The Human Element in Cybersecurity: Lessons from SOF Truths and the OODA Loop

The Human Element in Cybersecurity: Lessons from SOF Truths and the OODA Loop

In today’s digital age, where technology reigns supreme, it’s easy to get caught up in the allure of automation, artificial intelligence, and the latest cybersecurity gadgets.

However, as we navigate the complex landscape of cybersecurity, it’s important to remember that humans are the linchpin in this battle against digital adversaries. This article explores the significance of the human element in cybersecurity, drawing inspiration from the SOF Truths (Special Operations Forces Truths) and the OODA Loop (Observe, Orient, Decide, Act).

The SOF Truths, or Untied States Special Operations Command – Special Operations Forces Truths, are a set of principles that highlight key aspects of special operations and the roles of Special Operations Forces (SOF). These truths provide insights into the nature of special operations and underscore the principles that guide the work of SOF personnel.

FIRST Special Interest Groups (SIGs)

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

1. Humans Are More Important Than Software

The first of the SOF Truths tells us that when it comes to cybersecurity, humans take precedence over Software. The right team of skilled individuals can effectively safeguard networks, clouds, servers, and data, even with limited technological resources. On the flip side, no amount of cutting-edge Software can fully compensate for a lack of knowledgeable and capable personnel.

2. Quality Over Quantity

The second truth emphasizes that in cybersecurity, quality is more valuable than quantity. A small, well-trained, and well-led team can outperform a larger force, especially when dealing with the intricate and ever-evolving tactics of cyber adversaries.

3. SOF Cannot Be Mass Produced

Building on the SOF Truths, it’s important to recognize that cybersecurity expertise cannot be hurried. Just as it takes years to train Special Operations Forces to the highest level of proficiency, it also requires intensive training and experience to develop cybersecurity professionals who can tackle specialized missions effectively.

4. Competence Cannot Be Created After Emergencies

Preparedness is key in both Special Operations and cybersecurity. In the digital realm, waiting until an emergency arises to create competent and capable cybersecurity teams is not a viable strategy. Cyber threats are constant, and being ready to respond promptly requires maintaining well-trained teams during peacetime.

5. Dependency on Non-SOF Support

While Special Operations Forces are highly skilled and adaptable, they also rely on support from other branches of the military, such as the Air Force, Army, Marine Corps, and Navy. In cybersecurity, the collaboration of various professionals, including engineers, technicians, and intelligence analysts, is crucial to enhance the effectiveness of cyber defense.

6. OODA Loop in Cybersecurity

In addition to the SOF Truths, the OODA Loop concept, which stands for Observe, Orient, Decide, Act. This decision-making process is highly relevant in cybersecurity. Observing and understanding the adversary’s actions, orienting oneself to the evolving threat landscape, making informed decisions, and taking rapid action are fundamental in the battle against cyber threats.

In conclusion, the human element remains at the core of cybersecurity. While automation and technology are invaluable tools, they cannot replace the insights, adaptability, and expertise of cybersecurity professionals. As we strive to protect our digital assets and information, let’s remember the timeless wisdom of the SOF Truths and the agility of the OODA Loop.

Don’t get fooled, plugin in ChatGPT into a existing Software isn’t going to be a game changer, as per the Gartner AI Hyper Cycle.

In terms of looking a solution to this problem, FIRST SIG might be a good start.

