As our societies become more and more reliant on digital technologies, cyber security is becoming part of the daily duties of Law Enforcement Agencies (LEA), who must enforce laws in cyberspace as well as in real life. Cyberspace cannot be left untouched any longer.
Adapting to cyber security requires new skills and tools that are sometimes hard to acquire. LEA and companies in general tend to “buy” equipment and solutions, but this is a strategy that cannot really fly with cyber security. One is quickly outrun when posing as a customer in a fast-paced environment.
In cyber security more than anywhere, success relies on people, and on how an organisation can support them in acquiring the skills required for the task at hand. LEA already provide such support to their officers in their core activities, but we believe progress can be made regarding cyber security. The main goal of neolea is therefore to help the transition from what LEA do now to what already works for security practitioners: gaining and retaining skills and knowledge by building tools instead of buying them.
Indeed, security practitioners, by philosophy and by necessity, tend to build the tools required to do their job in the course of their daily activities. There is no off-the-shelf solution for cyber security that works. Threat Intelligence, Incident Response, and Investigation in the cyber realm all require engaging with the material at hand to gain a deep understanding of adversaries’ techniques and create a tailored answer.
Building software, often open source, has therefore become increasingly important for security practitioners. The tools they write arise from a need to thwart fast-evolving adversaries in a timely manner. Transposing this philosophical stance to Law Enforcement Agencies and other Blue Light Agencies is a challenge because their culture is shaped by the stability of their missions and objectives. Fighting cyber crime often bears more resemblance to intelligence work, in its methods, techniques and ways of dealing with uncertainty, than to fighting crime in the streets.
Security practitioners have developed a craftsmanship and a stance towards software that can be transposed to LEA. We discuss here in more detail the methods we use to determine the gaps in the training and tooling of law enforcement officers (LEO), their training needs, and how we involve LEA in security communities to keep them sharp in their fight against cyber crime.
What is required - what they know = training needs
“They”, in this context, means LEA or their affiliates.
Performing a training needs analysis to understand gaps in LEO training appears straightforward in theory, but in practice there are several challenges:
upfront, we usually only have access to the line managers of the people who will be trained: LEA have strictly defined hierarchies, and the people who decide about trainings are not the ones taking them. This mismatch often leads to discrepancies between what the trainers intend to convey and the trainees’ expectations. Remediation is to be found in the PMF loop explained below.
even if not ideal, several agencies can take part in the same training sessions. This is actually the most challenging part of training planning and delivery, as the trainer has to accommodate everyone while trainees have different goals, skills and motivations. Again, remediation is to be found in the PMF loop explained below.
colliding philosophies: sometimes cyber security training requires teaching skills and knowledge that are frowned upon by LEO, because of prejudices or because these are used by criminals and are part of what LEO have to fight against on a daily basis. This sometimes poses problems, as trainees tend to reject the subject even though mastering these skills can bring benefits (cryptography is one such subject, for instance).
intel officers: some people may keep their participation private and no background information will be provided by their hierarchy beforehand.
One main aspect of training preparation is the selection of use-cases to be presented during the training, and of use-cases on which trainees will try their hand. These need to be engaging and to display the usefulness of the tools. That is why it is usually best to start from use-cases that trainers stumbled upon during their daily jobs and found interesting. Showing why certain use-cases called for the development of new software features, and how these features make a difference, is also a must.
Then comes the selection of use-cases that are part of the trainees’ daily jobs. This may sometimes be challenging to define, but by this time trainers usually have a good guess of what the trainees do and can find several use-cases the trainees should be able to relate to.
In this preparation phase, it is best to develop additional features in the tools to handle the specific use-cases. This software development is usually continued during training in a PMF manner to display the agility of open source software to the trainees (more on this in the PMF loop section below).
In neolea the training workflow is not meant to follow a linear script but rather to adapt continuously to the audience (see PMF loop below). Therefore, the “ideal” agenda could be the following, but a fruitful training usually branches out towards the trainees’ interests and questions:
The Programming Methodology Framework (PMF) describes a natural approach to software engineering with a strong focus on the act of programming. In this framework the management process is meant to support the programming process without impeding its progress.
The overall PMF methodology follows this process:
In security, solving a problem almost always requires writing a piece of software, or combining several pieces of software. Writing scripts helps in grasping the problem at hand by formalizing it. Therefore, learning how to enter a PMF loop is one of the training objectives, regardless of the specific matter at hand. LEO should engage in this process each time they bump into issues, writing and bending software to achieve their goal, and sharing their progress with their peers and the community.
Training can therefore be adapted in a PMF manner during the sessions: assessing the audience to understand how the tool could be changed to better accommodate the trainees’ needs, what the requirements are, and how to change the software to help meet them. The tool changes during the training, and trainees get the keys to jump into this PMF loop when back on the job.
LEA’s environment is continuously evolving and training must be reassessed continuously. This fact is what calls for a trial and error creation process as described in the PMF loop. This model tries to formalise the constantly evolving nature of cyber security training.