All metal, no manpower

2023-02-21

infosec

TL;DR: It occured to me that there are uncomfortable similarities between some major issues the armed forces of the Russian Federation suffer from and the issues a lot of Blue Teams have to deal with. This is an attempt to come up with a comparison that doesn’t sound entirely insane.

Disclaimer: Modern warfare and military issues such as doctrines or logistics are complex topics. Because I’m neither an expert nor did I want to make this post any longer than it already is I had to massively simplify and shorten explanations throughout this post. If I got anything blatantly wrong, please let me know.

Much has been said already about the performance of the Armed Forces of the Russian Federation during their February ‘22 invasion.

Without even taking into account the strategic loss the country incurred by invading their neighbor in the first place, the deeply flawed assumption about an easy victory and the severe lack of effective force employment, their performance against a seemingly weak Ukraine was abysmal at the start of the conflict.

Among a whole lot of other things, one - in my only reasonably educated opinion - of the reasons for that is that Russia is not the Soviet Union.

When Nazi Germany launched Operation Barbarossa in June of 1941 the Soviet Union, after Stalin was done burying his head in the sand, began activating the mobilizable manpower of 12 million people in order to push back the German armies.

By the same time a year later, the Soviet Union had nearly ten million people under arms, with close to 5.5 million soldiers assigned to military forces fighting at the front. They were willing and able to throw everything and everyone at the Germans.

The Red Army was, at the time, designed for that kind of warfare. The more the war progressed, the more emphasis was placed on tanks (because armoured vehicles like APCs weren’t really that much of a thing back then), with infantry doing the things only they can do, focussing on supporting the tanks.

To this day, the Russian Armed Forces still places huge stock in armoured vehicles. And those tend to not do all that well without infantry support in modern conflics, something that has strongly been proven in recent conflicts such as the Syrian Civil War.

What has changed though is that the high reliance of conscripts was changed towards a model that turned the Russian army into a so-called tiered readiness force. This means that during peacetime the units are a mixture of conscripts and conscript soldiers,

But: Those reservists can only be called up in case of a mobilization, which happens during a war. And while a formally declared war isn’t technically required for the deployment of conscripts in conflicts, doing so without a war being ongoing is going to cause massive internal outrage.

You might have an idea where I am going with this, and you’re right. There’s the tiny issue of this war in Ukraine, according to the acting Russian president, not being a war, but instead a “special operation”. You know, the famous “three day special operation” which has been ongoing for a year now.

(As much as I’d love to take another detour, this is an entire topic in itself - this article on warontherocks.com is an excellent introduction)

On paper, a lot of Russian formations looked impressive at the start of the war. But because of the situation I just mentioned this means that, in the best of cases, units were staffed at 90% of their capacity at the beginning of the war.

On top of that there is a high likelihood of at least 25% of those soldiers in a unit being conscripts. That means that there is a not insignifcant likelihood that a brigade that nominally consists of 3000 soldiers has, in reality, only 1500 combat-ready troops.

But is equipped in a way that would befit its full strength of 3000 troops (If systemic corruption isn’t interfering in that department, .. which is one more, entirely different & lengthy topic that I want to keep myself from ramblinb about - if you’re interested in these things, Perun has made an excellent video about this).

And while I’m decidedly neither a soldier nor a military expert, I feel confident in my assumption that only having half of your supposed forces available is really not what you want when you are about to invade another country.

This has lead to absurd situations where modern air defence systems were left entirely unguarded because all of the available personnel was needed to operate the radar.

Or to abominations such as mechanised infantry units that consisted of squads of five people, with the crew of their vehicle being included in that cound. That’s going to be fun, attacking a trenchline with *checks notes* two people.

These shortages has significantly hampered combined arms operations by the Russians, and forced them to resort to excessive shelling before they could launch an attack - which, in many cases, were then performed by proxy forces recruited from the separatists regions or national guard formations. And those aren’t ’t exactly shock troops. In some areas of the front the fighting has devolved into WW1-esque artillery duels and trench warfares. Only with the horrible addition of drones to the mix.

You might now be asking yourself where I’m going with this, because in the short summary at the beginning I was talking about comparing the Russian Army to a lot of Blue Teams.

The (very, very simplified) essence of the 1000+ words you just read is: The Russian army is using equipment, such as artillery or air support, as a crutch to counter their shortcomings in quantity and quality of their manpower, rather than using it as a tool to amplify and enhance their existing capabilities.

Coincidentally, that over-reliance on “metal” (in our case, tools and services) and the sometimes severe lack of manpower is exactly what happens to and is hurting a lot of security teams.

Computer networks have grown incredibly complex, we are no longer tasked with securing three boxes in an office who store documents on a single tower in the closet.

