
Shall We Play a Game?

BSidesSF · 2019 · 29:34 · 159 views · Published 2019-03
Style: Talk
About this talk
Muscle memory, incident responders will tell you, is crucial to acting quickly in a crisis. Cyber Threat Intelligence informs what we do, but practice ensures we do it well—executing effectively to eliminate the threat and protect the organization. This session provides an approach to developing security exercises and running practice drills. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) forms the basis of this approach. We will cover the fundamentals of an exercise: selecting the story, identifying the tactics, threat modeling, table top discussions, adversarial emulation, and scoring. The session concludes with advice on creating an overall exercise program, focusing on repetition, momentum, and building muscle. Turn intelligence into practiced action with security games.
Transcript [en]

Hello, hello. Yes, welcome to the talk, Shall We Play a Game? I am Wolf Goerlich, I'm @jwgoerlich on Twitter. You know, of course, when I was coming up with this, some of you guys may recognize the reference, right, from WarGames. Like, yeah, that classic movie. Like Sneakers, WarGames and Tron, that was the trifecta of my generation that launched so many of us on the Commodores and TI-99s and all the great old kit, and that had that great line, right: shall we play a game? And I love that line, I love that thought. And now, as I'm one of the greybeards in the industry, oftentimes I reach out to friends, younger friends, you know, and say,

hey, what do you think about this talk, what do you think about this topic? And they're like, yeah, that's so cutting-edge, it's so not like you, right? Saw. And like, Saw? Then I can't... Don't you mean like "do you want to play a game"? You had the name wrong, but I love the concept. I'm like, no, not Saw. I'm like, no, no, I mean like, how about a nice game of chess? And they're like, what about, like, how much blood will you give in order to survive? I'm like, what is wrong with you? So in case you guys are curious, you know, I love my friends, I love the younger folks, I love my avocado toast, but

Millennials are truly ruining everything, including talk titles, because I can't make eighties references anymore. But, you know, the concept of war games always fascinated me, that rinse-and-repeat: what do you do when things happen, what do you do when things are about to go wrong, and how do you prepare your team and prepare your folks? I've been playing with this for many, many years. When I was a security officer for a financial services firm, we started off with a series of lunch-and-learns where I would go, scary thing in the news, and my team would go, oh my god, we can't protect against it. I'd go, well, what if we could? They're like, well, we need money. I'd go,

what if you had no money? And they're like, why do you do this to us? Like, we can do this, let's think about it, let's think about the tools we have at hand. And over time we got a little bit better, got a little bit faster. And now today I do consulting, and oftentimes I will lead exercises quarterly or semi-annually or sometimes annually (please don't do annual exercises; you do it, you forget it). But I'll do these exercises and I'll be like, all right, here's the scenario, here's what's going on, go. Who sees what? The IT guy goes, I see this over here. I'm like, awesome, what about the help desk? And that guy's like, I don't know. I get a whole bunch of blank looks.

So how do you guys talk? So we do these sorts of things and build up strength. So today I'm going to share with you guys some of the things we've learned about what makes for a good exercise, how to keep score, how to mature it, and I'm going to end on a simple maturity model that you can follow if you want to implement these types of exercises in your own environment. So it starts off with a problem statement. You guys all know this; we already raised the hands of the people who are in incident response. We have a lifecycle, right? It looks like this: we get ready, we see the bad guys, we contain the bad guys, we recover,

we learn. We all know this; it's in every textbook ever. Criminals of course have their own lifecycle. It could be a kill chain, if you want to call it that; it could be an attack path, shout-out to my friends in the Michigan security community who use that model. Whatever it is, they too are following a defined set of steps. What's important is time: who can do their lifecycle faster, right? And in incident response we hear all the time, it takes six months to identify a breach. You know, Verizon said 200 days, or 250, or 270, and this other threat report says 300. It takes a long time before we can even

detect. A response takes on average three months. What do you mean, three months? You found the breach, and it took three months to do anything about it? What did you do? All right, yeah, but we found it, but we didn't know, should we... I have one organization I work with that was fighting Petya/NotPetya for close to six months, because they'd think it was done and it would pop up over here, and they'd think it was gone and it would pop up again. Months these things can go on for. Meanwhile, our criminals move through this chain of steps very, very quickly. Depending on how noisy they want to be or not, they can be doing anywhere from

