Just Another Terrain
Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.
A terrain is usually defined as the ensemble of the features of a tract of land. Geographic terrains can be of many types—jungle, mountain, desert, urban, or otherwise—and with our increasing dependence on computers we have seen an entirely new kind of terrain emerge: digital. In fact, digital and physical terrains have more in common than you might think.
As a former US Army Special Forces officer and a lifelong computer scientist, I observed that the fundamentals of military tactics in physical terrain hold true in the digital terrain of cyber security. Cyber security and physical security are merely derivations of the original concept of security; cyber attacks are nothing more than modern versions of the attacks humans have always experienced, only played out on a digital “terrain”.
Cyber security is not an IT problem—it is a security problem.
For this reason, in building Blackpanda, we gathered exceptional individuals from military, law enforcement, and computer forensics backgrounds to develop bespoke and hyper-focused digital forensics and incident response services across APAC. Handling cyber incidents can be extremely stressful, requiring responders to act fast in an environment full of uncertainties. The focus and discipline we bring from our unique backgrounds have taught us to maintain our focus and calm in the worst situations, persevere in times of difficulty, prepare for the worst, and approach complex security challenges with clear, tried, and tested strategies.
The overlap between the physical and digital terrains forms the cornerstone of our approach to incident response. In this article, I delineate the specifics of our unique perspective in the hope that by better understanding the similarities between these terrains, readers will learn more about what we do, how we do it, and who we are as a company.
"Cyber security is not an IT problem—it is a security problem."
The Importance of Terrain Analysis
I consider myself a classically trained military strategist and tactician, both from my time as a West Point cadet studying Cold War-era combined warfare tactics and later as a counterinsurgency battlefield commander in multiple theatres of war.
When I joined the US Army as a commissioned second lieutenant in 2001, I was posted to the DMZ in Korea along the 38th parallel where I patrolled my tank and mortar platoons as part of the 2nd Infantry Division. Being stationed along the border to North Korea was considered a “hardship” tour—the training schedule was very fast-paced, and we had monthly alert sequences to defend against an invasion from the North.
I spent approximately 24 months in the frigid tundra of the Korean peninsula as part of the 2nd Infantry Division. Engineers, infantry, artillery, and attack helicopters all coordinated with my tank platoon and we moved as a single unit, although each had their specific roles and capabilities. We honed our skills with a tremendous amount of training on the combined arms training grounds in the rocky mountains of Korea. There, I practiced complex tactical formations and honed my skills to analyze mountains, rivers, and deep valleys in defensive and offensive positions.
When developing a military plan, whether offensive or defensive, a tactician should first conduct an analysis of the battlefield terrain. Terrain analysis is critical for understanding the “chessboard” before even considering which pieces are in play, from both enemy and friendly elements.
For example, a hilltop spur is a key terrain feature of the Korean mountains that provides a valuable dominant position. From this vantage point, the army can command fields of fire over a valley. In a desert urban scenario such as Mosul in Iraq, one could position troops at a critical four-lane highway intersection of three major throughways. Holding such an intersection could prevent the enemy from moving quickly throughout the region.
In these two examples, one can see that understanding the terrain and using it to your advantage plays a critical role in obtaining an overwatch position that prevents the enemy from freely and quickly advancing past the troops.
The Value of Cyber Terrain Analysis
From this terrain-focused perspective, one should first and foremost understand that the digital “terrain” of cyber attacks and cyber security can be analyzed similarly to physical terrains. In the same way one might analyze a mountainous, desert, urban, or jungle terrain before conducting a military operation, our team of incident response specialists analyze the digital terrain and use its characteristics to our advantage when responding to breaches or performing a compromise assessment.
For example, an admin account provides a vantage for good network visibility. By securely holding this key position, attackers may not be able to approach the network with the same ease they would have otherwise, as they can be spotted and caught before causing any damage.
A network gateway—just like a physical passageway—sits between different networks or applications and offers external agents and networks access to internal data. As something that is necessarily porous for normal business operations, if improperly protected, this may prove a critical weakness in your environment that must be carefully monitored, so as not to allow attackers to penetrate the network and gain access to sensitive data.
