A terrain is usually defined as the ensemble of the features of a tract of land. Geographic terrains can be of many types—jungle, mountain, desert, urban, or otherwise—and with our increasing dependence on computers we have seen an entirely new kind of terrain emerge: digital. In fact, digital and physical terrains have more in common than you might think.
As a former US Army Special Forces officer and a lifelong computer scientist, I observed that the fundamentals of military tactics in physical terrain hold true in the digital terrain of cyber security. Cyber security and physical security are merely derivations of the original concept of security; cyber attacks are nothing more than modern versions of the attacks humans have always experienced, only played out on a digital “terrain”.
Cyber security is not an IT problem—it is a security problem.
For this reason, in building Blackpanda, we gathered exceptional individuals from military, law enforcement, and computer forensics backgrounds to develop bespoke and hyper-focused digital forensics and incident response services across APAC. Handling cyber incidents can be extremely stressful, requiring responders to act fast in an environment full of uncertainties. The focus and discipline we bring from our unique backgrounds have taught us to maintain our focus and calm in the worst situations, persevere in times of difficulty, prepare for the worst, and approach complex security challenges with clear, tried, and tested strategies.
The overlap between the physical and digital terrains forms the cornerstone of our approach to incident response. In this article, I delineate the specifics of our unique perspective in the hope that by better understanding the similarities between these terrains, readers will learn more about what we do, how we do it, and who we are as a company.
The Importance of Terrain Analysis
I consider myself a classically trained military strategist and tactician, both from my time as a West Point cadet studying Cold War-era combined warfare tactics and later as a counterinsurgency battlefield commander in multiple theatres of war.
When I joined the US Army as a commissioned second lieutenant in 2001, I was posted to the DMZ in Korea along the 38th parallel, where I led tank and mortar platoons on patrol as part of the 2nd Infantry Division. Being stationed along the border with North Korea was considered a “hardship” tour: the training schedule was very fast-paced, and we had monthly alert sequences to rehearse the defense against an invasion from the North.
I spent approximately 24 months on the frigid Korean peninsula with the 2nd Infantry Division. Engineers, infantry, artillery, and attack helicopters all coordinated with my tank platoon, and we moved as a single unit, although each had its own specific roles and capabilities. We honed our skills with a tremendous amount of training on the combined arms training grounds in the rocky mountains of Korea, where I practiced complex tactical formations and learned to read mountains, rivers, and deep valleys for their value in defensive and offensive positions.
When developing a military plan, whether offensive or defensive, a tactician should first conduct an analysis of the battlefield terrain. Terrain analysis is critical for understanding the “chessboard” before even considering which pieces are in play, from both enemy and friendly elements.
For example, a hilltop spur is a key terrain feature of the Korean mountains that provides a valuable dominant position. From this vantage point, the army can command fields of fire over a valley. In a desert urban scenario such as Mosul in Iraq, one could position troops at a critical four-lane highway intersection of three major throughways. Holding such an intersection could prevent the enemy from moving quickly throughout the region.
In these two examples, one can see that understanding the terrain and using it to your advantage plays a critical role in obtaining an overwatch position that prevents the enemy from freely and quickly advancing past the troops.
Applying Terrain Methodology to Provide Better, Faster Incident Response in APAC
Our experience as an incident response and digital forensics company has taught us that no two cyber terrains are the same. Every organization is a combination of a number of factors including industry, size, geographic location, culture, personnel, and many more. Thus, it would be naive as incident responders to treat every case with a one-size-fits-all approach.
At Blackpanda, we offer our clients on-call digital forensics and incident response services as well as pre-breach response planning, assessment, and consulting. Rather than limiting our intervention to showing up at the moment of a breach, as many incident response companies do, our objective is to build long-term relationships and a deep understanding of our clients’ individual cyber terrains.
By doing so, we can provide better, faster incident response based on the mutual and comprehensive understanding of the environment—including both its advantages and vulnerabilities. We do this through seeking enhanced visibility, carrying out manned reconnaissance, and regularly conducting response readiness drills.
Enhanced Visibility | Behavior-based Endpoint Monitoring
One of the first things we do when we begin working with new clients is to install endpoint technologies that automatically monitor for threats and rapidly gather forensic data following an attack. These tools enhance our visibility across an environment and allow us to respond more effectively to an attack. They can be thought of as the initial scout, making sure that the tactical team following close behind can secure the position or, in this case, the endpoint.
Blackpanda additionally deploys SentinelOne, a behavior-based endpoint detection and response (EDR) tool that works as a sentinel, monitoring endpoint processes and holding a position. Traditional anti-virus tools act as gatekeepers, blocking only files and processes that match known threat signatures. Behavior-based EDR instead observes the overall activity of a machine, establishes a baseline of normal behavior for the environment, and flags deviations from it (for example, an office application spawning a scripting host), which lets it detect new threats that have no known signature. The trade-off is that a baseline also flags unusual but legitimate activity, so behavioral alerts need tuning by responders who know the environment, which is one more reason we install these tools before an incident rather than during one.
With both tools installed prior to a breach, the enhanced visibility into configuration, behavior, and forensic evidence allows our team not only to detect threats faster but also to triage, hunt for similar activity across all endpoints, and contain and remove malware more quickly and efficiently during an attack.
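As an added illustration of the distinction drawn above between a signature gatekeeper and baseline-driven behavioral detection, the following Python compares the two over a handful of constructed process-creation events. This is example code written for this article, not Blackpanda's or SentinelOne's detection logic; every host name, hash and command line is made up, and the two behavior rules are simplified stand-ins for what a commercial EDR applies.

```python
"""Signature-based vs baseline/behavior-based endpoint detection (added example).

The telemetry below is constructed to resemble process-creation events from an
EDR agent; hosts, hashes and command lines are fictitious.
"""
from collections import defaultdict

# Constructed "known good" window of process-creation telemetry used to build the baseline.
BASELINE_EVENTS = [
    {"host": "fin-ws-01", "parent": "explorer.exe", "proc": "excel.exe",   "cmd": "excel.exe budget.xlsx",   "sha256": "aaa1"},
    {"host": "fin-ws-01", "parent": "explorer.exe", "proc": "outlook.exe", "cmd": "outlook.exe",             "sha256": "bbb2"},
    {"host": "fin-ws-01", "parent": "services.exe", "proc": "svchost.exe", "cmd": "svchost.exe -k netsvcs",  "sha256": "ccc3"},
    {"host": "fin-ws-01", "parent": "explorer.exe", "proc": "chrome.exe",  "cmd": "chrome.exe",              "sha256": "ddd4"},
]

# Constructed events from the "incident" window.
NEW_EVENTS = [
    # Normal activity: same parent/child pair as the baseline.
    {"host": "fin-ws-01", "parent": "explorer.exe", "proc": "excel.exe", "cmd": "excel.exe q3.xlsx", "sha256": "aaa1"},
    # Known malware: its hash is on the signature list.
    {"host": "fin-ws-01", "parent": "explorer.exe", "proc": "dropper.exe", "cmd": "dropper.exe", "sha256": "deadbeef"},
    # Novel malware: Excel spawning encoded PowerShell; the hash has never been seen.
    {"host": "fin-ws-01", "parent": "excel.exe", "proc": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA", "sha256": "ffff9"},
    # Benign but never-baselined admin activity: the false positive that tuning must handle.
    {"host": "fin-ws-01", "parent": "cmd.exe", "proc": "robocopy.exe", "cmd": "robocopy.exe C:\\data D:\\bak", "sha256": "eee5"},
]

KNOWN_BAD_HASHES = {"deadbeef"}  # constructed signature list

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def signature_detect(events, known_bad=KNOWN_BAD_HASHES):
    """Gatekeeper model: flag only processes whose hash is already known bad."""
    return [e for e in events if e["sha256"] in known_bad]


def build_baseline(events):
    """Learn which parent->child process pairs are normal on each host."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["host"]].add((e["parent"], e["proc"]))
    return baseline


def behavior_detect(events, baseline, allow=frozenset()):
    """Flag deviations from the baseline plus two behavior rules that need no signature.

    `allow` holds (parent, proc) pairs a responder has reviewed and tuned out.
    Returns a list of (event, reasons) tuples; an event with no reasons is not returned.
    """
    hits = []
    for e in events:
        pair = (e["parent"], e["proc"])
        reasons = []
        if e["parent"] in OFFICE_APPS and e["proc"] in SCRIPT_HOSTS:
            reasons.append("office app spawned a scripting host")
        if e["proc"] == "powershell.exe" and "-enc" in e["cmd"].lower().split():
            reasons.append("encoded PowerShell command line")
        if pair not in baseline.get(e["host"], set()) and pair not in allow:
            reasons.append("parent/child pair never seen on this host")
        if reasons:
            hits.append((e, reasons))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    print("signature hits:", [e["proc"] for e in signature_detect(NEW_EVENTS)])
    for e, reasons in behavior_detect(NEW_EVENTS, baseline):
        print("behavior hit:", e["parent"], "->", e["proc"], reasons)
```

Run against the constructed events, the signature check catches only `dropper.exe`, while the baseline detector also catches the never-seen `excel.exe -> powershell.exe` chain with its encoded command line. It additionally flags the benign `robocopy.exe` run, which is exactly the tuning burden described above: a responder who knows the environment adds that pair to `allow`, and the alert disappears without weakening the rules that caught the real intrusion.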
Manned Reconnaissance | Compromise Assessments
Even the most advanced cyber security technologies may be thwarted or evaded as cyber criminals continue to evolve their tactics daily. For this reason, we highly recommend businesses amplify their reconnaissance efforts through regularly conducted human-led Compromise Assessments.
During a Compromise Assessment, our threat hunting specialists perform an inside-out investigative sweep of your cyber terrain for any signs of compromise including dormant, active, or past attacks that other tools may have missed. We use a continuously updated library of thousands of proprietary queries to search for malware on the network and assess the overall security posture of the organization. We also scrape the Dark Web for leaked information and hacker forum chatter about the company that may indicate an existing compromise or foreshadow an upcoming attack.
The human-led, tech-enhanced, and comprehensive nature of Blackpanda’s compromise assessments means that our specialists form a deep understanding of your environment and overall security posture in the process.
We recommend organizations conduct Compromise Assessments at least quarterly, if not weekly or daily, depending on your risk tolerance. By regularly checking internal systems for vulnerabilities and early signs of attacks, our team will come to know an environment like the back of their hand—facilitating faster and more effective response to attacks on your organization and also stamping out early problems before they reach their final form.
Regular Drills | IR Planning and Tabletop Exercises
In the military, one of the most critical factors of mission success is proper planning. Setting up scenarios and running through reaction protocols is the best way to ensure that response is prompt and effective, smoothing out any potential bumps and hiccups before a live engagement.
At Blackpanda, we provide the same level of preparation through our Incident Response Planning and Tabletop Exercises. We work closely with clients to understand their terrain and unique strengths, weaknesses, and requirements, designing detailed action plans for dealing with a range of threats. These Incident Response Plans and Playbooks cover everything from communications, escalation, and handover procedures to technical responses for individual attack types.
We then test those plans by conducting tabletop exercises: facilitated walkthroughs of a simulated incident in which the relevant actors across the organization talk through their decisions, escalations, and handovers step by step. Gaps in the plan surface here rather than during a live breach, improving the speed and efficiency of response and recovery. Through these efforts, both Blackpanda and your internal team gain a stronger awareness of your digital environment and its “terrain” features, advantages, and disadvantages.
In Closing: No terrain is ever 100% secure
The above terrain-focused methodology and pre-breach services allow us to develop greater visibility and deeper understanding of your organization’s digital environment; however, no terrain—whether physical or digital—can ever be 100% secure.
In words taken from the world-class US Army Survival, Evasion, Resistance, and Escape (SERE) Level C School: “Preparation is the key to survival.”
As such, modern organizations must have a plan in place for when defensive measures fail and specialized emergency response is required. The best way to minimize damage and financial loss is by having a trained and professional incident response team on call, with either a Blackpanda Incident Response Retainer or through a comprehensive Cyber Insurance policy (highly recommended).
All Blackpanda retainer clients receive a response within four hours of contact, with typical activation times of two hours or less. Retainers also give prioritized incident response over non-retained customers and can be drawn down for regular compromise assessments or other pre-breach consulting services, making them the optimal partnership for fast and effective incident response. With Pandarecon installed, Blackpanda can begin forensic actions through the tool immediately upon notification, and every second counts in a crisis.
We also highly recommend all organizations consider purchasing a comprehensive cyber insurance policy, with Blackpanda as the named responder on the policy. In addition to covering all Blackpanda incident response fees, these policies typically cover other residual financial risks of a cyber attack, including business interruption losses, third-party losses, legal fees, notification costs, and more.
Just as each Army division specializes in a particular setting—whether airborne, armored, infantry, or other—we chose for Blackpanda to focus on a “One-Kick Philosophy” of mastering digital forensics and incident response, unmatched in the cyber terrain.
We take a hyper-focused approach in preparing our clients for cyber incidents, ensuring that their networks are secure and intervening promptly when things take a turn for the worse. By contacting us before you are breached, we can help strengthen your security posture ahead of time and be promptly available in a time of crisis.
Our emphasis on preparedness is informed by our military background and terrain-focused methodology, reinforcing our identity as Asia’s premier digital forensics and incident response provider.
To learn more about our white-glove, Asia-focused digital forensics and incident response services, contact Blackpanda today.
- Learn more about Blackpanda Cyber Incident Response
- Learn more about Blackpanda Compromise Assessments