2. On Shared Purpose (Part 2)
In the field
Part 1 Summary: The shared lessons learned from Operation Rhino, Gen Jim Mattis, and how they were applied to cybersecurity teams, specifically offensive security teams.
Updated Thinking
Context: In 2001 the United States received a shared purpose: to defeat adversaries that would do them further harm. Anxious to help defend his country, Jim Mattis offered to get his Marines into the fight as quickly as he could.
The request was denied by Central Command (CENTCOM) because the location where the help was needed was 400 miles inland. Moreover, Marines are amphibious, and there was no beach to land on!
The offer to help in a time of need was turned away. But Mattis kept his eyes open for any opportunity to help, and when he finally saw one a month later, Operation Rhino happened.
Here’s why Mattis wasn’t able to help: the people in charge still thought the term amphibious meant water only, a definition from an outdated lexicon. The past 50 years of warfare had provided advancement in technology and tools that redefined exactly what amphibious meant. Unfortunately and all too often, those at the top were giving their best effort at making critical decisions with outdated data.
“…those at the top were giving their best effort at making critical decisions with outdated data.”
For a modern expeditionary force that could launch from ships to be anywhere in the world at any time, amphibious had evolved from “water only” to “water optional.” Mattis found a way to help a month later by letting his network work for him, waiting for an opportunity to step in at the right time. He found a champion in the form of Admiral Willie Moore.
More accurately though, the champion found him. Admiral Moore pitched a rough concept that Mattis would expound on, and turn into, Operation Rhino.
Cyber Thinking
The implications of “updated thinking” for cyber hit me immediately. Tools and technology, like people, adapt and change over time, and that requires the people who make the strategic decisions to adapt and change over time as well. Blind spots in strategy happen when a team stops training.
Training has different meanings to different people, especially for cyber:
Taking a certification course
Mentoring sessions with a trusted engineer or leader
Friendly group working sessions where people can talk shop, with leaders observing and interacting
“Blind spots in strategy happen when a team stops training”
The act of defining your expertise establishes the limitations of that expertise. Example: “I am a red teamer.” We draw a box around what we can and cannot do, what we should focus on, what we should do to max ourselves out as a red teamer.
Another example: “I am a hacker.” Notice the contrast in this statement versus the one that limits yourself to only red teaming. Every profession can use a hacker, someone willing to push the boundaries to solve a problem.
We define the boundaries of a skill based on our expertise, telling ourselves at some point “I have achieved the required success for this skill” and happily move on while the world evolves around us. As people grow and take on additional responsibilities, pushing the boundaries of our older, outdated skills becomes less important, which doesn’t stop us from relying on that “expertise” to make decisions.
Remember, Amphibious means water only.
“Every profession can use a hacker”
Pushing Boundaries
Without a constant stream of new ideas, even bad ones, the cyber leader stagnates.
Do adversaries stagnate? I think not.
Threat actors have unbound and unchecked resources to achieve their goals. We as cybersecurity professionals are limited by budgets, OPEX, hiring limitations, and self-imposed rules. Cyber teams define the boundaries of our defenses and expect threat actors to obey the rules of our game. That is a problem, because we play by the rules when our opponents do not.
As a leader, I struggle to find the proper type of training for myself to help with my outdated thinking. I wasn't on-keyboard anymore, and technical training made less sense as a place to spend my limited extra time. I focus on fixing strategic problems now; why would I take another hacking course when I could be building relationships instead?
“For the expertise!”, you say.
“Learning advanced technical skills will make you understand the threats better!”, you decry.
Friend, it wasn’t Jim Mattis’ skill with a rifle that led to Operation Rhino. No, what led to Rhino was the relationship with Willie Moore that gave Mattis the opportunity for action.
The best training for leaders isn't done in a classroom: it's done in the field. Whatever and wherever the field is, that’s where we need to be. To adapt a famous quote about German General Erwin Rommel, “Where the leader is, there is the front.”
Don’t bring the field to you. Bring yourself to the field: it’s where the rest of your team is.
Fieldwork
Leaders get training by doing. We learn how to talk by making mistakes in conversations. Leaders learn how to listen by being active in conversations. Leaders learn new ways to apply tools by having diverse thinkers on staff, trusted, and highly motivated. We can expand the boundaries of our outdated skills through the uplifting of others, with the added benefit of providing an opportunity for growth to others by stepping out of the way.
Leaders train by doing. Simple, easy to understand.
“Leaders train by doing”
I had at my disposal access to countless Slack channels, Discord groups, and skilled leaders on Twitter and LinkedIn. All the training I ever wanted or needed was right at my fingertips. I should budget my own training time by seeking out and engaging in conversations with peers, leaders, and front line troops far removed from my command center, right? Why should I expect the team to take training seriously if I wasn’t in the field training myself?
Was an hour a week connecting with people too much for me to bear? Was an hour a week my breaking point?
No, it wasn’t my breaking point. I could bear it. I can do an hour a week.
“…as a cyber leader my ops are building relationships instead of throwing exploits”
Requirements for training and growth have evolved as my career and responsibilities have evolved. I was on course to ensure that when it came time to make critical decisions, I had updated thinking to give us the best chance at the right decision.
That got me thinking about what other boundaries I had tucked away that now need to be updated. What did it mean to be “on-keyboard” or “doing an op”? Well… maybe as a cyber leader my ops are building relationships instead of throwing exploits.
My ops: people.
My loot from ops: relationships, established and strengthened.
My thinking: updated.


