In this podcast recorded at RSA Conference 2018, Travis Farral, Director of Security Strategy at Anomali, talks about the impact of blue team collaboration. Discover why collaboration is important, and how it can impact your organization.
Here’s a transcript of the podcast for your convenience.
Hi, this is Travis Farral, the Director of Security Strategy with Anomali. In this Help Net Security podcast, I’ll be talking about blue team collaboration. Collaboration is a popular topic in security circles, especially with the advent of ISACs and the popularity of joining an industry vertical sharing group, but what I’m talking about is collaboration that goes beyond that. I’m talking about things that go beyond just emails; I’m talking about building relationships with others within the industry, meeting in person if possible, and lending a hand where possible. Email, Slack, text, you know, phone – the mechanisms through which this collaboration happens – can certainly be part of this collaboration. But it’s really about developing these relationships across different boundaries, and making use of those so that we can push the ball forward on the blue team.
I think this requires something very deliberate in order to be successful. First off, who are we collaborating with? We already mentioned ISACs; obviously, I think verticals are the first place that we typically start in enterprises when we share, and that makes sense. You know, these are within our industry, and they see a lot of the same threats; they run their business a lot of the same way that we do, so this makes sense. But this isn’t where we should stop. We should obviously also be sharing with our internal teams – incident response, SOC, even the operations guys. These are teams that we should have really good communication with, and we should be collaborating with them to understand the challenges that they have as well.
I’m also talking about peers and other verticals – you know, finding those other analysts that we really click with in other organizations. Vendors, even, which is something that’s probably not very popular, but I think there’s a lot of value in sharing specifically with vendors that we have a connection with, or that we feel very close with, and our security posture. Also government: this is something that, you know, is sort of natural for us to want to share, especially when we feel like we’ve been the victim of an attack; we want to reach out to law enforcement, perhaps, to try to help us with that. But I think we should have those relationships before we get attacked.
Last year we saw a collaboration between many security organizations to take down the WireX botnet. This included Akamai, Cloudflare, Flashpoint, and many others. And I think it highlights what this kind of collaboration amongst blue team players can actually accomplish. I won’t go into the details of that particular takedown; there’s plenty of information online about it. But I certainly want to highlight the fact that this happened, that it was very successful, and I think our industry would do well to see more of that type of collaboration in the future.
So, for this to happen, though, I think we need to already have these relationships in place. You know, relationships with each other – some of these analysts already knew each other across these organizations. And these organizations worked within different verticals; there were even some private organizations that were part of the collaboration that just chose not to be part of the public announcement. Obviously, the FBI was also involved. You know, these are things that happen if we start deliberately making these connections with people when we go to various conferences, when we’re interacting with our ISAC, when we’re, you know, maybe even meeting with the local FBI office. These types of relationships can definitely benefit us going forward.
The other thing I want to point out is the WannaCry attack that happened last year. During this event we saw a ton of collaboration happening organically on Twitter as the events unfolded. Lots of discoveries were made; the amount of man-hours that were put in, and how quickly we were able to dissect the malware, how it operated, what was happening – all these discoveries happened in real time over Twitter. This was collaboration at light speed as far as I’m concerned. And I think this example highlights how well we can operate when we do so with some sort of deliberateness. But I think that we should be able to do this type of collaboration on a more daily basis, and not wait for some big attack like WannaCry to happen.
The amazing thing about WannaCry is that by the end of the day – literally hours after the start of the attack – we had amazing blogs that already had tons of information in them about the attack, a lot of which came from the collaboration that happened over Twitter. And I think there’s a lesson here for us that we can collaborate: we see attacks every day, and a lot of us see the same attacks every day, and we don’t have to have duplicated effort. At the same time, when, you know, whatever the latest round of Necurs botnet phishing attacks happens, you have exactly the same things happening within teams all around the world. It’s an immense amount of duplicated effort, probably to the tune of thousands and thousands of man-hours.
So, why don’t we try to work through these things in a much more collaborative way? We could share the wealth as far as work to be done, and divide and conquer according to our expertise and the tools that we have available to us. So, in the end, I think collaboration can be a killer app for defense; it’s really how we move forward. And I think that teams that don’t collaborate well will be at a significant disadvantage in the future.
We have to be deliberate but not overly formal; we shouldn’t burden our collaboration with lots of processes or anything like that. Relationships matter, so when we make those connections over Twitter or over email, we should deliberately try to seek these people out, and be able to greet them, share beers with them, and shake hands with them, as we can at conferences or other events. We should embed this collaboration within our daily workflows. We should make it part of our normal day to collaborate, both internally with our internal teams but also with some of these external resources. And I think this goes a long way to prepare us all for these big events that come next, because who knows when the next WannaCry is going to happen.