Wednesday, August 20, 2014

Lessons from Crumpton's Art of Intelligence

A few months ago, I finished reading Henry Crumpton's book, The Art of Intelligence: Lessons from a Life in the CIA's Clandestine Service. It was simply amazing and I highly recommend it for all the insights it adds to hidden conflicts the public will never fully understand. I will not be writing a review of the book however, but try to mirror some of the key points from the book into what we see today in the information security spectrum. While I would never attempt to equate the life and death struggles of patriots to the things we do in InfoSec, I believe in drawing from other realms to further our understanding of problems.

Diverse Backgrounds

(pg 64) "There was an overwhelming consensus, according to James, that whether in operations or analysis, the best officers were usually those who had accumulated a broad range of diverse and enlightening experiences prior to joining government service. These men and women developed more open, more empathetic views of others. With their accumulated perspectives, they could engage with a broader range of people. The could also recognize, question, and sometimes challenge the status quo." ... "But James noted, to his dismay, that at least prior to 9/11, many thought the CIA emphasized hiring officers with clean, "blank slates", rather than those with unique backgrounds and on-the-edge experiences. It was much easier to admit a new officer who adhered to the status quo, who migrated from parents to college to employment, than an unconventional adventurer."

This should be a no brainer, but surprisingly its not. Hiring managers continue to only want to recruit from their alma mater, or specifically only hire from certain roles like system or network administrators. And the most frustrating of all, they want to hire from their former employers, the Big4, Gartner, and others. It's obvious to the people that get it, that this causes problems, not the least of which missing out on better talent. It reminds me of a story I heard, where this former manager's best hire was a quadriplegic, who typed on his keyboard with a stick in his mouth, but was still more productive than fully able college graduates.

Big Picture, Remember Your Stakeholders Needs

(pg 97) "CIA operations fall into a larger political context, although sometimes CIA officers forget this. Intelligence serves a political purpose and supports policy makers and implementers. Our station was fortunate, because our ambassador understood and respected our work and used our product."

Yes I am guilty as charged. It's all too easy to get mired in tactical enterprise defense issues, and lose sight of the big picture and what your executive leadership really wants. It's important to have that meeting and outline specific goals, otherwise we are making bad assumptions or simply adhering to something generic like "protect the brand and reduce risk".

Cross Functional Teamwork

(pg 98) "To gauge counterintelligence risks, the CIA must understand the plans and intentions of other services, and the best means to do so is via unilateral sources within those services."

Everybody knows the last minute drama created by other teams lack of planning and communication. As InfoSec, we always need to be developing relationships in other departments and learning what is important to that segment of the business.

Lack of Threat Intelligence & Incident Sharing is Bad for Business

(pg 110) "The FBI sought justice, not prevention. Their information was potential evidence, which they had to protect for the prosecutors to use in court. The agents, for the most part, could not envision others outside the DoJ having a legitimate need for FBI-derived information. Sharing evidence as intelligence was anathema to them. Even the FBI's NY field office would not share information with FBI HQS, because of their incentive for a successful prosecution in the DoJ's Southern District of NY." ... "The FBI even referred to the "Chinese wall" constructed to prevent tainting evidence by sharing it with the intelligence community or anybody outside the prosecutor's office."

Companies with more mature IT Security operations need to understand there is more to gain by establishing trusted sharing with peer companies, then by going it alone. What's even more challenging, is when you have internal corporate groups at the same company refusing to share information for various political reasons. At minimum, withhold the context and exchange fresh indicators.

Rally Cry: Existing Methods of Security Aren't Working, Its Time To Innovate

(pg 120) "Conspiracy to Destroy Bureaucracy & Murder of Outdated Ideas and Methods"

If you're not here to improve things and drive change, follow or get out the way. Often times this can be a huge hurdle, when the roadblock in question is a politically connected corporate stooge.

Most Leaders Don't Get It, But Be Ready For When They Do

(pg 143) "It was late January 2000, in the aftermath of the Millennium Plot success. We were proud of our work. Although National Security Advisor Sandy Berger described it as our most successful counter-terrorist operation to date and thanked us, the administration and public seemed oblivious to the scope of the enemy's effort and our global surge to foil their terror plots. The failure of the administration to grasp the enormousness of the enduring threat was disappointing."... "Well, hard for us to fight when our leaders and our nation don't realize we're at war." ... "Listen, the time will come. it will be ugly. And the guys downtown will ask us to respond. We will. There will be blood in the sand."

There it is, plain and simple. The pendulum swings back and forth on IT security relevance within the company and executive attention rarely lasts longer than a fiscal quarter. Be ready to go with your wishlist, plan of action, and elevator speech.

