Strategy 9: Communicate Clearly, Collaborate Often, Share Generously
Key Takeaways
The SANS Institute discusses the importance of communication in security incident response teams, focusing on Strategies of a World-Class Cyber Security Operations Center, specifically Strategy 9: Communicate Clearly, Collaborate Often, Share Generously, and introduces the SEC450 course on Blue Team Fundamentals
Full Transcript
this is the blueprint podcast bringing you the latest in cyber defense and security operations from top blue team leaders blueprint is brought to you by the Sans Institute and is hosted by Sans senior instructor John Hub and now here's your host John hubard hello everyone and welcome back to the blueprint podcast my name is John hubard and I'm your host and again with us uh for Maroon shirt day if you're watching on YouTube we have our we have our three amazing guest hosts uh Kat nurer ingred Parker and Carson simmerman uh in this episode what we're going to be talking about uh is communication uh last time we talked about kind of the tools of the sock and and more of the technology piece but there's a human part that comes into the sock as well right people process and technology and so this chapter uh chapter nine is going to bring us to talking about uh communicate clearly collaborate often and share generously and so um as we all know right when we're trying to communicate uh in normal life in business in all kind of respects often when there's a problem communication is the heart of that problem right so this is going to be something I'm sure that's going to be very very important for everyone to hear uh even though we're probably aren't going to be talking about packet captures and things like that right a whole different dimension that is equally as important to get correct so to start us off um who'd like to kick off with kind of a little bit of an intro to the section and why this was in the book so as we were outlining this version of the book you know you we were in rooms we had whiteboards we're putting up all of these different ideas and this and actually the the next strategy on metrics were two that just kept popping up in like oh well it could go here or it could go there or it's part of this and we realized that these were things um that are critically important to the sock and the sock success but they kind of transcend any one of the other strategies that we were looking at and we thought it was really important to just bring that out highlight it put some thought behind you know what do we think what have we experienced in this space and especially you know there was a point in time when socks were kind of relegated to the basement of an office and you never heard from them and you know if you said sock you know people thought of different compliance or they thought of what they put on with their tennis shoes or whatever like your your siso your CIO had no idea what you were talking about but the socks have really evolved they've come out we talked about this you know earlier in terms of like they're really a a business and a mission enabler at this point which means they are ideally having a seat at the table in more and more conversations with in your business across Industries you know with with other constituents everything else and so we really wanted to highlight all the different ways that the sock gets engaged within its own teams with other teams you know wherever you need to have that kind of presence and understanding of what the sock is so you mentioned giving the the sock a seat at the table um where do you think as a kind of industry and as a profession uh security teams are in 2023 in in terms of asking for that seat at the table and being able to communicate at the higher level with a board or with kind of the other sea Suite as compared to where we've been in the past I I'll I'll share a story I remember um a presentation I went to I think this is like Defcon in like 2008 and this this one person got up on the stage and it was the title of the presentation was all about industrial control system attacks and he's like and the whole presentation which was a half an hour was about all the things that like Rin and like someone thought a thing happened in one place no one's ever really actually seen an actual icsc an attack we're like well I think this is a problem but you know whoever knows when it's going to become news and like those days are so behind us none of us have to worry about um the SE Suite being a aware of security and aware of cyber threats rather I think a big piece of it has to do with how do we funnel that awareness towards something that benefits us and benefits who we're protecting that's my piece of this yeah and I think the communication shifted when it it we we started speaking some of the language of um Executives so when you start talking about reputations and money lost and revenue and intellectual property disappearing out of your um your business uh that's when it got the attention of exe Executives in several very large incidents that hit large companies um I think triggered some of that awareness for us unfortunately sometimes it takes a a large event to put us on the map so now we have the opportunity to use it as a platform for good right never let a good incident go to waste as they say that's right that's right so what I'm hearing is success is possible right in this because we have now the kind of credibility to say like hey this is a real problem we've all seen the headlines and all that sort of thing so when it comes to successful communication uh in this chapter and the way you you kind of broke it down I love the kind of way you broke it down into the various uh different aspects and ways of communication and then the groups that you're communicating with so you kind of got into uh who needs to be informed and how you going to collaborate and how are you going to share and then how is that going to happen within the sock and other Security Professionals uh inside org how is that going to happen with the constituency and how is that going to work with the greater cyber security community so I figure we'll kind of walk through each of those things um talking about the socks specifically uh where should we start with what are we looking to achieve with communication with maybe other analysts or managers or just the actual core security operations team yeah I I think you actually very nicely covered table 22 there with your introduction uh question and yeah so within the sock itself um that's certainly where you want to start with your information and informing so coming up with reports uh for each other so that you know