Category Archives: Conferences

Go home HackMiami you are drunk

IMPORTANT UPDATE 2

The official response:

Track Updates

Recently the HackMiami 2013 Hackers Conference received several complaints from individuals within the information security community regarding the chosen titles of the speaking tracks, NewF's and OldF's.

These complaints indicated that HackMiami may risk alienating the support of a key demographic within the information security community.

We have discussed the issue at length, and decided that we did indeed plan the track titles in haste, without considering the inclusion or opinions of a very vocal minority. As such, have decided to make some changes.

In addition to the NewF's and OldF's tracks, we will be creating a new third track that tailors specifically to the audience that was offended by the original oversight, and the track will be called MoralF's.

The MoralF's track will feature talks about hacktivism, digital civil liberties, ethics, legal issues, and free speech.

We hope that this correction satisfies our critics, and we invite them to submit CFPs for this track at:

http://www.hackmiami.com/cfp

Regards,

The HackMiami Conference Team


IMPORTANT UPDATE

Thank you for doing the right thing.


Recently, a colleague from a side project contacted me to ask me to submit a talk on the project to HackMiami. Like everybody else in the Western Hemisphere, I immediately thought “sweet, boondoggle!” Even if my employer (who has nothing to do with this post) wouldn’t pay for the trip, I figured I would pay my own way, because, hey! Miami!

Then I read the CFP and… well.

Just in case they change things later, here are the names and descriptions of their tracks:

Track 1 – NewF#gs – A novice track will be available for new hackers who are learning the ropes. If you have a presentation that you believe would be beneficial to the community and will give n00bs a starting point to advance their skillsets, then this is the track for you. Total presentation time is 50 minutes.

Track 2 – OldF#gs – An advanced track for the old school greybeards looking to show off their latest projects and research. If you have any hot research, code drops, vulnerability disclosures, or advanced attack methodologies that you want to present on, then this is the track for you. Total presentation time is 50 minutes.

Now, I recognize the 4chan meme. There is a place in the world for 4chan memes, and that place is 4chan, not a hacker conference with people of all backgrounds. Without really touching the LGBT issues here (which I acknowledge but lie well outside the scope of this blog), the level of unprofessionalism here would stun a rhinoceros. As my buddy and co-worker Kevin asked, what ideas did this beat out? What was worse than this? Did your first draft have “fresh hos” and “used up hos” for the track names and you rejected that for being disrespectful to women? “We need to be more inclusive, guys.”

And hey, if you think any of us want our names and professional reputations hooked up with those terms, you have lost your ever-lovin’ mind.

In sections of the infosec community, we’re having all these discussions about misogyny, privilege, and anti-harassment policies. And then HackMiami decides to name their tracks after childish homophobic little memes from the seedy underbelly of the Internet. Not cool, dudes. Welcome to my list of “conferences I won’t attend because the organizers are scumbags who annoy the crap out of me”.

Thoughts on digital forensics research

I always enjoy seeing crossover between statistics and computer science. In fact, one of my very first jobs involved using S+ (the closed-source precursor to R) writing code to support a textbook my professor was writing at the time. These days, machine learning usually comes to people’s mind for that mix, but occasionally digital forensics can make use of these techniques as well.

Stochastic forensics

At Black Hat a few weeks ago, I attended a presentation by Jonathan Grier on stochastic forensics. I had visions of Markov models of user activity and malware Monte Carlo simulations.

As it turns out, this wasn’t too far off. Essentially, the idea is that we can infer certain data from a system by looking at its collective characteristics. In other words, we can measure across a large number of individual members and observe the behavior of the body as a whole to draw conclusions. The initial case related to data exfiltration. A client organization wanted to prove that a user had copied a large number of files containing proprietary data to an external drive. Windows doesn’t normally track this information except to a very limited extent in file access times, but even that only records the last time a file was accessed. So subsequent access to a file will overwrite that time stamp and destroy any previous record. For an individual file, then, we might have significant difficulty proving that someone had copied it. Worse, the user in this case had legitimate access to the data, so any single data point would prove nothing.

By taking a statistical view of the system, however, particularly looking at entire directory trees, we can plot a histogram of last access times and compare to control data (from other directory trees not under suspicion). The observed pattern for normal usage might look one way, with most files not touched and recent accesses limited to a small set of files. But if a tree has been copied wholesale, such as via a drag-and-drop operation or zipping it up or some other recursive copy, then the access times would look different. You would (hopefully) have a clear delineation of all the files accessed at some particular time and then a sort of power law distribution following from that showing normal access patterns.

As I listened to the presentation, I noted a few weaknesses in his approach: manipulation of time stamps, for example, or perhaps other feasible explanations for this type of pattern. In particular, the file system simulator he wrote as an initial test did not strengthen his argument at all, because it essentially only verified the model he coded into the simulation rather than tell us something useful about “real” systems. In addition to explaining improved testing methods he used later, his responses mostly mollified me: this won’t always work, so you need to test carefully on a system (e.g. test to see if the AV software overwrites time stamps, etc.) And the most it will give you is circumstantial evidence pointing to the fact that something happened on the system at that time. Perhaps the user took a legitimate backup, for example. But now you have something to investigate further.
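The collective view described above, as an added example that is not from the talk or the original post: it bins last-access times from a suspect directory tree into hourly windows, flags any window holding most of the tree's files, and discards windows that show the same bulk pattern in a control tree. The two trees and the copy time are constructed sample data; the bucket size and the 50% threshold are assumptions a practitioner would tune.

```python
from collections import Counter
from datetime import datetime, timedelta
import random

# Constructed sample: two directory trees of 200 files each. The control tree
# shows normal usage (accesses scattered over a year). In the suspect tree a
# recursive copy at COPY_TIME read every file, and 20 files were opened again
# afterwards, which overwrote their copy-time access stamp.
_rng = random.Random(7)
YEAR_START = datetime(2012, 1, 1)
COPY_TIME = datetime(2012, 6, 15, 14, 32)


def _scattered(n):
    """Uniformly scattered access times over one year (normal usage)."""
    return [YEAR_START + timedelta(seconds=_rng.randrange(365 * 86400)) for _ in range(n)]


CONTROL_ATIMES = _scattered(200)
SUSPECT_ATIMES = (
    [COPY_TIME + timedelta(seconds=_rng.randrange(90)) for _ in range(180)]   # bulk read
    + [COPY_TIME + timedelta(days=_rng.randrange(1, 30)) for _ in range(20)]  # later use
)


def access_histogram(atimes, bucket=timedelta(hours=1)):
    """Count last-access times per fixed window; keys are window start times."""
    epoch = datetime(1970, 1, 1)
    hist = Counter()
    for t in atimes:
        hist[epoch + ((t - epoch) // bucket) * bucket] += 1
    return hist


def bulk_access_windows(atimes, bucket=timedelta(hours=1), min_fraction=0.5):
    """Windows holding at least min_fraction of all files in the tree."""
    if not atimes:
        return []
    hist = access_histogram(atimes, bucket)
    return [(start, n) for start, n in sorted(hist.items())
            if n / len(atimes) >= min_fraction]


def flag_tree(suspect, control, bucket=timedelta(hours=1), min_fraction=0.5):
    """Bulk-read windows in the suspect tree that the control tree does not share.

    A window that also dominates the control tree points at a system-wide cause
    (backup job, AV scan) rather than a targeted copy, so it is not reported.
    """
    control_hist = access_histogram(control, bucket)
    control_n = len(control) or 1
    findings = []
    for start, n in bulk_access_windows(suspect, bucket, min_fraction):
        control_share = control_hist.get(start, 0) / control_n
        if control_share < min_fraction:
            findings.append({"window_start": start, "files": n,
                             "share": n / len(suspect), "control_share": control_share})
    return findings


if __name__ == "__main__":
    for f in flag_tree(SUSPECT_ATIMES, CONTROL_ATIMES):
        print(f"{f['window_start']}: {f['files']} files ({f['share']:.0%} of tree), "
              f"control tree {f['control_share']:.0%}")
```

A hit only says that something read most of the tree inside one window, which is exactly the circumstantial result the talk claimed. Before relying on it, check what else touches access stamps on the system in question: Windows has not updated NTFS last-access times by default since Vista (the NtfsDisableLastAccessUpdate setting), scheduled AV scans and backups read whole trees too, and a suspect with write access can reset the stamps outright.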

Forensic research

This led me to muse on the nature of research in information security. Sometimes we have a tendency toward the perfectionist fallacy: if it’s not perfect, then it’s worthless. In forensics in particular, this occurs for understandable reasons, because we have definitive standards of proof to meet (e.g. “preponderance of the evidence” in civil trials or “beyond a reasonable doubt” in criminal trials). So of course we really do need to look at the weaknesses of a system or an approach.

But if we find weaknesses, that shouldn’t be the end of the story. Instead, perhaps it can point the way for future research: if you think antivirus scanning will overwrite the time stamps, then test and report it. If you think that comparing access timestamp patterns only identifies anomalies, then say so and identify what sorts of anomalies might generate this pattern. Partial results can still provide value, even if not as much as we’d like. And of course further testing to invalidate a hypothesis or show problems with an approach provides great research value.

The research on stochastic forensics I discussed above will not revolutionize digital forensics. No long-standing large-scale theories will topple. On the other hand, we have an incremental result for other researchers to consider and try to validate or invalidate. We also have an idea that we can try to apply in other areas like network forensics.

Most scientific research advances, not in great leaps of intuition and revolutions that wipe the slate clean with an entirely new look at things, but in small evolutionary steps that work us closer to our goals of knowledge and information. We must treat our discipline as a science and not just an art to emulate the progress other fields of science have enjoyed.

Black Hat conversation with Neal Stephenson and Brian Krebs

Like a lot of hackers, I have always found Neal Stephenson‘s works (especially Snow Crash, Diamond Age, Cryptonomicon, and REAMDE) particularly resonant. So when Black Hat announced that Stephenson would attend as a keynote speaker / interviewee, that provided half the reason I originally wanted to attend the conference. In my excitement, I didn’t even realize that they’d asked Brian Krebs to lead the conversation with him, so for me that resulted in a pleasant surprise. I noticed that Stephenson really warmed up when Krebs got off of the standard questions for authors and more into things that reflected the specific interests of the Black Hat audience.

Krebs and Stephenson

So I decided to post my notes here. These do not represent a transcript, only a paraphrase of what I got out of the conversation. I alone take responsibility for any mistakes and inaccuracies, but I did my best to capture things as well as I could.

Shame and sexism in Las Vegas

Last week, what I saw in Las Vegas made me sick. And I blame RSA for that.

I’m not a prude and there is a time and place for everything under the sun, so let’s establish context for this. Our expectations for, say, cocktail waitresses in a Las Vegas nightclub, will differ materially from marketing staff and engineers in a daytime business function. I enjoyed my time at the RSA party Wednesday night, because the nature of the setting matters. I’m grateful to the company and its employees for inviting me in. That said, in 2012 at a professional conference such as Black Hat, we must not accept blatant sexism on the conference floor on the part of an official sponsor. What I saw this year disgusted me as a professional, and everyone at RSA involved with Black Hat should be ashamed of themselves for letting this happen.

RSA booth at Black Hat 2012

Of course, part of human nature includes the idea that some people will always attract attention because of their good looks and charisma. (I’m idealistic but not naive.) As adults and not adolescents, however, we all can distinguish between a woman’s physical attractiveness and her professional value, not to mention as a human being in general.

Yes, I said “women” in particular. In IT and information security, the inappropriate sexism nearly always occurs against women. We should not pretend that turnabout is fair play, of course: male strippers on the conference floor would also draw our ire, as it should. But our society has held women to a different standard for a very long time. Pretending otherwise would be disingenuous.

So while we can have a separate debate about charisma and professionalism, including for marketing and sales professionals, what happened last week offended on a lower threshold: women dressed in a sexually provocative manner for the sole purpose of attracting the classic “male gaze” and drawing in visitors not based on anything remotely related to the company’s offerings.

RSA should think about the message they send when they do this. Maybe they have so little confidence in their public image that they believe they need to drop down to this level just to stay relevant somehow. Maybe they still haven’t figured out a good PR response after they so badly botched the handling of last year’s compromise. Or maybe they just feel like this is still okay because, after all, security nerds are a bunch of nerdy boys just happy to be able to see girls anytime our bosses let us out of the data centers and cube farms. I can only imagine what the highly qualified women at the conference felt when they saw a major security company essentially affirming that this industry is a boys’ club where the only exception to the “NO GIRLS ALLOWED” sign is a stack of their dads’ Playboy magazines in the corner.

Others noticed, of course:

Money grab and booth babes at RSA’s #BlackHat booth by Neil Rubenking

RSA wasn’t the only offender here. Foreground Security and SecureNinja also provided booths with women in scant attire just to draw in visitors. But RSA went over the top here as a major sponsor of the conference, not to mention as a subsidiary of a large publicly held company and the organizer of a similarly sized large security conference every year.

I have no doubts that many people at RSA did not feel good about what their organization did last week. In fact, RSA certainly has policies about hostile work environments and sexual harassment that set a different tone from their public behavior. Thus I hope that they’ll have a vigorous and honest exchange of views internally and then join the rest of us in the 21st century the next time they sponsor a conference. An apology would be even better, but despite the “corporations are people too” meme, that’s not true. Corporations are made up of people, and the people who let this happen are unlikely to take public responsibility for their inappropriate decisions – but they could give us all a pleasant surprise by standing up and showing integrity. Apologize and show us what you’ve learned from this. Set an example.

Shame on the people who did this, and shame on RSA. You can do better, and next time I hope you do.

NAISG DFW talk: Evolution of an IRT

Last Tuesday, I gave a talk at the DFW chapter of NAISG on “Evolution of an IRT”. Apparently I disappointed the organizers, as my talk didn’t actually have anything to do with Ice Road Truckers.

Caught in a fleeting "hands-in-my-pockets" moment by Joseph Sokoly

Note that I presented how I would build an IRT now, not necessarily how I did it last time. I’d do some things the same, but over the last 2.5 years I’ve learned a lot that would change how I’d do it in the future.

While the slides are available, they don’t really work outside of the context of a live presentation: mostly funny Internet pictures to illustrate a point and keep the audience slightly entertained. The outline will make much more sense, I hope. Really, I work from this first, and then riff on it based on what seems to get a reaction and elicit questions, which I happily accept throughout the talk. I don’t think we have a recording, but perhaps I’ll get someone to record a future version of the talk or even do a web-focused one.

MIR training class

"School" by Jim Potter

Last week, I took the MIR class from Mandiant. Primarily consisting of product training (as expected and desired), this turned out to be one of the better vendor classes I’ve taken in my career. While I’ve used MIR for close to six months now (and its free predecessor for considerably longer), I still got plenty out of it.

The class runs four full days and starts off with the expected topics like installation, deployment, using the admittedly difficult UI, and related tasks. From there, we delved into responding to simulated intrusions. While I learned a few investigative tips, in general this mostly highlighted the platform’s strengths. The class also briefly covered counter-forensics and malware analysis, but at a very high level[1]. The art of writing IOCs and sweeping your enterprise took an entire day and included lots of detail and practice.

I appreciated the instructors’ background: professional IR types with good teaching skills rather than career trainers who pretend to know something about what we really do every day. Slide reading just didn’t occur, and the hands-on exercises take up at least half of the class.

More than anything else, I liked the collection of students in the class. We had about eight “outside students” and four to six Mandiant employees on any given day. But unlike some classes that never engage during the “lecture” portions and go their own way during breaks and lunch, we had lots of great back-and-forth during class, informative lunches, and I like to think that I made several solid professional connections that week.

A few things could improve, some of which have more to do with the product than the course. The room felt a little cramped, for example, and we probably could have used even more time dedicated to searching, filtering, and writing IOCs.

In general, I found the class really valuable and will send more of our staff to the class in 2012. Mandiant doesn’t like it when we talk about when they might offer the class again, so keep an eye on their Twitter feed and web site if this seems like something you could use.

1: I have taken the Black Hat edition of their malware analysis crash course and it’s worthwhile for responders who need to understand the basics and have some background.

DFIR fundamentals with Mandiant updates

Chew-bach-a

Chewbacha revisits the classics

Today, I had the opportunity to listen to the latest installment of Mandiant’s web series “Fresh Prints of Mal-ware”: The Nutts and Boltz of APT Persistence Mechanisms, hosted by Chris Nutt and Jason Rebholz. (The puns are strong with this one!)

The first part of this discussion consisted of some DFIR fundamentals, like looking at the file system timeline. This should include all eight time stamps in Windows / NTFS (file times and system information metadata). Rather than just start “looking for evil,” the investigator needs to start with a question. My favorite, where applicable, is to look at all system activity around the time of whatever other suspicious activity caused me to look at the system in the first place (e.g. network traffic). Another colleague mentioned using Splunk for forensic timeline research. I’ve not used this technique myself but the concept is solid.
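A minimal version of that timeline approach, as an added example that is not from the webinar or the original post: it expands each file record into eight events (M/A/C/B from $STANDARD_INFORMATION and from $FILE_NAME), sorts them, and pulls the window around a pivot time such as the suspicious network traffic that prompted the look. It also applies one well-known heuristic, flagging files whose $STANDARD_INFORMATION creation time predates their $FILE_NAME creation time, since user-mode APIs change the former but not the latter. The three records, their paths and all timestamp values are constructed.

```python
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed MFT-style records: "si" is $STANDARD_INFORMATION, "fn" is $FILE_NAME.
# updater.dll is a made-up file whose $SI modified/created times were pushed back
# to look like an OS file; its $FILE_NAME times still show the real creation.
RECORDS = [
    {"path": r"C:\Windows\System32\svchost.exe",
     "si": {"M": ts("2011-03-02 09:00:00"), "A": ts("2011-10-20 03:41:12"),
            "C": ts("2011-03-02 09:00:00"), "B": ts("2009-07-14 01:14:00")},
     "fn": {"M": ts("2009-07-14 01:14:00"), "A": ts("2009-07-14 01:14:00"),
            "C": ts("2009-07-14 01:14:00"), "B": ts("2009-07-14 01:14:00")}},
    {"path": r"C:\Users\alice\AppData\Roaming\updater.dll",
     "si": {"M": ts("2009-07-14 01:14:00"), "A": ts("2011-10-20 03:41:15"),
            "C": ts("2011-10-20 03:41:10"), "B": ts("2009-07-14 01:14:00")},
     "fn": {"M": ts("2011-10-20 03:41:10"), "A": ts("2011-10-20 03:41:10"),
            "C": ts("2011-10-20 03:41:10"), "B": ts("2011-10-20 03:41:10")}},
    {"path": r"C:\Users\alice\Documents\report.docx",
     "si": {"M": ts("2011-10-19 16:05:00"), "A": ts("2011-10-19 16:05:00"),
            "C": ts("2011-10-19 16:05:00"), "B": ts("2011-10-19 09:30:00")},
     "fn": {"M": ts("2011-10-19 09:30:00"), "A": ts("2011-10-19 09:30:00"),
            "C": ts("2011-10-19 09:30:00"), "B": ts("2011-10-19 09:30:00")}},
]

ATTR_NAMES = {"si": "$STANDARD_INFORMATION", "fn": "$FILE_NAME"}


def build_timeline(records):
    """Flatten every record into (time, path, 'attribute:field') events, oldest first."""
    events = []
    for rec in records:
        for attr, stamps in (("si", rec["si"]), ("fn", rec["fn"])):
            for field, t in stamps.items():
                events.append((t, rec["path"], f"{ATTR_NAMES[attr]}:{field}"))
    events.sort()
    return events


def events_near(records, pivot, before=timedelta(minutes=30), after=timedelta(minutes=30)):
    """All timeline events inside [pivot - before, pivot + after]."""
    return [e for e in build_timeline(records) if pivot - before <= e[0] <= pivot + after]


def possible_timestomping(records):
    """Paths whose $SI creation time is older than their $FN creation time."""
    return [rec["path"] for rec in records if rec["si"]["B"] < rec["fn"]["B"]]


if __name__ == "__main__":
    pivot = ts("2011-10-20 03:40:00")  # constructed: time of the suspicious traffic
    for t, path, label in events_near(RECORDS, pivot):
        print(t, label.ljust(26), path)
    print("possible timestomping:", possible_timestomping(RECORDS))
```

Run against the sample, the window contains nothing but the DLL's creation and first load plus one read of svchost.exe, which is the kind of cluster the question "what happened on this host around 03:40?" is meant to surface. Treat the $SI-before-$FN check as a lead rather than proof: it also fires on files copied in a way that preserves the source's $STANDARD_INFORMATION times.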

The second part discussed persistence mechanisms in more detail, like autoruns and the various locations. On Twitter, the #m_fp discussion pointed me to two resources, one from Silent Runners and another from Trusted Signal. But they spent a good amount of time on DLL search order hijacking also, given that it doesn’t get a lot of attention but they’ve seen it in use by targeted (as opposed to opportunistic) malware.

I think this approach of revisiting fundamentals with a few new twists to keep things fresh works really well, and I hope to see more of this sort of thing from Mandiant (and whomever else!) in the future.

BSidesDFW 2011

Awkward hug with @kylemaxwell #BSidesDFW on Twitpic

This past weekend, we had the local BSides DFW conference. Overall, I’d classify it as a great success, but I also want to analyze a few bits here.

The Good

Microsoft provided a really nice facility at their Dallas Technology Center. We had lots of room, good wireless signal, friendly staff (even including the security guards). I’ve criticized Microsoft heavily for years due to their technology and business practices, so I have to note that they did this very well.

Some of the talks had some first-rate stuff. Andrew Case had a particularly outstanding talk on data exfiltration. I can’t wait to see the slides and maybe mess around with Registry Decoder as well. I certainly intend to submit a talk next year, now that I have a feel for what the conference covers and the sort of audience that shows up. We also had a lock pick village and lots of presence from the EFF as well as a table from Hackers For Charity.

I should note that any security conference with kegs and kegs of beer, drink tickets, and homemade barbecue knows its audience. Being sort of a wimp, I didn’t stay for the after party but I heard it was great. And of course I loved seeing some of my friends, or in some cases meeting them in person for the first time. The volunteers and coordinators did a first-rate job, without question.

The Bad

Really, there wasn’t much. Some of the speakers lacked presentation skills, but I think that many of them simply had never done this before. And as much as I loved the facility, shuttling between the first and fourth floors lacked a bit of convenience.

But those are the largest things I could mention about the conference itself, which I think speaks volumes for how well it actually went.

The Ugly

First, I’ll note that what I say below should not reflect in any way on BSides or the hard-working coordinators who did a great job organizing this conference for no compensation other than grinning faces and a few awkward hugs.

In 2011, and for a very long time before now, overtly sexist presentations have no place whatsoever at a technical conference. One of the speakers gave a presentation in an informal style, which fits BSides perfectly. This isn’t a government-sponsored academic conference on national defense in the cyber domain or something. It’s a community-organized thing that sprouts from the grass roots.

So throwing out a bunch of slides that demean women and treat them as sexualized objects doesn’t work. I’m not a prude, and there’s a place for unsophisticated locker-room humor. This wasn’t it. As one example out of many from the same talk, a deck that includes images like one of panties on a woman’s crotch with the words “ALL YOU CAN EAT” printed on them would get most of us fired from our day jobs, and rightfully so. Showing same-sex affection for titillation and digitally altered images of (clothed) breasts does nothing but demean women and the speaker, though in different ways.

All of this detracted from what would otherwise have been a really good presentation with some interesting things to say. I hope the speaker reconsiders his actions, and I don’t plan to attend his talks in the future. This is not the sort of thing that we want to encourage in any way.

Michael Chertoff: Addressing APT at MIRcon 2011

NB: The below are my notes from Michael Chertoff’s keynote speech at MIRcon 2011. They do not necessarily represent my views, and in some cases are completely opposed to my views.

The Internet was not built with security in mind, and net culture today believes that it’s inimical to how the Internet works. But we need rules of the road, just like the actual roads. We’ve seen credit card numbers stolen from Wifi networks, and plans stolen from US companies to reproduce our stuff. DDOS attacks on Estonia and Georgia go hand-in-hand with hacktivism against organizations whose politics the attackers don’t like. Most disturbing is the possibility of a disruptive or destructive attack on an industrial control system or key piece of infrastructure. Stuxnet provides a good example, though he’s basing his comments on what’s been reported in the newspapers, which he’ll accept as accurate for the sake of argument. If that can be done to Iran, what can be done to the US or its allies?

So everyone’s at risk: not just the above-mentioned groups, but anyone who does business anywhere in the world. Mine companies negotiating with the Chinese found that they had been “peeking into” their systems for additional leverage. This concept can be used to attack trading or financial platforms in order to gain market advantage. If there’s a widespread belief that some folks have that advantage, it will have an overall negative impact on the performance of the entire market. The challenge is that it seems complicated and expensive to those running mom and pop businesses, who don’t think of themselves as targets of “cyber criminals” even though they are. Identifying steps they can take to reduce their risk and deal with this type of fraud is highly valuable.

There isn’t one problem; there are a whole set of problems. There’s not one piece of software or a Maginot line that will fix things, but focusing on those things to the exclusion of all else ignores other key parts of a possible solution set. Layered defense, not a single point of defense, matters, and he doesn’t just mean hardware and software. Airline security has improved tremendously despite the fact that no one part is perfect (screening, airplanes, customs, etc.).

We’re facing threats from different actors: fraud, IP theft, DDOS attacks, destructive attacks. Different groups of people pursue different sorts of objective. Our approach to criminals centers around prosecution, although this fails somewhat for overseas attackers. Others are trying to “rob us of the birthright of our intellectual property”. So part of the solution set isn’t just arresting people (you can’t arrest nation states). You have to implement deterrence to prevent them, unlike with ordinary criminals. Nation states may have to respond at that level, rather than how we deal with criminals.

The vectors for these attacks are in three categories: over the network (the most imagined); the hardware and software in devices and systems (from fabrication of chips all the way to assembly); and the human factor (negligence or malice). Get away from the proposition that there’s a simple fix; there will never be perfect security. Concentrate on risk mitigation and risk management. You have to array all your tools against all your attackers, recognizing that not every tool works against every attack.

This requires a doctrine of cybersecurity. It has to map the landscape, the attackers, the toolset (across all possible actors, including technical, legislative, etc.). These must exist with the boundaries of the Constitution, but Congress can change specific laws subordinate to that. You won’t stop everything, so your best way of mitigating these threats is to live on the network, being aware of what’s going on and knowing what’s problematic. Information sharing also matters, particularly as we get more sophisticated about understanding our attackers. They have “tells”, including simple indicators like IP addresses and more complex indicators like particular techniques. The collection of information about these things is a critical part of building that series of layered defenses. We need to share within and among enterprises.

What role should the government play in this? Americans don’t want the government to have same sort of control that the Chinese government has. But there are certain tools that the government has. How do we share this information in ways that don’t compromise intelligence sources and methods? There’s a unique relationship between the defense contractors and the government. Sharing exists there, but it needs to get better. In other areas, that particular relationship doesn’t exist: power grid, water grid, transportation, financial services, etc. Chertoff advocates a “private party function” for firms who understand what’s going on in many clients and can then provide information. This could include, not just addresses and signature, but techniques. It’s about people, not just bits, and it’s really a counter-intelligence problem.

How do we train people and build the architecture so it’s easier for people to comply with the rules (and find the people who aren’t)? Social engineering defeats some of the verification questions used when passwords are forgotten. Golden questions allow the user to pre-define the questions and answers themselves. Chertoff sees this as an elegant solution, and therefore a good part of the overall solution set along with the things we already do (firewalls, secure software, etc.). Leaving laptops in hotel rooms needs just as much attention, but it requires another set of solutions.

So take a counter-intel approach and focus on the human domain, not just the tech domain. The threats won’t go away, because the value is online now. The notion of destructive and disruptive tools embedded in our control systems will be an important part of warfighting in the decades to come. Intelligence – knowledge about things and people – and sharing of that intel is the key tool in mitigating the risk.

Addressing my question on responding to civil liberties and intelligence failures for national defense in the cyber domain: an Internet kill switch for the President would probably not work, cause more damage, and be unacceptable. The harder issue is what the private sector can do in the area of civil liberties. Some advocate a series of different networks (like .secure that has no anonymity versus .wildwest with plenty of anonymity and no financial transactions). Are privacy and security opposite to each other? Security is an indefensible civil liberty. If the government is unable to secure our tax records, the promise of privacy there is worthless. People need to understand that, without security, they won’t have privacy. Understand that there will be a government on your network: will it be ours or a foreign government?

Naming and shaming can be counterproductive to information sharing. DHS could create a set of standards or metrics, and critical infrastructure organizations that don’t achieve them would suffer some form of disclosure. This has to be crafted in a way not to disclose that a company has had a breach but that they’ve not addressed underlying issues. Don’t penalize somebody for failure but for not trying or taking reasonable steps.

The rules are different for multinational enterprises, because their rules of the road are very different. So the entry point of a compromise can strongly affect how an investigation proceeds. In Europe, this is a challenge because protecting the privacy of one employee may put the privacy of all the other employees at risk. Europeans are historically fixated on data protection against the government and big institutions, not networks or criminals or terrorists, and they need to change.

We can’t take offense: you can’t go follow a burglar back to his house, break in, and take your stuff back. On the Internet, the attribution problem makes this particularly difficult as the hops from which you see the attacker could be a victim itself. This leads to problems with deterrence policies, since you can’t go to war every time you find a spy. But if you suffer an actual attack (disabling the power grid), you might want to respond, but against whom? This requires more discussion leading to public policy. You tend to get wars when you misread the other side, like Saddam Hussein misreading the US when he invaded Kuwait. Developing doctrine and policy in advance helps with that issue.

Tony Sager: The Future of Cyberdefense

Tony Sager joined the NSA in the mid to late 70s when it was far more secretive, with a college background in mathematics. At the time, he confused NSA with NASA because nobody really knew what it was. He went in as a ComSecIntern doing cryptography and what we now call “cybersecurity”. Coworkers joined the National Softball Association so they could get NSA caps to wear. He switched to math and computer science because the government would buy him an Apple II+. For the last seven years, he’s run the IAD focused on computer defense and vulnerability. Threats are about adversaries, but not the only part of the risk equation.

1: The optimal place to solve a problem is never where you found it. The NSA Red Team does a great job and will work with you to understand how they got in, how to stop it, et cetera. But knowing what patch to install isn’t good enough and doesn’t solve the real underlying operational issue. If you can’t manage configuration changes and patches at the enterprise, you’re doomed. But red teams can’t actually fix and redesign complex networks; that’s not their expertise. And the information you get is usually not in the optimal form to help you solve the problem. Pen test reports aren’t scalable, in other words. The purpose of red teaming is to help someone else understand and fix their problems quickly, not just to get better at it.

2: If a bad thing is happening to you today, it almost certainly happened to someone else yesterday. There aren’t really that many new things in this business. New twists and variations on a theme, certainly, but not truly new. And tomorrow it’ll happen to someone you care about. You almost certainly don’t know who the somebody is from yesterday and don’t have a relationship to share that information.

3: After you figure out what happened, you’ll notice plenty of obvious signs in your environment that would’ve helped. But you didn’t understand it well enough to do the right analysis. The information that has that value might not be what we call cyberdefense information today, or even be accessible to the defenders. Think of VMs crashing at a much higher rate than normal, possibly because an attacker with imperfect information is trying to install something bad. Security people don’t usually see those logs because nobody treats them as defensive data. Similarly, license management can tell you if you suddenly have old versions of software running that weren’t running before. Don’t think of management tools and security tools as wholly separate. Think about how to bring the data into your analytic environment.
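To make point 3 concrete, here is an added Python sketch (my own illustration, not anything from Sager’s talk) that treats two “non-security” data sources as defensive data: a hypervisor event log, checked for a crash-rate spike against a baseline, and two license-inventory snapshots, checked for hosts whose software version went backwards. The log format, host names, inventory contents and thresholds are all constructed for the example.

```python
"""Two detections built from 'non-security' telemetry: hypervisor crash
counts and a software inventory. Added example; the log lines, inventory
snapshots, host names and thresholds below are constructed, not real."""
from collections import Counter
from statistics import mean, pstdev

# Constructed hypervisor event log, one event per line: "<day> <host> <vm> <event>".
# Days 1-6 are ordinary; on day 7 ten guests crash, the kind of spike an
# attacker fumbling an install on the hypervisor might produce.
HYPERVISOR_LOG = """\
day01 hv-a vm1 crash
day01 hv-a vm3 crash
day02 hv-a vm2 crash
day03 hv-a vm1 crash
day04 hv-a vm1 crash
day04 hv-a vm2 crash
day05 hv-a vm1 crash
day05 hv-a vm4 migrate
day06 hv-a vm1 crash
day07 hv-a vm1 crash
day07 hv-a vm2 crash
day07 hv-a vm3 crash
day07 hv-a vm4 crash
day07 hv-a vm5 crash
day07 hv-a vm6 crash
day07 hv-a vm7 crash
day07 hv-a vm8 crash
day07 hv-a vm9 crash
day07 hv-a vm10 crash
"""
BASELINE_DAYS = ["day01", "day02", "day03", "day04", "day05", "day06"]


def crash_counts_per_day(log: str) -> dict:
    """Count 'crash' events per day; other event types and blank lines are ignored."""
    counts = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "crash":
            counts[parts[0]] += 1
    return dict(counts)


def crash_spikes(counts: dict, baseline_days: list, z: float = 3.0) -> list:
    """Return (day, count) for non-baseline days whose crash count exceeds
    the baseline mean by z standard deviations. A flat baseline (zero
    variance) falls back to a spread of 1.0 so one extra crash is not an alarm."""
    base = [counts.get(day, 0) for day in baseline_days]
    threshold = mean(base) + z * (pstdev(base) or 1.0)
    return [(day, n) for day, n in sorted(counts.items())
            if day not in baseline_days and n > threshold]


# Constructed license-management snapshots: host -> product -> version.
INVENTORY_LAST_WEEK = {
    "ws-01": {"reader": "11.0.23", "java": "8.0.201"},
    "ws-02": {"reader": "11.0.23"},
}
INVENTORY_TODAY = {
    "ws-01": {"reader": "11.0.7", "java": "8.0.201"},  # reader went backwards
    "ws-02": {"reader": "11.0.23"},
    "ws-03": {"reader": "11.0.23"},                     # new host, nothing to compare
}


def version_key(version: str) -> tuple:
    """'11.0.23' -> (11, 0, 23). Assumes dotted integer versions (a
    simplification for this example; real inventories need a fuller parser)."""
    return tuple(int(part) for part in version.split("."))


def version_regressions(previous: dict, current: dict) -> list:
    """Report (host, product, old_version, new_version) wherever a host now
    runs an OLDER version than last time. Downgrades are rare in normal
    operations, so each one deserves a look from the defenders."""
    found = []
    for host, products in current.items():
        for product, version in products.items():
            prior = previous.get(host, {}).get(product)
            if prior and version_key(version) < version_key(prior):
                found.append((host, product, prior, version))
    return sorted(found)


if __name__ == "__main__":
    counts = crash_counts_per_day(HYPERVISOR_LOG)
    print("crash spikes:", crash_spikes(counts, BASELINE_DAYS))
    print("downgrades:", version_regressions(INVENTORY_LAST_WEEK, INVENTORY_TODAY))
```

Neither check is a security tool in the usual sense; the point is that once the data is in the analytic environment, the question “why did ten guests die on one host today?” or “why is a workstation on an older reader than last week?” becomes answerable by the defenders rather than invisible to them.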

The future of cyberdefense is an information and action problem. Think about the movement of information from place to place. Only two kinds of people survive in this business: incredible cynics or hopeless optimists. Sager is the latter but knows that the problem has gotten worse, not better. The bad guys have a better business model than we do, better information sharing, adapt more quickly to new technologies, and have very high efficiencies: a very tight OODA loop. In theory, we’re protecting everything all the time from everything.

The vast majority of problems are known problems with known solutions. You could draw the terrible conclusion that you have lazy front-line defenders who don’t care, but think about who that defender is. Typically, he’s an underpaid tech school graduate pulled in many different directions without appropriate equipment and training. But apply the Pareto Principle: what’s the 20% of input with 80% of the output? Network hygiene, user administration, and other things that help you get control and visibility of your environment. But we’re spending 90% of our resources to get that effect, which is a bad way to go. You need better automation and approaches. The remaining 20% of output, though, matters because that’s where the determined adversaries are: nation-states and other really bad guys. When nations compete, they cheat. So not everything is “cyber” (or IO or CNO). Lots of stuff still happens in the real world with real people. It’ll actually be a happy day when the only adversary that concerns you is a nation-state, rather than drowning in information and processes as we do now.

In the intelligence business, they talk about needing to “look over the horizon”. We need to get there and look beyond our own enterprise, because otherwise we’ll never solve our problems. One way is to have friends outside your borders who have the technical capability and willingness to share the data in a regular, methodical way. The other way is to have an intelligence service that looks in ways not limited to yourself and your friends, forward and backward and all around.

Don’t make the mistake that the adversary is perfect. He’s kind of like us, except he’s bad. Their tools don’t appear as if by magic, but have to get developed and acquired and deployed too. If I can look and see those things happening, I can tune my defenses to what’s coming down the road. And don’t separate the two problems (80% and 20%), making them different, unique, and independent. Everybody hides in the 80% noise, so if you ignore it, then you’ll miss it. And the 80% stuff is actually pretty clever and can teach you new tradecraft, the tools and techniques that you want to know about.

When a threat intel analyst has findings to share, how do we get that information into a form and location that makes it usable to defenders? PDFs and all-upper-case DoD message formats don’t lend themselves to the uses we need them for. A human being has to take it, read it, and go through a complex process to turn it into an actual defense (e.g. write a script, deploy a new policy, etc.). Why can’t I send an open format, such as XML, to share this information and let systems process it? Think about how the information will be used and get closer to a native language for that usage. Vendor lock-in is a terrible defensive strategy compared to standards.
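As an added illustration of that point (mine, not from the talk), here is what “let systems process it” looks like in Python: a small indicator feed in a constructed XML schema (not STIX or any vendor’s format) is validated, the high-confidence entries are grouped into a blocklist per control, and the whole feed is swept against a proxy log. Every address, domain, hash and host name is invented, using RFC 5737 / RFC 2606 reserved values.

```python
"""Consume a machine-readable indicator feed instead of a PDF: validate the
indicators, turn the high-confidence ones into per-control blocklists, and
sweep a proxy log for any of them. Added example; the XML schema is
constructed for illustration and all values in it are invented."""
import ipaddress
import re
import xml.etree.ElementTree as ET

FAKE_HASH = "deadbeef" * 8  # obviously constructed 64-hex-char SHA-256 value

INDICATOR_FEED = (
    '<?xml version="1.0"?>\n'
    '<indicators source="partner-feed" generated="2012-12-01">\n'
    '  <indicator type="ipv4" confidence="high">203.0.113.42</indicator>\n'
    '  <indicator type="ipv4" confidence="low">198.51.100.7</indicator>\n'
    '  <indicator type="domain" confidence="high">update.example.invalid</indicator>\n'
    '  <indicator type="sha256" confidence="high">' + FAKE_HASH + '</indicator>\n'
    '  <indicator type="ipv4" confidence="high">not-an-address</indicator>\n'
    '</indicators>\n'
)

# Constructed proxy log: "<timestamp> <host> <method> <target> <status>".
PROXY_LOG = """\
2012-12-02T10:01:02 ws-01 GET http://update.example.invalid/a.exe 200
2012-12-02T10:01:09 ws-02 GET http://www.example.org/ 200
2012-12-02T10:02:30 ws-03 CONNECT 198.51.100.7:443 200
2012-12-02T10:03:11 ws-04 CONNECT 198.51.100.70:443 200
"""

CONFIDENCE = {"low": 0, "medium": 1, "high": 2}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def _valid(kind: str, value: str) -> bool:
    """Syntactic check per indicator type, so a typo in the feed cannot become a rule."""
    if kind == "ipv4":
        try:
            return ipaddress.ip_address(value).version == 4
        except ValueError:
            return False
    if kind == "domain":
        return bool(DOMAIN_RE.match(value))
    if kind == "sha256":
        return bool(SHA256_RE.match(value))
    return False


def parse_indicators(xml_text: str) -> tuple:
    """Return (accepted, rejected): accepted indicators are dicts with type,
    value and confidence; malformed entries are reported, not silently dropped."""
    accepted, rejected = [], []
    root = ET.fromstring(xml_text)
    for node in root.iter("indicator"):
        kind = node.get("type", "")
        value = (node.text or "").strip()
        conf = node.get("confidence", "low")
        if _valid(kind, value) and conf in CONFIDENCE:
            accepted.append({"type": kind, "value": value, "confidence": conf})
        else:
            rejected.append(value)
    return accepted, rejected


def to_blocklist(indicators: list, min_confidence: str = "high") -> dict:
    """Group indicators at or above min_confidence by type, so each list can
    go straight to the control that consumes it (firewall, DNS sinkhole,
    file-hash matcher) without a human retyping it."""
    out = {"ipv4": [], "domain": [], "sha256": []}
    for ind in indicators:
        if CONFIDENCE[ind["confidence"]] >= CONFIDENCE[min_confidence]:
            out[ind["type"]].append(ind["value"])
    return {kind: sorted(values) for kind, values in out.items()}


def match_log(indicators: list, log_lines: list) -> list:
    """Sweep log lines for every indicator regardless of confidence (a low
    confidence hit is still worth a look). Matches whole tokens only, so
    198.51.100.7 does not match 198.51.100.70."""
    patterns = [(ind["value"],
                 re.compile(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])", re.I))
                for ind in indicators]
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for value, pattern in patterns:
            if pattern.search(line):
                hits.append((lineno, value))
    return hits


if __name__ == "__main__":
    accepted, rejected = parse_indicators(INDICATOR_FEED)
    print("rejected:", rejected)
    print("blocklist:", to_blocklist(accepted))
    print("log hits:", match_log(accepted, PROXY_LOG.splitlines()))
```

The schema itself is beside the point; what matters is that the same file drives validation, the blocklist and the log sweep with no analyst retyping anything, which is exactly what a PDF or an all-caps message cannot do.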

Professional “bad guys” (at least those who work for the US government) all agree that a well-managed network is a hard target. Doing the core things matters: patches, visibility, appropriate change control, etc. This doesn’t make it impenetrable, but it does harden the network and force the adversary to think and plan and cheat.

They also fear uncertainty: they like knowing the specifics of the target, like its behaviors and components and people. “Defense in depth” on its own has become a crutch. Throwing another layer of defense on something ‘because you can’ adds cost and complexity unless you do it for known reasons and integrate properly with the rest of your layers. Clever attackers, like clever users, find ways around your defenses, so put them in with purpose according to a data-based model. But building this model of adversaries requires sharing information in an automated, standardized, trusted way. So how do we extend these ideas? Look at the stuff that already has standards and work off of that. Threat information has lots of rich data, though, that we want to pump into our tools and not just read.

This is the new frontier: finding and sharing threat data.