pay to have a contingency chat solution in place, so that team members have a fallback if their chat is compromised or they lose availability, for whatever reason. A contingency chat solution would preferably have a strong cryptographic method for proving authentication, such as GPG keys, or using a solution such as Signal. Furthermore, having these pieces of infrastructure in place, including a knowledge base and an effective communication system, will greatly enable the team to develop their plans and further infrastructure cooperatively. These two components will be critical to both offensive and defensive teams alike.

Long-term planning

Long-term planning is some of the most important planning your group can do. It will allow you to set a theme for your group and give the team an overarching direction and avenue to express their innovative ideas. The length of your long-term planning cycle depends on the scope of your operations. For competitions, this could be an annual cycle, or you could start planning with only weeks leading up to the competition.


Generally speaking, a long-term plan can be anything that helps you prepare for an operational engagement during your downtime. Over time, you can also iterate on these plans, such as adding or removing milestones as an operation develops and new needs arise. Some examples of long-term plans are three-year to five-year plans, annual plans, quarterly plans, monthly plans, and sometimes even preparations for a single event. As an example, from a competition perspective, this could mean using the months before the event to develop a training and hunting plan. Higher-level planning may seem frivolous, but in general, the team should have an idea of its general direction, and it is best to write this down to ensure all are in agreement.


Over time, these larger plans may be broken down into milestone objectives to help team members digest the individual projects involved and time box the different tasks involved. These milestone objectives will help determine whether progress is being made according to plan and on schedule. Time is one of your most precious resources in terms of economy and planning, which is why starting the planning sooner can help you tackle large tasks and potential time sinks. In addition, you will want to use your downtime to develop tools and automation to make your operational practices faster. For example, if your team is spending a lot of time auditing user access and rotating credentials, you could plan to develop a tool to help audit the users of a local machine and domain.


Long-term planning should involve creating projects, which then encompass the development of infrastructure, tools, or skill improvements you want to make available to the group. Make sure you over-budget time on projects and milestones to allow for pivoting or error along the way. This also means ensuring you don't overtask individuals or take on more projects than you have resources for. The benefit of long-term planning is in building up your capabilities over time, so do not rush your project development and burn your team out early. Similarly, if you fail at long-term planning, you may find yourself in a cyber conflict technically unprepared, scrambling to get tooling in place, or simply blind to your opponent's actions.


No plans are perfect. You need to measure how close you are getting to your objective and make course corrections if something is not going according to plan. Contingency plans should be available if goals, objective milestones, or metrics aren't being met. The timing of our plans is absolutely critical when playing against an adversary, so we need to know when to pivot to maintain the advantage. If we start to get data contrary to our plan, such as signs that some techniques may be detected, we need to modify our plans and potentially our tooling to support our new strategies. This is rooted in our principle of innovation: if our strategy is discovered, we will lose our advantage, so we should be prepared to pivot our operations in that situation. Former UFC champion Georges St-Pierre said,


"Innovation is very important to me, especially professionally. The alternative, standing pat, leads to complacency, rigidity and eventually failure. Innovation, to me, means progression, the introduction of new elements that are functional and adaptable to what I do."


As you go through your long-term planning, consider blocking time for ad-hoc or unspecified research, tool development, or even process refinement. These stopgaps in long-term plans allow for pivots to be incorporated more easily. If a plan goes awry, these flexible gaps can be easily sacrificed for course correction. Otherwise, if the plan succeeds, these flexible gaps can be capitalized on for process improvement.


Summary

In this article, we examined infrastructure for any team, such as knowledge sharing in a wiki and chat technologies to enhance the team’s communication and operations. We explored some long-term planning strategies to build out a cyber operations team, including options for contingency plans and using alternative tools.

About

Dan Borges is a passionate programmer and security researcher who has worked in security positions for companies such as Uber, Mandiant, and CrowdStrike. He has served in several security roles, from penetration tester to red teamer and from SOC analyst to incident responder. Dan has been programming various devices for over 20 years, with 14+ years in the security industry. He has been a member of the National Collegiate Defense Competition's Red Team for 8 years and a director of the Global Penetration Testing Competition for 5 years.


Featured Image Credits: iStockphoto.com/LuckyStep48