Mitre’s ATT&CK Security Framework

Mitre’s ATT&CK security framework was mentioned often at the Techno Security and Digital Forensics Conference. I admit that I’m not well-versed in it yet. However, its purpose makes sense. It’s a knowledge base of Adversarial Tactics, Techniques, and Common Knowledge, which is what the acronym ATT&CK stands for. Mitre created a short video explaining what ATT&CK is and why it was created.

One example of ATT&CK being a common body of knowledge that folks actively keep up to date is its catalog of identified threat groups. As of this post, there is information on 86 groups, mainly nation-state actors.

One of the things I try to do in my security presentations is help folks stop thinking only in terms of what they’re good at. For instance, in my How I Would Hack SQL Server presentation, I point out that as an attacker, going directly against SQL Server is an option of last resort. It’s much easier to find the data I care about on a file share, in an Excel spreadsheet, or in some other less secure spot. Compromising accounts and then using those accounts is the easier and safer road to success. ATT&CK catalogs what attackers actually do. Therefore, if you’re in charge of securing systems or applications, looking over the ATT&CK framework will help you look at your systems more as an attacker would.

Why Security Through Obscurity Is Bad (Alone)

Security through (by) obscurity is where we try to protect an asset by hiding it. Anyone who has ever played Capture the Flag knows that a motivated opponent will eventually find the flag. If there are no other deterrents in place, the opponent will scour the playing area and find it. If hiding an asset (the flag) doesn’t work for that simple game, it doesn’t work for information security.

However, Capture the Flag doesn’t just involve hiding the flag. In all variations of the game, all teams have attackers. Therefore, part of the deterrent is acting quicker than your opposition. In a lot of variants, each side also has defenders who have some ability to discourage or thwart attackers. Even if a particular variant doesn’t have the concept of defenders, a team can be sneaky. It can overload one side, trying to trick the opposing forces into thinking the flag is hidden on that side. Or some of the attackers can feign dismay when an opposing team heads into the wrong part of the playing area, leading that team to think they are close to the flag when they aren’t. In other words, there are always additional countermeasures.

The problem with a strategy of security through obscurity alone in information security is that we are assuming we are smarter than any adversary with plenty of time and opportunity on his or her hands. We aren’t. Therefore, we need the other appropriate countermeasures (controls) in place to protect our assets. There’s nothing wrong with making an asset harder to find (obscuring it). However, that can’t be our only mechanism of protection.
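Here is the Capture the Flag argument in code. This is an added example, not code from the original post: the tiny “service”, its unlinked admin path, the token and the wordlist are all constructed for illustration. The first handler relies only on nobody knowing the path; the second keeps the same hidden path but puts an authentication check behind it. A content-discovery scan (base words crossed with common suffixes, the way real scanners build candidates) finds the path either way; the difference is what the attacker gets once it is found.

```python
"""Security through obscurity, alone and with a real control behind it.

Added example, not from the original post. The service, hidden path, token and
wordlist are constructed for illustration.
"""
import hmac
import itertools

HIDDEN_ADMIN_PATH = "/mgmt-console-2018"   # the "hidden flag": an unlinked URL
ADMIN_TOKEN = "s3cr3t-token"               # constructed secret for the hardened handler


def obscure_only(path, token=None):
    """Version 1: the only protection is that nobody is supposed to know the path."""
    if path == HIDDEN_ADMIN_PATH:
        return 200, "admin console"
    return 404, "not found"


def obscure_plus_auth(path, token=None):
    """Version 2: same hidden path, plus authentication as the real control."""
    if path != HIDDEN_ADMIN_PATH:
        return 404, "not found"
    # constant-time comparison so the token check itself doesn't leak timing
    if token is None or not hmac.compare_digest(token, ADMIN_TOKEN):
        return 401, "authentication required"
    return 200, "admin console"


# Constructed wordlist: a few base words crossed with a few common suffixes,
# the way a content-discovery scanner builds its candidates.
BASES = ["admin", "console", "mgmt-console", "manage", "secret"]
SUFFIXES = ["", "-2016", "-2017", "-2018", "-prod"]


def scan(handler):
    """Request candidate paths until one stops returning 404.

    Returns (requests_made, path_found, status_at_that_path); path_found is
    None if the wordlist is exhausted.
    """
    for n, (base, suffix) in enumerate(itertools.product(BASES, SUFFIXES), start=1):
        path = f"/{base}{suffix}"
        status, _ = handler(path)          # the scanner has no token
        if status != 404:
            return n, path, status
    return len(BASES) * len(SUFFIXES), None, 404


if __name__ == "__main__":
    print("obscurity only:     ", scan(obscure_only))        # found, and 200
    print("obscurity plus auth:", scan(obscure_plus_auth))   # found, but 401
    print("with the token:     ", obscure_plus_auth(HIDDEN_ADMIN_PATH, ADMIN_TOKEN))
```

Both scans locate the “hidden” path on the 14th request. With obscurity alone that request is a full compromise; with authentication behind it the attacker has learned a path and nothing more. Note that the 401 still tells the scanner the path exists, which is fine: the obscurity was never the control, and losing it costs nothing once the real control is in place.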

Security Controls: CISA vs. CISSP

When looking at the Certified Information Systems Auditor (CISA) exam, we focus on teaching 3 types of controls:

  • Preventative – keeps an incident from occurring
  • Detective – identifies the occurrence of an event and possibly the actor
  • Corrective – fixes things after the incident

However, the Certified Information Systems Security Professional (CISSP) also says there are 3 types of controls, but they are different from the ones the CISA lists as “types”:

  • Administrative – These are management-type controls. They are also known as soft controls, and sometimes folks call them manual procedures.
  • Technical – Also called logical controls. These are controls implemented in software and hardware.
  • Physical – Controls that protect the physical environment, such as guards, locks, fences, and cameras.

So what does the CISSP do with the 3 listed by the CISA? Those are called control functionalities. There are 6 of those:

  • Preventative
  • Detective
  • Corrective
  • Deterrent – A control intended to discourage an attacker.
  • Recovery – A control which returns the environment back to normal operations.
  • Compensating – A control that provides an alternative means of protection when another control isn’t or can’t be used.

In the CISA we often talk about compensating controls, but we don’t list them as a specific functionality. However, I like the CISSP breakdown a lot better. Basically, we get a matrix between the 3 types and the first 5 functionalities, with compensating controls understood to protect an asset when the primary control is unavailable or too costly.

The key takeaway is to understand how our controls are implemented and why they work. Classifying them helps us see what protection we actually have, and an empty cell in that matrix is a gap nobody has yet asked about.
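The matrix is more useful as a tool than as a diagram, so here it is as one. This is an added example, not from the original post or either certification body: it builds the 3 types × 5 functionalities matrix from a control inventory, tracks compensating controls separately (with the cell they stand in for) as the post describes, and reports the cells that are empty and the cells whose only coverage is a compensating control. The inventory, including the SQL Server entries, is constructed for illustration; a real one comes from your own environment.

```python
"""Classify controls into the CISSP type x functionality matrix and report gaps.

Added example, not from the original post. The inventory below is constructed
for illustration.
"""

TYPES = ("administrative", "technical", "physical")
FUNCTIONS = ("preventative", "detective", "corrective", "deterrent", "recovery")

# Constructed inventory: (control name, type, functionality).
INVENTORY = [
    ("acceptable use policy", "administrative", "preventative"),
    ("quarterly access review", "administrative", "detective"),
    ("incident response plan", "administrative", "corrective"),
    ("SQL Server logins limited to AD groups", "technical", "preventative"),
    ("SQL Server Audit on failed logins", "technical", "detective"),
    ("login banner", "technical", "deterrent"),
    ("nightly database backups", "technical", "recovery"),
    ("badge-controlled server room", "physical", "preventative"),
    ("CCTV in the data center", "physical", "detective"),
    ("'premises monitored' signage", "physical", "deterrent"),
]

# Constructed compensating controls: (name, cell they stand in for, why the
# primary control isn't there). Tracked separately from the matrix itself.
COMPENSATING = [
    ("manual failover runbook", ("technical", "corrective"), "no automatic failover configured"),
]


def build_matrix(inventory):
    """Group controls by (type, functionality); reject labels outside the two lists."""
    matrix = {(t, f): [] for t in TYPES for f in FUNCTIONS}   # insertion order = matrix order
    for name, ctype, func in inventory:
        if (ctype, func) not in matrix:
            raise ValueError(f"{name!r}: unknown classification {ctype}/{func}")
        matrix[(ctype, func)].append(name)
    return matrix


def find_gaps(inventory, compensating=()):
    """Cells with neither a primary nor a compensating control, in matrix order."""
    matrix = build_matrix(inventory)
    comp_cells = {cell for _, cell, _ in compensating}
    return [cell for cell in matrix if not matrix[cell] and cell not in comp_cells]


def compensating_only(inventory, compensating):
    """Cells whose only coverage is a compensating control: revisit these first."""
    matrix = build_matrix(inventory)
    comp_cells = {cell for _, cell, _ in compensating}
    return [cell for cell in matrix if not matrix[cell] and cell in comp_cells]


def coverage_by_function(inventory):
    """How many of the 3 control types (0-3) cover each functionality."""
    matrix = build_matrix(inventory)
    return {f: sum(1 for t in TYPES if matrix[(t, f)]) for f in FUNCTIONS}


def render(inventory, compensating=()):
    """Plain-text matrix: control count per cell, 'C' for compensating-only, '-' for a gap."""
    matrix = build_matrix(inventory)
    comp_cells = {cell for _, cell, _ in compensating}
    width = max(len(f) for f in FUNCTIONS) + 2
    lines = [" " * 15 + "".join(f.ljust(width) for f in FUNCTIONS)]
    for t in TYPES:
        row = t.ljust(15)
        for f in FUNCTIONS:
            n = len(matrix[(t, f)])
            mark = str(n) if n else ("C" if (t, f) in comp_cells else "-")
            row += mark.ljust(width)
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(INVENTORY, COMPENSATING))
    for cell in find_gaps(INVENTORY, COMPENSATING):
        print("gap:", "/".join(cell))
    for cell in compensating_only(INVENTORY, COMPENSATING):
        print("compensating only:", "/".join(cell))
    print(coverage_by_function(INVENTORY))
```

Run against the constructed inventory, the report shows that corrective and recovery are each covered by only one control type, that nothing physical or administrative exists on the corrective side, and that the technical corrective cell rests entirely on a compensating control. That is exactly the kind of conversation the classification is meant to start.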

Developing Presence

At SQL Saturday Nashville, I didn’t do a good job explaining the concept of presence. This was during the Women in Technology presentation at lunch. Part of the discussion was around how height influences being noticed. I agree that it plays a huge role. At 5’7″, I know that it’s easy to “fly under the radar.” However, I also know that folks are able to overcome that physical trait.

I was trying to explain how my mom, who is 4’8″ on a good day, and her sister (even shorter) have a presence such that, when they mean business, they command immediate respect. Not only are they very short by American standards, but they are both very obviously Japanese. And, of course, they are female. So they have three strikes against them when it comes to being noticed, respected, and listened to. Yet I’ve seen both of them in the midst of a crowd of complete strangers immediately command the group. They have presence.

If you think about it, you’ve likely come across folks who seem to be able to command the room, even a room where no one knows them. They come in and it’s as if everyone immediately takes notice. When I was at The Citadel and part of the training cadre, I had to have that sort of presence from the moment matriculation began for the freshmen. It’s not natural for me, but thanks to lessons I learned during my freshman and sophomore years at The Citadel, I was able to step into that role as a junior.

As a result, I know from experience that people can develop their presence. Some seem to come by it naturally. For instance, my teen daughter, who is still under 5′, hasn’t needed much training. She takes after my mom, not me. She DMs Dungeons and Dragons regularly, and most of the time there are only adults at her table. There’s no question who is in command, as in this picture from a convention where she was DMing (she’s the one reaching over the screen).

Her brothers, who are both at or about 6′ and in college, don’t naturally and instinctively command the same presence. They have to think about doing so. My oldest son, who is the tallest and most physically imposing member of our immediate family, is more often than not overlooked if he isn’t thinking about his presence. He has to rely on lessons learned from martial arts, The Citadel, and military training to do so. When he consciously does, he can command a room, as he has had some great teachers. However, it takes intentional effort. His brother, who has had martial arts training as well, has to do the same thing.

You don’t have to go into the military to learn how to have presence. I’ve cited my sons and the lessons they learned from martial arts. Solid martial arts instructors and schools do teach presence. After all, as you progress toward black belt, you will likely be given increasing responsibility for teaching less experienced students. Both of my sons have earned black belts and are now expected to be able to teach in their respective schools. That requires presence.

If martial arts aren’t your thing, there are also organizations like Toastmasters that work on the same concept and provide training to help you develop presence and the appearance of comfort in a public setting. I say appearance because if you’re like me, a solid introvert, there’s always discomfort. However, that training helps you deal with the discomfort, increases your ability to reach others, and makes you more accessible. You may have to consciously focus on doing so, but it’s possible.

Now, will there still be times when you’ll be dismissed or ignored? Absolutely. There are plenty of folks with strong, illogical biases against you, whether because you’re short, you’re female, you’re obviously of foreign descent, or something else. There are also people who can’t see past themselves. And then there are folks dealing with life situations that make them less attuned to what’s going on around them. The best parable I have heard is the one about the man who gets on the subway with his small kids; the young ones begin terrorizing the car, but the man doesn’t intervene. Finally, one person intercedes and asks the man if he can do something about his children. Then the punchline hits: he has just come from the hospital where his wife died of cancer, and none of them are dealing with it well.

Those specific and unusual cases aside, if we work on developing our presence, for a large number of people, we can overcome factors that would normally exclude us from notice or push us out of the conversation. It’s definitely a soft skill to develop, regardless of your industry or profession.

Webinar: Identify and Eliminate SQL Server Performance Issues

I’m giving a webinar tomorrow, March 22, 2018, at 3 PM Eastern. Registration is free.

Here’s what I’ll be covering:

Are you struggling with pesky SQL Server performance issues that are impacting your business? Are you unsure where to focus your efforts next to resolve them?

In this session we’ll look at what built-in tools are available through SQL Server and the OS. We’ll consider both performance and security auditing. We’ll also investigate built-in options for managing multiple servers to ease the workload. Next, we’ll discuss how to report on the metrics and information we have gathered. We’ll conclude with alerting and notifications to keep you in the loop when something goes outside your desired thresholds.

In this session you will learn about:

  • How to start monitoring SQL Server
  • Key scripts for SQL Server Performance Monitoring
  • Best Practices to address both SQL Server and Windows issues
  • Proactive alerting to minimize the issues to the business

MSSQLTips Webcast on Security

On February 11, 2016, at 3 PM EST, I’ll be giving a security webinar for MSSQLTips. It’s titled Performing a SQL Server Security Risk Assessment. Here’s the abstract:

You have one or more SQL Servers and you want to assess the security of each. What’s a priority? What puts your organization at the greatest risk? What should you attack first?

In this presentation, we’ll look at how to do a security risk assessment of SQL Server. We’ll cover all the common big-ticket items, the ones that could lead to a server breach, data loss, or a system becoming unavailable due to mismanagement. We’ll also discuss how to assess other items you may find and how to rank and prioritize them. Armed with this information, you’ll be better equipped to provide a to-do list to your management with justifications and relative impact for each proposed change.

If you’re interested in attending the webinar, it’s free but you’ll need to register.

Midlands PASS February 2016 Meeting

Midlands PASS has changed its meetings from the 2nd Thursday to the 2nd Tuesday of each month. This takes effect with this month’s meeting. We are still meeting at the same location in West Columbia, SC. However, our host’s name has changed: Microstaff IT has become We Know IT!

For this month’s meeting on February 9th, we are looking at improving queries. Here’s the abstract:

We want queries to run fast. The faster queries run, the less likely they are to get in the way of other queries (blocking). The faster queries run, the less likely they are to collide in a way that forces one of them to be rolled back (deadlocking). And the faster queries run, the more queries we can pump through the system, thereby improving performance. In this presentation we’ll look at how the SQL Server query engine works: how it breaks down a query, how it uses indexes, and how it puts all this together to produce an execution plan. By understanding how the engine works, we’ll understand how to improve our queries.

If you can make it out, please RSVP so we’ll know how many refreshments to bring.

Midlands PASS Meeting: 2016 SQL Server Security Refresher

The Midlands PASS Chapter will hold its next meeting on January 14, 2016 at Microstaff IT. We start the meet and greet at 5:30 PM and the main topic usually kicks off around 6 PM.

2016 SQL Server Security Refresher

Midlands PASS Chapter’s annual SQL Server security refresher! This is an open-ended discussion hosted by Data Platform MVP and resident SQL Server security expert, Brian Kelley. Bring your scenarios and questions and we’ll work through the best ways to build security solutions for and using Microsoft SQL Server.

You can RSVP here so we know how much food and refreshments to bring.

Getting the Degree and Debt

Yesterday I said to just get the four year degree. It’s a checklist item and I’ve had several folks comment about how it is a limiting factor in job searches.

One of my friends asked an important question: should you go into debt to get that four year degree?

My initial thought is, “No.” If you’re already gainfully employed, not having the degree isn’t worth going into debt over. Avoiding debt is generally a good idea, as espoused on sites like Mr. Money Mustache. Stop and think about the fact that we’re complaining about crippling student loan debt here in the United States. Debt, and having to pay interest on that debt, hurts.

But what if your company reimburses? Should you put the course(s) on your credit card or get a second mortgage? The problem with depending on the reimbursement is that it might not be there at the end, or you may choose not to take it. There’s a whole host of reasons why, which I won’t get into here. So if it’s not there, you’re stuck with that debt. Better to save up and have the money to pay up front for the hours; then, if you can and choose to get the reimbursement, you’re in the clear (and can use that money to help with the next round of courses).

Get the Degree

Recently, a friend of mine with a lot of experience in her field was back on the job search. She is good at what she does, and the local community (related to IT) knows she is a senior-level professional, but there was one big problem: she didn’t have a four year degree. As a result, there were some folks who wanted to hire her but couldn’t get past the mandatory HR checklist. She has a good job now, but her job search took longer than it should have because of that degree requirement. And it wasn’t that she didn’t have a degree at all. She had a two year degree. But the HR checklists all said, “Bachelor’s degree.”

I’ve asked a few other friends who don’t have four year degrees and their experience has been the same. Yes, they’ll eventually land a great job, but they’ve been turned down for opportunities because they don’t have a bachelor’s level degree. Keep in mind that rarely does the subject of the degree matter. I happen to have two technically related degrees: B.A. Mathematics and B.S. Physics. I don’t have a computer science degree. That has never come up as an issue. The fact that I have the four year degree is enough to check the check box and continue on. I know others who have a degree in music, in public administration, in elementary school education, and in other fields that aren’t “cousins” with computers. The subject hasn’t mattered. The fact that they had a four year degree did.

When it comes to who I work with, I don’t care if you have a degree. I care about whether or not you can do the job. Most IT pros I know feel the same way. However, we’re not the entry point in the hiring process. As a result, my perspective has changed on whether or not to get a degree. Before, I was of the opinion that if it’s meaningful to you, if you want to go into management, etc., then go ahead and get the degree. However, given my friend’s case, my opinion has changed to recommend folks get the four year degree, period.

The degree isn’t just about having better prospects on the job market. I know of specific cases where not having a degree meant a lower salary for excellent professionals, even architecture-caliber folks. Even if you’re gainfully employed now, you could be leaving money on the table by not having a four year degree. Yes, in my opinion this is unfair, but it’s the reality in a lot of organizations.

So should you try and get a computer science degree if you’re in the IT field? You’ll certainly pick up things you likely won’t come across in day-to-day work but which could influence your decisions if you knew about them (like big-O notation and algorithm analysis). However, whether or not you have a bachelor’s degree, any bachelor’s degree, is what is on the checklist the vast majority of the time. Therefore, get a degree in what you’re interested in (and what work will pay for, if you have that option and choose to take it), and get it done as quickly as possible. Simply get the checklist item out of the way. Hopefully, you’ll have fun and learn some interesting things along the way, but the main thing is to get the degree.