a week to months doing initial recon; initial breach, days, right; elevate privileges, minutes, maybe days; lateral, hours; persistence, days to weeks, again depending on how noisy they want to be and how big the payload is. So if you think back to that quintessential security model, right: how long it takes you to protect something, as long as that time is quicker than the time it takes you to detect and respond, right? Someone's breaking in, alarms go off, you get there before they can break in and steal stuff: you're secure. If there's a fire going on and your safe is rated for six hours and it burns for three hours, you're secure. If that time exceeds the time it takes to protect, that's

where we're in a bad spot. And you add that up and you see readily why we're in a bad spot: criminals can move through our environment in about three months, and it takes us nine months before we do anything about it. That's the problem statement that we're trying to solve, because again and again and again, when we do this math it's game over, right? Insert coins to continue, preferably to your IR retainer. So I don't like that, I don't like to lose, and I started playing games with my team to try and figure out how to speed it up. These games have to start somewhere, and as I mentioned it started off in lunch-and-learns, so I'd sit down and be like, let me tell

you a story. What did I see in the news? What are you hearing? Krebs, what's going on? Right, good IR scenarios, good IR games begin with that story. Sometimes the executives come to us going, hey, guess what I heard about, are we protected from that? You're like, ah, yes, yes, we totally are, I'll get you details in a little bit, I'm going into a meeting, right? One of those things. Sometimes, hopefully, it's a little more proactive. Some sources for those stories are those breaches of the week; that's probably the predominant source. So many podcasts, and we know the stories out there. The problem, of course, is they don't usually go into enough detail to actually build out a full threat model,

but breach of the week works. Another one that's great is pen tests. Pen tests provide phenomenal stories. I'll give you an example. I was doing an assessment, sitting out at the client in a conference room asking questions: you have this, you have that, what would you do about this? And he said, yeah, okay, awesome. He gets a phone call and his other guy gets one. They're looking at each other: we'll be right back. Wait, what's going on? We'll be right back. They run out of the room, and I knew my guys were doing a pen test, so I kind of knew it was possibly us. Like, I hope it's us. The CISO comes back and I go, what happened? He's like, don't worry about it,

but I want to know what happened. The other guy comes back, like, what happened? He's like, well, let me tell you what happened. Like, yes. Should not have asked. The CISO pulls him aside, like, what's going on? Because, well, you know that phishing test we're running? Oh yeah, the one where we're, like, you know, saying, hey, by the way, you should log in to your HR portal and tell us how much PTO you have? Yeah, that one. He goes, so a funny thing happened. The CEO was writing his quarterly update, like, yes, and he saw that, uh-huh, and he remembered something about the HR team doing something about benefits, and he put it at the top of his email: you

should really do this right now. And everybody's been clicking on it. We've now lost, like, 95% of our credentials. Yeah. Mommy. I'm sorry, I'm sorry. But that's a good story though, right? When you're threat modeling, that's a great time to go, hey, remember what happened in the pen test? That was bad, but have you thought about what happens when people social engineer executives? That's a great starting point. Threat intel is another place that's good, much like breach of the week. Breach of the week tends to be very high-level: so-and-so got breached, Wendy's paid 50 million dollars. Like, oh wow, that's bad, what did they do? Someone stole credit cards, Wendy's paid 50 million. Okay, but what is the breach? 50

million dollars. Like, ah. Threat intel is like the exact opposite: 11050 1714. What is that? That's an IP address. What happened with it? I don't know. Did they lose money? 11050. Come on, guys. So threat intel has actually the opposite problem. Incident response is a great one, because it always looks like that, doesn't it? No, but things go wrong and it gives you a good story. You know, you come back in there: I call, man, last week we got hit, but this incident here has happened, we want to do a threat model, we want to tie it to prior lessons learned. Awesome sources for these stories. We take these stories and then we tell them out. I say a good

story has three main points. It has a heart: it's interesting, it's funny, you hear it, you want to go, that's a good story, we're going to tell someone else that, which is vital in an organization because you want that message to spread, right? It has a point. What's the point of that? Well, the point with the executive and the HR there was: executives are getting phished, they're targets, and when they get hit there's a bigger ramification. Okay, good. And point three is it has data; it's supported by facts. So what about executives? I don't care. Yeah, I know, but it happened to us. That's a one-off. But do you know, like, a third of the time right now executives are the primary