References:

Fipped

Fipped

Flipper zero

  • https://www.redteamtools.com/rfid-electronic-access-control
  • https://shop.redteamalliance.com/collections/2021-classes/products/1-day-defcon-special-event-flipping-out-about-pacs-applied-modern-hacking-tools-and-techniques
  • https://flipc.org/

Lora – Long Range Protocols

  • Meshtastic
  • https://www.youtube.com/watch?v=vxF1N9asjts
  • https://www.youtube.com/watch?v=7NxgD22amCQ
  • https://www.allaboutcircuits.com/news/asset-tracker-test-proves-efficacy-zeta-new-lpwa-network/
  • https://www.szanysecu.com/en/h-pr–0_526_3.html?complexStaticUrl=true

Car Hacking Village

  • https://github.com/nonamecoder/FlipperZeroHondaFirmware
  • https://medium.com/@naoumine/vehicle-hacking-with-icsim-part-1-f4bd632cac9e
  • https://www.carhackingvillage.com/talks
  • https://forum.flipperzero.one/t/car-key-emulation/1094
  • https://forum.flipperzero.one/t/car-key-emulation/1094/7
  • https://www.reddit.com/r/flipperzero/comments/u922ur/car_key_cloning/
  • https://gigazine.net/gsc_news/en/20221227-flipper-zero-car-key/
  • https://www.youtube.com/watch?v=1RipwqJG50c

Microsoft Windows Defender Bypass (Research)

Microsoft Windows Defender Bypass (Research)

GMER

  • http://www.gmer.net/

Fancy Defender evasion? RegLoadKey, RegUnloadKey or NtLoadKey, NtUnloadKey

1. Export CurrentControlSet to a file
2. Edit path in a file
3. Import a file as new ControlSet
4. Change “Select” values to new one
5. Reboot

https://www.linkedin.com/posts/grzegorztworek_fancy-defender-evasion-yet-another-method-ugcPost-7090917993022443520-YXY9?utm_source=share&utm_medium=member_desktop

CrowdStrike Bypass

  • https://www.horangi.com/blog/bypassing-crowdstrike-falcon
  • https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/
  • https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/
  • https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf
  • https://twitter.com/NinjaParanoid
  • https://bruteratel.com/tabs/features/

Red Team Tools

  • Siliver – https://github.com/BishopFox/sliver
  • Mystic – https://github.com/its-a-feature/Mythic
  • Covenant – https://github.com/cobbr/Covenant

Reference

  • http://www.detectx.com.au/bypass-av-edr-remoting/
  • http://www.detectx.com.au/bypassing-av/
  • https://securitytrails.com/blog/red-team-tools
  • https://securitytrails.com/blog/red-team-tools
  • https://cybersecuritynews.com/red-team-tools/
  • https://github.com/A-poc/RedTeam-Tools
  • https://www.pluralsight.com/paths/red-team-tools
  • https://bishopfox.com/blog/9-red-team-tools
  • https://www.techtarget.com/searchsecurity/tip/5-open-source-offensive-security-tools-for-red-teaming

National CyberWatch Center

CLARK is the largest platform that provides FREE cybersecurity curriculum. It is home to high-value, high-impact cyber curriculum created by top educators and reviewed for relevance and quality. Whether you’re looking to teach something new tomorrow, align with curriculum guidelines and standards, or refine your current course, CLARK has free resources ready for you to use!

https://clark.center/details/cobrien/0e116db4-cf8d-409b-adf8-9744f62ebc27

Cyber Security Software Vendor, Partner and Distributor Strategy.

Channel Distribution strategy for a Cyber Security Software in the context of Managed Security Services, including competitive incentives such as Market Development Funding (MDF), Deal Registration, and more:

Understanding the principles of creating a high-performance channel, and best practices for managing your partners, MSP, MSSPs in order to increase your revenue through a indirect model.

Traits if Effective Channel Managers

SubstanceStructureStyle
Demonstrate an understanding of your partners’s needs, and present your technology and programs in a manner that makes them want to engage with you.Adopt a structured framework and methodology for developing your channel strategy, to recruit, develop, enable and manage high performing partners.Establish a relationship with your partners, by adopting the appropriate approach to engage with senior stakeholders and deal with difficult situations.
Traits if Effective Channel Managers