what's going on and for your um folks above you um so your stakeholders and being able to brief uh out that's informing who these folks are and you know what's going on and then informing people of the broader community so it's more of a oneway you're informing people it's not as much of a two-way conversation the next category after informed is collaboration so that's where you work together on something so you're sending cyber threat intelligence um back and forth among your sock members this is where you might collaborate with other socks um and you know socks that are like you so if they're in the same business you are uh that's another one and then more broadly within the community so you know outside of uh all your organizations Al together because you can get some really interesting creative um ideas from other organizations um interestingly uh working outside of con constituency constituencies um you you will get competitors who will work with each other during an incident now which is I think over the last 10 years has been become more prevalent I think that uh when we're all being attacked by the same adversaries somehow competing for business and um you know Revenue becomes a little bit secondary during an incident so that's been pretty cool for security operations anyway and then the final uh area is sharing so just sharing sharing is caring and being able to provide your information um to others so that they can grow and learn so when mentoring staff within the sock you know helping them to grow along that's certainly where I am in my career now I I think this podcast is a a great example of that all of us are are giving back at this point and trying to share what we know um hopefully so people will take it and build on it and get better than we are right um yeah so those are the three oh car you gonna add to that yeah I was gonna I was gonna offer two points there one of them is um I would encourage the audience the readers to think about this space and we broke it down in table 22 here um both during a major incident and during what I'll plotly referred to as peacetime so think about your mental model in terms of communication collaboration sharing across the sock inside the sock with your stakeholders and with the brighter Community both in the context of during a major incident and then um you know not during a major incident um and that might that might make you think oh I hadn't thought of that um you know otherwise the other the other reason why we put this chapter where we did in the book actually goes right off of one of the last Things We Said in the previous strategy strategy and that is is don't let the sock become a black hole of data um it has a lot to offer others and one of the um messages we'll offer you during the strategy today is that the sock gains tremendous impact um and tremendous support when it democratizes um its its data estate yeah so if if we're going to get into like specifics on the way that the sock is getting that done um let's take the team switching over and and going to you a shift change over meeting right or like a daily standup kind of thing um starting there I think that's kind of the uh the informed section the very first part of table 22 uh passing from from the the sock to itself in One Direction as one set goes home and one goes in right um what are you thinking about in terms of uh socks that need to do a change over meeting what what kind of critical information are they needing to pass uh between them and between shifts to be effective I can talk about this um and actually this is another opportunity to talk about how my thinking has changed since 10 strategies um and one of the things that I expressed concerned about um veiled concerned but concerned nonetheless in 10 strategies was you know how do you effectively handoff cases from one analyst to a next in some kind of fall of the Sun situation which I think is a very good example to instruct us on on how we can do you know case handoff and there's a lot of context that goes into cases and um and in working those cases and and even that much more in a major incident in fact in major incidents in large uh organizations like Fortune 500s Etc um that incident response and investigation apparatus can be absolutely sprawling um and yield yield copious amounts of data and notes and queries and other such things in a very short period of time um so when I think about um handoff I actually do very much think that fall of the sun is possible whether you're doing it 22s or 38 or some other model that works for you um and there's two essential components that go into it one is a written record of you know how we got to where we are right now or at least the recent you know de velopments in terms of what what were the queries that went into what was done what were the data reproduced from that and what conclusions um have we drawn from that um in so doing I'll I'll quote I'll offer one of my favorite quotes in all of security operations actually came from colen Powell he used it many times and his quote was something to the effect of um tell me what you know tell me what you don't know tell me what you think make sure I know the difference and it's it's utterly uh critical for us to remember that and in the context of of shift pass down right Case Case hand over Etc um because people often get the muddled and then they get confused and and Badness ensues so the first piece is having all that written down in the second pieces warm handoff um I it is possible to do shift Handover in a way that is asynchronous meaning no handoff meeting and in in what I'll refer to as peace time that might be okay but during a major incident doing War handoff um from you know one fall the Sun to the next or from you know you know the folks who went home at the at the night in the night to the folks who showed up in the morning it's it's very important to ensure that stuff doesn't get dropped yeah so here's the thing about oh sorry so Carson you know is talking about very large organizations and and some of that so I wanted to highlight even when you're really tiny if you're one or two people that are doing incident response if you have an incident it is super important to communicate so that there isn't just one person who knows what's going on because I guarantee you're going to be hunted down in the middle of the night if you're the only one that knows something um you know just speaking for a friend um so really important to you know hand things off if it's a middle of the night you know even telling uh you know the security organization if there is one the overnight guards hey we got something going on shouldn't