Active Response

Always A Bad Day For Adversaries

Tag: situational awareness

Keeping up with the Stream: How I Maintain External Situational Awareness

In any field related to intelligence and security it is critical to stay abreast with external news and developments.  But, your time is a zero-sum game and all security and intelligence analysts must balance their time “reading the news” (consuming news from others) with “creating the news” (generating new intelligence and insight for others) – this is how I view my work time strategically.  Building tools and techniques to more efficiently “read the news” allows you to spend more time “creating the news.”  So it is no surprise that I get asked regularly what I do to stay connected with the world and the community.  Here is my answer, for my particular situation and need.  Mileage will vary.

For me, the key is to take advantage of curated news/information streams instead of curating it myself.  However, just like relying on any one news source, relying on one or a few curators for your news will quickly introduce you to the bias of the curators themselves.  Therefore, I don’t rely entirely on this method and also self-curate to a small extent to lower that risk.

I organize my professional reading into three categories: world, profession (computer science/security/analysis/data science), and discipline (threat intelligence).  Usually, I begin by reading the world news, followed by threat intelligence, and lastly information I need about my profession.  I feel that this appropriately prioritizes my time and gives me the best perspective to solve problems throughout the day.

Here is my particular strategy:

  1. I begin with the top stories on Google News and then to the Economist.  I then browse the front page of Reddit.  Together this gives me a healthy sense of major events in the larger world.  This is critical because my discipline is heavily influenced by larger world events.  However, within this set I also focus my time reading articles which have direct impact on areas of world my daily work touches.
  2. I read curated security and intelligence emails: Team Cymru Dragon News Bytes; SANS NewsBites (weekly); and two others which come from paid services via my employer.
  3. Twitter.  I use key hashtags and user lists to pare down the stream to a consumable chunk.  This is very much an art form and I’ve yet to feel a mastery.
  4. RSS Feeds.  I use Feedly to curate my RSS feeds.  However, over time I’ve found that my other strategies tend to surface most of the gems from the feeds.
  5. If I have time, I’ll then use a financial news site to browse the news about my company as well as major players in cyber security to maintain awareness about the larger business pressures and events which may impact my work.
  6. Return to Twitter.  About 2-3 times/day I’ll return to Twitter to scroll through tweets by key hashtags and user lists to make sure I find anything critical right away.

The Long & Important Ones

About once-per-day I find a white paper or article on which I want to focus and absorb.  For those, I print them out (yes, on paper) and read them later with a pen in my hand so that I practice Active Reading; making marks, underlining, and making comments which help me absorb the material and create an internal conversation.  I find this a highly enjoyable activity which stimulates creativity and engagement helping to foster new ideas.

How do you maintain your external situational awareness?  Please comment below or tweet @cnoanalysis

8 Tips for Maintaining Cyber Situational Awareness


Situational awareness is the perception of your environment and comprehending the  elements within that environment with particular focus on those critical to decision making.

Cyber defenders, operators, and analysts must maintain “situational awareness.”  This is more than sitting in a room with several large televisions streaming Twitter and [insert management’s favorite cable news channel here].

Maintaining situational awareness is the act of continuously defining your environment and identifying (and comprehending) elements critical to decision-making.  The purpose of this act is so that one can continuously orient towards the best decision.

Those familiar with the OODA Loop will recognize this as the observe phase in the loop.

It is important to know and comprehend your environment, which means both your internal situation AND the external situation.

Knowing your internal situation usually comes with dashboards, alerts, network activity graphs, parsing log files, vulnerability scanners, updates from vendors, etc.  From this view an analyst finds particularly interesting events or anomalies and understand their organization’s exposure surface.

Most importantly, the situational awareness from these data points should provide a decision-making construct to identify necessary actions (e.g. “should we patch for that?”, “should we close that firewall hole?”, “should I explore that spike in traffic?”).

However, maintaining knowledge of the internal situation is not enough.  Just as a pilot must keep their eyes on their instruments AND the horizon an analyst must keep their eyes on their internal sensors AND the external threat environment.

Keeping track of just ONE of these environments is hard enough, how can an analyst hope to track both environments effectively,  make effective decisions on that information, and act on those decisions on time?

Both management and analysts dream of some tool that will quickly and easily integrate these disparate and complicated environments simply to make the best decisions quickly.  However until that dream tool is created:

1. Know your organization’s mission statement, business strategy, and business rules

You’ll never know what elements or events are important if you don’t know what is important to your organization.  Be able to articulate your organization’s mission statement.  How is your organization attempting to meet its goals and how do you support that?  How do the various business units work together to create cohesive whole?  With this information you can make an informed decision as to the criticality of an event based on the assets being affected.

2. Be cognizant of external events affecting your organization’s mission

What is happening in your market space or global sociopolitical space which is changing your security profile?  Will that new acquisition by a foreign competitor cause you to become a target of corporate espionage?  Will hackers target your organization in retaliation to country X expelling ambassadors from country Y?

3. Be aware of internal events

What is happening inside the organization?  Is there a new desktop load being deployed?  Who is being fired today?  What are the upcoming mergers/acquisitions?  All of these affect the exposure surface of an organization and it’s target profile to attackers.

4. Find and follow the best

The internet is the greatest collection of human knowledge ever assembled.  Use it.  There are great security researchers and analysts constantly updating information sources with critical knowledge.  Find these sources and follow them.  Use Twitter, Google Reader, Listorious, and other sources to help aggregate this information.  Who/What are the critical sources following?

5. Be aware and able to communicate what is missing

Know what is missing from your viewpoint.  Are there any data feeds which would add to the picture?  What are the biases and limitations of your data sets?  How do these affect your decision-making?  Knowing this in advance and taking it into account will help reduce poor decision-making and unexpected consequences.

6. Know the rule sets, analytics, and data sources

The better an analyst knows their own rule-sets, analytics, and data sources, the more efficiently and accurately they can distinguish critical from non-critical events.

7. Eliminate Useless Information

One must carefully balance the need for information with the danger of information overload which will cause poor or delayed decision-making.  Therefore, eliminate any useless information sources.  This includes high false positive hitting signatures, network activity graphs which nobody pays any attention to.  It is better to have less information of higher quality than high quantity which muddles decision-making.  Replace bad data feeds with something useful, or better yet don’t replace them at all.

8. Not Everyone Requires the Same Information

It is important for organizations to understand that everyone does not need the same information to maintain situational awareness.  People think differently.  Use that to your advantage.  Don’t try to make robots.  People perceive their environment differently from one-another.  Allow each to develop their own information feeds and visualizations to maximize effectiveness.

Powered by WordPress & Theme by Anders Norén