CSO Perspectives (Pro) 8.30.21
Ep 57 | 8.30.21

Adversary playbooks and cybersecurity first principles.


Rick Howard: Have you ever come across an idea to solve a thorny problem that was so crystal clear in your mind that it was such an obvious step to take to eliminate some obstacle that you just knew that as soon as people heard about it, adoption of it would be swift and unambiguous, and we would all move on to the next thing? And then later, you're shocked that the entire world hasn't followed your lead? Things like - oh, I don't know - don't iron the shirt while you're wearing it? Or how about, never draw out to an inside straight? Or from one of my favorite movies, "The Princess Bride," never get involved in a land war in Asia?


Wallace Shawn: (As Vizzini) Ha-ha, you fool. You fell victim to one of the classic blunders. The most famous is never get involved in a land war in Asia. But only slightly less well-known is this - never go in against a Sicilian when death is on the line (laughter). Or how about - just take the damn COVID-19 vaccine already? All right, and just one more - how about throwing 25 years of cybersecurity best practices out the window in favor of first principles? 

Rick Howard: Now, I've run across a lot of these ideas in my line of work, and I'm sure you do, too. And I've generated quite a few myself over the years. I've run global SOC operations for several companies in my career, and I've always asked my boss to move operations to Key West - you know, for reasons. But I refuse to give up on a couple of joint concepts that I helped develop a few years ago called proactive defense and adversary playbooks. They represent the idea that instead of attempting to block each individual tool that bad guys use to break into our networks, as the security practitioner's ultimate objective, we instead build proactive defensive plans designed specifically to defeat the goal of whatever the bad guys are trying to accomplish - you know, elevate our sights a bit. We do that by building adversary playbooks for all known adversary campaigns and use them to facilitate the automation of intelligence collection, intelligence sharing and distribution of prevention controls to our security stacks. So strap in. This is one of my favorite topics, and I can't wait to get started. 

Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: When I'm trying to learn something new, I find it useful to understand the history of the thing. It allows me to grasp why the idea exists, the changes made to the idea over time, and then I can understand why we are in the current state. Now, you may have noticed that in these CSOP shows, there's usually a mini history lesson tucked in somewhere. You know, and by the way, my friend Steve Winterfeld, the Akamai advisory CISO and regular guest at the CyberWire has table, he's told me time and again that he hates these history segments - as in, oh, I can't believe he's walking us through 20 years of cybersecurity history again. Well, Steve, just because I know it annoys you, this part's for you. 

Rick Howard: I was the Palo Alto Networks CSO from 2013 until 2019. One of the first tasks that the CEO, Mark McLaughlin, gave me was to build from scratch a public-facing intelligence organization that we eventually named Unit 42. The guy that I hired to run that organization is Ryan Olson, who is a very old friend of mine, a world-class threat intelligence mind and one of the best leaders I've had the pleasure of observing in my 30-year career. And as I've mentioned in previous essays and podcasts, the intelligence process is straightforward. You decide what intelligence questions you need answered, collect information that might help you answer those questions, create intelligence products that attempt to answer those intelligence questions with the information you collected and then seek feedback from your customers as to whether or not the answers were satisfactory. Rinse and repeat. It's not called the intelligence lifecycle for nothing. 

Rick Howard: As Ryan and I were deciding what Unit 42 was going to do, we had to describe in detail the intelligence questions that the new group was going to tackle. We quickly arrived at the concept of adversary playbooks. Although it took us many years to describe them in a way that wasn't confusing to the non-initiated, the general concept at a high level was a no-brainer. 

Rick Howard: Ryan and I are fans of the 2010 Lockheed Martin intrusion kill chain paper. It outlined a fundamental shift in defensive strategy. Before publication, most network defenders deployed a general-purpose defense-in-depth architecture that was passive. We installed common prevention and detection schemes that we designed to impact classes of attack tools, like specific malware or phishing techniques. We layered them in our architecture so that if the first tool deployed failed, for whatever reason, the second tool would kick in. If that one failed, then the third one would step in - on and on with turtles all the way down or until we ran out of tools. 