be anything um you know just call me if there's you know something really bad you know that kind of thing so you can even do a handoff uh a warm handoff so to speak with a non-cyber security organization if you're the only person um but no matter what you shouldn't be the only one that knows something I was thinking about you know shift change and passing information around and just keeping in mind that ideally you know you have a case management system or you have your sim or you have these other tools that are capturing a lot of this information that make it available to people what they need over time and you want to set your your meetings and your Communications up in this place to be really focused on what does somebody need to know that they can't get from those systems so is there a outstanding phone call that you're just waiting on a response from is there an anomaly like I was looking at this data and I haven't figured out what's going on with it can somebody go take a look at that is there a hey we're missing this data or we're waiting on you know Engineers to do something or whatever it is those are the things that think can be really impactful during these discussions because they're driving what does that next shift need to do rather than here's a history of all the stuff like hey we took care of this we closed it out it was a fishing email whatever else like that's not the place to spend the time because your systems ideally are going to be capturing that and so really think about how you can focus those meetings keep them pretty short because you know at the end of a shift people are just like they're done they're burnt they're ready to go they have they have other plans in mind and when you're just getting started you don't have all the context yet like you haven't logged in maybe you haven't like sat down and started to look at data so if you try and put too much on top of somebody they're like I eyes are GL glaze over they won't remember everything so try and keep them short try and keep them focused and try and talk about the exceptions rather than all of the things I think really really good advice you know looking for what your systems aren't going to tell you and how much you know how confident you are and the things you know how you got there all that stuff I love all of that um what about peace time as we call it right uh if there's nothing major going on on what is the sock talking or passing really to the next shift is it um situ situational awareness is it you know health of what's going on in the environment like what other kinds of info might otherwise be passed back and forth when there isn't a major problem there there is no sock that doesn't have stuff going on all the time because it's not it's always about how are you improving what intelligence came in today what uh what's going on with that latest engineering plan maybe you're trying to figure out hey we need to go write detectors for these new attack techniques like what's the status of projects comes up a lot of times if you're not maybe having a bunch of incidents that are coming in you're still I mean I've I personally have not worked on any sock where there aren't more projects going on than you possibly have time and people for and so all of those things are going to come up as well even if the actual alert queue was pretty quiet that day the sock is almost never quiet yeah um I was just going to suggest there's also something we we often call an Ops tempo for for a sock um and that can kind of lay out your communication strategy you would want to set that up during peace time right so having daily meetings I don't as ingred said I don't think I've ever worked in a sock where we didn't have daily meetings didn't always have incidents going on but we always had something going on and there's you want to know what the teams are working on so like a daily standup meeting like a 5 10 minute you know 15 minute whatever it is depends on the size of your organization just here's what's going on here's what we're working here are the major projects and these are the people doing them you know that kind of discussion to start the day because people then feel the context of what's going on the sock is it a very busy day is it a quiet day and we're just getting to do tools and build things and create scripts and do that kind of work or are we working an incident we we could probably have a whole uh blueprint episode just on how to do a good op standup um I'll offer a just a couple points um and also mentioned something in terms of a mediumsized sock having a pass down log um from shift to shift or dayto day is really helpful especially when you've got as we were saying just some things that are in your case tracking system but it's all the things that weren't that could go in your pass down log like I saw this weird thing you you should follow up on that it hasn't made a case yet um um Ops standups should be short um and if they're getting really long um one of the things to think about is is how do we break that up particularly if you're a bigger shop um or if they're really long why are they really long and should we be talking about some of those things in the different Forum on a on a different Cadence one of the other things to think about op standup is that it shouldn't just feel like everyone's talking to the sock manager though that is superficially true some of at least some of the time one of the ways to know you're doing a good op standup is that there are other people in the room who are like oh yeah that's like really important like oh thank you for that or whatever um that's how you know that it's or one of the ways you know how it's a lot of good tips and tricks in there one of the other things I was kind of thinking of uh looking for hints on is um you know everyone struggles with the the problem of of sock like tribal knowledge as we call it right uh how do we pass information forward and not backward in time unless you can figure out how to do that but forward into the future amongst people so when there's new team members and that new experienced person is left how do we make sure that the sock persistent memory right as you've have called it um some of those sorts of things is there any kind of system or tools or other kind of organization techniques you've seen work for that this goes back to whatever the tool is that everybody will log into anyway is going to be the right tool to use because if you try and create some elaborate Knowledge Management System and it's some place completely different that you have to go it's not going to be comfortable this is also a place where leadership