The NERC Distortion Field

About six months ago I left an awesome job at NERC. Back in 2011 I was being interviewed and was promised that I’d have interesting puzzles and meet interesting people. That particular gentleman, as is often the case, was correct. It’s extremely humbling when I read a book …

more ...

What I should have said

Last year I was fortunate to serve as an advisor during an executive table-top exercise surrounding a power outage from a cyber attack. Executive rule number one: when an executive keeps going back to a particular topic it should demand your focus. Over the course of these two hours I …

more ...
Identifying Scope for a Breach

I’ve spent considerable time over the last ten years training new team members. This is a whirlwind of activity: explaining the organization, the history, why some things are done stupidly, as well as how the team has grown to respond to security breaches.

When I first started doing …

more ...

Defensive Kill Chain

So I became aware of the intrusion kill chain in 2009 when Mike Cloppert referenced it in one of his presentations at the SANS Incident Detection Summit (I can’t find an agenda to this). In 2010 he released a formal paper on the concept. If you’re not familiar …

more ...

Creating a tabletop exercise scenario

There are several types and ways to conduct exercises, drills and team training. A tabletop exercise is one of the ways that I’ve found generates understanding, traction, and visibility. It can be a bit overwhelming to create a good tabletop exercise. Why? It requires an attacker mindset, creative use …

more ...

Establishing Defensive C2

Sustained defensive operations should expect an incident at any time. This has taught me that well-crafted, exercised, and useful C2 is required. This is particularly important for operations which have small teams, geographically separated personnel or lack a 24x7 operations center.

The below techniques may seem banal but it …

more ...

Dragon Bytes Followup

Last year Richard posted a review of “Dragon Bytes” by Timothy L. Thomas. This book was no longer being published when Richard reviewed the book; to the extent that Richard had to do a followup post to answer questions on how to obtain a copy.

Fast forward nearly a year …

more ...

Sustained Operations

Lately I’ve been thinking of security operations in the context of the duality of defensive and offensive operations. An offensive operation may achieve little if it doesn’t account for security controls deployed by a defensive team. Alternatively, a defensive operation must take into account the tools and tactics …

more ...

Beginning Somewhere: Incident Response/Leadership Cycle

First off: there must be a pre-existing reason to create a defensive capability. How does one prove or gain acceptance of that reason? There’s no formula for ‘selling’ a defensive posture; this post will not outline how to create a sustained defensive posture. The below summarizes how I instead …

more ...