target? Oh wait, really? Yeah, there's just a second... Verizon's Data Breach Report, or CrowdStrike... circle of life, you know, you get the idea. Heart, point, data. Good stories. Good stories that we can build things on. I caution: don't create FUD. So much of our industry grew up on Tron and WarGames, and then we want to scare people, because they won't listen to us, because I don't want to be scared, they're just building IT, and oh my god, don't you realize what the bad guys can do? And we did that in the 90s, and now we're like, okay, good, we'll scare them and then they'll be scared straight. And it's like, yeah, do

you know, like, those "your brain on drugs" commercials, did that work for a generation? I just wanted to watch what was on after that. No, no. So don't create FUD. This is not about scaring the users, it is about informing them, it is about educating them. I do want to see what my GIF looks like on a big screen. It looks pretty good, okay, I was very curious about it. All right. Moving forward. Another thing is that any objections you face, and you will face objections, and tangent stories, are actually really key data points. And they're really key data points because it allows you to learn something interesting. I'll give you an example. I was doing one of these exercises and I was on

System Center, and if anyone has seen Dave Kennedy's talk on what happens when you breach System Center, it was awesome: he hits the keys and he lights up the slide, he's going like this and shells are popping, it's like thousands of shells in minutes, and everyone goes, it's like a rock star, right? And I was so pumped, and the guys, we need to do this. And so I'm at the table in the conference room talking about this, and the director of security pushes herself away from the table, she folds her arms: that would never happen here. I'm like, you guys are putting in System Center, because... Yeah, it doesn't matter. So my gut instinct is, oh, she didn't like my story, so forget her.

But no, I thought, this is a good example, a good teachable moment. I'm like, yeah, you're right, you know, that probably wouldn't happen here. So there's this thing called Google dorking, and she said, what is that? I go, ah, it's a dorky name, don't worry about it, but you google things like System Center and your company name. I do it, and we're on the projector, it pops up, and she goes, oh, that's interesting. Yeah. So the first link is LinkedIn, where your guys are like, hey, I know System Center. Okay, that's bad. Yeah, so there's your targets. Your second link is a guy going, hey, I'm trying to implement System Center, there's this problem, and here's

why it's not working. So there's your targets and there's your source of information on what you, you know, craft your phish from. Okay. But the third link, the third link was my favorite: a case study with a quote from her on Microsoft's page about how great System Center is. And so she pulls herself back to the table, doesn't even acknowledge she's wrong, she points at her people, goes, see, see, this is why we bring him in, you guys need to listen. Teachable moment though, right? Teachable moments, teachable moments. All right, next thing that happens once you have a good story, and this is something that bothered me for years, is: what are their tactics? If you're not a red team,

or if you're on defense, it's very difficult to get outside of your world and see what those tactics are, right? It's very difficult to go from that 50-million Wendy's story to actual breach tactics. So how can we do that? And if you think about this, what makes a good exercise is tactics, the controls you have, and how we exercise it. So I'm going to start with tactics. You can build a scenario on the story. Right, that attack lifecycle begins to have a story. If it's, like, a common data breach, you're like, yeah, well, you know, we have this health information. Yeah, we do. And, you know, employees are downloading what they shouldn't. But they are. And they're putting it on their

computer. So that's bad. I know. And do you know the number one breach in the OCR? What's the number one breach? Stolen laptops. Like, we're going to stop that person, Mike. Right? And that becomes your first threat level, right, a very simple, high-level scenario. Similarly, you can tell the exact same story. You know we store the health information? I know. And criminals are phishing DBAs. They absolutely phish database administrators. And when he's not there they'll go and they'll steal the creds. Like, that's terrible. I go, I know. Like, does it happen? I go, have you heard of Anthem? Like, oh. And now you get a story, now you get a scenario. So

that's a good start. You can start breaking out those stories into the individual data points. Finally, with the MITRE ATT&CK framework this has become so much easier, because heretofore when we'd do threat models or we'd do scenarios, we'd have no way of tying it back to a common framework. When the IR team would find things, they'd have no way to tie it back to a common framework. When our pen testers would come in and pen test, they'd be like, you've got this problem. Okay, that's great, but what are the tactics we need to defend against? Sir, I don't know, the ones that we report on. No way to tie back to a common framework. With the MITRE ATT&CK framework we now

