Being a native Kentuckian, it’s no secret that I bleed blue. As I write this, my Kentucky Wildcats are towards the end of what I hope will continue to be a historic season. All of the prestige that comes with being a tournament favorite also brings copious amounts of media coverage. A recent article by the Wall Street Journal caught my eye. I’ve always known that Head Coach John Calipari isn’t a big fan of exposing his players to game tape, but I’ve never known exactly why until now. The WSJ article addresses this exact topic. The article is worth a read, but this section sums up a lot of Coach Cal’s philosophy:
Kentucky touches on its opponents in the days before a game with a series of walk-throughs in which the Wildcats’ scout team apes the upcoming opponent’s strategy. By the time Kentucky’s players watch film, they have already seen the opponent’s sets on the court, often several times. Even then, though, they aren’t looking for specific plays.
“You see the idea of their offense,” Kentucky guard Aaron Harrison said. “We don’t need to watch every single play. We need to know the options off each set they have. After that we just have to defend.”
The article goes on to mention that the assistant coaches responsible for video typically allow a maximum of eight minutes of video review. This is astonishing, because it goes against the grain of what most teams do. The majority of teams in college basketball place extreme focus on film review, often devoting multiple hours a day to it and even sending players home with iPads to review game tape away from team facilities. Coach Cal instead makes the players focus heavily on their own strengths and weaknesses, helping them understand that with their talent level, they can beat most anyone if they play as the best version of themselves. In this approach, Kentucky’s losses often have just as much to do with the team beating themselves as with them being beaten by their opponent.
Of course, limiting exposure to game tape isn’t a completely new concept. Another coach who practiced this, albeit in an era when obtaining video of teams’ performances was much harder, was legendary UCLA coach John Wooden. Coach Wooden won an unmatched 10 national championships during his tenure and is widely regarded as the greatest college basketball coach of all time.
Given the audience of my blog, you can probably guess that this post isn’t purely about basketball. This got me thinking about how the Wooden/Calipari approach to limiting game tape applies to using “game tape” in information security. In our case, game tape is more commonly known as threat intelligence. In most cases, this is explicit knowledge about an adversary derived from researching previous compromises and malware samples. While I can’t possibly argue that threat intelligence should be abandoned, it does make me wonder about the emphasis placed on it in certain environments. In the right situation, might it actually be preferable to decrease focus on threat intelligence and instead focus inward on one’s own network to perform effective detection? Perhaps threat intelligence can sometimes be used as a crutch that substitutes for understanding your network as well as you should. That’s a bit radical, but it’s food for thought.
Coach Cal and Wooden both had the benefit of having very good players at their disposal. In the same manner, I think selectively limiting reliance on threat intelligence requires an “A team” of players in your SOC. Having the capability to monitor your network assets and relationships on a very granular basis requires talent and resources, and that simply isn’t something most organizations can do. As information security takes a more mainstream role in our society, this may change as new research and tooling is built to support this line of thought. It might also be positively impacted as the general skill gap between established and amateur defenders narrows.
This approach also requires a forward-thinking viewpoint on the fundamental nature of breaches. It requires that you accept that prevention eventually fails, and that you don’t consider breaches to exist in a binary state. An attacker who breaches your network will have a set mission or series of goals, and the degree to which they succeed and the impact on your business or data determines the nature of the breach. There isn’t simply a breach; there are degrees of breaches. Just as a basketball team can’t expect to keep the opposing team from scoring any points at all, the network defender can’t expect their network to remain forever unbreached. At the end of the day, it’s all about making sure you have more points than your opponent/adversary.
All in all, this might be a bit of a stretch. That said, it does have me thinking quite a bit about the reliance on threat intelligence in defending networks, and what can be done to better understand my own network so that I can focus my defense, detection, and response around where critical data exists and where potential weaknesses exist. Ultimately, having great threat intelligence is not a panacea and there are a lot of ways to think about defending networks that exist independently from detailed knowledge of attacker tools, tactics, and procedures.