Book Review: Extreme Ownership: How U.S. Navy SEALs Lead and Win

After reading about Pirates, I decided to read a little something on leadership. The book I grabbed was Extreme Ownership: How U.S. Navy SEALS Lead and Win by Jocko Willink and Leif Babin. The book is by two SEALs that worked together in Iraq came back back to the U.S. and started their own Leadership consulting firm.

The key concept is willing to take ownership of not just the successes but also the failures. The key example is the commanding officer, Jacko Willink, “publicly” accepting a horrible failure of a mission, as the ultimate owner of the failure even though several others who made mistakes offered to take the blame. At the the end of the mission it was him not making sure everything was done right that caused the problem, and he owned knowing it could cost him his career.

There are were other things covered. Topics through the book included planning. Keeping the plans simple. Empowering the teams to be able to decentralize their command structure. Lead from the top down and the bottom up. Having disciplined Standard Operating Procedures, that allowed the team in the combat zone the freedom to adjust to the current situation.

The biggest take away though was one scene when Lief Babin was involved in Hell Week, part of SEALs training. The section was on “there are no bad teams, just bad leaders”. The SEALs leading HELL week as trainers showed this by swapping the leaders of the winning and losing race teams. The leading one brought the losing team up to challenge his old team every race after.

The trick was setting way points in the course, and pushing them to each one. Don’t worry about the course as a whole, just the next goal, and let that build to the end.

The other thing I liked about the book, it would show the concept of the chapter in the battle area, broken down in principle, and then finished in a business environment.

The authors at the end said there is nothing really new in the book, just a new way of looking at the concepts. I know I followed some of the concepts in the past, and I picked up a few new ones to go forward with.

One I’ve put in to practice already is the concept of way points. While that wasn’t the goal of no bad teams just bad leaders, it did stick out. I’ve put it in to practice with my classes. While there is still a lot to go, I just have to go from way point to way point, and not worry about the next way point until I get to the one I’m heading for now. I don’t have to worry about the Degree at the end of my current program. Just the last 2 classes before I get to the degree. Of those, I only have to worry about the current class I’m in. Id on’t have to worry about all 12 weeks. Just the week I’m in. And break that week down in to manageable segments.

It really has lifted some of the stress I was feeling.

Book Review: Under the Black Flag

I recently read Under the Black Flag by David Cordingly it was an interesting book.

It’s a book written in the 90s looking at the history of pirates during the golden age. It talked about some of the romantic myths that raised up around the golden age, and how those myths came to be.

The book shows how pirates lived and died, the difference between Privateers and Pirates. How the line between the two types could be blurred. And, what eventually lead to the down fall of the golden age of piracy.

The most interesting case, though one of the smallest in the book was Captain Kidd. Who was commissioned as a Privateer (complete with letter of Marque), crossed in to Piracy to appease his crew, and paid the price for it at the end. The political intrigue was a nice twist in the rope too.

What really lead to the end of the golden age of piracy was Hunt Teams (multiple ships hunting the pirates down), clemency (though some pirates went back to their former ways),  and visible reminders in ports of what happened to captured pirates. Countries not being at war led to some of the downfall too.

But the thing is, things had to change before piracy ended. The defenses put up around ports and along the gold trails didn’t do much to stop or deter the Privateers or Pirates going for the gold. For example, Henry Morgan’s attacks on Porto Bello, even though there were 3 castles protecting the place, it still fell to Morgan.

Ships carrying arms didn’t do much either, other than anger the pirates. It wasn’t until Naval vessels put on acts as either other Pirate Ships, or as merchant ships, that having armed sea going ships mattered.

The book did give some interesting history lessons, and gave some ideas that could be re-applied to cybersecurity to secure the Net Today. Think of the Internet as the Sea, and hackers as villainous pirates.

I also know I’m not the first person in InfoSec to read the book and draw some parallels between our industry and the Golden age of piracy. Adam Hogan talked about this a few times. I saw his talk at Bsides Columbus in 2017.

While a history book on pirates, it does give some ideas as to how to change how we’re doing InfoSec today. It was worth the time it took read, and gave some interesting thoughts on how to deal with the problems InfoSec faces today.

Validate data, before sharing.

I’m going to have to add a couple more slides to my Threat Intelligence: From Zero to Basics deck. But I told GrrCON that I would have an updated deck from Circle City Con anyway.

Over the last two weeks I’ve seen some stuff shared publicly in Threat Intelligence Platforms, that really shouldn’t have been. The data wasn’t valid, at the time of sharing.

Continue reading

One of the differences between college and real life (bias in speaking)

Last talk I have, I expected audience participation, because I asked for it. I failed the audience. I know how to improve the talk for last time.

What was my bias that lead to me failing the audience? I’m used to participation being part of my grade, and having to participate. Others in classes were the same way. Yes we had some that barely participated. But usually half the class did.

Because that’s what I was used to in college class setting, that’s what I expected at a conference talk. The result was I failed my audience with expectations that I shouldn’t have put on them.

Script(s) to extract HTTP Host data from file

A while ago, created a new repository on GitHub for the scripts I wrote for DFIR. Since then, it only had the Computer Ping script in it. Today I added the first of the Extractor scripts.

The first extractor script, xHttpExtractor.py came about from a web based tool I used. It would run on a file uploaded to it, and then list a bunch of indicators, system artifacts, url calls outs, network communication, etc. However the tool didn’t have a good export mechanism at the time. So I would copy and paste everything to a text file, and then extract the url host details from the text files. Mainly so I could add the URL indicators to the web proxy.