can get really involved with expectations because if somebody discovers something you know or or figures out a new kind of query or whatever it is that you want to capture and there's not a level of accountability for actually then taking that and saying oh did you put that on this page did you put it in your Wiki did you put it on your blog did you put it in your Confluence page whatever it is it doesn't happen and and this is not a natural thing because the you know that Ops Tempo it's going to keep people moving hey there's the next thing so this has to be a kind of a culture-driven piece of it's really important and I'm going to give you the time to go document whatever it is you just discovered and the expectation when it comes to performance reviews everything else is did you document did you put it in there and try not to make that documentation something that's like oh you know so and so person you know does that really well so we're always going to have them go do it because then that person is going to get so frustrated like they might do it they might be okay like the first time and then the 20th time they're asked to do something they're like I can't say no but I really hate this so try and make it something that everybody does it's consistent it's just part of your routine basis and it's using whatever system you happen to have in place um that people are comfortable in um one thing that I find is we really try and have a place that's a more casual like you can just put something in and if honestly if you want to put a meme in if you want to put funky colors if you want to do whatever like it's much more of that graffiti board like just put something down and then people are just kind of like yeah this is a fun place I'm putting a set of notes and then you make sure that is not the place that your siso goes to look for information because you know you want it to be hey this is just our team is talking amongst yourselves and this is why in the the chapter the strategy we talk about the difference of the different pieces you want to communicate and what you want to do within your team and how you want to set that up and allow people to share that information is and should be different than when you need to formalize it and so you have to think about those different layers of you just want to capture something you just want to make it available who is going to have access to it what are they going to do with it how formal do you need to be and so all of that comes into play I'm gonna pile on um the answer to your question John succinctly and ingred was reading my mind as she often does uh is three-word standard operating procedures everyone in the sock must be accountable to both reading and writing them on a Cadence that will generally feel daily and I don't care who you are it I don't care how long you've been doing it or how senior you are I am reading or writing in sop almost daily and I've been doing this for 20 years um and the reason why that's the case is that there's too many different incident types and too many scenarios and too many old things for us to keep it all in our minds and you know we've got to write that down amongst other things to support not only you know people new people coming in people leaving um is also consistency and predictability in the organization and also to ensure that you know the operational principles promulgated by management are heard and understood and followed by people elsewhere so that we're all on the on the same page so updating Sops is something that should be Dem democratized it should not just be one person it shouldn't just be a quote unquote Tech writer it shouldn't just be a lead it should be literally everyone um and one of the other things and this becomes increasingly challenging as a sockets older sockets bigger um is having a designated place for the Sops that is not the same place you puked query yesterday um because when God help you you're searching for an sop you want just theop and not 3,762 different emails that someone dumped in a one note last year that's crazy man yeah like yeah and I I actually wanted to go back to your thing too you're talking about persisting um P persisting history which which I like um and I think that using our construct it's about sharing working with those people who are new um I think the sharing comes down to at least start start them on the incidents and the interesting things that have happened in the past and if you don't have any incidents that in itself is really very interesting right at this point of where we are um so you know bringing people up to speed and sharing ttps that we have how do we share with other folks and kind of just bringing them along um and how did we discover it because that's always the hardest part of any incident is how did we find it to be with you know and giving them tips on where do you find breadcrumbs and where do you look and how do I start if I'm looking for something malicious um so that sharing column is is where I would start with someone new part in particular yeah and that's a that's a great point if you go and look at that table we're we tried to give examples that were not only just written Communications but really talked about the fact that in this in this strategy we're thinking about this like how do you communicate during a meeting how do you Mentor somebody how do you you know go out do a podcast how do you do all these different things and that this is really about all those different forms of communications and all the different ways that you might want to document or engage with somebody and so certainly within your own sock especially that that mentorship that sharing piece that Katherine's talking about is huge and you need that both the hey I'm going to put it on paper so I don't lose it from my mind as well as the hey I'm G to talk to somebody and I'm going to work with them and I'm going to help them understand what's actually happening in the space beyond what a lot of different dimensions to consider right formality and usability and fun right you picture for with your keyboard cats and all sorts of fun stuff that you can throw in there um yeah I love all that right there's there's a lot of different jobs to be done and and each one of them kind of has its own spot and its own kind of optimized task in place that thing has to happen um good stuff uh what about communicating with other related security teams so like the CTI team right when the sock sees an incident obviously they got to get some information when they get some information they got to pass it to the sock and the IR team and everyone else and like pentesters and red