Remote desktop protocols (RDPs) are another inherent weakness in an otherwise protected network, allowing users from the outside to access secure networks, like a physical door or passageway. With the rise of remote work, RDPs are increasingly used or even essential to normal operations. However, few companies adequately protect themselves while using them. Without fully understanding this terrain vulnerability and educating users on security policies surrounding the use of RDPs, organizations leave themselves open to attack.
Other “key terrain” features of a network include endpoint detection and response (EDR) technology, a security settings monitor, and a network sensor. The first acts as a sentry, the second as an observation post, the third as a lookout tower. These three features have weaknesses—just like a security camera has blind spots—but each complements the other. By controlling all three, one can hold an advantageous position in a network and catch trespassers early.
Therefore, it is just as critical to fully understand the cyber security terrain in general as well as the unique terrain features specific to an individual organization’s environment, defenses, vantage points, and blind spots.
Applying Terrain Methodology to Provide Better, Faster Incident Response in APAC
Our experience as an incident response and digital forensics company has taught us that no two cyber terrains are the same. Every organization is a combination of a number of factors including industry, size, geographic location, culture, personnel, and many more. Thus, it would be naive as incident responders to treat every case with a one-size-fits-all approach.
At Blackpanda, we offer our clients on-call digital forensics and incident response services as well as pre-breach response planning, assessment, and consulting. While other incident response companies limit their intervention to showing up in the moment of a breach, our objective is to build long-term relationships and a deep understanding of our clients’ individual cyber terrains.
By doing so, we can provide better, faster incident response based on the mutual and comprehensive understanding of the environment—including both its advantages and vulnerabilities. We do this through seeking enhanced visibility, carrying out manned reconnaissance, and regularly conducting response readiness drills.
Enhanced Visibility | Behavior-based Endpoint Monitoring
One of the most important things we do when we begin working with new clients is to install endpoint technologies that automatically monitor for threats and rapidly gather forensic data following an attack. These tools enhance our visibility across an environment and allow us to respond more effectively to an attack. They can be thought of as the initial scout and ensuring the tactical team that follows close behind can secure the position or, in this case, the endpoint.
As a first step, a military scout would carry out reconnaissance of a location—checking for enemies in hiding, potential points of entry, and other threats—before the rest of the team arrives. Similarly, Blackpanda’s proprietary risk analysis tool, Pandarecon, is deployed on client systems to carry out an initial appraisal of their security posture.
Pandarecon proactively inspects non-active processes on an endpoint, identifying “low-hanging fruit” vulnerabilities that can be easily remediated such as unpatched software, open ports, and outdated passwords. Potential attackers will take advantage of any exposed points of entry to breach a system; therefore, these amendments, while small, can have an outsized impact on the security of both the endpoint and the organization as a whole.
Furthermore, for clients who have Pandarecon pre-installed as a result of a pre-breach service—like our Compromise Assessment offering—the tool allows clients to instantly gather and securely transfer critical forensic data back to the Blackpanda Cyber War Room for immediate investigation and rapid response.
Blackpanda additionally deploys SentinelOne, a behavior-based endpoint detection and response (EDR) tool that works as a sentinel, monitoring endpoint processes and holding a position. Typical anti-virus tools simply act as gatekeepers, blocking only processes with known threat signatures. Behavior-based EDR instead works by observing the overall activities of a computer, setting a baseline of normal behavior in the environment, and flagging suspicious behaviors themselves—detecting even new threats with previously unrecognized signatures.
With both tools installed prior to a breach, the enhanced visibility of settings, behavior, and forensic evidence allows our team to not only detect threats faster but also triage, hunt for similar activity across all endpoints, and decommission malware more quickly and efficiently during an attack.
Manned Reconnaissance | Compromise Assessments
Even the most advanced cyber security technologies may be thwarted or evaded as cyber criminals continue to evolve their tactics daily. For this reason, we highly recommend businesses amplify their reconnaissance efforts through regularly conducted human-led Compromise Assessments.