can say: our threat intel team sees this, our pen testers see this, our IR folks have seen this, here's the common tactics we're seeing, and, by the way, here's a story that supports them. Really powerful stuff. It looks something like this, in the world's largest Excel file. For those of you doing this, this is really cool to me, I love Excel. It's huge and beautiful. All right, so when we do these, we'll do them with Excel and we'll start over here. Here's our attack lifecycle, right, this is right from the ATT&CK framework, here's the steps the criminals are taking. The next row is the individual tactics they'll use, and then we personalize it for the individual

example. For those of you guys, you probably recognize this is Petya/NotPetya moving through an environment. So we can say, you know, privilege escalation: what does that look like? That maps to Valid Accounts. What would that look like? Well, it looks like the malware attempting to log in with dormant accounts or disabled accounts, because they're on the box. Do you have an alert for that? Can you respond to that? Right, we can build out that scenario and do very granular, step-by-step, line-by-line descriptions of what the criminals do. And then, as I mentioned, great stories have heart, they have a point, they're supported by data. We

can say how frequently this is happening. Some threat reports are now giving heat maps of MITRE, giving real-world data of MITRE, and some of the threat intel feeds have MITRE linked to it, so you can say, yeah, and by the way, that tactic we just talked about is now responsible for 40% of the breaches over the last quarter. Really? Yes. So if we can stop that, we'd be in a real good spot. We can start using threat intelligence in some smarter way. But caution here: when you do that, you've got to be careful not to be too specific. In the System Center example, we worked with that customer with System Center. If they don't have System Center,

they have ServiceNow. You don't want to walk in at all with, that would never happen to us, and be like, let me Google you and System Center. Like, we're a ServiceNow shop. But isn't it still valuable to ask what would happen if the criminals got hold of Service Center, or ServiceNow rather? I can bet you it wouldn't be good if they got hold of ServiceNow. I've seen what happens when criminals get hold of VMware consoles. Oh, that's bad. So we don't want to be too specific; we want to elevate it one level. So the same thing when Target happened. I saw a whole bunch of folks going, we would never let our HVAC vendors into our

network. Like, really? Yeah, never. What about other third-party support? Never on HVAC. Do you have a managed IT provider? Maybe. Are they running Bomgar? Uh-huh. Do you want two-factor authentication? They don't touch HVAC. Right, we don't want to have it so focused; we have to pull it up. Same thing with Equifax. I loved all my friends in the Microsoft world; I went, oh, it's Apache and Struts, if you're running .NET that would never have happened. Like, really, guys? Never have zero-days in your code? I mean, IIS never has a problem? Really? So taking it up that one level, looking at things like third-party vendors or service management or your web apps, allows you to create a model

that's a little bit more broad, a little more able to catch more criminal activity. Once we have these, we can then do the tabletops. Tabletops are so much fun. Tabletops here, I mean specifically IT tabletops, IT tabletops with your subject matter experts. I do not mean, and I've done these, I do not mean let's get in HR, let's get in, you know, your corporate counsel. I mean getting all the smart folks who are actually running the IR exercise: hands on keyboards, eyes on glass, boots on the ground. Let's get them in the room and talk through it. One of the things that's very interesting is to do what I'm about to talk about and then use that as the

injects for a larger tabletop conversation. We did this at a law firm: they sent out the representative from their legal counsel, another representative from their IR retainer and their PR retainer, we all got in a room, and I'm like, your IT guys just said this, what do you do? And that was a great conversation. But what I'm talking about here is more technical, right? What's Petya/NotPetya doing in the network and scanning? And so we take a tabletop and we get people in the room. Why? Because we want to make sure that we share the story. Now, we want to make sure that we educate participants on the IR lifecycle; that's number one. Get a run-through of that

IR lifecycle again and again and again. Also why it's important to have an interesting story: so they pay attention, maybe make some popcorn, have some good time with it. If we just say, hey, read the IR plan and the report and sign off that you reviewed the IR plan quarterly, they will absolutely click that ticket every single time; they will absolutely not pay attention to be ready. So I want to make sure that they run through that. We also want to make sure we gain consensus on controls. I've been in so many environments where the help desk guy goes, oh, that's not my area, the network guy has it. Awesome. Network, okay, what do you do? It's not my area, the

server guy has it. Server guy, what do you do? We don't have anything. Gain consensus on controls. And of course you're going to miss a whole bunch of controls, so build the use cases for why we need to invest and spend time and maybe buy technology to put in place new controls. Purposes for a tabletop. This is the control side of things. Obviously we're looking at prevention and detection; back to, you know, the time it takes to breach, the prevention, the time it takes to detect, the detection. Those are my two favorite controls. There are times when people want to get more fancy: we want to talk about disruption, we want to talk about degradation, deception technology is always sexy, we're going to put in honeypots