teamers uh what are we thinking about for methods of communication with those types of teams we'll be back after a quick break if you're enjoying this episode then you're undoubtedly interested in building the strongest security operations team that you can for those who want to go even deeper did you know that Sans has not one but two courses that cover security operations centers as well for the leaders managers and directors out there my co-author Mark Orlando and I offer 551 building and leading security operations centers this course covers building your team your physical and virtual workspace getting the right data into your tools and then focusing on security priorities through everyday execution of important security tasks and building the best sock team possible for the technical practitioners out there my course SEC 450 blue team fundamentals security operations and Analysis is designed to cover everything you need to jump in being the best sock analyst that you can be we cover important data types sock tools security logs malware analysis technique Automation and much much more in addition if you want to prove you can deliver the best on any security team both courses have an accompanying certification available from gak that's the Gom for 551 and the GAC for 450 check out both courses and free demos available on the Sans website you can get registered today for an in-person course at one of our many events or go to on demand and take either class anywhere at your own pace thanks for listening okay this is is one of my very favorites I have lots of stories and I have feelings to go with Carson's I love Carson's I have feelings about this um cyber threat intelligence CTI and we talked about it in uh strategy 6 um that is one of those areas where people did not like to share for a very long time it was about I'm going to keep all my indicators and all my stuff to myself and the world just opened up when we all started sharing it you know didn't happen all that long ago might maybe 10 years Max of when we actually started sharing hey I saw this weird thing and it was because we we were having our lunch handed to us right so when we started comparing notes and and hey we got this thing we started putting together pictures um that we were all experiencing together and that's how we were you know able to track some of the aps is working across um various cyber threat intelligence and incident response because it would be two different groups sometimes you know so bringing those organizations together and including Counter Intelligence types of um folks so it was traditionally folks that didn't work together um before and they had different languages by the way so you're asking how do you summarize and what do you summarize um we're starting to come together well we're not starting we're coming together on language um when it when it's around incidents and we use ttps and we use what are the the motives uh you know what what are they trying to gain you know so we've adopted some intelligence kinds of things um you know what is an adversary looking at you know um yeah so over time uh We've shifted in how we share and who we share with especially when credit right that's been probably one of the biggest things like the attack has caught fire like crazy right and now we have a common language we have a common body of knowledge it's got groups it's got you know software it's got campaigns now right all that kind of stuff just makes it so much easier to like start out with this and have like a base of of stuff and and language to go off of and then let alone kind of work to as a community talk about how to evolve that that body of knowledge um as a Saka is working through an incident what are the types of things that need to be shared specifically between hey this incident just finished you know feeding back to a CTI team and then in the other direction to help the sock kind of catch stuff better the next time I'm going to offer a piece of this um you know when I think about CTI teams I think about them being inside the sock um so I would I would challenge the audience to think about the CTI team as a team that is with you during major incidents um in the sense and and that's for a lot of reasons I think about their analytic technique I think about their their data access um and I think about you know the way they talk about findings you know if we've got a major incident it's it's you know it involves a named or well attributed actor or in fact they were probably maybe the ones helping with the attribution um you know applying those same thoughts here um alongside the investigators the responders the triage analysts Etc I think is still very important um and I've I can't recall a major incident I'd ever been and where the Intel team wasn't alongside for that major incident even as close as the teams can be though it it is important to keep in mind that they they somewhat speak different languages and they have different intents for what they're trying to do and you know thinking about what are you passing back and forth you know if you're the sock you need to help the intelligence team actually know what you care about and the types of things that you want to be looking for because if they go off and they read an intelligence report that's analyzing a piece of mware and they're providing you you know all of this this information about what's happening at this low level and you're like we don't have a mware analyst on our team that's not the level we work at not important to us we can't capture that information like they're spending their time on something that's not as valuable um or if you don't have a particular piece of software in your environment and they're like oh my goodness this is happening and everybody cares about it and you're like and we don't because we don't run that um so it's really the sock can provide those kind of you know help with those intelligence requirements passing over what they actually are interested in what's happened before what they've seen the intelligence team can help characterize that and find new information to support it and then the intelligence team feeds that back in and says hey have you looked for this have you seen that this is something new that this particular adversary group do and then you work with them you create that cycle of oh so let's create a detector that can actually go look for that oh look we found this what else should we be looking for let's talk to the intelligence team how does this adversary group work okay well that's how that group works so let's go see if we can find this next thing and so it's really I think especially with