What is in a Name: Information Security Intelligence

One of the more elusive concepts in information security is that of information security intelligence. Oftentimes, when discussing intelligence, images of shadowy figures conducting espionage are evoked, and the truth of the matter is that this is frequently not far from the truth.

Building a Lean Forward Approach to Offense as a Defense

Last weekend information security professionals from around the globe gathered in a conference forum for the 2013 Suits and Spooks Conference in Washington, DC. The focus was on offense as a defensive tactic, often referred to as “active defense”. I was both an attendee and a speaker / panel moderator at the conference. The event was awesome. It featured collaboration and intellectually driven discourse on matters of extreme importance to our industry. Heated discussions seemed to be taking place everywhere: hallways, foyers and, of course, the session rooms.

New name, Same Game: Red October and the Question of Attribution

Earlier this month, Kaspersky Labs announced the discovery of a new style of cyber espionage campaign. Research on this threat campaign began in October of 2012, according to Kaspersky’s whitepaper. I’m not convinced that it is entirely new, but let’s press on and see what the boys there have to say. The researchers there began their investigation by examining the aftermath of a series of attacks conducted against networks belonging to the diplomatic services of various governments and their respective agencies.

The Mayans Were Wrong, Let’s Get Back to Intelligence Collection!

For years risk management types have been preaching the gospel of establishing CMDBs and promoting asset criticality matrices. If you’ve done this and maintain it regularly, you’re ahead of the game. If your organization has not endeavored toward doing so, you may wish to reconsider that point as we progress through this blog. Understanding your organizational asset inventory is of paramount importance to all information security professionals, especially those tasked with monitoring the enterprise in reactive and proactive scenarios.

Applying Security Intelligence to Your Enterprise Threat Mitigation Program – Introduction

Intelligence is no longer solely relegated to the world of the clandestine. It is no longer the exclusive domain of roguish characters featured in heart-pounding novels, nor is it the sole dominion of the prototypical ‘geek’ pounding away on a keyboard at a secret government facility (or van) near you. No. Threat intelligence is part of our lives, and we experience it daily at work, at home and on the go. This is true for you and me and for enterprise organizations.

Keep Calm, Analyze On: The Role of the Analyst in Detecting and Monitoring for Advanced Attacks

I was quoted recently in a piece featured in Dark Reading that discussed the idea of monitoring environments to detect persistent adversaries. It was a solid article and I stand behind my contribution, especially my comments on the importance that the analyst (not the tools they have or are using, though those are important in their own right) plays in the full lifecycle of triaging these types of threats.

Understanding Indicators of Compromise (IOC) Part III

The IODEF is a standing IETF RFC that defines a data representation providing a framework for sharing the information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. The basic premise is that organizations need help from third parties to mitigate malicious or nefarious activity targeting their hosts and networks. They need to gain additional (presumably absent) insight into these new and exotic threats. The coordination element of this communication is less obvious and natural than one might think, hence the need for a standards-driven framework for coordinating this process.

Understanding Indicators of Compromise (IOC) Part II

Introduction
In the first installment of this blog series we discussed several principal ideas and concepts necessary for security analysts as they seek to master an understanding of indicators of compromise (IOC). We discussed how IOCs relate to observables and how observables tie or relate to measurable events or stateful properties on a host. We…

Understanding Indicators of Compromise (IOC) Part I

Introduction
Every day security analysts are faced with piecing together disparate parts of complex events of interest related to emerging and sophisticated threats. These pieces can be simple metadata elements or much more complex malicious code and content samples that require advanced reverse engineering and analysis. When pulled together, the cumulative result equates to…