and SIEMs and all that. It's cool, oh, it's great, but I'd argue at the first stage, when you're starting off the tabletops, you start with prevention and detection. This allows us to get some very interesting metrics, simple metrics. People talk all the time about defense in depth, and I like the idea. Yeah, sure, defense in depth. Yeah, we did it. But against what? What are we really defending against, and what's our depth against? We say defense in depth against the path an attacker is taking through the network, as evidenced and tracked by the MITRE framework and, you know, our controls on it. Then we can have some interesting conversations about where we should add or remove. We just said we've got lots of layers, so yeah, kudos, we

got two SIEMs, awesome, three AVs, wow, you're off the charts. But how would the bad guys get in this way? So you can put together some great metrics that way. If you think of this as a spreadsheet, we've got the attack stage, right, the tactics; these come from ATT&CK. We've got the controls and the descriptions; those are what glue us together. And then a control framework. The first one comes from that story and the narrow threat modeling I talked about a minute ago. This is where we're focusing in the tabletop: let's have this conversation, figure out what we really have. When we boil it all down it looks like this. Now, what's cool about this is the bottom

and the top of these are frameworks, right: ATT&CK and CIS controls in this example. It's that middle, the description, that actually makes it work. It's the middle that's the true story of what the criminal would do and what we would do. It's the middle that's our narrative and our meat; it's the middle that we can act on. Those tactic descriptions and control descriptions can line up to something high-level in NIST or CIS if you want. Of course this is great for high-level people and the program you're buying, to get support, and the low levels are great for technical people: what am I actually going to do? This then allows us to roll up into some pretty cool metrics as well

along the framework. What do we have in place to stop initial access? We've got it in place for privilege escalation and lateral movement. Excellent. Exfiltration, we're terrible at. Where should we invest? Let's catch the exfiltration, or stop the initial access. We can have some good talks and conversations around where we need to be spending our time to improve things. And then we can actually emulate it, right, run the game. You guys have seen this in a makerspace or at Maker Faire, the life-sized game of Mousetrap? If you haven't, you've got to see it. The ball starts and things go flying, it falls on the track and it goes down there, and then there's a hammer, it falls on the car, and, god, awesome.

You've got to see it. But it's a great metaphor for what happens in these scenarios. We know the track the ball is going to fall down, right; it's following that threat model we already laid out. The question is, will it actually make it down the bathtub? Will it actually make it in the bucket? Will the car get smashed? Will the right things happen to stop that ball from proceeding, or will it make it through? Would an attacker be able to actually execute this path? This is the exercise portion; this is the adversarial portion. We take that threat model and we start breaking out: oh, you're doing audit logging on authentication, that's awesome. When was the last time you tried to log in to a

disabled account, and did your SOC notice or report it to you? Oh, you're protecting mailboxes from, you know, people phishing and using them? Fantastic. Have you tried that, because their logins, things... These are specific IT tactics, right? We are doing this in specific tasks: we're going to test it this way to make sure the controls are ready. Very simple, very straightforward, in a predefined path, to make sure the assumptions are there. And so often they're not. A couple weeks ago I was working with an organization that had these twelve VIP systems, very important, highly controlled, very rigorous, twelve of them, and one of the controls was network access: the cables were locked, right, the

MAC addresses were set, everything was in place, and if anyone pulled that cable out or anyone plugged anything else in, boom, the alarms went off, the mousetrap fell, the attacker was captured right there. Like, awesome, that's great, let's test it. What, let's test it? I thought we were just doing the tabletop. Oh yeah, but tomorrow we're testing it. Okay. One was fine, five was fine, right, eight was fine, nine: no. No, we could plug in anything we wanted on that one. Hmm. Did the alert go off? No. Was the mousetrap, you know... you can hear, it's just a badger, I get the kids going, it's no mousetrap. It was great. And this is the type of thing you won't

catch in a pentest. A pen tester is going to go through the first path in as quick as possible, because that's what they should do. But when we do adversary emulation, we're actually testing what our assumptions are: we think this will work, how oftentimes does it really work? See, without exercising the defense we really, truly have no assurances that it will work. And so that's why running down these spreadsheets and executing tests, each one of them becomes so absolutely important. A key warning here is: create evidence, not incidents. I'm running out of time so I won't tell you this story, but see me afterwards if you want. There are many times when you're executing that you have the opportunity to