CTI but even with um your engineering teams everything else it's an iterative Loop where you have to figure out how to have a continual cycle um and ideally how to do this at the lowest level possible I've seen some failures where um organizations say okay we don't want the analysts you know like taking their heads up or being uh you know bothered with having all these small conversations you know we're we're just have the managers talk to each other and they do a routine sync and they do something else but all the creativity and all the good ideas really comes from the different analyst teams or the analyst and the engineer teams or whatever working the things out and figuring out what they need to do to solve the problem um with just the manager saying okay how do we facilitate how do we make sure that we're going to meet goals how do we make sure that you know you've got what you need to do this and it doesn't you know devolve into okay somebody spent eight hours on a shift just chatting about whatever um but for the most part you want to just kind of get out of the way and let these teams talk to each other and create the space for them to be able to do that yeah and I I'll give a real concrete example we brought it up a little bit in the CTI chapter and that's around attribution if you talk to most security operations folks the one's doing in the incident response uh there is a tendency to want to just move on to the next thing um there's also a tendency with uh real nent organizations to play the wack-a-mole I'm just going to block this IP address and so we try to really encourage people to listen to intelligence and listen to other people so that you can get out in front of that whack-a-mole because otherwise you're just shutting stuff down blindly and you're not going to get anyone out of your networks and systems by just shutting things down so intelligence and that watching and that whole balance that we were talking about in some of our earlier um strategies um really comes to a head here with communication it's understanding that Intel has a different um a different Mission but they speak you know they're speaking about attribution they're trying to understand who the adversaries are why they're coming after you and anticipating a so can't really anticipate all by themselves because they just see what's already in the networks by definition all all the all the stuff that's in your systems in and Cloud um so yeah that's they have different missions and different reasons for being but communication is where they come together to bring different perspectives one of the things that that was said along the way there um that kind of caught my attention was ingred had mentioned you got to let the CTI team know what you want as the sock right but in the spirit of your collaborate piece here uh being a two-way Road uh I have not been a threat intelligence analyst and I know that some of you have sat in that chair much more seriously than I ever have for sure uh so from the CTI team perspective what do they want to receive from the sock uh and what's going to be like you know the desired format of that or the format of the question is there any kind of guidance there you can give people in a sock yeah so I would start so both teams the sock and the CTI need to know what's important to the business as we were talking about in strategy six so what are we protecting and where is it um the C CTI team needs to understand okay so you have this intellectual property and this kind of business here are similar things and similar adversaries that are going after in other businesses right so that's what they're looking to connect um the security folks can provide that CTI analyst with here's the kinds of things we're seeing here's the ttps we've had before so that's the kind of stuff um the the sock should be feeding to the CTI folks right so here's what it's looked like before here's what we found um threat hunting is kind of where this stuff comes together you know so threat Hunter has to understand both worlds yeah definitely that's that's one of those uh spots where it's like you're not using the the signatures that you already know or like oh that's the hash I'm looking for right it's like well they kind of do things like this we don't have that and so you got to lean on CTI for what to look for and then play a little bit of analyst to like dig through all the data yeah that's a that's a good call and kind of I had really thought about it like that before but that is kind of a middle ground between just reactive and uh purely kind of like the CTI piece of it so um yeah I like that uh yeah if I could add one more thing there it's what I've wanted when I've been on CTI times is feedback on the products the CTI team is giving to the sock that is the number one thing is the CTI te's feeling like oh I've I've written up this report was it too long was it too short did it have the right information am I hitting the mark are these the types of things you care about and if the sock just is kind of taking that and either just you know either doing something not doing something whatever but isn't providing that feedback on the product that's going to do you no good and so taking that time to actually sit down and say okay what did we like about this what were we able to use is there a different format you could put it in how could we make this more automated hey you know Pros doesn't really work for us hey if you could actually tell us the you know talk about the attack technique that went with this particular thing make sure that's included or not like whatever it is you need that feedback from the sock to the CTI team is critical to you actually improving the quality of what you can do with that CTI um I'd offer here um when as we're talking through this um people might be thinking about really long word documents or Google Documents or whatever that someone spends a lot of time polishing and putting pictures in and drawing pictures and blah blah blah and one of the things people and and and that all has its place I love WR reading myself a really good Intel report that's 50 pages long on my favorite actor um I would also challenge the audience to think about this I in the context of of uh of documents or things captured in another electronic form that are shorter turer a whole lot less finished and thrown together in a matter of minutes or perhaps a couple hours um and quickly thrown over the fence perhaps through some kind of tip in fact one of the ways to think about do you need a tip is if your sock is engaged in the kinds of conversations we've been describing over the last five minutes or so you