We are dealing with hundreds, thousands, hundreds of thousands of machines which are all interconnected in a plethora of, sometimes obscure, ways. That’s not something we can manage ourselves anymore.

To be able to effectively monitor our networks for threats, and analyse them when they pop up, we pretty much have to rely on technology to support us.

Because of this fact it’s often times possible to make a compelling case for spending money on technology, which means that allocated budget gets spent on log management solutions, threat intelligence feeds, canary tokens, security appliances and whatever else that’s out there.

After all the ordered goods have been delivered somebody in our team, or higher up in the chain of command, asks how much the resilience of the network against attackers has been improved, now that all this money has been spent.

And chances are: Not all that much. Because one might now have a couple of new, exciting ~~toys~~ tools, and a few newly ticked boxes on the checklist of ones least disliked auditor, but the actual improvements to the security of a network are probably cosmetic.

A post I read a couple of weeks ago (that I unfortunately can’t seem to find in my history - if I do end up finding it I’ll make sure to credit them here) put it perfectly: When you buy a new tool without having any clue how to use it, it’s like having an fancy, expensive car sitting in your driveway.

It’s definitely pretty to look at, and will get other people excited, but if all you can do with it is drive in first gear, then it’s the most expensive compact car on the market. And a very expensive accident waiting to happen.

All the tools in the world won’t really do anything to improve your security posture in a meaningful manner when you lack what I would call the “Triumvirate of Tooling” - people, processes, playbook.

People are vital to be able to utilize tools, and to make sure that issues that affect them are sorted out. There is the need to ensure that no misconfigurations are present, they need to be optimized to be able to perform as best as they can - and they need to be fine-tuned to avoid issues with covering all parts of the network. Plus, even with a managed service, there’s always some maintenance work.

They are also vital in order to ensure the information, alerts and output these tools and services produce are consumed and put to action. Yes, technology has advanced significantly in the past couple of years, and the results that are produced from a large number of aggregated, correlated and evaluated inputs are often excellent.

But still, if the output causes trouble - for example, a SIEM-alert turning into a full-blown incident - then technology can’t really do all that much without people anymore.

Technology can’t, in most cases, assess a fluid emergency situation, then think efficiently and creatively about the problem at hand and make sure that both internal and external relevant parties are kept informed and coordinated in their actions. Or perform said actions in the first place.

This is where the second and third parts of the trifecta come to play, processes and playbooks.

No matter how much we try our best, and no matter how much experience we have with handling incidents, we will make mistakes when we just try to wing it. Especially when an incident is ongoing, and 2 - 4 hours turn into 2 - 4 days, or weeks even.

Prepared processes help with dealing with detected incidents, support efficient analysis, allow for quick containment and eradication, provide a roadmap for recovery and map out post-incident activities. Playbooks make sure that, as much as possible, all of those steps follow specific, pre-defined patterns.

But, for reasons that I’m unable to understand, because I’m (at least pretending to be) an IT-guy, not a finance or management person, there’s often an unwillingness to spend money on people. That applies to both ensuring that you manage to compensate the employees that you have, as well as being able to hire new ones in order to be in the continued position to tackle threats and avoid having your people burn out and fade away.

And it’s not just that there is no money to invest in people, which in turn would allow for investing into processes and playbooks, after the approved budget has been spent on expensive software or services. It’s that often there isn’t even budget for personnel allocated in the first place. Or if there is, it’s laughable.

This, in turn, sometimes leads to a repetitive cycle, where the root cause of a problem is thoroughly misidentified and the suggested solution is more spending on not-humans - when the tools that are already there would perfectly suffice. There’s no point in generating more alerts when nobody is looking at the alerts currently popping up.

Don’t get me wrong, as much as I scream “HIRE PEOPLE!” from the top of my lungs here, I’m not advocating on just hiring people. As with many things in life, balancing those two ends of the budgetary spectrums will give you the greatest results.

Because neither an expensive car that’s sitting idly in front of your garage, nor a team of master carpenters with a single hammer shared between them is an ideal situation.

(Please, don’t judge. It took me seventeen minutes to come up with this I’m-somewhat-okay-with-it analogy. If I think about a better one any longer my head will probably explode.)

I have to admit, at the end of ~~the day~~ this article I don’t really have an actual point. Nor do I have recommendations or any (novel) ideas how to solve this problem.

What I have are a few hundred words that air out the frustration that has been built up because grants, project funding and budgets all too often have plenty of money allucated for buying tools in all shapes and sizes.

But when it comes to paying people who actually use the tools to the best of their abilities, ensuring that they are useful and support the overall mission, the willingness to shell out hard currency is lacking all too often. And it’s hurting us.