Tuesday, January 10, 2017

What Coaching Basketball Has Taught Me About DFIR

In my nonprofessional life I coach a fifth and sixth grade boys basketball team. Basketball has been a love of mine since the summer of 1984. I was 5 years old and my dad let me stay up to watch the Celtics and Lakers in the finals that year. I remember not understanding the rules or purpose of the game but feeling disdain for the thugs in purple and admiration for the heroes in green and white. It started a life long obsession with the game that culminated with being named an All-State basketball player in my senior year in my small New Hampshire high school. I never played beyond high school but I follow the game closely to this day and remain active coaching. Some lessons I've learned coaching seem applicable to infosec.

First and foremost, teach and reteach the fundamentals. Things that seem simple to you are not simple to everyone. When I first started coaching I thought fifth graders should be able to show up and shoot layups with the proper form. Boy was I wrong. It's the most basic skill, and kids often get to high school without learning how to do it properly. The same idea applies to new analysts. Things that seem obvious to you are not obvious to everyone else. Log analysis, examining memory, parsing an MFT, Bash commands, etc. are all things that every responder should be adept at, but individual responders will have varying levels of skill at actually doing them. Also, with DFIR, there is always more than one way to skin a cat.

The most success I have had with coaching kids is in finding effective drills for things such as dribbling, passing, posting up, or playing man to man defense. There truly is something to "practice makes perfect." The key to a good drill is finding something that is engaging, fun, and challenging. Learning through repetition can be exhausting but does produce results. More importantly, the more you do something, the better you will become at it. This breeds confidence. Confidence breeds success. It becomes a positive reinforcement cycle. This same idea can be applied to network defense. Practice routine but fundamental skills over and over. Collect system memory when there is not an active intrusion. Carve out files. Make a game of it. Challenge your people.

Practice like you play. If you don't take drills seriously, then don't expect to do well when the real thing strikes. It might seem silly, but it's something I see time and time again on the basketball floor. Kids (even skilled ones) who don't take practice seriously, or who are joking around before a game and not in the proper mindset, fall short when it is time to perform. Practice your response measures with the same sense of urgency you'll need when the bad guys are loose in your environment. Focusing when it doesn't matter makes it much easier to operate when the pressure rises and things start to get real.

You need to simulate full court pressure. In basketball, if you are going to beat full court pressure, you have to practice against full court pressure. Sure, you can diagram plays and press breaks and talk through them, but something different happens in the brain when you actually have to physically perform the act. There are really two things at play here: having the tactical knowledge of breaking the press, and then being able to perform under pressure. I mean, you only have 10 seconds to get the ball to the front court. In DFIR, think of it this way. Imagine a bad intrusion scenario and increase it by an order of magnitude. Can you still respond to it? How will your people handle it? I have responded to breaches that started as a simple compromise of a web server and turned into many dozens of other compromised systems that all needed to be investigated to contain the intrusion. That's when the full court pressure is on. Can your team handle the pressure and break the press?

Finally, don't forget that zone defense is for losers. You should always play aggressive man to man help defense. I hate zone defenses. They teach defenders on the court to be lazy, and I think they're a cop out. Man up. Play aggressively. Teach players to play as a single cohesive unit so that if one player gets beat, another can help by picking up the free offensive player. Defensive players always need to be talking to each other so everyone knows where the ball is and who needs help. In the infosec world, I think of zone defense as something like a single appliance that doesn't provide full visibility into your network architecture. It may be cheaper and make you feel like you're doing something, but in reality a good offense will tear it to shreds. Also, don't underestimate the "help" part. If one system or appliance gets beat, have overlapping coverage with someone or something else that can pick up the slack. Foster an environment where defenders and defensive systems work in harmony to provide a robust and cohesive network defense.