DynamicDSI Model

  1. Channel Partner Selection:
    • Identify potential channel partners that specialize in Managed Security Services and have a strong customer base.
    • Evaluate their technical expertise, market reach, customer satisfaction, and financial stability to ensure they align with your product and business goals.
  2. Partner Onboarding and Enablement:
    • Provide comprehensive training and certification programs to empower partners with in-depth knowledge of your Cyber Security Software and its value proposition.
    • Offer technical documentation, sales collateral, and product demos to aid their understanding and promote effective sales pitches.
    • Conduct regular webinars and workshops to keep partners updated on new features, updates, and industry trends.
  3. Competitive Incentives:
    • Market Development Funding (MDF): Allocate a portion of your marketing budget to support joint marketing activities with partners. Offer co-branded marketing materials, campaigns, events, and lead generation programs.
    • Deal Registration: Implement a deal registration program to reward partners who proactively identify and register sales opportunities. Provide them with exclusive access to pricing discounts, protection from channel conflict, and priority support.
    • Volume RebatesPerformance-Based Rewards: Set up a tiered partner program that offers escalating rewards based on partner performance, including sales targets, customer satisfaction, and product adoption metrics. Rewards may include enhanced margins, exclusive access to beta versions, or early access to new features.
    • Certification based Rebate Tiers
  4. Channel Marketing Support:
    • Provide partners with customizable marketing materials, such as white papers, case studies, and solution briefs, that they can use to educate prospects and differentiate themselves in the market.
    • Offer co-branded demand generation campaigns, including email templates, landing pages, and social media assets, to drive awareness and generate leads.
    • Facilitate joint marketing events, such as webinars, seminars, and conferences, where partners can showcase your Cyber Security Software and engage with potential customers.
    • Round Tables
      • Industry Specific Event Marketing
      • Threat landscape Insight Webinars
  5. Channel Support and Collaboration:
    • Establish a dedicated channel support team to provide timely assistance to partners regarding technical queries, pre-sales support, and post-sales implementation.
    • Foster open communication channels with partners, such as partner portals or online communities, to facilitate knowledge sharing, collaboration, and feedback.
    • Encourage regular business reviews with partners to discuss performance, address concerns, and identify opportunities for improvement.
  6. Continuous Partner Development:
    • Conduct regular training sessions, workshops, and webinars to enhance partner skills and knowledge in emerging cyber security trends and technologies.
    • Provide beta access to new product features and encourage partners to provide feedback and suggestions for improvement.
    • Recognize and reward top-performing partners through awards, incentives, and public recognition.
  7. Partner Recognition
    • Rewards
    • Certification
    • Annual Events
  8. Partner Maturity Matrix and Model ( Journey )

Remember to adapt and customize this strategy based on your specific business goals, target market, and competitive landscape. Regularly assess the effectiveness of the program and make adjustments as needed to maximize channel partner engagement and revenue generation.

References

  • Market Development Fund
  • Usage and Software Credits
  • Free Software to develop Professional Service and Managed Services
  • ToolKit
    • Managed Service Agreement
    • Statement of Services Examples
    • Marketing Fund
    • Market Develop Fund
    • Rebate Program
    • Awards and Events
    • Certification Training e-learning
    • Deal Registration
    • Deal, Registration,
    • Startup Funding examples;

Malware Analysis Course and Certification

Malware Analysis Course and Certification

1) Ultimate Malware Analysis by Zero2Automated
https://lnkd.in/dN7v2zNj

2) Practical Junior Malware Research by TCM Security
https://lnkd.in/dR6mTmQ8

3) Giac Reverse Engineering and Malware by SANS
https://lnkd.in/d6UvAbun

4) Certified Malware Analyst by Ethical Hackers Academy
https://lnkd.in/dt3xQFQT

5) Malware Analysis by Red Team Academy
https://lnkd.in/duBMbZV8

6) Malware Analysis Course by Black Storm Security
https://lnkd.in/dwhn_uuH

7) Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software 
https://lnkd.in/dmyhKDBV

