CERT-EE Symposium, Tallinn, May 30th 2016.Extended version, updated June 5th.
I will try to give meaning to
the phrase tactical response.
The talk is based on my personal experience,
and expresses my personal views on the matter.
The first slide said
And it is. It's quite long.(Pushing past a 100 slides...)
Tactical response addresses the
attackers, and their missions and goals.
Not just their tools and infrastructure.
A.k.a. "Uh, tactical...?"
exists in a continuum of different layers
of abstraction, scope and purpose.
At the tactical level we think in
terms of single attacks and incidents.
Of single or sequences of engagements.
At the tactical level you are aware
that you have an intelligent and
A tactical response is the
when you suspect a targeted
attack with an unknown scope.
Way too many organizations only ever
respond in the technical domain.
Like re-imaging computers and
blocking IPs, domains and hashes.
And only that.
During a mainly
there is little or no acknowledgement,
awareness or focus on the opponent.
But if all you see are technical
artifacts, like shoes and tracks...
...you are missing something important.
The shadows in the back.
The guys wearing the shoes.
The result oriented and
mission driven attackers.
in your networks...
...with your data as
Responding at the technical
level is challenging enough.
But we need a lot more to
be effective as responders.
When the scope is unknown we need to
go beyond a purely technical response.
Any mature response capability
must at the very least be able
to respond at the tactical level.
So what is
Wasting attacker time with a honeypot.
Sabotaging their exfil channel...
...but nothing else.
Or feeding them bogus data.
Or deceiving them in other ways.
It's focusing your efforts on effectively
stopping adversaries from achieving
their mission objectives.
While managing the fallout.(Involve the right people...)
While limiting your risk exposure.(Don't let them steal your crown jewels...)
While keeping a keen eye
on your operational security.
As you scope the incident and plan how to
of the attacker once the scope
is known and the plan is ready.
What it's not is
computers they have compromised.
as part of your response
capability is also important.
Using threat group campaign analysis to inform
your IR is a form of operational response.
Or perhaps it's more a kind
of operational preparedness?
So is tracking threat group activity and specifically
hunt for them when they seem to be extra active.
When you know their spear-phishing cycle is three
weeks, you can use that in responding to that threat.
Operational response is responding to the
as a whole, not just the particular
attacks you detect against yourself.
Looking beyond single incidents to
will most likely strengthen your abiliy
to prepare, detect and respond.
To me, the much talked about
is a form of operational response.
Hopefully this way of
framing it made the concept of
a bit clearer and more tangible.
Should you happen to disagree
I would love to hear from you.
Describe the strategic
and political levels.
CSIRTs are analysis driven response units.
So we need analytical models.
is a CSIRT adaptation of
the intelligence process.
Created to help plan
our analysis capability.
And to help you to get
from data to wisdom.
So we can get past a pure
Data is a digital blob.
Information are lists of
nodes and attributes.
Knowledge is said information
with relationships in a graph.
Insight is a contextualized
network of knowledge graphs.
Wisdom is knowing how to use it.
is meant to help you organize your
analytical efforts to gain insight.
Then with experience you can gain wisdom.
Technical analysis extracts
needed information from data.
Like extracting CC domains
and IPs from a piece of malware.
Integration of other sources
brings in information and
knowledge from outside the CSIRT.
Like a network diagram from operations.
Or a set of indicators related
to the threat group you hunt
from a fellow secret squirrel.
Tactical analysis is piecing
together the knowledge graph
explaining what the attacker
is doing in your network.
Like explaining how they breached
A, pivoted to B, logged into C,
dumped X and exfil'd it via D.
using techniques i, n and m.
Operational analysis is learning
more about the attacker's entire
operation, across both your
incidents and those of others.
Like piecing together that your
incidents A, D and Y relates to
some external incidents k and p
and is likely threat group 42.
Strategic analysis is figuring
out why the attacker is running
their operations and which risks
they expose your organization to.
Like figuring out that APT1
is exposing you to the risk of
IP theft and competition from
the benefacting Chinese companies.
So which questions should
your CSIRT be answering?
Which decisions and
actions do you want your
to enable and support?
These are questions every
should ask themselves.
isn't how CSIRTs work.
Because incident response
mostly isn't transitioning
between clear cut phases.
Because incident response
is better modelled as a set
of interacting loops.
And here's one:
A.k.a. the CSIRT circle of life.
It depicts the smallest possible loop
a CSIRT can operate and still deliver
Explaining the model in more detail.(I will probably do this later.)
Any severe incident
needs a CORE IR TEAM.
The information manager fights the
inevitable information overload.
The tactical analyst figures out
what the adversary's mission is.
The coordinator is the IR process owner.
In my experience these roles are not optional
if you want to go beyond technical response.
They are essential.
And require different
mindsets and skill sets.
These are the guys that will run
that will enable tactical response.(More on that in a bit.)
The CORE IR TEAM
obviously needs support.
These guys support the core
team in any way they can.
Describe the support needed from
the Situational Awareness Team,
the Detection Development Team
and the Security Monitoring Team.
Fighting your adversaries.
We are operating in a time
constrained, adversarial context.
Hence the OODA loop.
A model for understanding your
interaction with your adversaries.
Look for data gaps
and wasted time.
Attack your attacker's OODA loop.
Be smarter. Be faster.
Explain the model better.
In the meantime, read up on
John Boyd and the OODA loop.
To engage your adversaries and
not just their infrastructure