The Fog of War in Incident Response Awareness

The case for cyber ranges – Part 2

In my previous blog post, I told you why you need continuous, hands-on security training to be prepared for a cyber incident. Let me tell you the story of a security team that was caught off guard…

But first, The Fog of War. This was actually the title of a pretty interesting Academy Award-winning documentary film about Robert McNamara, who served as the Defense Secretary in the Kennedy and Johnson administrations. We all know that the Vietnam War was at its height and the title of this film was perfect for the time. However, we can relate the term Fog of War (FoW) to network security as well.

The definition of the FoW is "the uncertainty in situational awareness experienced by participants in military operations". This is taken directly from the Joint Service Command and Staff College notes. This is where officers go to learn how to lead in battle. You can change the definition slightly and have it pertain directly to network and security operations staff - "the uncertainty in situational awareness (what the heck is going on) by network and security staff in network operations". In other words, how are people reacting when the "stuff is hitting the fan"? When someone is "knee deep" in the middle of a compromise, how situationally aware are the personnel going to be to detect, react to, and mitigate a security incident?

Let me give you a great example of how the FoW set in on someone and how it can impact efforts. We were conducting an exercise with a group of people in Singapore. We had the entire security team from a corporation doing what they would do during the day. We had implemented the company’s network in a lab (think cyber range) and the policies were in place on those devices. We started the way attackers would start - we started by scanning their network, looking for services and ways to infiltrate. We did find something that looked juicy, so we proceeded down that road.

A few hours into the exercise, we pulled up the company's web page, which had been defaced. We had 2 large screens in the front of the room with the defaced web page showing. The web administrator didn't even notice for about 5 minutes. He finally looked up and saw the defaced page. During this exercise, we had the senior management of the company sitting in the back of the room watching the activities and also responding to any efforts the team might have to do. The web administrator ran to the back of the room and suggested to his management that they take their web page offline because of the defacement. Management approved of this action. The web administrator ran back to his PC and deleted the index page. One little problem - the defaced web page kept showing up! In his haste (FoW), the web admin failed to see the big picture. He immediately jumped to the conclusion that seemed logical without considering all possibilities. We had not hacked their web page - we had done a DNS Reflection attack. The team never did figure out what had happened - we had to tell them during the out brief.

The point here is that this team had never really been "knee deep" in a compromise. They had not had the stress and pressure of keeping their network secure and running. Sure, a compromised web page is not something that causes a network outage. But it sure would cause concern for customers and vendors of that company. Would I want to continue to do business with this company? Probably not!

The lesson learned here is that during times of crisis, no one knows what is going on and everyone wants to know what is going on. A good Incident Response leader will have tested their personnel, so they know what that stress and pressure feels like BEFORE it actually happens in production. And when an incident happens, the leader lets their personnel loose and lets them do what they do best.

To make sure you do not fall into the trap of the Fog of War, make sure you have the ability to practice your cyber security skills. Put yourself under stress to detect, respond to, and mitigate a real attack. Of course, you do not want to do this on your production network. This is why having a place to practice, a place that can realistically simulate network application traffic and realistic security threats, such as a cyber range, is absolutely critical. If you practice and put yourself and your team into stressful situations, you will be better prepared when something happens on the production network.

Train Like You Fight!