probably need a tip and if it feels like you're writing 50 Page Long papers and throwing them over a brick wall and not getting a lot of interaction with them you might want to rethink your communication style yeah and one more thing since we're on the subject of collaborating with CTI and socks um I think the way I look at it is uh security operations are focused on the past it's stuff that's already happened it's already there somewhere we just have to find it CTI is focused on the future it's like what's going to happen what they want to ideally anticipate what could happen next it's a very very tough job if a CTI analyst is doing their their job but just think about it you know having a CTI analyst tell you what's already happening happened is is not as helpful as hey this group is coming after Banks and you're next you know that's useful right that's the ideal for collaboration between two um if we're expanding the circle uh Beyond kind of security teams and and talking about communicating either with the greater it organization or the business and constituency at large uh what are some of the things a security team in a sock however we kind of bound the sock because we kind of switch back and forth between saying is CTI part of it or not part of it security people the security group how do we need to uh uh what do we need to think about with communicating with the larger constituency I think you start with just what Does the Sock do what services does they offer you know way back when in the early strategies we were talking about you're going to create a charter you're going to talk about you know what the the scope of the sock responsibilities are and basically having that knowing if it's you know a formal service catalog if it's um just letting people know like what data you're collecting uh what are the likelihood of you know they're going to be involved with an incident all of those types of things you really want to start establishing the what Does the Sock do for the constituency and communicating that so know what to expect if they get a call from you and so really it's it's start there and then you can build to talking about you know okay so what's new what's changed what should you know about the environment you know where have we got but it starts really simply with just once you start leaving the security teams although people are much more cybercity savy than they were five years 10 years ago 20 years ago whatever it was um many of them still don't know what we actually do and so you have to educate your community on what the sock doese yeah yeah my my goal in communicating to non-security people is not to have them look at me like I'm the Grim Reaper every time I come you know their way they're like oh something is definitely wrong and the way to to counter that is to communicate when during peace time as we were saying earlier you know uh make your make your way outside of the dark rooms and go and talk and you know just kind of talk to people figure out what's important to you what are you doing you know that have a different kind of relationship than just the Grim Reaper something's wrong I'll offer three short comments here one of them is I will never forget you know walking calling somebody walking in somebody's office whatever vo calling them Etc and and saying you know you're who you're from and like you know why are you talking to them it's like people just love it when they when you tell them that they have to back away from their computer they're not getting anything more done that afternoon they're just absolutely thrilled just kidding um so that I've still got that ringing through my mind um you know Ang's absolutely right um you know having that what who are we what do we do kind of 45 minute half hour whatever it is to help people understand um and what value is the sock bringing um love doing those briefings love keeping them fresh um the the sock should tie into the annual cyber security training for the constituency so that people know you know what button to smash when they think they've got a span or a fish or whatever um that's a big piece and having them being able to go to that front door where they can understand you know when and why to contact the sock whether they're ordinary users or major system owners or what have you um and then following all of that um for a much smaller segment of the constituency that are kind of what I'll refer to as high needs users High needs Services High needs stakeholders um I think about much more routine um contact around some of the things the sock is doing which we can talk about whenever you're ready so the uh the thing I'm thinking here along with this is with the Grim Reaper talk is uh any specific tactics or or things that you've seen used uh to give feedback to users when they're doing well right A lot of times it's either they show up with bad news right the security team does or the average user is like yeah it's the sock I hit the button and they're the people that get it but like I don't really know if I'm doing it right right um how do we use the carrot and not only the stick is maybe another way of asking that question yeah I mean one of the simplest things is you know I've worked at a couple places where we've had hey you've got the button built into to your email oh I think this is Spam I think this is whatever and make sure you've got a response to it you know make sure that you give even just that automated thank you for sending this this is the next set of actions we're going to take and it's an opportunity to also educate and you can provide a little bit more information like if you also see this or you see something else you could do XYZ and then if you do find something you know it's okay to pick up the phone and call somebody and actually say Hey you submitted this I had a couple questions about it and okay that's great thank you very much and then you you move on and so those kinds of just quick touch Point Communications you're not going to do that with everybody in your constituency but that person is going to say oh yeah you know they're you know if they're in person or they're on slack or they're doing whatever they're going to talk to their friends and say just say oh yeah you know I reached out to security and they actually got in touch with me or something so it's making sure that you aren't that black hole anytime that person has a reason to call you text you email you drop you a message in your you know platform of choice that there is some sort of response that acknowledges what they thank you for the time and here's what you can expect from us either you're not going to hear from us again