Last weekend information security professionals from around the globe gathered in a conference forum for the 2013 Suits and Spooks Conference in Washington, DC. The focus was on offense as a defensive tactic, often referred to as “active defense”. I was both an attendee and a speaker / panel moderator at the conference. The event was awesome. It featured collaboration and intellectually driven discourse on matters of extreme importance to our industry. Heated discussions seemed to be taking place everywhere – hallways, foyers and of course in the session rooms.
Earlier this month, Kaspersky Labs announced the discovery of a new style of cyber espionage campaign. Research on this threat campaign began in October of 2012 according to Kaspersky’s whitepaper. I’m not convinced that it is entirely new, but let’s press on and see what the boys there have to say. The researchers there began their investigation by examining the aftermath of a series of attacks conducted against networks belonging to the diplomatic services of various governments and their respective agencies.
For years risk management types have been preaching the gospel of establishing CMDBs and promoting asset criticality matrices. If you’ve done this and maintain it regularly, you’re ahead of the game. If your organization has not endeavored toward doing so, you may wish to reconsider that point as we progress through this blog. Understanding your organizational asset inventory is of paramount importance to all information security professionals, especially those tasked with monitoring the enterprise in reactive and proactive scenarios.
Intelligence is no longer solely relegated to the world of the clandestine. It is no longer the exclusive domain of roguish characters featured in heart-pounding novels, nor is it the sole dominion of the prototypical ‘geek’ pounding away on a keyboard at a secret government facility (or van) near you. No. Threat Intelligence is part of our lives and we experience it daily at work, at home and on the go. This is true for you and me and for enterprise organizations.
I was quoted recently in a piece featured in Dark Reading that discussed the idea of monitoring environments to detect persistent adversaries. It was a solid article and I stand behind my contribution, especially my comments on the importance of the role that the analyst (not the tools they have or are using – though those are important in their own right) plays in the full lifecycle of triaging these types of threats.
The IODEF is a standing IETF RFC designed to define a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. The basic premise is that organizations need help from third parties to mitigate malicious or nefarious activity targeting their hosts and networks. They need to gain additional (presumably absent) insight into these new and exotic threats. The coordination element of this communication is less obvious and natural than one might think, hence the need for a standards-driven framework for coordinating this process.
Introduction: In the first installment of this blog series we discussed several principal ideas and concepts necessary for security analysts as they seek to master an understanding of indicators of compromise (IOC). We discussed how IOCs relate to observables and how observables tie or relate to measurable events or stateful properties on a host. We [...]
Introduction: Every day security analysts are faced with piecing together disparate parts of complex events of interest related to emerging and sophisticated threats. These pieces can be simple metadata elements or much more complex malicious code and content samples that require advanced reverse engineering and analysis. When pulled together, the cumulative result equates to [...]
War and Peace: One of my favorite Latin sayings was one that was considered common during the height of the Roman Empire. In pace, ut sapiens, aptarit idonea bello, or for those of you who do not speak Latin: In peace, like a wise man, he appropriately prepares for war. Many information security professionals laugh [...]
As part of routine security research, the RSA Advanced Threat Intelligence Team identified a new hacking attack this week that uses a technique we’ve termed “Watering Hole”. In the new attack we’ve identified, which we are calling “VOHO”, the methodology relies on “trojanizing” legitimate websites specific to a geographic area which the attacker believes will be visited by end users who belong to the organization they wish to penetrate. This results in a wholesale compromise of multiple hosts inside a corporate network as the end users go about their daily business, much like a lion will lie in wait to ambush prey at a watering hole.