Realpolitik Often Trumps Logic

(pg 155) "To our frustration in CTC, the president's covert action finding included many caveats, e.g., we could only seek to kill UBL if it was part of a capture operation. Yet there was no apparent problem killing him with a cruise missile. This was silly. UBL had declared a war on the United States, by word and deed. He had partially destroyed our embassies in Nairobi and Dar es Salaam in August 1998 with truck bombs. he had attacked the USS Cole in October 2000. He had planned to kill thousands at the turn of the century, but CTC working with dozens of CIA stations and our foreign intelligence service partners had thwarted him." ... "I wondered how much of the parsed language in the finding was designed to protect their political reputations rather than protect the nation."

China is the largest stealer of intellectual property in the history of the world by volume. And yet companies are relocating their engineering, science, and manufacturing there. Corporate espionage is openly admitted in India, and yet we are off shoring many IT jobs there, that often include privileged user access. This makes zero sense in the long term, but making quarterly numbers and getting bonuses trumps the long term health of the company. This is easily one of the most disheartening aspects of our nations long term economic prospects and vitality of the middle class.

Success Breeds Contempt

(pg 186) "We are completely fucked. If we lose, we're blamed for everything. They hang us. If we win, everybody in this building hates us, and we're finished. They will shoot us in the back of the head. Some already hate us, because we have the resources and the authority. The Near East Division wanted command and control of this war, but the director stuck with us. So forget any career." ... "Do you think I give a rat-fuck about a career. We've got thousands dead. All I want is the mission. You gave it to me. I'm grateful." ... "Good harsh advice as usual. Just consider yourself dead professionally and  politically. Focus on the mission. There is nothing but the mission."

I have seen this too many times to not consider it the norm. New talent comes in and moves the bar more significantly in 6 months than other teams have in 4 years. You can guess what the institutionalized, lazy, bureaucratic reaction to that is. I once had a person, roadblock me so much they got "security" put into their job title to make the red tape even thicker. I would like to say by maintaining strong, friendly relationships with other leaders, this problem goes away, but that just isn't reality.

Don't Under Estimate Your Enemies & Plan For The Unexpected

(pg 226) "Whats the problem?" ... "Our medic, he's detailed to the CIA from DoD, and we're waiting on his clearance to join us." ... "Sir, its a no-go" ... "You have to be shitting me." ... "No sir. The secretary's office has refused his clearance to join us." ... "Why?" ... "I don't know, sir." ... "As the plane began to taxi, I sat in my seat strapped into the four-point belt buckle, wonder how in God's name could we win this war with a DoD so dysfunctional. Or worse, maybe these dickheads were more concerned about their administrative prerogative than saving the lives of our men on the battlefield. Whatever the reason and the motivation, the result was the same. We would be short a medic. The pilot pulled into the clear afternoon air over northern Virgina and turned to the east, toward Tajikistan."

While not really proved, there was some inference in the book that Rumsfeld was a major ruthless prick. This also has been corroborated in other books. I have seen people get clearances in 1 day, and they send these guys into the heart of darkness without a medic due to a clearance? Regardless from an IT context, we should never underestimate our external or internal threats. The one day you ignore or denigrate a threat, the next day your emails are on pastebin. And we need to be prepared to operate at less than full strength. Cross training your team is very important.

Corporate Communications & Public Relations Matter

(pg 244) "By now Massie had arrived in Alabama and informed Mike's parents. Bonk was still en route to California. The Pentagon issued a press statement that the fallen did not belong to the DoD. The statement was not coordinated with the CIA." ... "Why could they not wait another few hours, for God's sake, so we could inform Shannon? What did the Pentagon gain?" ... "Shannon was driving, listening to the radio. She heard the announcement, pulled to the side of the road and called me." ... "I just heard a report on the radio that an officer is down. The Pentagon says it's not one of theirs, so he must be ours. It's Mike, isn't it?" ... "I tried to image her on the side of California road, cell phone in hand, traffic whizzing past. She was now a young widow with three kids."

This story probably had the most emotional impact of any in the book. But it drives home the point, how much the accuracy, timeliness, and coordination of communication matters. While some argue that you want rapid notification, more times than not, its better to wait until all the facts are in and you have answers to the likely questions. You also want to have your playbook ready to go for how your PR & Corp Comms departments will handle breaches. Target and others have learned this the hard way.

Intrusion Fatigue & Professional Development

(pg 276) " Intellectually, I needed to place the last few years in some historical and theoretical context." ... "Professionally, an academic sabbatical would broaden my perspective and make me a better officer. I felt like the guy chopping wood with a dull axe who never took time to sharpen the edge, because he always had more wood to cut. I needed to quite chopping, sit down, take a deep breath, and pull out the file."

