Table of Contents
In the business/self-help bestseller ‘The 7 Habits of Highly Effective People’, Stephen Covey Jr. defines a habit as ‘the intersection of knowledge (what to do), skill (how to do), and desire (want to do).’ Through repetition, dedication, and a constant drive for learning and improving, we develop constructive habits that can transform both our personal and professional lives.
To understand how cybersecurity professionals cultivate better habits, Lumu recently hosted a webinar in conjunction with the SANS Institute titled “7 Habits of Highly Effective Cybersecurity Operators.” The talk featured our own VP David Sylvester, alongside SANS Instructor Jorge Orchilles, CTO of SCYTHE and co-creator of the C2 Matrix project, and Evgeniy Kharam, VP, Cybersecurity Solution Architecture at Herjavec Group. What follows is a paraphrased recap of the key sections of the webinar.
Operationalize Existing Frameworks that Add Context
David Sylvester: 90% of our daily behavior boils down to our habits. In essence, they define us. So as cybersecurity operators, we better have good habits. Besides good habits, if we’ve learned anything over the past decade, effective cybersecurity operators must collaborate and learn from others who are facing the same challenges. This was the impetus that led to the creation of the MITRE ATT&CK® matrix, the globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Jorge Orchilles: ATT&CK is actually a common language. It allows the cyber threat intelligence team to understand how adversaries work, share that information with incident responders, the security operations center, and the blue and red teams—it’s a common language that we can all understand. But, while ATT&CK is a great place to start—and also a great tool for measuring where you stand—only known attacks that have been seen in the wild are going to be cataloged in the ATT&CK matrix.
Evgeniy Kharam: Reinforcing a routine into a habit takes time. It will take several weeks to codify these behaviors into a fixed and reliable program. It took some time for cybersecurity operators to get to the point where they’re regularly using ATT&CK but now it has become an indispensable common language. When I call someone and I want to explain something that happened, I can use ATT&CK because the moment I tell you that it happened on this step, you can understand right away. So time to resolution and understanding what happened has decreased drastically.
Advocate and Rely on Tools that Empower You and Your Team
EK: “Tools versus people” or tools in general is one of my favorite topics. Around 15 years ago we had antivirus, email security, firewalls and that was pretty much it. The SIEM came and now we have more than 150 to 200 different types of tools or vendors so it’s very hard to know, ‘do I really need this too?’ The broad embrace of security tools has created a new set of problems for security teams. Are they properly tuned? Are they collecting the information that they’re supposed to be collecting? Are people using them correctly? We cannot just deploy tools by themselves. They need to be connected and part of the entire technology stack to get a holistic view of an environment.
JO: I once worked for a large financial firm that had over 120 different cybersecurity tools in its portfolio! We need to stop buying new stuff and actually assess what percentage of these tools are actually being used. We test things in the lab and say we’re going to get 90% coverage of MITRE so let’s buy it. Then, through the engineering and implementation process, you end up using like 20% of the capability you’re paying for.
Use Internal Security Signals First
DS: Anyone who has spent time in the enterprise trenches can relate to the saying, ‘swimming in data, drowning for wisdom.’ Organizations have on average 18 intelligence sources that feed their security operations center and this surfeit of data all too often leads to an inability to take decisive action. The spambox is a great example of an overlooked internal signal that is too often an afterthought, which is why we tell customers to not just block the spam but use it to analyze how adversaries are targeting their email accounts.
JO: You have all this data already inside that we need to do a better job of leveraging and internal signals are a natural place to start.
EK: Internal data is key. There’s so much information available internally that security teams can use for threat intelligence. For instance, they can use the data from DNS and from their firewalls to better understand what’s happening inside the network.
Put Threat Intelligence to Work
DS: Anyone who has spent time in the enterprise trenches can relate to the saying, ‘swimming in data, drowning for wisdom” There’s no shortage of threat intelligence, and effective cybersecurity operators need to put it all to work
EK: Humans are simply not capable of looking at so many different locations. We need tools to help automate and aggregate the information so we can correlate it across different areas and sources. When we are able to put all that information on one screen, we are better able to make sense of it all.
JO: Cyber threat intelligence is both a process and a product. So what we call intelligence for your organization is going to be different for another organization. We have indicators of compromise that could be a domain, hash value, or IP. So all of these intelligence feeds need to be put to work because there’s no one size fits all solution.
Develop Threat Hunting Abilities
EK: You need to allocate a set amount of time each day to do threat hunting. The idea of doing this activity on a continuous basis is what really makes it an effective habit.
JO: I would suggest employing threat hunting playbooks such as the free Threat Hunter playbook developed by Roberto Rodriguez as a way to codify this practice into a daily habit. Ask yourself: “What are the top things going back to cyber threat intelligence? What are the top things most likely to attack you? See if you can create a playbook for that and go hunting. If you’re a SOC analyst, work with your manager and see if you can get at least an hour a day to do this.
Mitigation & Remediation: Don’t Skip Either
EK: Too many security teams focus their energies on treating a symptom rather than curing the disease. When you find a problem and you mitigated the problem, by say, closing a firewall rule, you cannot stop there as you haven’t actually found the source of the problem. Otherwise, you’re just going to be duct taping the problem. You need to understand if data left the environment, why it happened, and what was the intent of the malicious actors who are trying to get inside your network.
JO: I see mitigation and remediation as a difficult yet necessary part of the security lifecycle. We’re all working so hard and investing so much effort mitigating an incident that it’s only natural that many of us will just need to take a break when we’ve finally finished mitigating and then we’ve forgotten to document the lessons learned.
Consider Each Day as a Learning Opportunity
DS: The more you learn, the more you realize you don’t even know. Of course, effective cybersecurity operators need to find time for the pursuit of knowledge. And that’s half the battle.
EK: Podcasts are a great way to stay current with the latest information and strategies. First of all, the SANS podcast has amazing content and is released all the time, as well as our very own Security Architecture podcast which is also released quite frequently. I also suggest engaging in conversations on LinkedIn and using the site to ask and answer questions as well as joining some of the discussions that are happening on newer platforms such as Clubhouse.
JO: My daily reads include the Internet Storm Center and I would recommend the SANS News Bites newsletter which provides a twice-weekly summary of the key news stories happening around the industry. Though I am hesitant to admit it, if you follow the right people in InfoSec, Twitter is a great resource where you’ll find some really good blog posts and discussions. Follow the wrong people and it’s going to be a dumpster fire.
Watch the entire webinar and gain detailed insights for effective cybersecurity operators from David, Jorge, and Evgeniy.