During a Compromise Assessment, our threat hunting specialists perform an inside-out investigative sweep of your cyber terrain for any signs of compromise including dormant, active, or past attacks that other tools may have missed. We use a continuously updated library of thousands of proprietary queries to search for malware on the network and assess the overall security posture of the organization. We also scrape the Dark Web for leaked information and hacker forum chatter about the company that may indicate an existing compromise or foreshadow an upcoming attack.
The human-led, tech-enhanced, and comprehensive nature of Blackpanda’s compromise assessments means that our specialists form a deep understanding of your environment and overall security posture in the process.
We recommend organizations conduct Compromise Assessments at least quarterly, if not weekly or daily, depending on your risk tolerance. By regularly checking internal systems for vulnerabilities and early signs of attacks, our team will come to know an environment like the back of their hand—facilitating faster and more effective response to attacks on your organization and also stamping out early problems before they reach their final form.
Regular Drills | IR Planning and Tabletop Exercises
In the military, one of the most critical factors of mission success is proper planning. Setting up scenarios and running through reaction protocols is the best way to ensure that response is prompt and effective, smoothing out any potential bumps and hiccups before a live engagement.
At Blackpanda, we provide the same level of preparation through our Incident Response Planning and Tabletop Exercises. We work closely with clients to understand their terrain and unique strengths, weaknesses, and requirements, designing detailed action plans for dealing with a range of threats. These Incident Response Plans and Playbooks cover everything from communications, escalation, and handover procedures to technical responses for individual attack types.
We then test those plans by conducting tabletop exercises—live practice runs where relevant actors across the organization are involved in improving the speed and efficiency of response and recovery. Through these efforts, both Blackpanda and your internal team gain a stronger awareness of your digital environment, “terrain” features, advantages, and disadvantages.
In Closing: No terrain is ever 100% secure
The above terrain-focused methodology and pre-breach services allow us to develop greater visibility and deeper understanding of your organization’s digital environment; however, no terrain—whether physical or digital—can ever be 100% secure.
In words taken from the world-class US Army Survival, Evasion, Resistance, and Escape (SERE) Level C School: “Preparation is the key to survival.”
As such, modern organizations must have a plan in place for when defensive measures fail and specialized emergency response is required. The best way to minimize damage and financial loss is by having a trained and professional incident response team on call, with either a Blackpanda Incident Response Retainer or through a comprehensive Cyber Insurance policy (highly recommended).
All Blackpanda retainer clients receive a response within four hours of contact, with typical activation times of two hours at most. Retainers also offer prioritized incident response over non-retained customers and can be used to conduct regular compromise assessments or other pre-breach consulting services, making it the optimal partnership solution for fast and effective incident response. With Pandarecon installed, Blackpanda can guarantee immediate response upon notification since the responders can immediately begin forensic actions through the tool -- every second counts in a crisis.
We also highly recommend all organizations consider purchasing a comprehensive cyber insurance policy, with Blackpanda as the named responder on the policy. In addition to covering all Blackpanda incident response fees, these policies typically cover other residual financial risks of a cyber attack, including business interruption losses, third-party losses, legal fees, notification costs, and more.
Just as each Army division specializes in a particular setting—whether airborne, armored, infantry, or other—we chose for Blackpanda to focus on a “One-Kick Philosophy” of mastering digital forensics and incident response, unmatched in the cyber terrain.
We take a hyper-focused approach in preparing our clients for cyber incidents, ensuring that their networks are secure and intervening promptly when things take a turn for the worst. By contacting us before you are breached, we can help strengthen your security posture ahead of time and be promptly available in a time of crisis.
Our emphasis on preparedness is informed by our military background and terrain-focused methodology, reinforcing our identity as Asia’s premier digital forensics and incident response provider.
To learn more about our white-glove, Asia-focused digital forensics and incident response services, contact Blackpanda today.
Interested in speaking to a DFIR specialist?