We are all normalizing to a new paradigm now in a world racked by the COVID-19 novel coronavirus. The virus is forcing almost everyone to look at new ways of working and is causing all sorts of difficulties, both technical and practical. At the same time, perhaps we should be looking at the opportunities that these difficulties present. Our situation may have been forced upon us, but we may find that other methods of work and communication, and the tools that support employees, provide organizational leaders with real advantages. These could range from cost efficiencies to personal advantages like less commuting and a better work-life balance.

The new paradigm applies even to the Security Operations Centre (SOC). So, what things are changing and how can we adapt effectively? The most obvious change is the requirement for social distancing and, for many, lockdown in our own homes. As a result, Virtual Private Network (VPN) connections have never been so important. Enabling two-factor or stronger authentication on those connections is essential to the security of your network and business. Once a VPN has been set up, many of our normal SOC tools will be accessible as though we were in the SOC itself. But merely having access to tools is not enough.

There are new gaps in our working methods. For example, when a larger incident occurs, it is normal for a team to gather at a briefing table to coordinate their efforts, ensuring all are working in concert and using those best skilled for appropriate tasks. And the playbooks that we have developed to handle the different categories of an incident may be based on assumptions about where the SOC team is and how they can share information and communicate. A further significant change is, of course, the team leadership and overall management.  The systems we have in place to manage the events and the SOC team itself, including the metrics we gather, will all have to be reviewed to ensure they can be adapted to the remote working requirements.

Collaborative Working and Communication Tools

The immediate answer to the need to gather and communicate freely and effectively is the use of collaborative communication and sharing tools. There is a huge range to choose from, for example:

Zoom, GoToMeeting, Webex

Tools that allow us to meet and share information and ideas directly are an essential alternative to physical presence. These and others address the need for a group to share screens, talk freely, and include the all-important video feature allowing you to see each other. Used well, these systems ensure a remotely distributed SOC team can communicate almost as though they are in the same room. Getting decent quality headsets with integrated microphones is an absolute must and there are plenty of online shopping sites such as Amazon where you can order those. You may also need an external video camera if you are not using a laptop with an integrated video. My personal favorite is Zoom but you ought to ensure you are happy with its privacy features as there have been some concerns expressed recently.


Slack, Microsoft Teams, Facebook for Work

These are great for group chat and file sharing, with the ability to pin key documents and track files as they are shared. Slack is very popular with development teams but is well suited to other teams, and SOC teams are also big users. A favorite feature for me is the advanced search modifiers that help you find relevant channels, files, and conversations with ease.

GoogleDocs, Office365, and Igloo

These are great for sharing files and working collaboratively on shared documents. In the context of a SOC, these could be the documents gathered during an investigation. These tools are great for sharing ideas via wiki-like functions, and SOC teams can use cloud drives to rapidly record, update and isolate the hypotheses they are creating during an investigation, ensuring real-time updates to the entire team.

CodingTeam

If the SOC's scope of responsibilities includes the creation of specific tools or recovery code, then CodingTeam is the classic tool, available since 2005, for ensuring that code is rapidly shared and updated collaboratively and that bugs are effectively tracked. There are many other source code forges around, but this is a favorite of mine because of its simple but powerful interface. It really helps coders concentrate on the code and not on how to share the code. If you are part of an international SOC team with multiple languages, you will also use the language translation features based on gettext within CodingTeam (see CodingTeam.org).

Individual Skills Training

Our adversaries are also looking at the changed circumstances to find new weaknesses and new ways of exploiting the huge number of remote users and remote connections that have grown in response to the crisis. So, even though we are working from home, we will all need to ensure that our training does not get out of date. Going to offsite training is not an option at the moment, and continued development of technical and soft skills is critical to IR team success. What are the options currently available to those looking to keep their team prepared?

Product Specific Online Training

Many security product vendors have already at least dabbled in remote training for their key products, so this area is quite well addressed. Many vendors provide some form of self-directed training on their portals. Now is a good time to hunt them down and allocate some time. But have you looked at the free materials on platforms like YouTube? There are many bite-sized "learn by demonstration" sessions covering specific aspects of all the key security products and tools. It is especially worth looking out for the cloud-based training platforms that have grown over the last couple of years. They offer unprecedented opportunities for both individual and team skills development. These will be a good fit for the periods of spare time that you may find, and you could share the best with colleagues on your collaboration wiki.

Cyber Range Training

Many companies are turning to immersive training in virtual environments to ensure their team stays up to date. A Cyber Range will allow you to experience either an environment where an attack has occurred or a live attack. Training in a real-world environment with real-world attacks will keep your skills sharp and ready to go, ensuring that you are able to defend your network when the time comes. Cyber Ranges come in all different shapes and sizes, providing varying levels of reality, tools, and network environment complexity. Look for the most realistic option available as this will provide the most effective form of immersive training.

Peer to Peer Sessions

Don't forget that your team members will all have specific and sometimes unique skills. As a way of keeping in touch and improving your skills, you could agree on a schedule of bite-sized internal training where each of you runs a Zoom (or similar) session to share a skill or method. In one of my previous roles, we had coffee-break sessions where we did exactly this. So why not do this remotely? This is especially good for up-skilling junior SOC team members with the specific skills that the SOC team needs.


Attack Types and Traces

It's next to impossible for a SOC team to keep ahead of the game, as the threat actors lead by developing new attacks and we must react to them. At a minimum, we can at least catch up effectively and ensure we are ready for the first time an attack or variant is used on systems we are responsible for. Again, YouTube resources can be invaluable as a source of detailed attack analyses. There are great resources like the SANS Institute and their free CyberAces course, EDX Cybersecurity courses, and great individual skills YouTubers like Itrinago, HackerSploit, Null Byte and the Cyber Weapons Lab. And, for a good understanding of cloud-based ranges, try Cyber Range Training. Time spent searching and watching on YouTube will be well spent. Just try not to get sidetracked too often, as there are so many amazing content producers out there. Again, when you find a good resource, help your team by sharing it on your preferred wiki or chat resource. Of course, there are also the trend and overview reports that can help give you a picture of the trends and likely events.
These include:

The Verizon Data Breach Investigations Report

This is freely available and an invaluable resource for gaining a carefully thought-out analysis of trends and changes. They fully explain their methodology for collecting, analyzing, and summarising their data, and this is essential if you are to determine its applicability to your circumstances and operations. Unusually, this report is well written and almost an entertaining read. Plan to spend a few sessions on the report if you wish to get the best from it.

The annual IBM X-Force Threat Intelligence Index

This is another great source of trend intelligence, and they use a good methodology which is well explained.

You may also find similar annual reports from Sophos, Trend, Symantec, and FireEye useful for getting a detailed understanding of the cyber attack trends at the endpoint.

The MITRE ATT&CK Framework

Another invaluable resource is the MITRE ATT&CK framework, which provides an assessment structure. Using this, you can evaluate your current controls against the different attack vectors as classified within the matrix. For mature security operations, you could carry out the assessment against your whole structure, but it still has very real value as a method of executing a point assessment for the particular attack vectors that your organization is concerned with.
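One way to carry out the point assessment described above, as an added example that is not part of the original post or of MITRE's own tooling: list the ATT&CK techniques your organization is concerned with, record which existing controls prevent or detect each one, and let a script report where coverage is missing. The technique IDs used are real ATT&CK identifiers; the list of techniques of concern, the control inventory and the control-to-technique mapping are constructed sample data and would be replaced with your own.

```python
"""Point assessment of existing controls against a chosen subset of
MITRE ATT&CK techniques (added example; sample data is constructed)."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    kind: str                                   # "prevent" or "detect"
    covers: set = field(default_factory=set)    # ATT&CK technique IDs


# Constructed subset of techniques a remote-working SOC might prioritise.
# The IDs are real ATT&CK technique IDs; the selection is illustrative.
TECHNIQUES_OF_CONCERN = {
    "T1078": "Valid Accounts",
    "T1110": "Brute Force",
    "T1566": "Phishing",
    "T1021": "Remote Services",
    "T1059": "Command and Scripting Interpreter",
}

# Constructed control inventory (assumed, not any real organisation's).
CONTROLS = [
    Control("MFA on VPN gateway", "prevent", {"T1078", "T1110"}),
    Control("Mail gateway URL rewriting", "prevent", {"T1566"}),
    Control("Failed-logon alert on VPN logs", "detect", {"T1110"}),
    Control("Endpoint script-block logging", "detect", {"T1059"}),
]


def assess(techniques, controls):
    """Map each technique of concern to the controls that prevent or
    detect it: {tid: {"prevent": [names], "detect": [names]}}."""
    result = {tid: {"prevent": [], "detect": []} for tid in techniques}
    for control in controls:
        # Only techniques in scope for this point assessment count.
        for tid in control.covers & techniques.keys():
            result[tid][control.kind].append(control.name)
    return result


def detection_gaps(assessment):
    """Techniques with no detective control at all: the SOC would not
    see these being used even if a preventive control failed."""
    return sorted(tid for tid, cov in assessment.items() if not cov["detect"])


def uncovered(assessment):
    """Techniques with neither a preventive nor a detective control."""
    return sorted(tid for tid, cov in assessment.items()
                  if not cov["prevent"] and not cov["detect"])


def report(techniques, controls):
    """Human-readable summary, one line per technique."""
    assessment = assess(techniques, controls)
    lines = []
    for tid, name in sorted(techniques.items()):
        cov = assessment[tid]
        lines.append(f"{tid} {name}: prevent={cov['prevent'] or '-'} "
                     f"detect={cov['detect'] or '-'}")
    lines.append(f"No detection: {detection_gaps(assessment)}")
    lines.append(f"No control at all: {uncovered(assessment)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TECHNIQUES_OF_CONCERN, CONTROLS))
```

With the constructed data, the report shows that Valid Accounts and Phishing are prevented but never detected, and that Remote Services has no control at all; those are the rows to take into the next planning session, and the same script re-run after a control is added gives a before/after view.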

Team Cyber Security Investigation and Response Exercises

All the activities we have discussed so far concentrate largely on individual learning and skills, but in the new remote working paradigm that we are faced with, this will not be enough. We also need to develop and polish our skills to adapt to our new work environment. Only practice will perfect our coordination, communication, investigation, and information sharing skills. Our training extends beyond the purely technical skills to include how we communicate with the teams and management around us, as they too are affected by the changes. Here are some of the approaches that will assist with this area, which is perhaps the most complex training issue:

Tactical SOC Exercises

You could attempt to set up and simulate an attack on some part of your own network; however, you would be well advised to consider using a web-based cybersecurity exercise range such as Cyberbit Range. This would allow your team to pit their wits against full attack scenarios that include all of the kill-chain stages and many different targets, with a wide library of pre-built attack types and scenarios. The SOC team can then investigate, hypothesize, and respond in real time on complete enterprise-grade virtual networks.

By using the collaboration tools and information sharing methods you have selected for your remote working, you will be able to develop, test, and hone your teamwork skills. The platform includes methods of scoring the team's successes and a debrief mechanism to ensure all of the lessons learned are identified and captured. With choices of complexity and timescale for the scenarios, your team can find a slot that will work for you. So now, even though you are in an unfamiliar working system, you can rapidly develop and sharpen both your technical and team skills at the same time.


Table-Top Exercises

In military terms, these are often called "Tactical Exercises Without Troops" (TEWTs). This kind of exercise is often best applied to the management and senior management functions and can include problems like dealing with the press, authorities, and user communities where there is a public relations element to the cyber-attack. These take quite a bit of preparation by those who are going to run the exercise, and they must select an incident type that is relevant.

Having done that, they will need to develop a flow of key information and indicators that will be fed to the team to simulate the incident. In addition, they will need to determine a recording method that allows the exercise's effectiveness to be measured and analyzed. Done well, they are demanding and very realistic, often using third parties to represent all of the external players such as the press, government agencies, the public, and law enforcement agencies. Even if organizations have completed tabletop exercises previously, it is well worth considering re-running them now in the context of lockdown and remote access, as this will substantially change the response timings and communication methods.

Combined Table-Top and Tactical Exercises

Finally, the ideal refinement would be to combine a live tactical exercise on a cyber range in parallel with a table-top exercise with role-playing for various levels of management. The technical aspect is entirely taken care of by Cyberbit Range and, with a little preparation, the management table-top exercise can be developed alongside it. Using this approach, the technical drivers of the incident are provided by events occurring on the Range and by the investigation results of the SOC team. The tabletop exercise can have additional problems thrown at the management in terms of their responses (press, TV, announcements, internal and external communications, and key decisions), and these may include their wider responsibilities to employees, shareholders, and the customer base.

Taking Things Further

Given the above resources and ideas, it is clear that we all have a lot to do. The cyber risk has not receded; rather, it has morphed and mutated as it always does in response to changed circumstances. We must react equally well and build systems, processes, and skills in response. Our due diligence in making the best adaptations to our new working paradigm is essential for the protection of our organizations, customers, reputation, and assets. Ensuring that we have prepared effectively and practiced on a platform that matches our new remote working and communication methods forms an essential part of this due diligence. Let's all ensure our adversaries are met with a polished, effective response to their nefarious activities.
