Oh Noes!

Security is not a game. It just shares a lot in common with certain games. Oh Noes, as an incident response RPG, highlights that and makes great use of it.

I put a lot of my security knowledge down to being a heavy user of games. This includes both tabletop RPGs and board games. Social deduction and storytelling games provide practice dealing with people and presenting. Strategy games give a chance to spot and exploit system weaknesses. Others provide a myriad of other useful skills.

For another project for 2020 I’m going to pick out some which are directly or peripherally useful to a cyber security professional – whether for awareness building, threat modelling, or for useful skills development.

Oh Noes is probably one of the most directly related to security that I have come across, and I strongly recommend it. It’s also free, which is always helpful.

Inspired by a mix of classical tabletop RPGs and incident response exercises, Oh Noes! is a thin (but effective) layer of gamification over a tabletop incident response exercise. No matter how useful and enjoyable they are (at least I enjoy them), tabletop IR exercises are often seen as a tedious mandatory exercise rather than a chance to prepare and try out security. Wrapping a layer of gamification and entertainment around them is a good way to push engagement and more regular sessions. The game itself recommends quarterly rather than annual. With the right Incident Master and company culture, regular Wednesday pizza and gaming sessions might happen.

At the very least it’s a new take on normal IR planning and is worth a shot. It’s published free by Expel, along with some handouts and a few scenarios to begin with. The first few sessions should be run by someone with a bit of experience running tabletop RPGs (as well as an understanding of IR and the company) to get the full experience.

Genre: business, security
Subjects: game, incident response, security, threat modeling, training

Intercept: The Secret History of Computers and Spies

I needed a break from textbooks recently, so picked up Intercept by Gordon Corera for a relaxed, light read. Covering the origins of ‘computers’ in espionage back during the First World War, through to major attacks of the last few years, Gordon covers the topic objectively and with enough depth to be informative without overwhelming a more casual reader.

Going from the First World War, through Bletchley, the Cold War, national corporate espionage, and the beginnings of genuine cyber warfare involving known damage to infrastructure, Intercept provides a narrative framework for the parallel development of computer espionage with computers themselves – as well as asking interesting questions about the meaning of espionage in our new information age. There’s a sizeable mention of Cliff Stoll’s adventures as well, which provides a lot of wider context around the Cuckoo’s Egg.

Definitely an easy read, written in a light, narrative style while still managing to avoid imposing moral judgments on the decisions taken – simply examining their effects and consequences. One to take on the beach or out to the park, or just to sit and read on the train. Recommended especially to anyone interested in the history of computer espionage through the 20th century to today.

Genre: computer, espionage, history, security
Subjects: computer espionage, history, security

The Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage by Cliff Stoll

Every now and then I’ll read a book which I add to my library on the history of security. The Cuckoo’s Egg by Cliff Stoll has definitely earned its place among them. Well written for a non-technical audience, with enough detail for those of a more technical leaning to fill in the gaps, it’s a great read.

The story runs from the initial discovery from an accounting error down to an intruder’s unfamiliarity with software, through over a year of careful and methodical tracking, monitoring, and running headlong into bureaucratic brick walls (which may be familiar to some), to a dramatic climax. Throughout, Stoll gives a very personal, first-hand account of the hunt, the effect that being a computer security expert can have on your life (early morning calls may bring back bad memories for some), and the way that looking into security deeply enough brings about the realisation that while it is a solution, and is needed, the need for openness cannot be overstated.

Especially interesting are the principles which Stoll details during his chase of the spy, all of which are in use in some form today. Of course, the criticism of certain agencies only ever taking in information and not sharing it, to the detriment of innocents, is a political position that many would agree with even now – particularly given some recent leaks of vulnerability stockpiles.

If you’re looking for a security read for the beach (or, more appropriately at this time of year, in front of the fireplace with a hot, alcoholic drink) then this is definitely one to grab. And if you’re looking for a Christmas present for your security-aware and/or professionally paranoid friends or family then I cannot recommend The Cuckoo’s Egg highly enough.

Genre: autobiography, computer, espionage, security
Subjects: autobiography, computer espionage, counter-espionage, security

Threat Modeling: Designing for Security

I first read Shostack’s Threat Modeling some time ago and have tried to use the lessons since. Recently though it’s been recommended as reading for the MSc course, so I picked up my much-notated and dog-eared copy for another run through with fresh eyes.

