
Defense Mitigation Against The Cyber Kill Chain

Joey Hernandez perspective on Mitigation Against Cyber Kill Chain

As we continue to develop capabilities within organizations providing Defensive Cyber Operations (DCO), it is critical to develop organizational maturity. Current methodologies, although effective, are unsustainable due to the rapid evolution of cyber threats.
An organizational-level approach can be made by adopting some of the following objectives:
1. Increase the pay scale for “qualified” CND Analysts – CIRT staff are often the lowest-paid tier of Incident Response personnel.
2. Hire “analytical” people – A great sys admin does not guarantee a great system defender. “Better analytical capability makes up for a lot of memorized technical knowledge. Having both makes you a god.”
3. Function rotation – Although specialization is a critical capability, functional rotations assist in creating analytical thought by adding perspective and insight into all aspects of DCO.
4. Teach analysts how to communicate – Share your best business practices, what has worked and what has not, not only with internal teams but with colleagues in industry. It is terrible to have great analysts that nobody wants to work with.
5. Hire passionate team players – I can send you to all the certification training in infosec the world has to offer, but if you aren’t doing this because you live it, we are both wasting our time.
6. Employ “better leadership to foster passion”.
7. Start utilizing the sensors and systems in place to their full capacity/capability – Too many times systems are not employed fully, whether through lack of system training or misunderstood vendor support agreements. Garbage in, garbage out; nothing in, nothing out.
8. Require training and certification – Ensure a common baseline for both the technical and communication side (GCIH, CISM, Project Management, MBCI). The management piece is to ensure analysts can write and follow an incident through from beginning to end and understand its operational impact. Although this seems obvious, take a look around.
9. Exercise your capabilities – through xnet or similar means, to make teams operate together.
10. Audit and assess – internally and often (show me, tell me, provide me documentation) to ensure organizational maturity. The team will have a vested interest.
Proactive efforts to accomplish specific steps will assist in maturing the DCO craft.

A passion for this work helps people dig for root cause, gets people looking for the needles in needle stacks, fixing what is broken, and documenting processes to help build the whole team rather than oneself.
Special thanks to Kevin Partridge (https://twitter.com/usefulinfo#!) for helping me see the light on the need for great leadership to foster the passion (6), for the quote on (2), and for elevating my maturity focus from a team to an organization on (10) – all through a G+ posting.
Cyberspace Operations: http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-060.pdf