Continue reading

Different ways to use TOR

While catching up on SANS’ Internet Storm Center Storm Cast during my drive, I heard this episode. In it Johannes Ullrich was mentioned this article about using DRM Decloaking TOR users. Short version, users running the Tor Browser Bundle click a link, and Microsoft Windows launches the media player not using the TOR network, exposing the user’s real IP address.

This attack could be mitigated by using TAILS or something else that forces all traffic through TOR. Which made me think I should share all the ways I use TOR.

Continue reading

Read “Effective Threat Intelligence: Building and running an intel team for your organization”.

Recently I read the kindle version of “Effective Threat Intelligence: Building and running an intel team for your organization” by James Dietle. I found out after the fact there was a paper back version of it, and even gave one copy away as a Christmas present.

Anyway, this is the book I wish I had in January of 2016, when  I moved from Incident Response / Event Analysis to Threat Intelligence. It’s a good primer on the subject. While it’s not completely new material, it’s the basics in one place. When I started doing TI, I had to learn from the ground up, and things were scattered. Some was easy, other parts were more advanced, and nothing made a good how to. Especially when I wanted to start showing value from the word go.

I think that if I had, had this book and read it when I was starting it would have been very beneficial. While it’s not as in depth as SANS For578,  I do think that it would make a good primer for anyone in IR going to SANS for Cyber Threat Intelligence.

 

 

Doing OSINT

The other day I mentioned Sailing the Sea of OSINT. Then in a Facebook group I’m in, they posted the BBC article about Ambulances Jamming car radios. In the group we made some speculations. But having a bit of a radio background, HAM Radio, CB Radio, and Broadcast Radio in college. I know how some of systems work.

So I went and dug up several articles on their pilot program. None however said how they worked. Just that they worked with the RDS radios in some cars. So I went and looked up RDS. Radio Data Systems, and the similar Radio Broadcast Data Systems in North America, is a protocol for sending data over the airwaves along with an FM signal.

In this case of both, they use PTY tags to associate what the data is. This is the same system that displays  the radio system call sign and song title on some radios. It can do more like say what type of music station it is based off the tags they use. This would allow people to search by genre.

However when they made the protocol they included a tag for Alarms (in the EU) / Emergency (in North America).

Reading up on the receivers with the RDS protocol / system built in they are designed to switch to the frequency broadcasting the Alarm / Emergency tag. Even if the radio is playing a “cassette” (which tells you how old this protocol is), a CD, connected via Bluetooth. Basically, if an RDS equipped radio is turned on it will tune to the station for the frequency the ambulance is broadcasting to.

The neat parts of this, the goal is to make it 10 to 15 seconds of alert, based on the speed of the ambulance. Which tells me the broadcast switch is tied to the Light and Siren switch, as well as either the ambulances GPS or ODB-II port, and the broadcast power is associated off that.

The people that came up with the idea said because Ambulances are getting stuck in traffic and or people are having accidents trying to get out of the way.

This is probably one of the items that really should be considered in Autonomous cars.

Review of “Sailing the Sea of OSINT in the Information Age”

Just read, or re-read “Sailing the Sea of OSINT in the Information Age” by Stephen C. Mercado from the Studies in Intelligence Volume 48, number 3. I’ve had this for a while, I bought it 2013. Which is part of why I don’t remember if I read it before. It’s available from the CIA’s Library. It’s an article from the CIA’s Peer Reviewed Journal.

I found it very informative, even for something originally written in 2007.  While today, I think most of us in IT, think of OSINT as mainly tracking social media accounts (what some call SOCINT), it really goes beyond it.

The main points that were brought up:

  1. OSINT has been there for a very long time, since the beginning of Intelligence programs in the United States. It just hasn’t ever been formally given a department like others.
  2. It’s based off public media like magazines, books, news papers, radio and TV broadcasts.
  3. There are not enough people who understand foreign language / culture to get proper use out of OSINT.

There is things in the public space where OSINT lives that comes out better than in some of the other sources of intelligence. An example was information gathered by the Japanese about a former KGB officer.  “The resulting book and Levchenko’s press conferences were, according to a US intelligence officer, more revealing than his CIA debriefing”.

Which oddly ties in to something I saw on my Firefox browser recently.

So I’m curious, do we as a mono-langauge culture really have the skills we need to do intelligence. How many data leaks are found on foreign language hacking forums?

 

 

 

The article is worth the read, and brings up some good questions. I liked Mercado’s recommendation on making the Foreign Broadcast Information Service an intelligence service again, put OSINT under it, like how the NRO has IMGINT, and create incentives for people to study things like language and culture to increase the ability of the agency.

You can’t buy threat intelligence, or yet another “article” on Data vs Information Vs Intelligence.

The background:
This is a blog post I’ve been meaning to write for a few months now. It’s based in part off a twitter conversation that carried over in to a phone call. It is also something I’ve personally observed, a trap I fell in to, and heard other Threat Intelligence people say they observed. And while reading Cyint’s favorite tweets of 2016, I finally decided to sit down and write.

In the tweet list was a tweet was from Alex Pinto asking ‘how many more #ThreatIntel articles do we need about the difference between “data”, “information” and “intelligence”?’

So my answer is, as many as it takes to break out of our own echo-chamber / choir and figure out how to talk to our Cybersecurity peers and the stakeholders. So everyone is able to understand what is being bought. So here is yet another article talking about Intelligence vs Data Feeds being sold as Intelligence.

The Problem:
Companies are selling data feeds while calling it intelligence.

Continue reading