or you will from hear from us and this is the time frame and this is what we might also need so just really making that very clear can be really helpful yeah and when you have really Limited resources uh you'll have things there's this phenomena called uh sock fans uh you get little uh you got some of your users are real fans of security they just really want to be deputed deputized so I'm always a fan of okay deputize them you know and they'll be those folks that you know report like you know couple times a week at least right hey I found this thing and so certainly giving those kinds of folks a little bit of attention is is a good thing and and rewarding them for that it's like yeah look hey we we took what you said you know whether we knew it or not you know and kind of bringing them along on the journey with you um it's a way of expanding your sock too a little bit you know and using some of these power users I I want to make a comment um on something ingred said before we dive into sock fans um there's there's another by the way I'm a big fan of of of deputizing sock fans domain uh you should um unless Katherine gets it first um one of the other opportunities is following or even um before it's over any major incident where the sock engages a system or service owner and the system or service owner shows both fellowship and genuinely helping the sock you know you know bottom out on an investigation or effectuate a a good response or you know gain the right context they need to do either so on and so forth um uh praising uh those stakeholders can go a long way I and it's easy to forget which is why I call it out yeah especially as you are um preparing Communications to go up and so maybe you're talking to you know aiso to the board to e to whoever it is see sweet um making sure that you talk about the Partnerships and the people that brought in and the kind of support that they gave um really goes a long way to making sure that people feel like they are appreciated for the the time that they spent working loves you know recognition for uh having helped out and like especially with something that significant right um there there's nothing to lose by calling out people and say this person was a huge help they were a team player along the entire route right that's that's nothing but wins all around um in terms of uh going towards like communication with leadership specifically Beyond just the the general everyone in the constituency uh we talked about getting a seat at the table the fact that we have earned that seat at the well I don't know if earned is the word or need it regard L right I think that it's a security podcast we've earned the seat at the table and therefore when we sit down in that seat uh and maybe have you know whether we call it a steering committee meeting sometimes people use that term or other kind of you know hey business what are you doing we're the sock how can we help kind of conversations uh what are we talking about in those conversations like is there any kind of guiding questions that you can give to uh people or other kind of advice think about recognize that those conversations need to be different than the ones you have internally and that when you start talking about the business you're going to be talking about risk you're really going to be thinking about you know can that o
Original Description
"Research has shown that communication is one of the most important factors for success in security incident response teams. In this chapter, the authors discuss the critical types of information that must be shared within the SOC, with the constituency, and with the greater cybersecurity community.
SANS Cyber Defense Discord Invite - sansurl.com/cyber-defense-discord
This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman.
Support for the Blueprint podcast comes from the SANS Institute.
If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals.
This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career.
Check out the details at sansurl.com/450 Hope to see you in class!
Contact, Courses, and More:
For feedback, reviews, guest pitches, or to get in contact with me for any other reason, head to blueprintpodcast.live (https://blueprintpodcast.live/) !
Check out John's SOC Training Courses for SOC Analysts and Leaders:
• SEC450: SOC Analyst Training - Applied Skills for Cyber Defense Operations (https://sans.org/sec450)
• LDR551: Building and Leader Security Operations Centers (https://sans.org/ldr551)
Follow and Connect with John: LinkedIn (https://www.linkedin.com/in/johnlhubbard/)
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from SANS Institute · SANS Institute · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
SANS NetWars
SANS Institute
SANS DFIR NetWars
SANS Institute
Hack The Drone - SANS Cyber Academy UK
SANS Institute
SANS VetSuccess Immersion Academy
SANS Institute
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
The 2015 SANS Holiday Hack Challenge
SANS Institute
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
SANS VetSuccess Academy Overview
SANS Institute
SANS ICS Security Summit & Training 2017
SANS Institute
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
WannaCry recap, patches, and analysis
SANS Institute
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
SANS Data Breach Summit & Training 2017
SANS Institute
SANS Secure DevOps Summit & Training 2017
SANS Institute
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
SANS Institute
SANS Institute
ICS515: ICS Active Defense and Incident Response
SANS Institute
SANS Institute
SANS Institute
Introducing the NEW SANS Pen Test Poster
SANS Institute
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
SANS ICS Security Training, Munich, Germany
SANS Institute
SANS Automotive Summit Webcast
SANS Institute
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
SANS Security Operations Summit & Training 2018
SANS Institute
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
A Sneak Peak at the New ICS410
SANS Institute
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
Introduction to Linux
SANS Institute
Introduction to Malware Analysis
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
SANS Webcast - Zero Trust Architecture
SANS Institute
SANS STX Cyber Range
SANS Institute
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
Auto-Fix is not the Problem. The Signal is the Problem.
Dev.to AI
Card Testing Fraud: How the $1 Charge Storm Works and How to Stop It
Dev.to · ABDULLAH AFZAL
Understanding CORS Preflight Requests
Dev.to · Alireza Hassankhani
Reproduce an OAuth Refresh-Token Rotation Race With Two Requests
Dev.to · jaryn
🎓
Tutor Explanation
DeepCamp AI