ciso responsibilities

(Pet peeve: Articles that don’t have dates on them. Don’t be that type of site. Ok, I know the article I link to is dated in 2021 [if you turn on javascript], but the note that I made to myself referencing this article was made in 2019…)

A post over on CSOOnline, “How the CISO role is evolving,” goes over some interesting discussion points about the CISO role.

I initially targeted my notes on the list of skills for the CISO:

  • Security operations
  • Cyberrisk and cyber intelligence
  • Data loss and fraud prevention
  • Security architecture
  • Identity and access management
  • Program management
  • Investigations and forensics
  • Governance

Holy cow, is there anything in Infosec left untouched there? Then again, CISO is the top of that leadership pyramid, right? But, this illustrates to me how difficult the CISO’s job will be if they do not report into or next to the IT overall organization. Reporting outside of IT means lots of consulting and ultimately audit-like tasking that hopes all of the above items end up getting done (and likely won’t be). And I’ve yet to see IT auditing being even partially effective or useful.

Later in the article, it starts to get real about the most important job requirement for a CISO role not necessarily being the technical understanding. I think it’s true that at this level, a key skill is “advocating for security within the company leadership.”

I think leadership traits are also important, but that’s always a funny thing within any department, team, or organization. Particularly in a technical field. At least for me, technical credibility is a key trait of leaders I respect and react positively towards. Someone who does not understand the technical aspects and demonstrates this by being wrong on a regular basis, just do not get respected by me and will not be a good leader for me. And it’s not like I need them to be highly technical; but I need them to be technical enough to know and be open about their limitations, and big enough to allow others to fill in the gaps. Leaders who get technical things wrong, don’t understand that they’re wrong, and thus never seek information from their team in order to make proper decisions, are what cause security to take steps backwards.

And it’s not just me, but many technical teams will stop listening to security if the people they interact with are regularly wrong, or vague, or confusing, or belligerent, or just not keeping up. Technical people who know the right answer don’t tolerate people who cling to wrong answers.

Another way to say this is the CISO needs to know enough to know their team is performing as needed, or if they need assistance.

establishing a cybersecurity program

I don’t recall where I found this graphic, but at least it has citation on it. I liked it enough to keep it, and just wanted to move it out from my personal notes into here.

I do like these steps, though obviously there are plenty ways to tackle this problem. And if someone needs or needs to show some sort of process/plan, this makes a good pragmatic start.

One thing I would change on this is to make sure this isn’t like a 1-year process right here. I feel like steps need to be taken pretty quickly to start *doing* something and getting some output and value. For example, Step 7 shouldn’t be waiting for earlier steps to develop. Step 7 should strive to start as soon as positive movement can be achieved. Early, easy wins, or foundational pieces.

I also prefer to think in terms of maturity levels based on some sort of model. I think that’s what is meant here by tiers. That is just a difference in preferred terminology.

threat hunting, a great definition from fidelis

Threat hunting is a cool term. It’s so cool that so many people, managers, and marketers have latched onto it and used it to describe almost anything you can think of from pen testing to SOC operations to red teaming to incident response. It’s become a pet peeve of mine how badly “threat hunting” is mis-used and mis-understood.

And I’m still convinced that threat hunting started for two main reasons. First, to slip in between the major efforts already in play between detection engineering (the blue team SOC), incident response which tackles found things, and handling threat intelligence, which usually ends up being an automated feed and corrrelation mechanism within a SIEM. Another way to put it: the human in between the matured automated technical activities.

And second, something for bored internal red teamers, IR folks, and senior detection engineers to do in between the main projects. (I’m joking, but I’m not….but I am…)

I just skimmed through a free PDF that caused me to make this post to keep this link around and share it: Threat Hunting Essentials, Part 1: Threat Hunting Defined, by Fidelis Cybersecurity.

In this, they not only talk about a good definition of Threat Hunting, but also examples of what it is not. This is super important, because I’ve talked to way too many people from keyboard warriors in the trenches up to management and executive levels who have the wrong idea of what Threat Hunting is. And having it wrong almost certainly means the chances of a successful threat hunting team are limited, and they probably won’t be happy hunters if everyone is operating under slightly different missions. That is bad friction.

Fidelis gives this definition:

“Threat hunting is the proactive hypothesis driven discovery of artifacts, activity, or detection methods not accounted for in passive monitoring capabilities.”

And see, even trying to isolate a good definition like this will still be open to interpretation. It is best to read the entire paper, as they do an amazing job of framing the problem, tackling the problem with easily understood examples and language, and allowing it all to funnel down into something that I consider easy to handle. There’s lots of good examples and discussions over recent years, but it’s been hard to find one so clear and yet (mostly) concise enough to present to others.

And yes, it can still be done by bored internal red teamers, senior detection engineers who need a break, or incident responders that don’t have any incidents being currently worked. But the inputs, outputs, methods, results, and expectations need to get aligned in order for the mission to add value and be successful.

And I’ll also just add that Threat Hunting is an advanced activity. It should only be a thing with maturing security operations and engineers teams, and only for those with senior skills in understanding offensive tactics, forensics artifacts left behind, and where the gaps in blue team visibility occur.

learning and training goals for 2022

This is my sixth year openly posting about my learning and training goals, though it feels like I skipped a year. Last year was not a productive year on the personal training front, so most of my items here are not really new. And I’m already about a half year late making a post like this, which means a few of these items might already be done or in flight.

