
A Scouts Perspective on Network Defense

BSides Augusta · 2015 · 24:51 · 87 views · Published 2015-09
About this talk
Video from BSidesAugusta 2015.
Transcript [en]

Everybody having a good day so far? You having fun? Have you learned something new? You feel lucky? Did you go out and speak to some sponsors? There's a little bit of a delay there. [Music] So, I do want to say thank you again to all our sponsors. Thank you, of course, to Georgia University College of Business for providing this lovely facility. Uh, so if you see Joan or any other university members here, please make sure you say thank you to them. Uh, it's definitely huge of them to provide us this beautiful facility that we have today. Uh, also our other sponsors, No Starch Press, Southward, Alpha Networks. Uh, for this particular talk, we're going to be giving away, um, this is The Practice of Network Security Monitoring. So that's a No Starch book. We're also giving away a Blue Team Handbook. So those giveaways will come up at the very end of the talk. So pay close attention, because there will be trivia questions. Okay? So you want to answer trivia questions so you can win these cool prizes. Uh, so again, thank you all for being here. Uh, I'm having a blast. Hope you are as well. So without further ado, I'd like to introduce Mr. Justin Edgar. He's going to be giving his talk on a scout's perspective on network defense. So please join me in welcoming Mr. Justin Edgar.

Hey guys, thanks for coming. Uh, just a heads up, this is a cavalryman's perspective on information security. If the words MDMP and IPB give you, uh, PTSD, now's the time to leave. Uh, when I change this slide, we're going to bar and lock the doors. Just a heads up. Uh, my name is Justin Edgar. In leet speak, you get the i exclamation point. My name is Justin Edgar. Uh, my Twitter handle's on there. I don't tweet. So, if you want to, it's better to talk about me there than you see me. Um, I'm going to talk about myself because I'm a narcissist. I'm going to talk about the framework that I'm going to tie this to, which is the military's, uh, defensive planning methodology, if you will, for lack of a better word. Uh, we're going to focus on the IPB, or the intelligence preparation of the battlefield, portion of that. I'm going to talk about why I think that's relevant to the current threat environment, uh, through my key. Um, talk about some practical applications of the network and then give some references at the end.

Again, what I want to get out of this is, uh, I don't think really there's a lot of published doctrine around defense, um, on a kinetic and physical type of, um, method, right? And I think there's a lot of intellectual property or intellectual capital that we can use as network defenders to, um, enhance our ability to see the battlefield, to voice sensors appropriately, and to effectively combat the enemy, right?

So I'm a year army veteran. Uh, I was a cavalryman, 40 lbs and a goatee ago. Uh, here's a picture to prove it. Um, I got out of service, as you can see, worn as hell. Um, got out of service, went to a consulting firm, earned a CISA, quit, worked at a security firm, much happier, glad to be here. Um, I fought a counterinsurgency. I planned operations in a counterinsurgency. Um, so I feel from that perspective I'm a relevant, uh, source of information in this regard. There's me again, narcissism. There we go.

So, we're going to use the FM 5-0, uh, Army operational planning guides as a start. Um, this is available. Anybody can read this. It's available online. It was, you probably get on past or something, right? Um, and what it is, it defines a cycle of planning for the military. It allows us to take inputs, um, output orders, and along the way assess our ability to complete the mission and refine it. It's cyclical. It's highly resource intensive. Um, for people who have been on battle staff, they're probably having issues just seeing this thing right now. Um, but what it allows us to do is create a plan, assess that plan, and then go back and make changes to the plan, right? And do that in a formulaic manner. I think that's important when it comes to, um, network architecting, network defense, because we kind of go out willy-nilly, right? I have a network, let's admit it. Throw a bunch of appliances in there. Now what? Right? We don't apply intelligence. We don't give the enemy a voice in a lot of our information security planning efforts. Again, it's cyclic. Uh, a few things here, and I'm going to focus on the visualize portion of this particular graph. Right? So, there's a lot to this. I'm not going to go through full-blown MDMP. Um, I'm going to focus on the visualization. Again, that's intelligence preparation of the battlefield.

And here's the manual, FM 34-130, Intelligence Preparation of the Battlefield. Again, if you can't find it online, it's probably on Facebook. So, it starts in a very, you know, Sun Tzu manner, right? Where we analyze and visualize the battlefield. Excuse me. In a physical battlefield, we start with a map or some sort of region and area of operations that is assigned to us, and we overlay things that impact us operationally. As you can see in the graphic there, we have vegetation, surface drainage, you know, culverts, uh, riots, all that stuff affects our ability to move throughout the environment. And we take that on a map and we say, "Okay, these are the places I can go and these are the places I can't go. And these are the places that are important to me as a defender or in an offensive capacity." Right? If there's a choke point, that's important for offense. It's important for defense. Right? I codify my ability to, uh, affect the enemy based upon terrain. On top of that, I overlay the enemy's ability to influence me. Right? So, you can see little lines here. Fancy iconography technology for the military. These are avenues of approach, and the little X's and ticks say how large that is. So this is where the enemy can move through the environment based upon my analysis of the terrain's ability to support that. Right? We have to take into account things like wheel travel, track travel, uh, foot travel, etc. So what we really do is kind of have a go/no-go picture of what we can do within our, excuse me, area of operations. And finally we put that into sort of templated enemy activity. Right? So you see the big arrows up here. That's where the enemy can go, where we expect them to go in response to, um, our movements or our, um, navigation of the terrain.

So once we define the terrain, we want to take a second and define the enemy. Um, in this case, we start with what's called a doc template, a doctrinal template. And that says, based upon my composition and what I know of the enemy from an intelligence perspective, this is what they look like, right? This is their hierarchy. And on top of that, I'll take and I'll put them on the terrain. So I say, okay, I've got this many units. This is what they do. You do a little battle calculus. This is where they're going to go. And then I start assessing where I would place them in relationship to the terrain. Right? So, I got the, uh, excuse me, go/no-go terrain. Um, and we start to use that to develop courses of action, right? So, we got enemy, terrain. Now, we start trying to figure out what they're going to do, right? We're using intelligence. We're using either experience or intelligence functions to template the enemy's activity once they hit the ground. And these are called courses of action, COAs. And in our course of action creation, we create multiple courses of action based upon enemy activity or likeliness of enemy activity, right? There's things that will most likely happen. The enemy will most likely come over the mountain with helicopters and shoot at us. Or, um, most dangerous course of action, the enemy deploys a tactical nuke and we all die. Bad news. But we take these overlays and we create these courses of action and we kind of stack them up, right?

So, um, as you can see in these few different diagrams here, each of these courses of action is slightly different, represents the enemy's different utilization of our space as we visualized it. We do that a few times. We want to develop a few different courses of action. Again, likelihood and the dangerousness of that course of action. And we do that on acetate in service, or we have someone else doing it for us in acetate, which is tedious. And we stack them all up on top of each other, and where they overlap, where these courses of action overlap, where the enemy's patterns of movement overlap, we develop what are called named areas of interest, and we label those based upon the courses of action that are present at those named areas of interest. Right? So for example here, uh, we've got a named area of interest number four across which courses of action 1, 2 and 3 pass, right? So we have some overlap there, and it makes it very interesting for us, um, when it comes to planning and the follow-on laying on of assets to those, you know, those areas of interest.

So when we're developing these COAs, there's a few things we need to make sure that they adhere to, right? So you want each one to be suitable. It's got to do something. The enemy is not going to, you know, COA one, the enemy spins around in circles and falls down. Ideal but unlikely. Feasible. It's got to be within the constraints of some resources, right? They're not, again, the tactical nuke problem. That was a feasibility failure, right? Acceptable. Uh, they're not all going to get out of their vehicles and bum rush us. Um, that's just well outside of their risk tolerances. Probably depends where you're fighting. And, uh, it has to be unique. We're not going to overlay the same course of action over and over. And finally, there has to be some sort of consistency with doctrine, and that comes from experience and intelligence, right? And I'm going to come back to that particular bullet at the end, because when we do this again, it's cyclical, over and over again. And we enhance our intelligence, we enhance our experience, by analyzing the success and failure of these plans and, uh, refighting them, right? Re-employing this process.

So following that, we put friendly forces on the ground, right? We apply our own friendly forces to defeat these templated courses of action in our defined area of operations, covering in particular these areas of interest. Right? So we have focus, we have effort prioritization, right? And we don't often see... We take into account the assets that we have. So we see different types of observational assets that are, um, available for use, excuse me. Um, things like stuff flying through the air intent on hitting us. Uh, things about people talking on the phone about nothing, etc. Um, people who are going to go out and ask questions. We have sensors we can apply, and those sensors can sense different things. They're relevant in some contexts and irrelevant for others, and they provide to us information in a variety of means. And finally, what we want to do is analyze the gaps. So we have courses of action, we have sensors we can apply to observe the activity at those particular named areas of interest, and then once we've kind of taken this risk-based approach to asset application, we can look at the gaps. We can analyze the gaps. Do we need additional sensors? Do I need additional assets? Do I have 24-hour coverage of these named areas of interest? Right? It's very programmatic, very formulaic, uh, walks out, very military. I like it.

And we use that to develop a plan. So, in this case, I was a scout. We have our constant surveillance matrix. We put people in places to do things. And very, very critical to this are your instructions, right? Your reporting requirements for that particular asset. I expect to see this happening there. And when you see that, I need you to tell me. I don't want to see, you know, that I don't want to count the birds flying through the AO with my Q36, even though I'll probably get that sometimes. Um, so we give these sensors a prioritization when it comes to observation, and we tell them what we want them to tell us about. We're applying intelligence. We're not, um, pulling in, you know, ridiculous amounts of information that may or may not apply to the threat that we think we're facing.

So, who cares, right? We're here for information security. Thanks, Justin, on that terrible talk about military doctrine. I feel like this is applicable, right? We use terms like, uh, threat reconnaissance and payload delivery, exfiltration, right? These are all of military nature; this is a military function being performed by our enemy, and we as blue team, we should hope, um, are defenders against this activity, right? I feel like we sometimes become absorbed in the minutia. I don't think we often take the enemy's activity into our planning for architectural defense, and that's why I care in particular, and that's why I'm kind of crafting this talk. Um, something very interesting about the network is that we own the terrain, right? We can manipulate it. It's almost like the Matrix, right? Um, we can build bridges, we can close down, uh, tunnels, we can create mountains or model, right? So unlike physical terrain, we are in full control of our technical domain. And I think that's very, very cool. And then finally, um, on the defender side, as much as we'd like to, um, we apply observation assets because we can't exactly just go shoot these people. Um, that would be really nice, but, uh, unfortunately that's not a possibility in most cases.

Um, so I'm going to go and take this and translate this into network speak in the next portion here. Um, and again, we want this to be a cycle, right? So, um, forgive my shoddy graphics, but let's begin. So imagine this is your network, and everything here is inside and everything over here is outside. We know it's a three-dimensional network. Got it. Forgive me. Um, and this is our perimeter, right? This is a FLOT. This is where our blue meets their red, potentially. For those not familiar with contour maps, this would be a mountain, right? Little ridges or little circles make things higher. So, in three-dimensional terms, we have a mountain at the edge of the perimeter. Uh, we might have some bridges or tunnels that allow us to bypass that, uh, no-go terrain and enter the environment. And in these cases, it's things that we need from a business process standpoint. Someone's got to send us mail. Don't want it. Lots of spam going to happen. Apparently we have to let people get on Facebook. Um, partner VPNs, things like that. There are reasons for data to enter our environment. Um, unfortunately we can't just put a huge mountain up. And then we have kind of anomalies, right? DMZ, for example, would be kind of in the mountains, kind of not in the mountains, might have some limited tunnels in there to access it. So this is kind of a 3D flattened control reference. We also have things you want to protect, right, from a priority kind of, uh, standpoint. There are things that are important to us as an organization, things that give us a competitive advantage, things that really suck if we lose them, uh, things that we have to protect thanks to compliance purposes, etc. Um, and in front of that sit people, um, so, you know, engineer assets, they might have access to R&D type information. Our finance people might have access to finance data. Um, and hopefully we have some sort of physical separation between the data itself that's important to us and the people who have access to that data. Does this diagram make sense? Anybody have any questions about this? I'm not a very good PowerPoint artist. Excellent.

So, we define the terrain: no-go terrain, key terrain, objectives, whatever you want to call it. And we've got, you know, man-made structures that permit us to traverse it in unusual ways. So on top of that, now we overlay the enemy. So first we define it. This is our doctrinal template, right? This is our best guess based upon experience and intelligence that allows us to predict what the enemy is going to do and then overlay that onto our environment. So in this case I've picked a few different ones: script kiddies, hacktivists, some advanced threats with different types of goals in the environment. Um, also of significance is risk. I say most significant, right, so things that are most likely, high rate of occurrence, and also things that are most dangerous, high level of risk associated with that particular activity, right? And that drives our prioritization of observation when we see those overlaps, those points where we can observe the activity, and then we stick those on top of the map.

So COA 1, script kiddie. Maybe we're going to see some website defacement or abuse of, you know, not locked down admin, uh, rights on the web. Um, we might see him send a blanket, um, spear phish to everyone in the organization that's misspelled, maybe there's a prince in Nigeria in that email or something, and that's going to land at the weakest point in our environment. The people are going to click on everything, and they always click on everything. Doesn't matter how poorly crafted it is and whether it's bad stuff.exe, they're going to click on it and they're going to get in, right? Course of action one, most likely. Anybody disagree? Me neither. That's why I made this slide.

COA 2, your hacktivist. Again, web defacement. You made somebody mad. Now they're going to mess up your web page. DoS, perhaps DoS of public-facing services, etc., and then maybe a more in-depth infiltration of your environment if they are able to achieve a point of penetration. So, your hacktivists are going to do some doxing, right? They're going to maybe move from Susie in accounting who clicks on everything's mailbox into accounting data and release that. Um, they might send out a list of all your addresses for your local police department, right? Your officers. We've seen that happen.

COA 3, financial theft, advanced threat. We see a lot more actors used for these type of infiltrations, right? We'll see passive and active, um, web infiltration methods. We'll see very, very advanced and targeted email. "Thank you for your LinkedIn profile. I just saw you at this conference. Here's the agenda." And then they click on it. And they will move, perhaps not through our no-go areas, but utilize credential abuse to move from one department into another department's data. Right? Not an unlikely scenario. We've seen this before. We all understand this, you know, professional culture.

And then finally, IP theft. Same general infiltration routes, although perhaps leveraging, uh, downstream relationships, perhaps, uh, partners or subcontractors, or the weakest link in the security chain, uh, entering the environment, finding someone, some unsuspecting Susie who clicks on everything in accounting, and then moving with legitimate administrative credentials throughout the environment, essentially ignoring all of our man-made terrain, right? Any disagreement there? Good.

So again, like we talked about earlier, we're going to overlay these courses of action on our terrain and do some analysis. So I see overlaps, a couple on the web, a whole bunch of email. That lines up with our current, uh, threat reporting. 90% of stuff comes through the web, partner VPN. What this doesn't do a good job of describing is the risk associated with these, right? That comes back to us, so maybe color them differently. Maybe I as a presenter would color them differently. I should. Any questions so far? This kind of makes sense, right? Doing the same thing over again. That's why they promise that. Well, let's keep going. So then we, our course of action, right, on the web, hacktivists and script kiddies might have an impact on our web-facing servers, etc. NAI 1 and NAI 2, most courses of action follow that threat vector, both likely and dangerous. Make sense?

So then we apply assets, right? We take this reconnaissance matrix that I would have used as a scout or would have been given as a scout. Go do this. Look at this stuff. We take that, we apply that to our observation methods, right? And place our assets in the environment with a mission, with some reason to be looking somewhere based upon our analysis of the threat's likelihood, uh, of a movement through a particular environment, right? Particular threat vector and an area where we expect to see them. Now we're applying intelligence to our actions. Now we're not stabbing in the dark. Now we're actually doing things intelligently. Right?

I have five minutes. Pretty quick. There's some things I haven't done here and very, very worth your kind of personal exploration. Engineering assets, right? There's a lot of doctrine around engineering assets and obstacles. Um, obstacles are meant to do things: block, disrupt, neutralize, etc. Um, very worth your effort to try to convert that into, um, cyber speak, and something I'll be working on myself. Um, however, that being said, an obstacle that's not observed is not an obstacle. So apply your intelligent observation as well. Uh, and finally, there's no mention of offensive capabilities here. Um, and I think we all kind of walk that line as to how to affect the bad guys that are affecting us. Um, so doing that intelligently will be something else I work on.

Some references here. Uh, FM 5-0, IPB, uh, intel surveillance reconnaissance, reconnaissance operations are great places to go to start. Start with 5-0 if you're interested in kind of pursuing this as a potential method to your madness. Um, and it'll refer you as it moves through the process. And then there's some additional, uh, references. The Defence of Duffer's Drift, if you get a chance, it's a great read. It's a vignette about, it's kind of like, uh, what's that Tom Cruise movie on there? Um, yeah, like Die the Other Day, where this young lieutenant does the same thing over and over, dies and dies and dies and dies, and improves his ability to defend a particular piece of land. Very, very valuable, and I think it reinforces the point that I'm making today. Um, FM 3-24, Counterinsurgency, highly, highly applicable to this type of fight. Um, it has the paradoxes of counterinsurgency in it, which I was going to repurpose into the paradoxes of, uh, cyber counterinsurgency, but someone else already did that. So there's a link. I missed it; it happened in February. And then if you own this, uh, picture of the caps I haven't put on the slide. Sorry. Does anybody have any questions? Back up. I think I saw people writing this down. Have any questions? Question three. Where are you?

Hey, in this model, if you misassess the threat, how does it come back and counteract that?

So this is a cycle. It requires assessment. You know, um, assessment is easy in the physical space. We did something, we all died, it didn't work out; or we did something, we got to where we're going. Um, I think the kind of the follow-on to that is maintenance metrics, which we all talk about pretty often, is measuring the success or failure. So, um, I've placed my sensors. I expect to see activity based upon my templated threat activity or threat template. If I do not see that, either it's not there or I assessed them poorly. Um, so I think that there's certainly some merit to, you know, talking about the metrics. I think it's a great point. Thank you. Any other questions? All right, the doors. Thank you for your time. We have a couple trivia questions. Right. A couple trivia questions. That's right.
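The overlay procedure the talk walks through (stack the enemy courses of action on the terrain, treat the points where several overlap as named areas of interest, weight them by likelihood and danger, task sensors against them with a reporting requirement, then look for the NAIs nobody is watching) as an added Python example. This is not code from the talk or its slides; every terrain node, COA, score and sensor below is constructed for illustration, and the likelihood-times-danger scoring is one simple choice, not doctrine.

```python
"""Toy IPB overlay for a network: COAs -> NAIs -> sensor tasking -> gap analysis.

Terrain nodes, courses of action (COAs), likelihood/danger scores and the
sensors below are all constructed for illustration; nothing comes from the
talk's slides.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class COA:
    name: str
    likelihood: int  # 1 (rare) .. 5 (most likely)
    danger: int      # 1 (nuisance) .. 5 (most dangerous)
    path: tuple      # terrain nodes the adversary is templated to cross, in order


@dataclass(frozen=True)
class Sensor:
    name: str
    covers: frozenset  # terrain nodes this asset can observe
    report_on: str     # reporting requirement: what we need it to tell us about


# Terrain we own and can instrument (the "inside" of the contour map).
OWN_TERRAIN = frozenset({
    "web_dmz", "web_admin", "mail_gw", "partner_vpn",
    "user_workstations", "domain_creds", "finance_data", "rnd_data",
})

# Constructed doctrinal templates, loosely following the talk's four COAs.
COAS = [
    COA("COA1 script kiddie (web)", 5, 2, ("internet", "web_dmz", "web_admin")),
    COA("COA1 script kiddie (phish)", 5, 2, ("internet", "mail_gw", "user_workstations")),
    COA("COA2 hacktivist", 3, 3, ("internet", "web_dmz", "user_workstations", "finance_data")),
    COA("COA3 financial theft", 2, 4,
        ("internet", "mail_gw", "user_workstations", "domain_creds", "finance_data")),
    COA("COA4 IP theft", 1, 5, ("partner_vpn", "user_workstations", "domain_creds", "rnd_data")),
]

# Constructed reconnaissance and surveillance matrix: asset -> what it watches for.
SENSORS = [
    Sensor("web proxy / WAF logs", frozenset({"web_dmz"}),
           "admin paths requested from the internet, upload attempts"),
    Sensor("mail gateway", frozenset({"mail_gw"}),
           "executable or macro attachments, lookalike sender domains"),
    Sensor("endpoint agent", frozenset({"user_workstations"}),
           "office applications spawning shells or script interpreters"),
]


def named_areas_of_interest(coas, own_terrain=OWN_TERRAIN, min_overlap=2):
    """Map each owned terrain node crossed by >= min_overlap COAs to the COAs crossing it."""
    crossing = defaultdict(list)
    for coa in coas:
        for node in coa.path:
            if node in own_terrain:
                crossing[node].append(coa.name)
    return {node: names for node, names in crossing.items() if len(names) >= min_overlap}


def rank_nais(coas, own_terrain=OWN_TERRAIN, min_overlap=2):
    """Rank NAIs by the summed likelihood x danger of the COAs passing through them."""
    by_name = {c.name: c for c in coas}
    nais = named_areas_of_interest(coas, own_terrain, min_overlap)
    scored = {node: sum(by_name[n].likelihood * by_name[n].danger for n in names)
              for node, names in nais.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage_gaps(coas, sensors, own_terrain=OWN_TERRAIN, min_overlap=2):
    """NAIs that no sensor in the matrix observes: the gap-analysis step."""
    covered = frozenset().union(*(s.covers for s in sensors))
    return sorted(n for n in named_areas_of_interest(coas, own_terrain, min_overlap)
                  if n not in covered)


def tasking(coas, sensors, own_terrain=OWN_TERRAIN):
    """For each ranked NAI, the sensors watching it and what they are told to report."""
    plan = []
    for node, score in rank_nais(coas, own_terrain):
        tasked = [(s.name, s.report_on) for s in sensors if node in s.covers]
        plan.append((node, score, tasked))
    return plan


if __name__ == "__main__":
    for node, score, tasked in tasking(COAS, SENSORS):
        print(f"NAI {node:18s} risk={score:3d} sensors={tasked or 'NONE'}")
    print("gaps:", coverage_gaps(COAS, SENSORS))
```

Run stand-alone it prints the ranked NAIs with their tasked sensors and then the gaps; with the constructed inputs the credential store and the finance data fall out as NAIs that several COAs cross but that nothing observes, which is the "obstacle that's not observed is not an obstacle" point in a form you can argue over with a budget holder. Lowering `min_overlap` to 1 turns every owned node on any templated path into a candidate NAI, which is the same overlay with a looser threshold.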