8) Malware Analysis Fundamentals by Let’s Defend
https://lnkd.in/dSDUeyP7

9) Malware Analysis Detection Engineering
https://lnkd.in/dSEA37wQ

10) Malware Analysis Master by Mandiant
https://lnkd.in/dNM54d2C

11) CS6038/CS5138 Malware Analysis
https://class.malware.re/

12) Malware Analysis CSCI 4976 by RPISEC
https://lnkd.in/dC7kZkAK

13) Reverse Engineering 101 by Malware Unicorn
https://lnkd.in/dwGu22if

14) Purple Team Analyst by CyberwarfareLabs
https://lnkd.in/dBAqYG3j

Information Security Risk Assessment Checklist: Risk Assessment and Analysis Methods: Qualitative and Quantitative

Information Security Risk Assessment Checklist

  • Framing Risk
    • Understand the business
    • Define & document the environment
    • Decide Risk Assessment Approach
    • Define how risk dcecisions will be made
    • Qualitative vs Quantitive vs Semi
  • Identifying Risk
    • Document threat environment
    • Identify threat scenarios & actors
    • Identify vunlnerabilities
    • Calculate likelihood & Impact
    • Consider current security controls
  • Responding to Risk
    • Document risk remediation plans
    • Accept, Mitigate, Avoid, or Transfer
    • Derive Risk Ratings
    • Focus on High Risk first
  • Monitoring Risk
    • Perform effective monitoring
    • Monitor high risks for remediation
    • Track risks over time
    • Perform audits ensuring risk treatment

Threat modeling, the cloud, and shared responsibility

An interesting aspect of cloud-related threat models is that cloud-based threats must take into account shared responsibility models that are specific to each cloud provider and service.

If a key output of any threat modeling exercise is a set of identified threats, then the ideal state for any threat is that you eliminate it completely by way of design, engineering, or otherwise. Of course, the value of threat modeling is that you not only identify threats that you can eliminate, but that you make thoughtful decisions about how to deal with the remaining threats that you cannot.

alt

In this model, threats end up in one of three states:

  • Green, which is as good as it gets for a threat you can’t eliminate outright. Of course, if controls are available, there’s a good question to be asked re: whether those controls can be implemented such (i.e., by using restrictive defaults or policies) that the threat is eliminated and thus removed from this grid entirely.
  • Yellow, which is probably the most common. In this state, you’re able to rely on either security controls or on monitoring. The trick with relying solely on monitoring to mitigate a threat is that monitoring is only an effective mitigation when coupled with detection (knowing the threat occurred) and response (doing something about it).
  • Red, which should leave you questioning your design, your cloud provider, or both. In particular, threats in this state require putting significant trust in both your cloud provider and the security inherent to their platform, as well as your ability to engineer for safety.

Reference:

  • https://www.isaca.org/resources/isaca-journal/issues/2021/volume-2/risk-assessment-and-analysis-methods
  • https://blog.netwrix.com/2020/07/24/annual-loss-expectancy-and-quantitative-risk-analysis/
  • https://www.netwrix.com/information_security_risk_assessment_checklist.html
  • https://www.slideteam.net/risk-analysis-powerpoint-presentation-slides.html#images-10
  • ISO 27001:2022 Lead Implementer https://www.udemy.com/course/information-security-for-beginners/?couponCode=JUNE2023

How to conduct a Business Impact Analysis

Step-by-step procedure and a set of questions to conduct a Business Impact Analysis (BIA):

What is a Business Impact Analysis

A Business Impact Analysis, or BIA, predicts how disruptions will impact a business’ critical business functions (CBF) and what the likely outcomes of those disruptions would be. As potential loss scenarios are identified, this deep dive into your business can also offer recovery strategies, including the order in which critical functions and processes are restored. 