So, what do I have in play this year? I’ve sort of skewed things a bit towards the blue team side of things last year, and that’s still the plan this year. I pride myself with having deep knowledge of red, blue, and forensics skills and I possess a strong belief that each plays and improves upon the others, whether in a team situation or as a long wolf.

Formal Training/Certifications

AWS Solutions Architect Associate certification renewal. I’ve done this once, so should be good to do again, but I’ll be consuming courses on Udemy and ACloudGuru in this pursuit. I truly thought about doing the Professional version of this, but I’d like more consistent hands-on AWS work before it.

AWS Security Specialty certification renewal. I’ve also done this once, and am not too worried about this one, but I do distinctly recall these questions were dense and tricky. As with SolArch, I’ll be using Udemy and ACloudGuru to prepare.

CISSP renewal. This is really about paying the fee, yet again. With all the other stuff I do, the CPE tanks are always full.

GIAC GCFA (FOR508) forensics certification renewal. This is also just paying the fee. But, I then need to carve some time out to go over the updated course materials and labs.

Antisyphon training courses. I’ve really liked the format of the BHIS/Antisyphon courses, and the cost as well. I plan to continue to take courses here as long as they have interesting topics offered. I’ve so far taken three, and while I’d just take them all if I could, here are some leading choices: Applied Purple Teaming (Ickler/Drysdale), Enterprise Attacker Emulation and C2 Implant Development (Thyer), Hacker Ops (May), and various others that tend to lean into Red Team stuff.

OffSec. A stretch goal. Since getting my OSCP some 5 years ago, I’ve wanted to get back and do some more of the advanced courses, labs, and subsequent certs that Offensive Security offers. I just haven’t done it yet. I likely won’t get to this in 2022, but I think in 2023 I want to look very hard at the annual subscription which opens up materials for all of OffSec’s certs.

Informal Training BTLO is a sort of blue team themed lab and gamified ladder, much like HTB is for red team skills. The company behind this also offers courses for blue teamers, but I’m more interested in the labs to practice skills, learn new tools, and improve what I know through hands-on trial and error in a safe environment. This has exceeded my expectations so far, and I’ve even exceeded my own goals on the platform. I started out just wanting to learn some things and maybe make the top 100. Today, I’m trading off the global #1 spot with several others.

Practical Malware Analysis book and Reversing, debugging. Getting into and even successfully through the RE challenges on BTLO has whet my appetite for continuing down this path some more. I’ve long dabbled very lightly in reversing, debugging, and dissassembly, but never to a degree that makes me feel skilled at it. I’ve broken through some barriers while doing BTLO challenges, and I’m wanting to keep that ball rolling. I’d like to go through exercises in the Practical Malware Analysis and Malware Analysis Techniques books while also getting started in TryHackMe’s related areas. I also still have access to the Zero2Automated course set, but that seemed a bit beyond me when acquired a few years ago.

Microsoft Azure and M365 stuff. I namely want to just go through materials for AZ-900 & AZ-500, and then also MS-900 & MSSC-500 and other stuff in the SC-series. I don’t really plan to pursue any of the associated certifications, but I’m not entirely ruling it out, either. This is mostly to get more exposed and build foundations in Azure and M365 offerings as they become more and more ubiquitous in the enterprise. Very similar to picking up AWS skills a few years ago. Also plan to learn more about Azure Sentinel.

Splunk Learning. I use Splunk at work, and I’ve long put off the more formal courses. Splunk has recently re-organized their certification and learning offerings, and while I can’t say I think they’re good changes, I still want to plug through the material at some point. Much like MS stuff, I don’t necessarily plan to do the certifications. These courses are definitely only worth it if the business or Splunk credits pay for them. It’s otherwise better to just sign up for Boss of the SOC (BOTS) (free!) on a regular basis to gain some hands-on experience.

TryHackMe (THM). I’ve only briefly used this platform once, and just have not made the time or effort to get back here. I think now might be the time. I’ve almost fully completed BTLO, I don’t really want to go back to HTB yet, I’ve gotten up to where I want to be on PentesterLab. And THM is just a blank spot for me that I shouldn’t have let go so long.

PentesterLab. I still have a sub to this lab site, and while I’m mostly caught up on what I want, they still push out content enough to keep me coming back, particularly on the Code Review badge lately.

C2 & Attacker Emulation. Last year I took a course in using various C2 platforms, but didn’t feel like I got quite enough out of it on the first run. I’d like to wield my home lab a bit further and try more C2 platforms out and just gain more familiarity. If I achieve other things before the end of the year, this could be a nice break before 2023 activities.

Gentle Career Aspirations

I don’t normally do this, as I don’t want to suggest to potential employers that these are the only things I want to do, but it’s good to at least tell myself these things in case career opportunities land in my lap. But, in a way, doing these for work in the next few years would probably make me a happy employee (not that I’m not happy now, but it’d be exciting to look forward to and then learn and do):

  • pentesting, red teaming, purple teaming…even just testing new exploit POCs
  • C2 and attacker emulation to test and improve controls, both technical and response
  • web app testing and other application/development security
  • architect-level planning and design and advisement, configuration hardening
  • ever-increasing hands-on in AWS and Azure/M365