Small Teams and CND ToolsJune 10, 2013
Over the past couple of months I've heard things like, "ChopShop is a great tool, but how can we use it in our CND shop when we only have a small team?" I'd like to take some time to address this, because this question isn't really about ChopShop, nor is it specifically about team size. Instead, it's a symptom of a broader question, namely, "How do I bring a new tool or technique into my organization and get immediate benefit from it?"
When deciding how best to utilize a single tool, the primary factor is not the size of your team, but assessing whether you have the expertise and time to bring the tool to bear on whatever problem you are trying to solve; it's not solely about the tool itself. The hallmark of any good tool is if a person without expertise in the field can understand how to maximize its potential.
ChopShop is still maturing. By its very nature it's trying to tackle a hard problem: parsing undocumented—and constantly changing—protocols. If only the malware authors were nice enough to provide RFCs for their protocols. ;)
At this time, leveraging ChopShop's full potential requires someone with a good understanding of the technologies involved, because when things go wrong, you have to be able to debug the module. One area that I would like to see ChopShop improve on is making it easier to tell what went wrong. This will make it easier to diagnose and debug the problem, especially since most bugs, at this point, originate in the add-on modules.
So, how do you bring any new tool or technique into your team's toolbox given the various maturity levels of tools? First, consider the amount of time you can dedicate to addressing a particular aspect of your CND, including bringing creative thinking and problem-solving skills along with the technical know-how. Then find the right person with the best technical fit and problem-solving skills. You also need to give him or her adequate time to understand the tool so it can be brought to bear on the problem at-hand. This isn't about finding a person with time, but rather finding the right CND person with time.
Lastly, bringing new tools into your team requires flexibility. Things will not go exactly as planned while your team works on integrating the tool or technique into their workflow to address your organization's defensive posture.
Once you experience a gain from the intelligence or data from a new tool or technique, you'll have all the incentive you need to continue to pursue the integration. Making a difference in CND is about putting the right expertise and technical understanding to work on CND challenges.
The team I lead at MITRE is not only flexible but also agile in bringing in new technologies and adapting them to our goals. We've got the right level of talent to address current and long-term CND challenges. Plus, MITRE's culture allows us to maximize our time on addressing the cyber adversary's changing tactics and techniques.
So, when I'm asked how to integrate a new tool, I always stress it's about the right people with the right amount of time in an enabling organizational culture. Not all technologies are going to fit in perfectly, and when they don't, you have to be willing to bend them to your will in order to get the most benefit from them. :)