Julian Cohen

When you do these exercises at work, you don't need to use the diamond model or the Lockheed Martin Kill Chain. I use them in my presentations because they are well understood accepted standards, but you may want to use more and less detail and more or less data in your model.pic.twitter.com/hiBS4n1gvQ

What events may change our adversary's motivation, capabilities, and resources? What events may change our adversary's tools, techniques, and procedures? How confident are we in these predictions?pic.twitter.com/D7U1QMr2Oo

What events may change our set of adversaries? Is our security strategy growing with out organization and with our adversaries? How quickly is our organization getting added to new target lists and being discovered by new adversaries? How confident are we in these predictions?pic.twitter.com/PZMs3lFyI6

Do we have enough supporting data and threat intelligence (quantitative and qualitative) to justify our work to our CISO and to our board? How confident are we in our adversary simulation? Can we confidently predict future adversary behavior? Do we have enough historical data?pic.twitter.com/H8J9EcnejY

Before we can begin to prioritize and execute, we need to review our work. How confident are we that our set of adversaries is complete and accurate? How confident are we that we understand their resourcing, capabilities, motivations, and constraints? Are our defenses effective?pic.twitter.com/Y7jPcm0C6W

Finally, with a carefully understood attack, I asked the audience to design defenses to prevent, detect, and monitor the attack using Lockheed Martin's Intrusion Kill Chain Courses of Action Matrix (https://pbs.twimg.com/media/DbUGM0LVwAUOVSx.jpg …).pic.twitter.com/SqLtbtiQxt

Make sure to sanity check your work.pic.twitter.com/5emcDqVIfj

Then I asked the audience to build an attack playbook using infrastructure like Samsung and an Windows XP exploit with the resources of the cyber division of the South Korean military.pic.twitter.com/II1IGMrjkR

Then I asked the audience to help us design an adversary that a North Korean healthcare organization might encounter. Using the Diamond Model (https://threatconnect.com/wp-content/uploads/cshydiamond_full.png …), I asked them to consider who the adversary might be, their motivation, and their capabilities and resources.pic.twitter.com/3UjFb0MPNE

Then I asked the audience to design an organization for us to protect. I asked them to pick an industry and consider the size of the org, whether the organization is public or private, what countries the org operates in, and what kind of infrastructure the org needs to operate.pic.twitter.com/btULWsb58p

First I introduced some concepts that you've probably heard me talk about before on Twitter.pic.twitter.com/iNPrv3Tgvt

What kind of dystopia have we created for ourselves?pic.twitter.com/bwlTPASZU9

This tastes like someone dropped a couple of lime Skittles into my water.pic.twitter.com/sPnewm3XSF

I found the pot of gold at the end of the rainbow! It's this signals intelligence dish at 33 Thomas Street.pic.twitter.com/ReQNdJMMKr