USMC infantry tactics and your blue team. Like PB and Jam.

by Matthew Demaske, Director of Threat Research

Does it sound weird? It shouldn’t. If you’ve read any of my previous posts, you’ll know that I’ve talked about Sun Tzu, the brilliant military strategist. His work still inspires those from all walks of life some two thousand years after his death. However, we’re going to talk about something a little more recent. The Marine Corps. My beloved Corps. I served 5 years as a data network specialist, or “data dork” as we were affectionately called by our brethren. I was enlisted so I never had the pleasure of taking a trip to Quantico, Virginia for The Basic School(TBS), where all freshly commissioned officers and warrant officers learn how to actually become officers. While researching for another blog post, I stumbled across a TBS officer’s manual for Rifle Platoon Defense. While glancing over it here, I noticed a large amount of similarities between the strategies of a successful blue team and a successful rifle platoon. 

The manual focuses on several key defensive fundamentals.

1. Knowledge of the enemy

A defender’s options are dictated in large part by what the attacker does. Therefore, thorough knowledge of the enemy’s capabilities, operational concepts, and habits is essential to a successful defense.

In order to know your enemy, you must also know yourself and your security posture. What are their likely avenues of infiltration? Where are your current weak spots, either administratively or technologically? As we discussed in the first part of my Blue Team Basics series, what would an attacker want from you? Where is it? Furthermore, a good general knowledge of the latest “red” techniques is always helpful. If your analysts aren’t running down an incident or suspicious alert, they should be scouring the internet for the latest adversarial techniques, forensic methods, indicators of compromise, etc.

2. Maneuver

While steadfastness and the tenacious holding of key terrain are essential in the defense, the defender must not become immobile. The defender must maintain freedom of maneuver

I take this as the blue team must not get “stuck” in a certain way of doing things. Your team must remain flexible and react to changes to the landscape. The defender’s mindset 5 to 10 years ago was to sit a security appliance at network egress/ingress points and sit back. Before that, you were lucky to have any kind of intelligent appliance like an IPS/IDS. You would set up a firewall and pray. Before too long, we got host-based detection software based on signatures. Then, it was anomalous behavior and heuristic detection software. Now, we have cyber threat hunters who proactively seek malicious activity without provocation. Some organizations are still years behind and they will be infiltrated if they have not been already.

3. Preparation

The defender usually organizes the defense on terrain of his choosing. While the attacker can choose the specific time and point of attack, the defender, through the proper selection of terrain and reinforcing obstacles, can direct the energy of the enemy’s attack into terrain which is advantageous to the defender

How do you prepare against an attack? The first step to an effective blue team doesn’t start with the analysts or security products. It starts with the organization, from infrastructure design to conduct policies. Should users be able to download and execute binaries? What websites should users be allowed to visit? Are there local admin accounts on every workstation that share the same password? What does the acceptable software policy say? What files should be executed from user’s temp folders? What do your password policies look like? Do you have separate accounts for administrative activity? Two factor authentication? Tokens? These are all things that come into play when talking about preparation for an attack. The more tightly your organization’s network is locked down, the fewer avenues attackers have to infiltrate. If the analysts know these avenues well, they can better prepare for when an eventual incident occurs.

4. Flexibility.

While the platoon commander utilizes tactical cunning and a thorough tactical planning process to determine the enemy’s course of action in advance, the plan must be flexible enough to deal with different enemy courses of action

Always be ready for the unexpected. While it’s important to have plans for most scenarios, you need the ability to improvise on the fly. If you’ve graduated to proactive threat hunting for example, you may come across a scenario where you catch a breach or a red team assessment in action. If that happens, your regular IR plan may go out the window. If you start an active investigation, it could tip-off the adversaries and you’re now in a game of cat and mouse. It’s rare, but I’ve seen it happen. I was logged into into a remote server rushing to off-load event log data as they were erasing forensic evidence. That’s probably not part of the normal IR plan, but your organization must try to employ the kind of analysts who demonstrate this kind of critical thinking ability.

5. Defense in Depth

Defense in depth is the positioning of mutually supporting defensive positions throughout the defensive battlespace to absorb and progressively weaken an enemy attack.

This phrase describes multiple layers of security controls erected to slow the advance of an attacker. You wouldn’t just place a gate on the main road entering your military compound and forget about everything else. You would also build a fence and place guards around the perimeter. You would probably have a list of those who are allowed to have access to the facility. You would also have a list of people who are allowed to access specific parts of the facility at certain times. You would have doors or other physical barriers. You would probably have guards inside the facility and guards watching on camera. This is defense in depth. You prepare for the adversary to bypass one or more security controls. However, the more controls they have to bypass, the chance of detection rises exponentially. You have devices at ingress/egress points. You have host based malware detection software. You ensure ACLS are in place. Your organizational security policies are in place and audited regularly. Your users receive training and alerts on the latest phishing scams. You’re logging EVERYTHING. That is defense in depth. No singular point of failure.

I hope anyone reading this came away with a new appreciation for old tactics. Thanks and Semper Fi!