There are only two certainties in a company’s life: Taxes and your network will be hacked.

I recently returned from the 15-day cyber warfare exercise hosted by the Massachusetts Army National Guard.  Attendees included soldiers and airmen from Vermont, New Hampshire, Maine, Massachusetts, Connecticut, and Rhode Island as well as personnel from private organizations such as Mitre and ManTech.

An important change in this year’s event was that actual representatives from the Massachusetts Governor’s IT office, Massachusetts Water Resources Authority (MWRA), and the Massachusetts Department of Transportation (DoT) were active participants.  They were able to give an accurate portrayal of their interests and identify network resources that are critical to them.  This was all vital information to our “Blue Team” defenders.

I was acting as a “Red Team” aggressor and by the luck of the draw I was selected to attack the team of defenders I have been working with for the past few years.  I provided them denial-of-service attacks, phishing campaigns, website defacements, and other “cyber effects” for them to detect, react, and report on.  In several areas my team performed well, but I was most impressed with the cooperation and information sharing between my military coworkers and their civilian counterparts.

I have had some time to reflect on the lessons learned and the direction I want to take my team in the train-up leading to next year’s exercise.

  1. Baseline your infrastructure.

As a system owner, just knowing what accounts are privileged and what servers you have on your network is no longer enough. System owners need to know what kind of traffic is normal within their network, what services/processes should be running on each device and which devices need to talk to each other.  When equipped with this knowledge, a network defender is far more effective at detecting ill intentioned actors on your network.

  1. Know what is most critical.

In previous exercises military personnel played the part of industry representatives and identified key infrastructure as being the domain controllers or DNS servers.  Having actual industry representatives at this year’s exercise radically changed the defenders ideas of what is most critical.  For example, representatives of the Governor’s office identified the Governor’s external website as being critical as it is the “face” of the government in Massachusetts. It is important to have identified those critical systems before an attack to focus the network defense on what is most important to the organization instead of focusing on what the attackers see as most important to them.

  1.  Able to detect wrongdoing.

There are only two certainties in a company’s life: Taxes and your network will be hacked.

Every organization should have a secure and centralized logging server along with sensors, distributed throughout the infrastructure, capable of full packet capture.  Having this in place provides not just data but contextual information about what is going on in your environment.  There seems to be a trend for organizations to spend considerable resources on IPS/HIPS systems, but once an attacker compromises their system they lack actionable information and throw up their hands in defeat. These defensive measures are admirable, but we should operate on the motto: “Prevention is ideal.  Detection is a must.”