Consider the Impact

The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:

  • Lost sales and income
  • Delayed sales or income
  • Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
  • Regulatory fines
  • Contractual penalties or loss of contractual bonuses
  • Customer dissatisfaction or defection
  • Delay of new business plans

Business Disruption Scenarios

  • Physical damage to a building buildings
  • Damage to or breakdown of machinery, systems or equipment
  • Restricted access to a site or building
  • Interruption of the supply chain including failure of a supplier or disruption of transportation of goods from the supplier.
  • Utility outage (e.g., electrical power outage)
  • Damage to, loss or corruption of information technology including voice and data communications, servers, computers, operating systems, applications, and data
  • Absenteeism of essential employees.

Procedure for Conducting a Business Impact Analysis:

  1. Define the Scope: Determine the boundaries and objectives of the BIA. Identify the critical business processes, systems, and resources that will be analyzed.
  2. Assemble the BIA Team: Form a cross-functional team comprising representatives from different departments, including key stakeholders, subject matter experts, and IT personnel.
  3. Identify Potential Disruptions: Brainstorm and document a comprehensive list of potential threats or events that could disrupt business operations. This may include natural disasters, cyberattacks, equipment failures, or supply chain disruptions.
  4. Assess Impacts: For each potential disruption, analyze the potential impacts on the critical business processes and resources. Consider the following areas:
    • Operational Impact: How will the disruption affect day-to-day business operations?
    • Financial Impact: What are the financial consequences, including revenue loss, increased expenses, or insurance claims?
    • Customer Impact: How will customers be affected? What are the potential reputational impacts?
    • Legal and Regulatory Impact: Are there any legal or regulatory requirements that may be impacted?
    • Employee Impact: What are the potential effects on employees, such as safety concerns, workload, or morale?
  5. Determine Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): Define the acceptable downtime and data loss limits for each critical business process or resource. This will help prioritize recovery efforts and allocate resources effectively.
  6. Identify Dependencies: Identify the dependencies between critical business processes, systems, and resources. This includes dependencies on suppliers, IT infrastructure, personnel, or other external factors.
  7. Document Findings: Compile all the information gathered during the analysis, including the identified risks, impacts, dependencies, and recovery objectives. Document these findings in a clear and organized manner.
  8. Review and Validate: Review the documented findings with the BIA team and other relevant stakeholders to ensure accuracy and completeness. Validate the findings against available data and industry best practices.
  9. Identify Mitigation Strategies: Based on the BIA findings, develop mitigation strategies to minimize the potential impacts of disruptions. This may include implementing redundant systems, backup processes, contingency plans, or alternative suppliers.
  10. Communicate and Document: Share the BIA report and its findings with key decision-makers, stakeholders, and relevant personnel. Maintain proper documentation of the BIA process and outcomes for future reference and updates.

Questions to Ask During a Business Impact Analysis:

  1. What are the critical business processes and resources that must be analyzed?
  2. What potential threats or events could disrupt these critical processes and resources?
  3. How would each potential disruption impact the day-to-day operations of the organization?
  4. What are the financial consequences of each disruption? Are there any revenue losses or increased expenses?
  5. How would customers be affected by each potential disruption? What are the potential reputational impacts?
  6. Are there any legal or regulatory requirements that may be impacted by the disruptions?
  7. What are the potential effects on employees, such as safety concerns, workload, or morale?
  8. What are the acceptable downtime limits for each critical process or resource (RTO)?
  9. What are the acceptable limits for data loss for each critical process or resource (RPO)?
  10. Are there any dependencies between critical processes, systems, or resources? If so, what are they?
  11. How can the organization minimize the potential impacts of disruptions? What mitigation strategies can be implemented?
  12. How can redundant systems, backup processes, or contingency plans be leveraged to ensure business continuity?
  13. Are there alternative suppliers or resources that can be used in case of disruptions?
  14. How can the organization communicate the BIA findings to

Shift-Left / DEVSECOPS / SDLC / SecureStack

HoneyPot Pipeline

1. Running a Cowrie ssh honeypot
2. Using Thug as a Javascript client honeypot
3. Running Snare/Tanner web honeypot
4. Running Opencanary a low interaction honeypot

Reference