As organizations add more tools, gain more visibility, generate more alerts, it becomes quite common to get overloaded with incidents. Being stuck putting out fires all the time, isn't good for the company or you. You are more likely to miss things when your in constant crises mode. Also, not having time for researching, testing, learning, etc keeps your skill sets from being improved or your processes from being refined.

Vet your InfoSec Thought Leaders

(pg 276) "Policy wonks jawboned about the diplomatic gridlock of nation-states in the region.  Some counter-terrorism experts, many of them unfamiliar to me, predicted death and destruction for Central Asia, the Middle East, and the U.S. homeland. Hardly anybody commented on the intellectually corrupt ideology of AQ or on the people of Afghanistan. I thought of my discussion with Masood in early 2000 when he had stressed the importance of his people in any conflict. I wondered if any of these pundits had asked any Afghan what he or she thought."

There is no shortage of talking heads willing to repeat buzzwords on a big stage at conference or on the web. It's critical for industry to avoid group think and demand legitimacy out of our so called thought leaders. Pay close attention to the work experience and track record of anyone you are relying on for strategy.

Rapid, Adaptive Threats And Intelligence Driven Detection & Response

(pg 277) "That is to say, it is a definition of war that has neat beginnings and decisive endings, waged against a state, or more precisely, against its armed forces, accompanied by clearly defined objectives, 'end states', and 'exit strategies'." ... "Yet we are facing an era of war unrestricted by conventional boundaries. Cohen argued that we will face "wars that resist neat classifications of those who impart military doctrine at war colleges, or of politicians and generals who seek clarity and order when all is obscurity and confusion." ... "This war, unlike most others, has the potential to take new and dangerous forms with great speed and little warning." ... "This is why intelligence will be so critical, to help us diminish the "obscurity and confusion" and to understand the "new and dangerous forms".

The speed of innovation on the attackers side and the sheer number of increasing threats keep making our world even more asymmetric than years before. One of the best ways to make things more symmetric is to have a robust threat intelligence program. This is easier said than done, and it isn't just a data feed and some actor reports. We need to hunt those adversaries and implement security controls, not based on a cool vendor ranking, but by your specific actors TTPs.

Threat Intel is a Shiny Object

(pg 281) "The first is how ambivalent, cynical, or ignorant the U.S. public and many policy makers are about intelligence." ... "Policy makers were seeking to drive intelligence conclusions rather than letting intelligence collection and analysis inform policy." ... "Second, I was struck by the changing nature of warfare and the growing importance of intelligence in the is strategic context." ... "This was reflected in huge budget increases in the intelligence community and a proliferation of agencies with intelligence functions but little real strategic leadership or clarity. The intelligence community seemed unsure of its future direction, in large part because the policy makers failed to provide requirements and guidance. They needed to be responsible customers of intelligence."

We all know Threat Intel is the current hotness, but it's important to define concrete objectives and outputs from the stakeholders. I once had a boss ask that we hire a Threat Intel person because he saw a presentation at conference. I said it was too much of a jump in maturity when over a third of the corporate systems had various forms of known malware on them. Lets be clear, while there is tremendous value in Threat Intel, many orgs have no business attempting it until they build a stronger operational foundation.

Always Pursue Knowledge & Don't Be Afraid To Ask "Dumb" Questions

(pg 298) "A good intelligence officer cultivates an awareness of what he or she does not know. You need a dose of modesty to acknowledge your own ignorance - even more, to seek out your ignorance. Then the harder part comes, trying to do something about it. That often requires an immodest determination."

Lets face it, everyone is ignorant about something. No matter how much you think you know, someone always knows more. We should be so lucky to be in a field, where things are always changing and there is always something to learn. Also don't become accustomed to always getting corporate paid training with travel. In times of budget cuts, you have to take your own education into your hands. There are plenty of free and low cost ways to learn more and up your InfoSec game.

The Blame Game

(pg 310) "Moreover, why had the commission looked only at the intelligence failures? Why not the policy failures? Perhaps, I figured, because politicians and policy makers had set the rules and they constituted the entire commission. There were no incentives for policy makers to blame themselves. They were protecting their tribe. Not a single intelligence professional held one of the commission's seats. It was sort of like assembling a blue-ribbon commission to review a health care crisis without any doctors participating."

If you are not empowered to shape security strategy and operational processes, then it's pretty much a one way street. You are there to take the blame when things go wrong. The best approach is to take copious notes about all your efforts to reduce risks, especially when they were rebuffed. That just might save your job and those of your employees.