A lot of ink (or pixels) has been spilled in the last few years about the information security skills gap and the related staffing shortages; here, that conversation turns to soft skills.
SANS recently released a whitepaper on the “Top Skills Analysts Need to Master,” by Ismael Valenzuela. Amid the industry’s hand-wringing about the problem, it’s helpful to hear concrete specifics from practitioners and those who train tomorrow’s defenders.
Valenzuela discusses several models such as the Observe-Orient-Decide-Act (OODA) Loop and Analysis of Competing Hypotheses, as well as industry models such as Time-Based Security and the MITRE ATT&CK framework. Most security pros have at least some familiarity with several of these. But familiarity does not equal mastery, and since we’re hearing so much about the gap, how do we close it?
Use frameworks to build soft skills
Here are two frameworks security teams can use to develop a stronger strategy:
ATT&CK: The ATT&CK matrix has become one of the most powerful tools the industry has gained in recent years. There are various ways to use it, but when it comes to soft skills, I offer this: Use the matrix as a self-certification framework. Pull up a favorite rendering of it, and then go through all of the cells, asking: do I understand what this is, how I would detect it, how I would mitigate it, how relevant is it to my current threat model, and what it portends for earlier or subsequent adversary behaviors if I do detect it? Where gaps exist, skill up on them. In doing so, security pros can develop a framework around their own learning. Putting some structure to learning and mastering new material is a soft skill that can pay big dividends over the course of a career.
Analysis of Competing Hypotheses (ACH): Many years ago, I misdiagnosed a car problem, thinking it to be much more severe than it actually was. It turned out that I might well have saved stress and towing costs if I had applied ACH-style rigor to the troubleshooting process. The lesson here: Don’t wait for a moment when a serious incident seems to have occurred to practice using ACH reasoning. Apply it to low-stakes situations, and develop a habit of reaching for more analytical rigor before events force the security team to master it with insufficient practice. To learn more about ACH in the cyber realm, this blog by Digital Shadows in the aftermath of WannaCry illustrates well how it was applied.
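ACH is worth seeing as the mechanical procedure it actually is, so here is a small scored evidence matrix in the spirit of Heuer's method. This is an added example, not code from the original post, from SANS or from Digital Shadows; the incident scenario (an EDR alert for mass file modification on a file server), the three hypotheses, the evidence items and their credibility weights are all constructed for illustration. Each item of evidence is rated consistent, inconsistent or neutral against every hypothesis, evidence rated identically against all hypotheses is discarded as non-diagnostic, and hypotheses are ranked by how much credible evidence contradicts them rather than by how much supports them.

```python
"""Analysis of Competing Hypotheses (ACH) as a scored evidence matrix.

Added example; the scenario, hypothesis names, evidence and weights are
constructed for illustration and are not from the original post.

Each evidence item is rated against every hypothesis:
    "C" consistent, "I" inconsistent, "N" neutral / not applicable.
Hypotheses are ranked by how much credible, diagnostic evidence is
INCONSISTENT with them, not by how much supports them.
"""
from dataclasses import dataclass


@dataclass
class Evidence:
    description: str
    credibility: float          # 0.0 .. 1.0: how much the observation is trusted
    ratings: dict               # hypothesis -> "C" | "I" | "N"


def diagnosticity(ev: Evidence) -> float:
    """Evidence rated the same against every hypothesis cannot discriminate
    between them, so it carries no weight in the ranking."""
    return 0.0 if len(set(ev.ratings.values())) <= 1 else 1.0


def inconsistency_scores(hypotheses, evidence):
    """Per hypothesis: sum of credibility * diagnosticity over evidence rated "I"."""
    scores = {h: 0.0 for h in hypotheses}
    for ev in evidence:
        weight = ev.credibility * diagnosticity(ev)
        for h in hypotheses:
            if ev.ratings.get(h, "N") == "I":
                scores[h] += weight
    return scores


def rank_hypotheses(hypotheses, evidence):
    """Least-inconsistent hypothesis first (ties broken alphabetically)."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(hypotheses, key=lambda h: (scores[h], h))


def open_questions(hypotheses, evidence):
    """Evidence that contradicts the leading hypothesis: what to verify
    before acting on the ranking."""
    leader = rank_hypotheses(hypotheses, evidence)[0]
    return [ev.description for ev in evidence if ev.ratings.get(leader) == "I"]


def nondiagnostic(evidence):
    """Evidence the analyst should stop weighing: it fits every hypothesis."""
    return [ev.description for ev in evidence if diagnosticity(ev) == 0.0]


# --- constructed scenario: EDR alert for mass file modification on a file server ---
HYPOTHESES = ["ransomware", "scheduled backup job", "user bulk-rename script"]

EVIDENCE = [
    Evidence("thousands of files modified within minutes", 0.9,
             {"ransomware": "C", "scheduled backup job": "C", "user bulk-rename script": "C"}),
    Evidence("modifying process is signed by the backup vendor and started by the task scheduler", 0.8,
             {"ransomware": "I", "scheduled backup job": "C", "user bulk-rename script": "I"}),
    Evidence("sampled files still open correctly in their original applications", 0.7,
             {"ransomware": "I", "scheduled backup job": "C", "user bulk-rename script": "C"}),
    Evidence("no ransom note found on the share", 0.6,
             {"ransomware": "I", "scheduled backup job": "C", "user bulk-rename script": "C"}),
    Evidence("backup server shows no job logged for this host at that time", 0.5,
             {"ransomware": "N", "scheduled backup job": "I", "user bulk-rename script": "N"}),
]

if __name__ == "__main__":
    for h, s in inconsistency_scores(HYPOTHESES, EVIDENCE).items():
        print(f"{h:28s} inconsistency = {s:.2f}")
    print("ranking:", rank_hypotheses(HYPOTHESES, EVIDENCE))
    print("ignored as non-diagnostic:", nondiagnostic(EVIDENCE))
    print("verify before closing:", open_questions(HYPOTHESES, EVIDENCE))
```

Run as written, the mundane explanation (a scheduled backup job) ranks ahead of ransomware because three credible observations contradict the ransomware hypothesis and only one contradicts the backup job, which is the car-repair lesson above in miniature. The output also lists the one observation that still contradicts the leader, the missing backup log entry, as the thing to verify before the case is closed, and flags "thousands of files modified" as carrying no weight at all, since it fits every hypothesis equally.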
Here are a few tips on how to implement these frameworks:
- Avoid linear thinking.
Pop quiz: What do MITRE ATT&CK and the children’s game Chutes and Ladders have in common? Adversaries rarely progress linearly along the ATT&CK techniques. In any given situation, the adversary may well take a “ladder,” or bypass, that skips various techniques on the matrix, or stumble down a “chute” with an error that causes a setback. In an IR situation, ask: where are the ladders? Threat modeling can help here, since it offers insights into which routes are available to an adversary from a given place on the “board.”
- Leverage tabletop exercises.
Great performers in real-time fields (athletes, entertainers, pilots, firefighters) become proficient through countless hours of practice and drills. Nobody becomes excellent at any of those fields just by reading books or watching videos, so it’s hard to overstate the importance of drills and exercises. Tabletop exercises (TTX) are all too often put on the back burner because of competing priorities. While this is understandable, it has real and detrimental consequences. If your organization doesn’t do TTXs, then do the following: advocate as vigorously as possible for them; and design and carry out a “personal” TTX. Set up a scenario, determine what actions to practice, and then use a stopwatch to create real-time constraints. Be creative, but make the TTX as realistic as possible, too.
- Use checklists.
Pilots have relied on checklists almost as long as flying has been a human activity. Increasingly, surgeons do, too—because research proves that they work. Create checklists for activities that are more complex, or where forgetting a step in an emergency, high-stress situation could make things worse. Checklists themselves are not a soft skill, but being (or becoming) a checklist-maker and -user is.
In his conclusion, Valenzuela points out that analysts are developed, not born. While that is true, don’t forget all of the natural gifts that can make good security people even better. Security pros have that incredible pattern-matching machine between their ears; they have curiosity, intelligence, judgment, and creativity. Most have all the ingredients, and perhaps the ideas above represent recipes that can put those ingredients to effective use. Go explore!
Tim Helming, security evangelist, DomainTools