Threat Modeling Fundamentals

Before I go into the book itself I am going to talk a little about threat modeling as a concept, and its value. Even if you do not go as far as using a formal methodology, are not looking at technical threats, or even have nothing to do with security in your company I highly recommend trying to use at least the basics of threat modeling. The simple idea behind it all is that when you are developing, planning or building something you should consider the threats – which are not the same as risks. A lot of attempted risk management takes place in the absence of consideration of threats, and (from experience) often without considering vulnerabilities. Risks arise from the combination of a threat and a vulnerability – the threat is a factor outside of your control. The vulnerability is something you can mitigate or even remediate.

The fundamental of threat modeling is to look at the threats to any endeavour, consider them carefully against vulnerabilities which exist in that endeavour (often because a threat hasn’t been considered) and manage the risks that arise, either by closing down vulnerabilities or simply accepting any residual risk. There are plenty of formal methodologies out there, as well as a few games, but to begin with, the principles are the important bit, and a lot of the security awareness training I do works around teaching people how to build some sort of threat model before anything else.

The Book

Shostack’s book is not the only one available on threat modeling, but it is considered by many to be the most important. It’s an enjoyable read in and of itself, and can even be read cover to cover if you’re interested in the subject matter (the writing style is helpful here, friendly and engaging). It also works well as a reference book to dig into when you’re trying to teach, learn or do a threat model. It works up from the fundamentals to the structured approaches of threat modeling, covering Microsoft’s STRIDE methodology, looking into attack trees and libraries, and advancing smoothly throughout. I’d highly recommend this to anyone who wants to make use of threat modeling as well as those who need a good reference work on the subject.

Genre: business, security
Subjects: threat modeling

Confidential: Business Secrets – Getting Theirs, Keeping Yours

Not exactly a traditional information security book, Confidential by John Nolan is definitely one I would recommend to anyone on the protective/intelligence side of cyber. You won’t get details of different ways to breach technical systems or develop IoCs for your SIEM – but there are so many tomes on those subjects.

What Confidential does do exceptionally well, aside from providing a comfortable and entertaining read, is address the human side of things. While most of us in cyber are unlikely to encounter industrial espionage (hopefully), social engineering is a common attack vector and Confidential covers it more thoroughly than most.

The first third of the book focuses on what should be a familiar topic – elicitation of information from human sources – which is always useful to read about. If you have a threat intel team working to actively collect intelligence then this really should be in their office library. Covering a dozen elicitation techniques in reasonable depth gives anyone an effective starter toolbox, and the base knowledge to go out and find more specialist tools as needed.

Part two focuses on source identification – while this is most likely the least relevant of the sections, I would still highly recommend reading it, especially if your cyber department has any ties to a competitive intelligence/counter-intelligence function or any responsibility for training staff in not giving away the crown jewels at conference bars and networking events.

There is a wealth of knowledge here which, with a little imagination, can be applied to finding human vulnerabilities inside (and outside) the company, profiling and identifying threat actors and groups, and piecing together snippets of information to better understand competitors.

“…the internet is perhaps the single fastest, most economical and wide-ranging source-identification and development means available.”

The third and final section is probably the most useful in cyber – though I recommend reading the whole book through both to provide context and because it is a very enjoyable read. The third section covers protecting your information and trade secrets – again from a very human rather than technical standpoint – but almost everyone in cyber is well aware that most vulnerabilities boil down to people rather than technology (or at least the easiest ones to exploit). Given the opportunity, I would be making this section mandatory reading for everyone in a company – and passing it out to suppliers and partners. Along with Kevin Mitnick’s Art of Deception, this is definitely one of the simplest ways to teach people about both threats and defence.

The appendices are worth a read in their own right and provide supplementary material on each of the sections as well as a brief discussion on the ethics of competitive intelligence, and some sample paperwork which, with a little work, would be very useful for your threat intel knowledgebase.

“…no matter how abrasive one’s boss or business rival, it’s also highly undesirable to try and plant explosive-laden cigars or poisonous doughnuts in front of them.”

My own copy of the book is now stuffed full of notes, markers and highlighted passages where I have found something either interesting, valuable, or just entertaining. It is written casually rather than as an academic textbook and is a very comfortable read over a cup (or several) of coffee – though there may be the occasional sideways glance if you leave the dust cover on. With side boxes running through the author’s experiences from the governmental intelligence world and contrasting the two, short snippets from cases worked on, and of course annotated extracts from Arthur Conan Doyle’s Sherlock Holmes (definitely worth a read – I’ll be going through my own copy with a fine-toothed comb after this), I would recommend that anyone in cyber, and certainly in Intel, grab one of the copies available and dive in.

Genre: business, security
Subjects: competitive intelligence, elicitation