Rick Howard: By passive, I mean that the prevention controls deployed didn't focus on defeating any specific bad guy; they were general-purpose tools designed to defeat any adversary, like a fence that keeps everybody out, like an old firewall rule that blocks all ports except port 80, like blocking a common tool that many bad guys use like Mimikatz. We didn't actively design them to block any specific operators and the techniques that we knew they were using at every stage of the attack sequence. The genius of the kill chain paper was the realization that blocking general-purpose bad guy tools was not the defender's ultimate objective. Doing that is important, obviously, but the first-principle goal was to prevent the success of the adversary's campaign. 

Rick Howard: For over 20 years, the network defender community has been operating under a perceived conventional truism. As Peter Mackenzie and Tilly Travers, both from Sophos, described it in 2020 - quote, "the standard cybersecurity maxim is that defenders need to be right all the time, meaning that they have to block all of the bad guy tools, while an attacker only needs to be right once; in other words, use one tool that isn't blocked," unquote. 

Rick Howard: With the kill chain paper, the Lockheed Martin researchers flipped that maxim on its head. The typical adversary attack sequence might contain anywhere between 30 and 300 steps, depending on how complicated the campaign is. The attacker has to deploy each of those steps correctly and precisely. No mistakes can be made. If the defender can disrupt any of those steps, they have successfully broken or killed the intrusion sequence or intrusion chain. That makes it possible for defenders to design defensive plans specifically to prevent the success of known attack campaigns from the likes of the hacktivist group NetWorm, the cybercrime group APT40, the ransomware group BlackMatter or nation-state actors like Stone Panda from China, Cozy Bear from Russia, the Lazarus Group from North Korea, Charming Kitten from Iran and the Equation Group from the United States. You just don't deploy a prevention control for a newly discovered piece of malware. You deploy a series of controls designed to stop the entire attack sequence of a known adversary campaign. 

Rick Howard: This leverages the attackers' common practice of not replacing entire attack sequences when they improve their code. Typically, they upgrade a piece of it somewhere along the kill chain. The benefit to the defender is that even if the attacker installs something new that the defender had no protections for - like a zero-day exploit, for instance - the other defensive controls already deployed in other areas along the kill chain, like delivery, command and control, lateral movement and exfiltration, will prevent the success of the adversary campaign. Like I said, that was genius. 


Rick Howard: As Ryan and I were building Unit 42, we decided that the main question the team would be answering is what are the attack campaigns for all active bad guy groups? We called that collection of campaign intelligence Advisory Playbooks, and it was purely an effort to make the Palo Alto Networks product line more effective. As with other orchestration platforms from Checkpoint, Cisco and Fortinet, Palo Alto Networks offered a way to block cyberadversaries across multiple points on the intrusion kill chain. 

Rick Howard: The trick for Unit 42 was to establish the initial adversary playbook for all active campaigns, keep them up to date when changes happen and deploy them into the back-in Palo Alto Networks infrastructure that automatically creates permissive controls for the product line and delivers them to the customer in real time. Ryan and I quickly realized that even with a large intelligence team, doing this intelligence work manually was never going to cut it. We needed automation. 

Rick Howard: Now, about at the same time, the Fortinet CEO, Ken Xie, made a handshake deal with my boss to establish the first-ever ISAC, or information sharing and analysis center, for security vendors. That eventually turned into the Cyber Threat Alliance. Mark turned to me, handed me this dripping bag of chaos and distrust - because, you know, security vendor competitors are famous for loving each other - and told me, don't let this fail. 

Rick Howard: The members of the Cyber Threat Alliance decided to distinguish themselves from what other ISACs were sharing by rethinking the intelligence-sharing paradigm. Instead of sharing intelligence in formats like PDFs and spreadsheets that humans had to read, they instead agreed on a format for the security vendor community that facilitated the automation of every vendor's back-in architecture, their ability to create prevention and detection controls for their own products. The Cyber Threat Alliance agreed on a subset of STIX, or the structured threat information expression standard that had become the de facto format for the community to store threat intelligence. Ryan and his Unit 42 developers built the first beta version of the sharing platform, and later, Palo Alto Networks made it open source and gave it to the now-not-for-profit Cyber Threat Alliance. Since then, the Cyber Threat Alliance has evolved the platform to Version 2.X something, called Magellan. And the system of automatically sharing threat intelligence among security vendors has been running for several years now. 


