WEBVTT

00:00:02.540 --> 00:00:05.160
And as long as we're talking about things that we all love,

00:00:05.190 --> 00:00:07.130
I of course have to bring up NIST.

00:00:07.140 --> 00:00:09.800
Who doesn't love them some Cybersecurity Framework?

00:00:09.800 --> 00:00:14.410
Not to be confused with the CSWF, or Cybersecurity Workforce Framework,

00:00:14.420 --> 00:00:19.290
which describes tasks, and knowledge, and abilities that people need to know,

00:00:19.290 --> 00:00:24.070
or understand, or be able to do associated with specific roles in cybersecurity.

00:00:24.740 --> 00:00:28.160
Instead, the CSF, or Cybersecurity Framework,

00:00:28.170 --> 00:00:31.280
is also from NIST, but not necessarily associated with NICE.

00:00:31.290 --> 00:00:33.960
So not all NIST is NICE, but all NICE is NIST.

00:00:33.970 --> 00:00:37.260
The point is that the Cybersecurity Framework is completely separate.

00:00:37.270 --> 00:00:41.660
It's a set of functions broken down into categories and subcategories.

00:00:41.840 --> 00:00:45.070
These are functions that you can see majorly reflected in the

00:00:45.070 --> 00:00:47.340
SmartArt wheel of security that I showed you earlier.

00:00:47.340 --> 00:00:50.000
Functions like identify and protect,

00:00:50.010 --> 00:00:52.310
which focus on identifying the security needs and

00:00:52.320 --> 00:00:55.910
implementing proper controls and administration of networks

00:00:55.910 --> 00:00:58.500
and services to ensure those needs are met.

00:00:58.500 --> 00:01:01.150
Though for the tools that we're going to be discussing,

00:01:01.160 --> 00:01:04.750
on the network or on the hosts, performing things like security monitoring,

00:01:04.750 --> 00:01:06.920
or threat hunting, or even incident response,

00:01:07.200 --> 00:01:11.580
those are most often going to fall into the detect and respond functions.

00:01:11.790 --> 00:01:12.580
For instance,

00:01:12.590 --> 00:01:15.820
for a network‑monitoring tool like Arkime, formerly Moloch,

00:01:15.830 --> 00:01:18.850
it would fall into the detect function, more specifically,

00:01:18.850 --> 00:01:22.820
into the category of security continuous monitoring and covers the

00:01:22.820 --> 00:01:25.460
subcategories requiring the monitoring of the network and the

00:01:25.460 --> 00:01:27.550
monitoring for unauthorized connections.

00:01:28.140 --> 00:01:28.900
In this way,

00:01:28.910 --> 00:01:32.230
you can look for functions that you're missing in your organization and match

00:01:32.230 --> 00:01:34.880
them with tools in this path that map to that function,

00:01:35.120 --> 00:01:37.250
or in some cases, check that compliance box,

00:01:37.250 --> 00:01:38.550
if you're into that kind of thing.

00:01:39.540 --> 00:01:43.080
And before I again bring you to the circle of security armor,

00:01:43.090 --> 00:01:46.560
in a way that I see it, let me first give you the original source.

00:01:46.940 --> 00:01:49.480
The NIST Cybersecurity Framework is conveniently

00:01:49.480 --> 00:01:54.260
located at www.nist.gov/cyberframework.

00:01:54.270 --> 00:01:56.620
There are loads of resources that you can explore on your own,

00:01:56.620 --> 00:02:01.040
but as you see here, this circle of security was not something that I made up.

00:02:01.050 --> 00:02:05.270
These functions, the same ones that we are mapping the tools and capabilities to,

00:02:05.440 --> 00:02:09.020
are the foundation of NIST's cybersecurity policy,

00:02:09.020 --> 00:02:12.120
fulfilling these functions continuously to achieve specific

00:02:12.120 --> 00:02:16.020
outcomes relative to improving your organization's security

00:02:16.020 --> 00:02:18.470
posture and reducing overall exposure.

00:02:19.140 --> 00:02:22.520
As much as I don't want to spend time just scrolling through a PDF with you,

00:02:22.520 --> 00:02:24.770
I have spent some time reading through these frameworks,

00:02:24.770 --> 00:02:27.320
and maybe that's some time that I can save you.

00:02:27.330 --> 00:02:29.060
So let me show you the highlights.

00:02:29.070 --> 00:02:32.620
This document provides a decent outline for how these functions or

00:02:32.620 --> 00:02:36.350
actions can be accomplished by connecting risk management and senior

00:02:36.350 --> 00:02:40.320
leadership with the business needs and the correct cybersecurity action to

00:02:40.320 --> 00:02:42.700
mitigate risks to those business needs.

00:02:43.140 --> 00:02:43.860
Now don't get me wrong,

00:02:43.860 --> 00:02:47.130
these are for sure technical hands‑on explanations of tools

00:02:47.130 --> 00:02:49.400
that are within this blue team tools path,

00:02:49.590 --> 00:02:53.240
but with enough information to relate the use of these tools directly

00:02:53.240 --> 00:02:55.860
to your business use case and company stakeholders.

