So over the last few years there seems to be a trend of non-DIB companies building internal threat intelligence teams, and a big spike in security companies offering it as a subscription service. Ten years ago a paid service got you vulnerability alerts, some open source geopolitical information, and dated commodity botnet information. This space has matured quite a bit, even though some providers are simply repackaging free indicator feeds and CVEs as threat intelligence. I think the value proposition is there: using intelligence to reduce the dwell time of an adversary and, on a good day, thwarting attacks from the start. I think the formation of strong, sector-specific intelligence sharing groups will be key to being better defenders. Having had access in the past to great intelligence via clearances, I know what a huge advantage it is. Hence my strong interest in the subject. At the same time, I have little traditional intelligence analysis experience. Most of what I do is indicator-centric: harvest, hunt, rinse and repeat. What I am listing below are some things I would be interested in learning, in the format of a pseudo-conference.
Collect
CIF (Collective Intelligence Framework) Workshop - Building and Integrating into Splunk - Kyle Maxwell
MITRE Analyst for a Day - Deploying & Leveraging STIX, CRITS, ChopShop, CybOX, MAEC, CAPEC, TAXII - Reid Gilman
Diggity Workshop - Monitoring the Interwebs for Company Leaks - Stach & Liu
Mining Chinese Media for Intel Gold - Aaron Wade
Building and Safely Maintaining a CyberPersona - iDefense - Yes I used the term Cyber
Intel Provider 360 - Each intel subscription provider has 6 mins to make the case as to why they are the best
Business DevOps - Case Study on getting business buy-in on sharing M&A, divestitures, JV, etc information with IT Security - Has anyone ever done this?
All UR C2 Belong 2ME - Effective Decoding & Monitoring of CN APT Command & Control - Joe Stewart
Automating Collection of APT malware from Public Sandboxes - Wesley McGrew
Analyze
Prickly Panda - How we build behavior-based attribution - Adam Meyers
Night Dragon Redux - Current TTPs of groups targeting the Energy Sector - Dmitri Alperovich
Intel Fusion Lockheed Style - Finding and tracking Campaigns - Mike Cloppert
Conducting Effective Intelligence Analysis - Richards Heuer
The Advanced Non-Chinese Threat - Survey of RU, IR, IL, KP Activity - Patton Adams
Don't be a victim of Badtribution - Billy Leonard
Burning Sykipot - Jaime Blasco
APT1 Where are they now? - Doug Wilson
How a journalist does research and attribution - Brian Krebs
Disseminate
The Making of "The Report" - Mandiant
CEO Round table - What I want in an intelligence team & report - Moderator - Richard Bejtlich
Counter Intelligence
Deceptions Operations - Fooling the Adversary - PaulDotCom
Honeypots that Sting - Alexey Sintsov
Maintaining OPSEC during an incident - Bamm Visscher
Dox2Pwn - The winner of this contest has made the best new attribution, as voted by peers, of an individual CN PLA or PLA-sponsored computer network operator
Thursday, March 28, 2013
Friday, March 22, 2013
SANS Cyber Threat Intelligence Summit 2013
I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my belief that this is still very much a small, closed-off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.
Mike Cloppert opened the day by contrasting the old vulnerability-centric approach, focused on reducing attack surface, with the new threat-centric model, focused on reducing the risk from the actual threats affecting your company. The key focus of CTI is people, not computers. The problem is actually too complex for technology to solve and requires human analysis. Computers are only tools. The goal of the summit was to educate people on the basic principles of CTI and what its components are. Based on that, I believe they achieved their objectives.
Greg Rattray led off with his keynote, "Evolution of Cyber Threats and Cyber Threat Intelligence". He wrote Strategic Warfare in Cyberspace 12 years ago and it's still relevant today. He referenced a 1991 study that concluded it is impossible to defend a system from an advanced and motivated adversary. Even back then, they knew problems would arise. He reiterated that it's not a technology problem, but an adversary problem. Throughout history, espionage has always been a constant. Pre-Internet, everything was the Public Switched Telephone Network (PSTN), and Signals Intelligence (SIGINT) and Counter-SIGINT was the dominant battlefield. The NSA Orange Book helped lay the foundation for secure computing. In the 1990s, there was more speculation on the national security impact of Computer Network Operations (CNO) and Information Warfare (IW). The use of IW in the 1st Gulf War set the standard other countries are trying to emulate. At the time it was predicted that in 10-12 years nation state cyber attacks would emerge. That turned out to be fairly accurate. Journalists have also done a fantastic job of attributing the attacks, versus the victims, who typically focus on cleanup. Solar Sunrise was a notable hacking event in 1998 involving a US-based, Israeli-led hacking group of teenagers infiltrating many government agencies and EDUs. Moonlight Maze was another newsworthy incident, never confirmed but believed to be Russian in origin. With the EP-3 collision there was also a new focus on patriotic non-government hacking. JTF-CND was one of the first network defense groups that started to do predictive analysis. A dark period in cyber occurred after 9/11, when there was a major shift in focus to counter-terrorism and supporting CENTCOM. Cyber took a backseat for a long time. A new area of concern was raised when a Chinese company (China Netcom) tried to buy Global Crossing, which threatened the telecommunications infrastructure and supply chain.
Many of the threat assessments of the time were skewed because they focused only on the top tier cyber personnel and not the overall programs. This led to the Intelligence Community (IC) not believing China (CN) was as advanced as they actually were. Eventually we had the rise of APT, improved attribution capability, and a new focus on ICS/SCADA. Today we are in an era of rising fear. To be clear, espionage is not an attack or cyber war. However, threats like Stuxnet, Shamoon, and Flame have caused major disruptions. The cyber neighborhood is getting rough, especially for banking and critical infrastructure. DDoS attacks, while previously written off, are becoming more agile on the attackers' side and are wasting away CIRT resources. He stressed that we need to be careful how we categorize risk and be methodical. Information sharing is improving and we are on the right path. He is a strong advocate for commercial services and doesn't necessarily believe government is the solution. He advises you to attack the various stages of the kill chain to disrupt the adversary, even if you can't do all of them. What's missing today is that cyber teams don't talk to the business operations teams about operational risk. We need full spectrum geeks who are analytical, but still know the business environment and strategic impact. He suggests that we avoid the militarization of cyber space as this will just escalate our problems. He recommended a book called Eating Soup with a Knife. He believes that signal (RF) jamming, while mostly applied to aircraft and boats today, will be applied in cyber conflicts. He also advises leveraging a global outlook, and not clouding your judgement with US-centric viewpoints. In conclusion, he said that to stay competitive we must continue to learn and collaborate. In the follow-up Q&A, it was stated that the media is perpetuating misconceptions by calling espionage cyberwar or cyberattack. The topic of government purchase of exploits came up.
Greg believes in the law of supply and demand, and that if the demand goes down, so will the supply.
Rick Holland presented "If it Bleeds, We Can Kill It: Leveraging CTI to take the fight to the adversary". He used a Predator theme, which was awesome. He led off by stating that tools and big data are not your savior. He defined CTI as information about external threat actors and active external threats. He referenced the Order of Battle and learning what an adversary looks like. When looking at intel providers, ask them what makes their service unique. Do they have the same indicators that everyone has? In the Intelligence Cycle, it's critical to achieve dissemination and get the information to the stakeholders. Otherwise all that work is for naught. Always leverage Alternative Analysis: question your judgement and assumptions and apply a high level of rigor to your analysis. Vendors typically don't do this. He recommended the Clancy book Threat Vector. He also referenced Active Defense Harbinger Distribution (ADHD), an active defense toolkit promoted by PaulDotCom. Always focus first on what assets need to be protected. Give IR teams the autonomy to make critical decisions. It takes a long time for an in-house intel team to mature, so you must get and maintain your executive buy-in. He made a great point that as you thwart the adversary, the adversary adapts. Whereas Dutch (Schwarzenegger) in Predator used mud to hide from the Predator, the next generation Predator could detect that and the game changed. Intel sources can be internal, government (DHS, FBI, etc), industry (partners, ISACs, vertical orgs), and providers (iSight, LookingGlass, iDefense, RSA, Seculert). He mentioned that OpenIOC is being picked up by FireEye and Palo Alto. Also a mention of MITRE CybOX and STIX. In conclusion, CTI is a marathon, not a sprint. I couldn't agree more. We need to end the shiny object syndrome in general.
There was a panel on Best Practices in CTI including Rich Barger, Shane Huntley, Chris Sperry, Aaron Wade, and Mike Cloppert. The opening remark was that intel needs to have a customer. You need to know who you support and why. Follow the basic model: Collect -> Analyze -> Disseminate. Present data that can be used to make decisions, not screenshots of IDA Pro (analyst pr0n). Organizations are their own best source of intel. You need to extract all intel from your own attacks, and create threat profiles and intel priorities. However, know your limits. How usable is the intel? Consider the volume, because you have to be able to process and store it. The pivot analysis approach: move across data sets and leverage business knowledge. Capture how the adversary behaves in each stage of the campaign. Threat researchers need to understand which attacks are likely based on real intel-driven data, not some esoteric theoretical attack. Aurora forced Google to make a major change away from Windows and other platforms. Now that has come full circle and Mac threats have increased. Success is measured in blocks and thwarted attacks. You have to limit CTI efforts to the crown jewels; you can't cover everything. You always want first-order data, in order to verify analysis. My favorite quote was by Aaron Wade: "Intelligence without context is just data". You need to go back and ask for more information and not trust by default. OSINT can be good, but an internal investment in a threat intelligence team is still ideal. Any hop point monitoring should be done within the law. You should also coordinate with other organizations being hit from the same hop point. There was a repeated theme of a big boys club: develop sharing agreements with organizations that are mature. A major lesson learned is NOT to rush to attribution based on a single source. It is extremely hard to recover from bad intel reports. It's important to assign confidence ratings to analysis to maintain credibility.
You should be familiar with the Intelligence Gain/Loss equation. How risk tolerant is your organization? Can they wait and see in order to derive more intel, or do they take the knee-jerk approach?
Mike Gordon presented "Building and Operating a Cyber Threat Intelligence Team". This was a very polished, well-delivered presentation, and it felt like one he had given to his leadership. I think it's clear LM-CIRT is the team everyone wants to emulate. LM sees 1.75 billion sensor events/day, 30 million emails/week and 1.2 million blocked web requests, holds 1 month of full pcap, and operates 572 facilities in 63 countries. Their team is broken into 4 units: Investigations (Forensics, eDiscovery), Intrusions (APT, Intel Fusion), CyberCrime (Insider Threat, Commodity Attacks), and Engineering (IT Support). Their model includes Corporate Culture, User Education (Awareness, Training, Security Testing, Metrics, Analysis), Defendable Networks (reduce gateways, infrastructure hardening, threat-driven program), and Tradecraft (Intel, Incident Response). They mock-phish all 120K of their users, including the CEO. The 1st fail results in training and retesting. The 2nd fail results in a call with their management. The 3rd fail results in some form of HR discipline. I thought that was incredible and indicative of the executive support they have. At some point in their history, they concluded that vendor-driven response wasn't good enough. Commercial offerings could not keep up with the pace of threats. They embraced creating their own custom tools. He coined the term "memorializing indicators": record them so you don't forget about them, their context and associated metadata. Track your attacks over time and the patterns can reveal a campaign. Intrusions expose behaviors, behaviors suggest linkages, linkages reveal patterns, patterns inform actions, actions determine success. You can measure your success based on how much was stopped due to internal vs. external intel. To track workload, keep count of the number of intel reports that are processed per month.
Three models presented were: Tsunami Warning (info sharing, intel consumption, group detection), Farmers Almanac (Campaign tracking, trending, forecasting), and Actual Early Warning (LE & IC have actual knowledge of pending attack). I wish I had taken some pictures of his slides as they were chock full of good concepts and metrics. Hopefully they are shared out at some point.
My favorite talk of the day was hands down Reid Gilman's "Creating Threat Intelligence: Tools to Manage and Leverage Active Threat Intelligence". MITRE is a non-profit dedicated to federal research, and Reid works in MITRE's Cyber Threat Analysis Cell. Some of his keys to success are:
1 - CTI Program - multi-sourced, disciplined warning process, know your enemy in your sector
2 - Strong Malware Analysis program
3 - Dev Ops - a staff of solid programmers, to create custom tools
4 - Incident Response baked into defensive posture aka Assumption of Breach
5 - Workforce culture of Security Awareness
CRITS (Collaborative Research Into Threats) - track adversary artifacts over time. The demo was very impressive due to its feature set. This tool looks more user friendly than many others I have seen. (It is backed by MongoDB.)
ChopShop - understand how adversaries use tools. The demo included live decoding of a gh0st C2 channel. ChopShop has standard libraries for pcaps, like timestamp extraction and XOR decoding.
He mentioned that it's important not to confuse operator actions with automated actions.
TTPs: Targeting, Tools, Infrastructure, Kill Chain
Campaign: Intrusion Attempts + TTPs over time
(github - mitre-chopshop, crits@mitre.org, taxii.mitre.org, stix.mitre.org, mitre.org/work/cybersecurity, vortex-ids.org)
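To make the two definitions above concrete (a campaign is intrusion attempts plus TTPs over time, and, from the LM-CIRT talk, intrusions expose behaviors that suggest linkages), here is an added example of campaign linkage over memorialized intrusion records. It is my own illustration, not code from CRITS or any of the talks; the intrusion records, the four TTP dimensions used as link criteria and the confidence scale are constructed for the example. The default requires overlap on at least two dimensions, so one shared tool or one reused host does not by itself assert a campaign, which is the panel's "don't rush to attribution on a single source" caveat in code form.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# The four TTP dimensions named in the talk, used here as link criteria.
TTP_DIMENSIONS = ("targeting", "tools", "infrastructure", "kill_chain")


@dataclass(frozen=True)
class Intrusion:
    """One memorialized intrusion attempt with its observed TTPs."""
    id: str
    seen: date
    targeting: frozenset        # roles or business units targeted
    tools: frozenset            # malware families / utilities observed
    infrastructure: frozenset   # C2 hosts, certs, registrants (constructed)
    kill_chain: frozenset       # kill chain phases where it was observed


def shared_dimensions(a: Intrusion, b: Intrusion) -> list:
    """TTP dimensions on which two intrusions overlap."""
    return [d for d in TTP_DIMENSIONS if getattr(a, d) & getattr(b, d)]


def campaign_confidence(members, links) -> str:
    """Rate a campaign by its weakest pairwise link (hypothetical scale)."""
    ids = {m.id for m in members}
    strengths = [len(dims) for (x, y), dims in links.items()
                 if x in ids and y in ids]
    if not strengths:
        return "unlinked"          # a lone intrusion is not a campaign yet
    weakest = min(strengths)
    return "high" if weakest >= 3 else "medium" if weakest == 2 else "low"


def link_campaigns(intrusions, min_shared_dims: int = 2) -> list:
    """Group intrusions into campaigns with union-find.

    Two intrusions are linked when they overlap on at least min_shared_dims
    TTP dimensions. The default of 2 means one shared artifact (a common
    tool, one reused host) is not enough to assert a campaign on its own.
    """
    parent = {i.id: i.id for i in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    links = {}
    for a, b in combinations(intrusions, 2):
        dims = shared_dimensions(a, b)
        if len(dims) >= min_shared_dims:
            links[(a.id, b.id)] = dims
            parent[find(a.id)] = find(b.id)

    groups = defaultdict(list)
    for i in intrusions:
        groups[find(i.id)].append(i)

    campaigns = []
    for members in groups.values():
        members.sort(key=lambda i: i.seen)
        campaigns.append({
            "members": [i.id for i in members],
            "first_seen": members[0].seen.isoformat(),
            "last_seen": members[-1].seen.isoformat(),
            "confidence": campaign_confidence(members, links),
        })
    campaigns.sort(key=lambda c: c["first_seen"])
    return campaigns


# Constructed sample data; every value here is made up for the example.
SAMPLE_INTRUSIONS = [
    Intrusion("INT-1", date(2013, 1, 5), frozenset({"engineering"}),
              frozenset({"gh0st"}), frozenset({"c2-a.example"}),
              frozenset({"delivery", "c2"})),
    Intrusion("INT-2", date(2013, 1, 20), frozenset({"engineering"}),
              frozenset({"gh0st"}), frozenset({"c2-b.example"}),
              frozenset({"delivery"})),
    # Same RAT as INT-1/INT-2 but different targets, infrastructure and
    # phase: a shared tool alone should not pull it into that campaign.
    Intrusion("INT-3", date(2013, 2, 2), frozenset({"finance"}),
              frozenset({"gh0st"}), frozenset({"c2-c.example"}),
              frozenset({"exploitation"})),
    Intrusion("INT-4", date(2013, 2, 15), frozenset({"finance"}),
              frozenset({"poisonivy"}), frozenset({"c2-c.example"}),
              frozenset({"c2"})),
]


if __name__ == "__main__":
    for c in link_campaigns(SAMPLE_INTRUSIONS):
        print(c)
```

Lowering min_shared_dims to 1 collapses all four records into one low-confidence campaign on the strength of the shared RAT alone, which is exactly the over-linking the panel warned about.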
Next was the panel "Delivering Actionable CTI as a Solution" with Bejtlich, Destefano, Meyers, Ramsey. Overall this was kind of a slow point in the day, as there wasn't as much energy or enthusiasm. Adam Meyers discussed analyzing and categorizing the human element of malware, such as coding techniques and use of language. It was mentioned that you need to measure the value of sources by how much it reduces your time to detect. John Ramsey had some axioms: "keeping them out is cheaper than getting them out" and "running a cybersecurity group without threat intelligence is like running a business without an income statement". Both of those hit home with me. And Richard Bejtlich had the best joke of the summit by offering to outsource intelligence to Mercyhurst Institute (see Jeff Carr debacle).
Most of the SANS 360 talks weren't too substantial. And how could they be in 6 minutes? My favorites were:
Attribution: Holy Grail or Waste? Billy Leonard covered the critical aspects of attribution:
- how they operate
- who and how they target
- what tools they use, in what order, and how they customize them
- how they move laterally
- when they operate
- how they take your data
- are they good?
Exercising Analytic Discipline by Patton Adams. He didn't use any slides (Patton++). He discussed 5 key imperatives:
1 - relevance to business
2 - good communication channel with leadership
3 - Confidence - Investigate, Analyze, Don't repeat
4 - Clarity - write for your audience
5 - Timeliness - good intel, can't be late, create a template to be more efficient
Crowdsourcing Threat Intelligence - Adam Vincent, see Threatconnect.com. He did a nice walk through of how their business evolved.
Curating Indicators by Doug Wilson - "humans are always the limiting factor, you need to automate and empower"
Battlefield Intel - Anup Ghosh. Invincea looks promising as it runs certain apps in a virtual container and gathers indicators. I wish this would get integrated into AV and not require a separate agent.
Detection Timeline - Julie Ryan - She was hilarious and to the point. A good way to end the agenda.
Rob Lee and Mike Cloppert closed it out after this. They did a great job putting this together, and I'm glad I was able to attend. I look forward to another future summit called APPLIED Cyber Threat Intelligence 2014.
Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your company. The key focus of CTI is people, not computers. The problem is actually too complex for technology to solve and requires human analysis. Computers are only tools. The goal of the summit is to educate people on the basic principles of CTI and what the components are. Based on that, I believe they achieved their objectives.
Greg Rattray led off with his keynote: "Evolution of Cyber Threats and Cyber Threat Intelligence". He wrote Strategic Warfare in Cyberspace 12 years ago and its still relevant today. He referenced a 1991 study that concluded it is impossible to defend a system from an advanced and motivated adversary. Even back then, they knew problems would arise. He reiterated that its not a technology problem, but an adversary problem. Throughout history, espionage has always been a constant. Pre-Internet everything was Public Switched Telephone Network(PSTN) and Signals Intelligence(SIGINT) and Counter SIGINT was the dominant battlefield. The NSA Orange book help lay the foundation for secure computing. In the 1990s, there was more speculation on the national security impact of Computer Network Operations(CNO) and Information Warfare(IW). The use of IW in the 1st Gulf War set the standard other countries are trying to emulate. At time it was predicted that in 10-12 years nation state cyber attacks would emerge. That turned out to be fairly accurate. Journalists have also done a fantastic job of doing attribution of the attacks versus the victims whom typically focus on cleanup. Solar Sunrise was a notable hacking event in 1998 involving an US-based Israeli lead hacking group of teenagers infiltrating many government agencies and EDUs. Moonlight Maze was another news worthy incident never confirmed, but believed to be Russian in origin. With the EP3 collision there was also new focus on patriotic non-government hacking. JTF-CND was one the first network defense groups that started to do predictive analysis. A dark period in cyber occurred after 9-11, when there was a major shift in focus to counter terrorism and supporting Centcom. Cyber took a backseat for a long time. A new area of concern was raised when a Chinese company(China Netcom) tried to buy Global Crossing, which threatened the telecommunications infrastructure and supply chain. 
Many of the threat assessments of the time were skewed because they focused only on the top tier cyber personnel and not the overall programs. This led to the Intelligence Community (IC) not believing China(CN) was as advanced as they actually were. Eventually we had the rise of APT, and improved attribution capability, and new focus on ICS/SCADA. Today we are in a era of rising fear. To be clear espionage is not an attack or cyber war. However, threats like stuxnet, shamoon, and flame have cause major disruptions. The cyber neighborhood is getting rough, especially for banking and critical infrastructure. DDoS attacks while previously written off, are becoming more agile from the attackers side and are wasting away CIRT resources. He stressed that we need to be careful how we categorize risk and be methodical. Information sharing is improving and we are on the right path. He is a strong advocate for commercial services and doesn't necessarily believe government is the solution. Advises you to attack the various stages of the kill chain to disrupt the adversary, even if you can't do all of them. What's missing today is that cyber teams don't talk to the business operations teams about operational risk. We need full spectrum geeks who are analytical, but still know the business environment and strategic impact. He suggests that we avoid the militarization of cyber space as this will just escalate our problems. He recommended a book called Eating Soup with a Knife. He believes that signal(RF) jamming, while mostly applied to aircraft and boats today, will be applied in cyber conflicts. He also advises leveraging a global outlook, and not clouding your judgement with US-centric viewpoints. In conclusion, he said that to stay competitive we must continue to learn and collaborate In follow up Q&A, it was stated that the media is perpetuating misconceptions by calling espionage cyberwar or cyberattack. The topic of government purchase of exploits came up. 
Greg believes in the law of supply and demand, and that if the demand goes down, so will the supply.
Rick Holland presented "If it Bleeds, We Can Kill It: Leveraging CTI to take the fight to the adversary". He used a Predator theme, which was awesome. He led off by stating that tools and big data are not your savior He defined CTI as information about external threat actors and active external threats. He referenced the Order of Battle and learning what an adversary looks like. When looking at Intel providers ask them what makes their service unique? Do they have the same indicators that everyone has. In the Intelligence Cycle, its critical to achieve dissemination and get the information to the stakeholders. Otherwise all that work is for not. Always leverage Alternate Analysis: question your judgement & assumptions and apply a high level of rigor to your analysis. Vendors typically don't do this. He made a recommendation for Clancy book - Threat Vector. He also referenced Active Defense Harbinger Edition (ADHD), an active defense toolkit promoted by PaulDotCom. Always focus first on what assets need to be protected. Enable IR teams autonomy to make critical decisions. It takes a long time for an in house intel team to mature, so you must get and maintain your executive buy in. He made a great point that as you thwart the adversary, the adversary adapts. Whereas Dutch(Schwarzenegger) in Predator used mud to hide from the Predator, the next generation predator could detect that and the game changed. Intel sources can be internal, government (DHS, FBI, etc), industry (partners, ISACs, vertical orgs), and providers (iSight, LookingGlass, iDefense, RSA, Seculert). He mentioned that OpenIOC is being picked up by FireEye and PaloAlto. Also a mention of Mitre Cybox & STIX. In conclusion, CTI is a marathon, not a sprint. I couldn't agree more. We need to end the shiny object syndrome in general.
There was a panel on Best Practices in CTI including Rich Barger, Shane Huntley, Chris Sperry, Aaron Wade, and Mike Cloppert. The opening remark was Intel needs to have a customer. You need to know who you support and why? Follow the basic model: Collect -> Analyze -> Disseminate. Present data that can be used to make decisions, not screenshots of IDApro(analyst pr0n). Organizations are their own best source of intel. You need to extract all intel from your own attacks, create threat profiles, and intel priorities. However know your limits. How usable is the intel? Consider the volume, because you have to be able to process and store it. The pivot analysis approach: move across data sets and leverage business knowledge. Capture how adversary behaves in each stage of the campaign. Threat researchers need to understand which attacks are likely based on real intel-driven data, not some esoteric theoretical attack. Aurora forced Google to make a major change from windows, and other platforms. Now that has come full circle and Mac threats have increased. Success is measured in blocks and thwarted attacks. You have to limit CTI efforts to crown jewels, you can't cover everything. You always want first order data, in order to verify analysis. My favorite quote was by Aaron Wade: "Intelligence without context is just data". You need to go back and ask for more information and not trust by default. OSINT can be good, but an internal investment in a threat intelligence team is still ideal. Any hop point monitoring should be done within the law. You should also should coordinate with other organizations hitting the same hop point. There was a repeated theme of a big boys club, develop sharing agreements with organizations that are mature. A major lessons learned is NOT to rush to attribution based on a single source. It is extremely hard to recover from bad intel reports. Its important to assign confidence ratings to analysis to maintain credibility. 
You should be familiar with the Intelligence Gain/Loss Equation. How risk tolerant is your organization? Can they wait and see to derive more intel or do they adhere to the knee jerk approach.
Mike Gordon presented "Building and Operating a Cyber Threat Intelligence Team". This was a very polished, well delivered presentation and it felt like it was one he had given to his leadership. I think its clear LM-CIRT is the team everyone wants to emulate. LM sees 1.75 Billion sensor events/day, 30 million emails/week, 1.2 million blocked web requests and holds 1 month of full pcap and operates 572 facilities in 63 countries. There team is broken into 4 units: Investigations (Forensics, eDiscovery), Intrusions (APT, Intel Fusion), CyberCrime (Insider Threat, Commodity Attacks), and Engineering (IT Support). Their model includes Corporate Culture, User Education (Awareness, Training, Security Testing, Metrics, Analysis), Defendable Networks (Reduce gateways, infrastructure hardening, threat driven program), and Trade craft (Intel, Incident Response . They mock phish all 120K of their users, including the CEO. The 1st fail results in training and retesting. The 2nd fail results in a call with their management. The 3rd fail results in some form of HR discipline. I thought that was incredible and indicative of the executive support they have. At some point in their history, they concluded that vendor driven response wasn't good enough. Commercial offerings could not keep up with the pace of threats. They embraced creating their own custom tools. He coined the term memorializing indicators so you don't forget about them, their context and associated metadata. Track your attacks over time and the patterns can reveal a campaign. Intrusions expose behaviors, behaviors suggest linkages, linkages reveal patterns, patterns inform actions, actions determine success. You can measure your success based on how much was stopped due to internal vs. external intel. To track work load, keep count on the number of intel reports that are processed per month. 
Three models presented were: Tsunami Warning (info sharing, intel consumption, group detection), Farmers Almanac (Campaign tracking, trending, forecasting), and Actual Early Warning (LE & IC have actual knowledge of pending attack). I wish I had taken some pictures of his slides as they were chock full of good concepts and metrics. Hopefully they are shared out at some point.
My favorite talk of the day was hands down, Reid Gilman's "Creating Threat Intelligence: Tools to Manage and Leverage Active Threat Intelligence". The company MITRE is a non-profit, dedicated to federal research. Reid works in MITRE's Cyber Threat Analysis Cell. Some of his keys to success are:
1 - CTI Program - multi-sourced, disciplined warning process, know your enemy in your sector
2 - Strong Malware Analysis program
3 - Dev Ops - a staff of solid programmers, to create custom tools
4 - Incident Response baked into defensive posture aka Assumption of Breach
5 - Workforce culture of Security Awareness
CRITS(Collaborative Research Into Threats) - track adversary artifacts over time. The demo was very impressive, due to its feature set. This tool looks more user friendly then many others I have seen.(MongoDB)
ChopShop - understand how adversaries use tools. The demo included live decoding of gh0st c2 channel. Chopshop has standard libraries like timestamp extraction and XOR decoding for pcaps.
He mentioned that its important to not confuse operator actions vs automated actions.
TTPs: Targeting, Tools, Infrastructure, Kill Chain
Campaign: Intrusion Attempts + TTPs over time
(github - mitre-chopshop, crits@mitre.org, taxii.mitre.org, stix.mitre.org, mitre.org/work/cybersecurity, vortex-ids.org)
Next was the panel "Delivering Actionable CTI as a Solution" with Bejtlich, Destefano, Meyers, Ramsey. Overall this was kind of a slow point in the day, as there wasn't as much energy or enthusiasm. Adam Meyers discussed analyzing and categorizing the human element of malware, such as coding techniques and use of language. It was mentioned that you need to measure the value of sources by how much it reduces your time to detect. John Ramsey had some axioms: "keeping them out is cheaper than getting them out" and "running a cybersecurity group without threat intelligence is like running a business without an income statement". Both of those hit home with me. And Richard Bejtlich had the best joke of the summit by offering to outsource intelligence to Mercyhurst Institute (see Jeff Carr debacle).
Most of the Sans 360 talks, weren't to substantial. And how could they be in 6 mins. My favorites were:
Attribution: Holy Grail or Waste. Billy Leonard covered critical aspects of attribution:
- how they operate
- who and how they target
- what tools, order of use, how they customize
- how the move laterally
- when do they operate
- how do they take your data
- are they good?
Exercising Analytic Discipline by Patton Adams. He didn't use any slides (Patton++). He discussed 5 key imperatives:
1 - relevance to business
2 - good communication channel with leadership
3 - Confidence - Investigate, Analyze, Don't repeat
4 - Clarity - write for your audience
5 - Timeliness - good intel, can't be late, create a template to be more efficient
Crowdsourcing Threat Intelligence - Adam Vincent, see Threatconnect.com. He did a nice walk through of how their business evolved.
Curating Indicators by Doug Wilson - "humans are always the limiting factor, you need to automate and empower"
Battlefield Intel - Anup Ghosh. Invincea looks promising, as it runs certain apps in a virtual container and gathers indicators. I wish this would get integrated into AV rather than requiring a separate agent.
Detection Timeline - Julie Ryan - She was hilarious and to the point. A good way to end the agenda.
Rob Lee and Mike Cloppert closed it out after this. They did a great job putting this together, and I'm glad I was able to attend. I look forward to another future summit called APPLIED Cyber Threat Intelligence 2014.
Monday, December 10, 2012
The Broken 1.0
So as we are about to close out 2012, many of us in the IT security community look around and try to assess where we were, what we accomplished this year, and what is next. I've been working in IT since the late 90s, with a focus on security for much of that time. Most of my work has been in large private sector companies, with a brief but very rewarding stint working for the government. To me, while much has changed, many of the core issues remain today as they were back then. Our security condition has actually worsened in many cases. While that is up for debate, no one can argue that the pace, sophistication, and impact of major cyber events tied to nation-sponsored, organized crime, and hacktivist threats have increased exponentially in the last 4-5 years. This new normal has applied to the government and defense industrial base for a long time, but really surfaced in the private sector around 2007. You would assume that with all that increased attention, dollars, and executive support at the highest levels, things would be happening. Well, they are, but we as an industry are still losing the never-ending cat and mouse game with our adversaries. Why?
Over the years, I have sat through countless "you're doing it wrong" or "we're screwed" type presentations. Some of them were very informative, and I absolutely respect anyone publicly voicing their opinions and ideas, knowing they will be criticized and nitpicked for things taken out of context. However, I often leave conferences wanting a way to fix what we all know is broken. So what is stopping us? That is where I would like to focus some energy. What are the key roadblocks and stumbling points that are keeping the security industry from truly raising the bar instead of being stuck in a continual state of catch-up?
The ideas that follow are not all my own; I'm sure I have subconsciously absorbed some of them or knowingly added them to my mantra. I have a set of wise men I learn from constantly, but I won't list them or directly associate them with this post out of respect. These ideas shouldn't be taken as statements of fact either, as they are only my humble opinions. My goal is to start a real discussion and a starting point for documenting and overcoming our greatest challenges.
Preamble
First off, any high-level discussion that focuses on technical solutions is inherently flawed. That is the equivalent of trying to fix and improve the Maginot Line. To paraphrase The Matrix, "You've been down that road, you know that road, and you know exactly where it ends." We shouldn't be looking for point solutions, because just as you achieve them, the game changes. If we can all agree to "take the red pill", we can start addressing the behavioral issues and misconceptions that are keeping us in a reality distortion field.
In no particular order, here we go:
Obstacle 1: No incentive or penalty for correctly managing IT Security Risk
How many times have you had a business leader accept an enormous, unmitigated risk despite the misgivings of their security department? I agree that security should not disrupt revenue-generating business activities; however, at a certain point the risk actually outweighs the profit. There are many factors that contribute to this behavior. The most talked about is that technical security people often don't describe the risk correctly in business terms. There absolutely is a need for the right people, who can translate the lack of encryption, or the outsourcing of critical applications, into what that may mean in business terms. So let's say we are already doing that. That is a big if, I know. The next challenge is the short-term, fiscal-quarter mentality most C-levels have. They are incentivized to deliver results quarterly or annually to meet their bonus potential. By the time the risk they accepted goes south, they have cashed the bonus check and may have been promoted into a different role or left the company altogether. One thing is clear though: short-term strategy rules the day. Hmm, just maybe the Chinese are right about one thing (see five-year plan). Actually they are right about many things, but that is a different story. I don't see an easy way to incentivize something that may take years to play out.
For me the most direct solution is to model what you see implemented in the sports, legal and medical professions. Sometimes a pro athlete, for a number of reasons, creates a situation where they have violated the terms of their contract and their bonuses are subject to forfeiture. Imagine a world where a senior leader accepts a risk and is then found to have been negligent. The bonus achieved by cutting security corners should be returned even if they have left the company. I'm not sure if this was ever implemented, but I think this line of thought was discussed for SOX and FINRA regulation for CEOs who sign off on financial results. Similar to medical boards and the bar association, that failure should be recorded and follow them throughout their career. If you choose, for example, to put your M&A or intellectual property data in a third-party cloud despite documented warnings, then all your future employers should know that. I'm not saying this would be easy to achieve or likely, but it would definitely modify behavior. It's also right to consider that this might swing the pendulum too far, to where we become too risk averse.
Obstacle 2 – Field Validated Results Uber Alles
At the business level, the ultimate driver is audit compliance and the potential for fines by a governing body. Due to the punitive nature of the compliance racket, it makes perfect sense that this always stays high on the radar. What clearly needs to change is the notion that IT security compliance somehow equates to real-world security. It doesn't and almost never has. Some of the guidance contains very reasonable controls; however, much of it, particularly FISMA, creates a massive amount of overhead that actually detracts from improving security. Pro tip: stop funding auditing if you're not funding actually fixing the findings. I feel for the people placed in the horrible spot of having to write a single, snapshot-in-time document to cover every possible deployment or IT environment imaginable. It's a losing proposition by any measure. You can't be all things to everyone all the time, unless you're $deity. What is lacking is the concept of field-validated results, correlated with threats, driving your overall security strategy. This has been discussed by many people and nobody with experience really disagrees with it. My suggestion is not to eliminate, but to lessen the importance of, static, one-size-fits-all IT compliance. What should really be audited is the results of your incidents and pen tests, and specifically whether or not you have closed the gap. Kevin Mandia used the term "Attack the gap" recently. That couldn't be timelier. One of your primary jobs as an information security professional is ultimately to reduce your attack surface, and to do that properly you have to know which points in your environment are most exploitable by real threats, not by outdated security guidelines.
Obstacle 3 – IT Security is a competitive advantage
Now that more stories are becoming public about companies literally getting hacked out of business, this strategy becomes easier to sell. I think it's commonplace for leaders in non-tech industries to view IT as a cost center and not something that drives profits. I believe in the majority of cases this is not true. Nevertheless, a Fortune 100 company in my town actually told their IT workers "we don't value IT, and you should look for work elsewhere if you want to be valued." Wow, well, the guy who delivered that message is a straight shooter with upper management written all over him. If you're reading this right now, chances are you will agree that information, and the speed with which you can analyze and act on it, is a competitive advantage. Hence the availability, integrity, and confidentiality of that information are also an advantage (CISSP credits ;-)). There is no leap in logic here. So what is lacking is getting C-level leadership to understand this. We have to sell this better. We have to speak in business terms. We have to make a well-defined, quantitative business plan for how this makes the company better. Every day your company is either getting stronger or weaker in the marketplace. It's a zero-sum game in your vertical. If you suffer brand damage, loss of intellectual property, or a complete business disruption and your competitor doesn't, guess who wins?
Obstacle 4 – Talent Gap from the Keyboard to Boardroom
DHS needs 2000 cyber warriors in the next 5 years! The lack of IT security skills has been covered ad nauseam by the tech media. This is a real issue, but it's easier to fix than one would think. I'm not going to discuss the key skills we need from DFIR people, which is another great discussion. Where I see the biggest deficit of talent is in CISO/Director-level security positions. I won't say that to be great in this role you have to have been a skilled technical person, because I don't believe that to be true. Certainly that is desired and helps, but it's hard to detail a prototypical background. I've definitely seen people come out of the DoD or another three-letter agency with the perfect resume and fall completely on their face. To be honest, I'm not the best person to outline this problem because I've spent more time at the keyboard than in meetings with C-levels. I just know a problem when I see it. It has impacted me personally on multiple occasions. My biggest issue is that you don't want someone in this role who is trying to climb the ladder or use it as a stepping stone. You have to be willing to put your career on the line and say no to the people in power. If you can't do that and you're more of a yes-man, then I beg of you, get into marketing, HR, finance, or some other part of the company. If you don't have a track record of rocking the boat and merely want to coast until retirement, please step aside. At the same time, you also need to be an astute politician, because great success, or striving for greatness, often brings a myriad of consequences. Clearly for me though, the biggest required skill goes back to being able to show, in understandable business terms, the risks of not establishing or improving IT security. These people also need copious amounts of patience and a strong passion for security. If you can get one of these people in short supply, keep them happy, because they are in very high demand. People want to work for these types of leaders, and you will likely reap many rewards.
Obstacle 5 – IT Agility for Security
What is the number one reason high performers leave for another job? Is it money? What about power? I can't say I have an answer for this, and everyone is different in their expectations for a job. I can tell you the type of people I like to work with are problem solvers, enthusiastic about at least one aspect of IT or IT security. What I tend to see a lot of is people leaving because they are either pigeonholed into one area or frustrated because they can't accomplish what they want to. It's very common for an IT organization to resist and delay changes that support security because IT objectives are at odds with IT security objectives. That's not the only reason, of course, but it's a recurring theme that people are fighting a slow-moving process to make change happen. This could be something as simple as instrumenting your network, collecting logs, or even product selection. My proposal is to fast-track all security-related projects. Yes, beat me with a stick now, as I know this is totally unrealistic. That doesn't stop me from selfishly wanting it. I firmly believe that turnover in your security department would come down if we simply moved quicker on security projects. I also believe these delays often take so long that by the time a given change is operationalized it's no longer cutting edge and attackers have circumvented it. We need to become more agile and responsive as a whole, and I think there is consensus for that. How we get there is still an unanswered question.
Conclusion
So there you have it: my top 5 suggestions to raise the bar in security and actually end the year more secure than the year before. In case you're wondering, number 6 would have been Applied Threat Intelligence. I am hoping for more maturity in this space and for people to understand that it's not simply paying for a third-party threat feed. I think if we can eject the vendors and the Gartners of the world from our strategy process, things will start to improve. My message is: stop following the crowd and start doing the hard work of building a security program that is right for your business. A program that is cognizant of the behaviors mentioned above. A program that not only enables the business, but is accountable to the business. A program that rewards and develops security talent. In short, a program you can be proud of. Let's do this.