Rick Howard: So just what is an adversary playbook? At a high level, an adversary playbook consists of several intelligence components. First, it represents an acknowledgment that cyberadversaries aren't robots. People are behind the design of each and every attack campaign trying to accomplish some goal. But an adversary playbook is not about attributing the campaigns to actual people or organizations. It's not important that we know that a specific attack sequence originated from the Russian general staff main intelligence directorate or GRU. It's interesting for sure. 

Rick Howard: But that kind of attribution doesn't help the commercial, academic and most government network defenders prevent the success of the campaign. I mean, what do you do with that information? That kind of attribution is best left to the government intelligence agencies, who might be able to determine it with some confidence and also do something with it once they do. For the rest of us, what is important is giving names like Fancy Bear to the group behind these observable and repeating patterns are not the same kinds of attack sequences that, say, Wicked Panda or Charming Kitten or the Lazarus Group uses. Sometimes, they overlap with a common tool, but the entire attack sequence is generally not the same. 

Rick Howard: Second, the adversary playbook recognizes that any particular group might run more than one campaign. As I said earlier, for the most part, adversary groups don't run completely distinct attack sequences. In other words, groups like Sandworm don't typically run Campaign 1 with a sequence like ABCDE and Campaign 2 with an entirely unique attack sequence like VFWXYZ. Campaign 2 is more likely to be ABZDE, with just a slight tweak to Campaign 1. This is not always true, but it's common. 

Rick Howard: Third, the Adversary Playbook uses a standard language to describe each step in the attack sequence to facilitate collection, sharing and prevention control distribution. At Unit 42 and the Cyber Threat Alliance, they have agreed to use the naming conventions and the MITRE ATT&CK framework and to store that intelligence with the STIX standard. 

Rick Howard: With that history behind us - by the way, you're welcome, Steve - you might be asking yourself, what's the current state of proactive defense and adversary playbooks? I'm so glad that you did. That shows that you're following along. I left Palo Alto Networks in 2019, and my influence over Unit 42 and the Cyber Threat Alliance stopped there. Before I left, Ryan and I published our current thinking of the proactive defense and adversary playbook concepts in a white paper published in the fall 2020 edition of the Cyber Defense Review distributed by the Army Cyber Institute. If I do say so myself, that paper is really good. There's a link to it in the program notes of this episode. 

Rick Howard: Unfortunately, the idea hasn't caught on. Palo Alto Networks has moved away from the idea and has never really implemented the concept in their products. Unit 42 still collects intelligence on adversary campaigns, but the Palo Alto Networks product set doesn't organize their threat protection against known adversaries. They still organize around blocking and detecting technical tools and techniques with less regard to what the adversary is doing across the kill chain. The same goes for the Cyber Threat Alliance. Members are required to share a minimum volume of intelligence every day and have a fully functioning automated sharing platform designed to collect and share adversary campaigns. But they mostly only share intrusion kill chain indicator of compromised artifacts with no relation to the adversary campaign - things like malware hashes and samples, URLs, IP addresses, ports, mutexes, email headers, plus other network traffic indicators. It's not a bad thing. It just stopped short of the original vision. 

Rick Howard: That also means that the Cyber Threat Alliance members haven't embraced the proactive defense adversary playbook model, either. Palo Alto Networks isn't the only one. Checkpoint, Cisco, Fortinet and the other 32 members are still doing it in the old passive defense-in-depth way. Don't get me wrong. Automated sharing between security vendors is still way better than every one of their collective customers trying to do it manually on their own. At least this way, each vendor is automatically generating product protections for their customers with this new shared intelligence. 

