Cyber Smokejumping is a decades-old practice of intentionally investing time with peers to help them overcome cyber risk. Our global, massively interconnected Digital Society requires cybersecurity capabilities, capacity, habits, and practices to grow and spread worldwide. Putting up cyber walls and layers of defense will not help if other parts of the world are getting infected and then used to wear down those “defensive capabilities.”
Cyber Smokejumping is a powerful tool that leverages global public risk data, such as that provided by the Shadowserver Foundation. This data can be instrumental in assisting organizations, peers, and national cybersecurity agencies in their efforts to combat cyber threats. The ultimate goal is to empower the local teams with public benefit tools, access to a peer community, and collaborative assistance to reduce their cyber risk rapidly.

The cybersecurity community derived the smokejumping principles from the forest industry. Cybersecurity experts in Security Trust Groups would become volunteer “Smoke Jumpers.” As Wikipedia defines them:
Smokejumpers are specially trained wildland firefighters who provide an initial attack response on remote wildfires. They are inserted at the site of the fire by parachute. This allows firefighters to access remote fires in their early stages without needing to hike long distances carrying equipment and supplies. Traditional terrestrial crews can use only what they can carry and often require hours and days to reach fire on foot. The benefits of smokejumping include the speed at which firefighters can reach a burn site, the broad range of fires a single crew can reach by aircraft, and the larger equipment payloads that can be delivered to a fire compared to pedestrian crews.
Since the late 1990s, “Cyber Smokejumpers” have been volunteers working within vendors or other institutions. This approach worked when the volume and intensity of cyber risk were manageable. Today, our global Digital Society is too large, complex, and critical to depend on “volunteer cyber smokejumpers.”
Examples of Cyber Smokejumping
Imagine a group of peers working on a malware investigation. That investigation maps the malware’s command and control (C&C) to a data center. The team at that data center is unknown to the investigators. Cyber Smokejumping would NOT assume the data center is doing anything wrong. The working assumptions are:
- Peers at the data center have no idea the malware’s C&C is in their network.
- The data center team is overworked, has no budget for cybersecurity, and is getting hit with daily requests.
- The data center peers do not know where to start reducing their cybersecurity risk.
- Often, peers in the data center have tried to do the right thing, cleaning up their network, only to have threat actors attack their network in retaliation.
We do not assume these peers will be open to help. We seek first to understand, then to be understood. Effective Cyber Smokejumpers seek to understand the “hair on fire” pain points in that infected data center before making any “ask” for help.
“We have these issues with a malware C&C in your network, but we first want to understand your overload. It is unfair to ask for your help when you are buried with work. We’re all overloaded. How can we help? We might be able to collaborate to help each other.”
Build Trust to Facilitate the Speed of Trust
This Cyber Smokejumping approach takes time. We use the FranklinCovey model outlined in The Speed of Trust: start with honesty, communicate respect to the peers in the infected data center, foster transparency, help peers clear the path of their “hair on fire” issues, and maintain engagement (consistency) that builds the trusted relationship.
While the current issue is the malware command and control, the long-term gain is the operational trust between peers that clears the path for all future synergistic security activities.

Long Term Impact
Every Cyber Smokejumping engagement keeps long-term trust in mind alongside the short-term incident risk. The ideal impact is that the immediate risk is mitigated while the overall risk decreases consistently and persistently. The result is an organization (in this case, a data center) better able to serve its customers safely, with less cyber risk in its environment.