Kevin Johnson and John Strand recently gave a presentation at RSA 2013 titled “Tactical Sec Ops: A Guide to Precision Security Operations.” Not surprisingly, this has been something that we’ve been talking about quite a bit internally. So much so that Secure Ideas will be teaching Tactical Security Ops at Black Hat USA. We initially started talking about tactical security ops because we’ve observed the reactions of some of our clients while we are doing penetration tests, or because we’ve found something that is fairly easy to catch and our client is surprised when we show it to them. As catchy as tactical security ops sounds, just what do we mean by it?
To me, tactical security ops is when our hands are on the keyboard and we are heads down doing the technical work which defending our organization requires. At those times we suspend reality (to an extent) and ignore security frameworks, long policy documents and meetings. It may be that you found something during log analysis that has triggered a deep dive into your environment. Or you are testing an application that was recently stumbled upon. Whatever it is that got us going, tactical security ops is where we need to bring our technical skills to bear on a particular issue or task.
One of the major things we can and must be doing is to frequently and consistently run an automated inventory of the systems and applications on our network. We need to have something that we can run at all hours of the day, every day, that will tell us what hosts we have, which hosts are new and which have disappeared. Gather as many identifying characteristics about the scanned systems as you can. IP address, hostname, operating system, and common network applications are some of the things we can and should be getting. We want to get used to what is normal in our environments and notice when something steps outside that normal baseline. For example, is it of interest to you when a Windows 7 workstation suddenly starts running SSH? How about a MySQL database appearing on your network? In fact, where did that database show up? Is its IP address a DHCP address? Is that normal?
There are a lot of other questions that could be asked based on your analysis. The point is that we can’t protect systems very well if we don’t know they are there. And we certainly want to know when something has gone rogue and isn’t supposed to be there. With some up-front effort we can set up scanning to gather this information, do so across large environments, and get it into a format that allows us to spot the outliers. We can detect and respond to these changes quickly, instead of when your pen tester tells you that he exploited a Windows 2000 system that you didn’t even know existed. Or worse, when a bad guy finds that system.
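As an added illustration of the baseline comparison described above (example code written for this post, not part of the Secure Ideas course material), the script below diffs two constructed inventory snapshots and flags exactly the kinds of outliers mentioned: a new host on a DHCP address running MySQL, a workstation that vanished, and a Windows 7 workstation that suddenly started answering on SSH. The CSV-like export format and the DHCP pool range are assumptions for the example.

```python
import ipaddress

# Constructed sample snapshots, in the shape a scheduled scan job might export:
# ip,hostname,os,service;service;...
BASELINE_CSV = """\
10.0.1.10,fileserver01,Windows Server 2012,445/smb;3389/rdp
10.0.1.55,ws-jdoe,Windows 7,445/smb
10.0.1.60,ws-asmith,Windows 7,445/smb
"""
CURRENT_CSV = """\
10.0.1.10,fileserver01,Windows Server 2012,445/smb;3389/rdp
10.0.1.55,ws-jdoe,Windows 7,445/smb;22/ssh
10.0.1.142,,Linux 2.6,3306/mysql
"""
# Assumed DHCP pool for this subnet (an assumption for the example).
DHCP_POOL = ipaddress.ip_network("10.0.1.128/25")

def parse_snapshot(text):
    """Return {ip: (hostname, os, set_of_services)} from the CSV-like export."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, hostname, os_name, services = line.split(",", 3)
        hosts[ip] = (hostname, os_name, set(filter(None, services.split(";"))))
    return hosts

def diff_inventory(baseline, current, dhcp_pool):
    """List what changed between two runs: hosts that appeared or vanished,
    OS fingerprints that changed, and services added or removed on known hosts."""
    by_ip = ipaddress.ip_address
    findings = []
    for ip in sorted(set(current) - set(baseline), key=by_ip):
        host, os_name, svcs = current[ip]
        addr = "DHCP" if by_ip(ip) in dhcp_pool else "static"
        findings.append(f"NEW HOST {ip} ({host or 'no hostname'}, {os_name}, {addr}): "
                        + ", ".join(sorted(svcs)))
    for ip in sorted(set(baseline) - set(current), key=by_ip):
        findings.append(f"GONE {ip} ({baseline[ip][0]})")
    for ip in sorted(set(baseline) & set(current), key=by_ip):
        b_host, b_os, b_svcs = baseline[ip]
        c_host, c_os, c_svcs = current[ip]
        if b_os != c_os:
            findings.append(f"OS CHANGE {ip} ({c_host}): {b_os} -> {c_os}")
        for svc in sorted(c_svcs - b_svcs):
            findings.append(f"NEW SERVICE {ip} ({c_host}, {c_os}): {svc}")
        for svc in sorted(b_svcs - c_svcs):
            findings.append(f"SERVICE GONE {ip} ({c_host}): {svc}")
    return findings
```

Running `diff_inventory(parse_snapshot(BASELINE_CSV), parse_snapshot(CURRENT_CSV), DHCP_POOL)` yields three findings: the new DHCP-addressed MySQL host, the missing ws-asmith workstation, and the new SSH service on ws-jdoe; feeding each day's scan export through the same comparison is what turns raw scan output into something you can act on.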
To that end, Secure Ideas will be teaching Tactical Security Ops at Black Hat USA 2013. This is a brand new course that we have created to help security pros and organizations to defend their environments. The class is extremely hands on and over 50% of it will be spent in lab time. In fact, the type of scanning described above is one of the labs we will be performing! Students will walk out with techniques that they can start using immediately. If you would like to attend, you can register for the class here. If you have any questions about the course, please let us know! We are extremely excited to present this course and provide our students with critical skills to be used and adapted in protecting their networks.
Jason Wood is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.