Rick Howard: Since you're listening to season six, episode seven of this podcast, you've probably already bought into the general idea that intrusion kill chain prevention is a viable first principle infosec strategy. You may not have deployed it yourself, but you see value in the proactive defense idea. It's one thing to agree to a principle, though. It's quite another to put it into practice. When Ryan and I started down this path in 2013, it took us a while just to get our heads around what needed to be done. And then it took even longer to build something close to what we needed. In the end, Adversary Playbooks may not be the perfect solution that we need for deploying an intrusion kill chain prevention strategy, but there is nothing else out there right now that can operate at scale. If you're looking to pursue this idea, Adversary Playbooks are the path. And the thing is we are so close to getting this into the community. It wouldn't take much to bump the security industry in this general direction. 

Rick Howard: So what can you do to help? Well, if you're like me and you want to draw your sword and tilt at this particular windmill like Don Quixote and Sancho Panza from the famous novel, it starts with you. Begin organizing your own threat intelligence around the idea of proactive defense and adversary playbooks. Don't bite off more than you can chew. Start with one adversary group, and work up from there. At the end of the day, you are looking for several working components. The first one is what are the controls deployed for every data island that you maintain designed to stop some cybercrime adversary group like FIN11? The second is automating the process of collecting new threat intelligence on FIN11. And have analysts regularly review the collection for the purpose of deploying new proactive controls. And finally, automate the process of deploying newly designed FIN11 controls to the security stack of every data island. 

Rick Howard: Once you get your own organization moving in this direction, the next thing to do is to focus on the security vendors that you use. They aren't going to come along on their own volition unless there is a consensus built with their customer base. Apply pressure on them. At every opportunity, ask them why they don't have this capability. They should be able to present to you from the products that you have installed from them a list of the security controls across the intrusion kill chain for the likes of NetWorm, APT40, BlackMatter and all of the nation-state groups, just to name a few. If you find a vendor that is leaning in the right direction, buy them and kick every other vendor out that refuses to even consider the idea. Also, pressure the vendors that supply your current security stack to join the Cyber Threat Alliance. Threaten to drop them if they don't. This makes the entire community safer. 

Rick Howard: Next, don't forget your industry's cyberintelligence-sharing organizations, the ISACs, information sharing and analysis centers and the ISAOs, information sharing and analysis organizations. Encourage them to build the automation that will allow them to share threat intelligence with other ISACs, similar to the Cyber Threat Alliance model. Better yet, encourage them to use the Cyber Threat Alliance as the hub for sharing between ISACs. I know. I know. We all have issues with helping vendors, but that's not what this is about. This is about deploying security controls around the world as fast as possible for any newly discovered threat. The vendors already have a way to do that for their customer base and their product set. We are choosing, as a group, to leverage that capability to help everybody out. 

Rick Howard: Finally, poke and prod your government security leaders and organizations to get with the plan. In the U.S., these are the key players - Jen Easterly, the CISA director, the Cybersecurity and Infrastructure Security Agency, General Paul Nakasone, the commander of the United States Cyber Command, director of the National Security Agency, or NSA, and chief of the Central Security Service, Anne Neuberger, deputy national security advisor for cyber and emerging technology and internal coordinator for President Biden's cyber-focused executive order and, finally, Chris Inglis, the national cyber director, the president's top cyber adviser and coordinator. At every opportunity, engage them and their respective organizations about this idea. Get them talking about it at a high level so that they can spread it around their circles. 


Rick Howard: Now, that's a lot. I know. But if, indeed, the intrusion kill chain prevention strategy is an infosec first principle - and you all know that I think it is - then the proactive defense adversary playbook idea can't be abandoned. As a community, we must embrace it or something like it or we will have left a giant opportunity on the table for reducing the probability of material impact to our organizations due to a cyberattack. For me personally, I really don't want to have one more of my crazy notions like moving to Key West put on the rubbish pile as another good idea, never executed. Do you think you can help me out? 


Rick Howard: And that's a wrap. Next week, we are on a one-week hiatus because of the Labor Day holiday. But the week after, I'm interviewing Ryan Olson on the direction that he and Palo Alto Networks have taken in terms of adversary playbooks after I left. You don't want to miss that. As always, if you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. The CyberWire "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening, and have a great Labor Day holiday.