perhaps cause some damage, so be very careful, obviously. Next thing: we need to keep score. We need to keep score and know where we're at. I'd like to give you some ideas of how to keep score. What's our defense coverage, right? What's our defense in depth? If you're doing these regularly, and you should be, I would argue at least quarterly, doing them again and again, you begin to see some interesting themes. And we can start off very simple with keeping score: hey, how many have we held? All right, how many were there where the people came together? That's a good metric when you're beginning. What is our scenario defense in depth? That's a good metric. How are we getting better or

worse? What's our stage control coverage? That is, across that lifecycle, across the ATT&CK framework, how many of those MITRE top levels are we actually fulfilling on? And what's our protection? Pretty important metric: number and percentage. As you get more mature you can start doing things like number of exercises held, control effectiveness, right: of the 20 controls we said we had, how many of them actually were there? Number and percentage. And then we get to the best one, which is time to detection. Time to detection is where you want to get to ultimately, where you run these exercises, you know that the mousetrap's supposed to fall, you know that Splunk is supposed to

light up, you know the phone is supposed to start ringing. Did it? Okay, now that we know that it does and we can do it consistently, how fast and how quick did they find it? And by tuning that up we get right to the heart of the problem we said in the beginning, which is how fast can we identify and detect and respond. So as we mature, that's where we want to head towards. We can also begin to find some cool themes. So I love me some Sankey diagrams, so we can start looking at all the different tactics and where it lines up and what it controls at what stopping power, and start looking at it that

way. We can also begin, if we're lining up to controls, to look at the overall stopping power across the whole lifecycle or across the whole kill chain, with things like the CIS controls and lining them up to NIST, so we can start to see where we're strong and where, if a criminal walked in, for example, supply chain risk management, back to the whole Target example, they would just be able to walk across that whole line in that column. Very interesting things become possible as we start aggregating this data and you're doing multiple exercises. So, shall we play the game? That was the talk today, that was the theme. This is not, obviously, a matter of life and death,

thankfully. It's also not a matter of, you know, thermonuclear war, national secrets, thankfully. But it is a matter of making sure your team knows the IR lifecycle, knows prevention, detection, response, is well practiced and well exercised, such that when it happens, the help desk knows how to talk to the IT guys, and the administrators know how to talk to the network guys, and everyone's feeding into the InfoSec incident handler, and the communications are going up and across appropriately. And of course making sure those exercises really do result in controls that really do exist and are effective. It's about learning how to respond faster and detect faster. So I promised you a maturity model. Here it is.

Starting out is that story, right: story around the water cooler, story around lunchtime, very ad hoc, here's what happened, what would we do? As you begin to mature, you can build out a more formal process, maybe we do it once a month or once a quarter, and we can start having tabletops, bring people together, or use a whiteboard, spreadsheet, PowerPoint, and some practice. Did I mention breakfast? Pro tip: breakfast, good food. As you start to mature further, we're going to take those scenarios and we're going to break them up into individual tactics and have more conversation about individual controls, so getting into that one level deeper, we're personalizing it to the actual story. As we become even more mature, we're

going to align those tactics and controls up to a framework such as the MITRE ATT&CK framework or the CIS Critical Security Controls, or insert your control framework here, and we're going to begin to exercise these to make sure the assumptions really do fit, right: we say that we can detect, can we really? We say that we prevent, is it really functioning? And then as we reach the highest level of maturity, we're doing those exercises, we've added automation, where we're automating those exercises and checking them on a regular basis. And of course throughout this process we've been adding metrics: how many tabletops are done and whatnot, so we can move into a stage of continuous maturity. That's a

way to take from, right now, doing nothing, all the way to where you could be in a year or two: building an entire program around this incident response exercise model, and of course scoring points, because it's all about the points, especially when you can start gamifying it and getting people excited. Did we go faster than we did last time? Did we stop more than we did last time? Where are we at, where are we going? We got people really competitive, especially when you break them into two different teams. It's a great sense to be really excited about where you're going, what you're doing. And ultimately it's about making sure that when things really do happen, our people

are already there: they're comfortable, they're confident, they know how to communicate, they know how to get things done. That's it for me. I think I'm pretty much up on time. Here's my contact information if you want to hit me up with any questions, and hey, enjoy the rest of BSides.