00:02:56.340 --> 00:02:57.450
And one last note,

00:02:57.460 --> 00:03:00.340
as you explore the specific subcategories that are covered,

00:03:00.340 --> 00:03:03.260
the documentation also reveals references,

00:03:03.260 --> 00:03:06.920
controls, and standards that are also related to the relevant actions.

00:03:06.930 --> 00:03:09.330
So if you're a CIS or if you're an ISO shop,

00:03:09.340 --> 00:03:12.870
you can relate these functions to specific controls

00:03:12.870 --> 00:03:14.460
within those frameworks as well.

00:03:14.540 --> 00:03:16.840
Now that you have the official story from NIST,

00:03:16.850 --> 00:03:18.560
let's talk about what was missing.

00:03:19.040 --> 00:03:23.350
I really appreciate the perspective that the CSF brings to the way that you look

00:03:23.350 --> 00:03:27.530
at roles within your security org, but I'm not someone who is beholden to any

00:03:27.530 --> 00:03:31.070
one framework. And as far as this framework goes,

00:03:31.080 --> 00:03:33.530
it does leave out some really important components.

00:03:33.810 --> 00:03:34.200
First,

00:03:34.200 --> 00:03:36.490
it leaves out the requirement for those functions to

00:03:36.490 --> 00:03:38.550
be linked together to be effective,

00:03:39.040 --> 00:03:42.460
each with their own inputs and outputs that feed the continuous cycle.

00:03:42.840 --> 00:03:43.640
And second,

00:03:43.640 --> 00:03:46.390
there's no function covering the ever‑changing nature of the

00:03:46.390 --> 00:03:49.560
threat and how those threats, as they change,

00:03:49.570 --> 00:03:52.170
change where your limited resources should be focused.

00:03:52.740 --> 00:03:53.180
Also,

00:03:53.180 --> 00:03:55.730
there's nothing to check that those policies or recover

00:03:55.730 --> 00:03:57.360
activities were actually effective.

00:03:57.740 --> 00:04:01.330
That's where Intel in the center and the second‑third of the primary

00:04:01.330 --> 00:04:04.620
colors security game, emulation, or Red Teaming, comes in.

00:04:05.000 --> 00:04:07.780
These are functions that are equally important to the successful

00:04:07.780 --> 00:04:10.370
mitigation of risk to your organization's mission.

00:04:11.040 --> 00:04:13.730
But what framework governs this, and how can we use our

00:04:13.730 --> 00:04:17.040
understanding of threat actors' tactics to increase the

00:04:17.040 --> 00:04:19.170
efficacy of our blue team tools?

00:04:19.740 --> 00:04:23.710
Well first, let's talk about pyramids. These days, everybody's got a pyramid.

00:04:23.720 --> 00:04:26.340
There's pyramid schemes, there's ancient pyramids that may or

00:04:26.340 --> 00:04:29.300
may not have been cold‑fusion power sources, and for cyber

00:04:29.300 --> 00:04:31.860
security, we have our pyramid of pain.

00:04:32.540 --> 00:04:35.090
And though it sounds like some sort of out‑of‑control Mad Max

00:04:35.090 --> 00:04:37.580
death challenge in a post‑apocalyptic world,

00:04:37.590 --> 00:04:41.910
it's really about creating the security operation set of functions fed

00:04:41.910 --> 00:04:46.650
by Intel that leverage information to detect the bad guys. Depending on

00:04:46.650 --> 00:04:48.350
what type of information you're using,

00:04:48.360 --> 00:04:52.230
it can be easy or hard for these malfeasant individuals to

00:04:52.230 --> 00:04:54.660
bypass your detections or protections,

00:04:54.670 --> 00:04:58.260
and this is represented by the lowest level of the pyramid of pain.

00:04:58.840 --> 00:05:02.930
This metaphor works pretty well because the base is also wider, and

00:05:02.930 --> 00:05:06.990
information-wise, requires the largest dataset that's also the most

00:05:06.990 --> 00:05:10.780
volatile dataset to try and keep up. Now I talked about that

00:05:10.780 --> 00:05:12.830
before, the pace of innovation.

00:05:12.840 --> 00:05:15.970
You need to keep up with the adversary's pace of innovation, and one

00:05:15.970 --> 00:05:19.710
way to start to get ahead is by looking at TTPs,

00:05:19.740 --> 00:05:22.750
as opposed to things like hashes or IPs.

00:05:23.340 --> 00:05:26.140
When we're leveraging TTPs as indicators, or tactics,

00:05:26.140 --> 00:05:27.580
techniques, and procedures,

00:05:27.590 --> 00:05:31.490
you can develop behavioral detection for these techniques that will remain

00:05:31.490 --> 00:05:35.200
effective regardless of whether the attacker changes their IPs, domains,

00:05:35.210 --> 00:05:41.160
hashes, or other uniquely‑identified atomic IoCs, which stops you from having

00:05:41.160 --> 00:05:43.770
to play such a fast‑paced game of whack‑a‑mole.
