The Mayans Were Wrong, Let’s Get Back to Intelligence Collection!

Categories: Advanced Security, FirstWatch

So Where Do You Begin

For years, risk management types have been preaching the gospel of establishing CMDBs and promoting asset criticality matrices. If you’ve done this and maintain it regularly, you’re ahead of the game. If your organization has not endeavored to do so, you may wish to reconsider that point as we progress through this blog. Understanding your organizational asset inventory is of paramount importance to all information security professionals, especially those tasked with monitoring the enterprise in reactive and proactive scenarios.

Knowing the proverbial lay of the land is key, largely because the first rule of intelligence analysis is being able to ask ourselves: what do we know based on the information at our disposal? Not being able to answer that question is akin to flying blind, and no one wants to go through that type of experience. So understanding what we know unequivocally, in the absence of speculation or conjecture, is a good thing and should be embraced. How do we get there? We begin by evaluating every piece of technology we have at our disposal for its value as an intelligence collection agent. This may seem like a daunting task, but it’s important nonetheless.

Understanding what is occurring on the host footprint of every user in your enterprise, for example, will aid in narrowing the gaps in your knowledge as you begin to compare that activity to what is occurring within systems, servers, infrastructure, etc. So understanding what you have to work with as part of your asset inventory becomes increasingly valuable. Network defenses are also huge fonts of intelligence data. Firewall logs tell us who is doing what on a transaction-by-transaction basis via rules. IDS / IPS tell us which vulnerabilities, if any, are experiencing anomalous activity on the wire or outright exploitation. Web and mail gateways empower us with knowledge related to HTTP and SMTP communications respectively, while SIEMs tie this all together in a cohesive package for the analyst to view in composite form. But does this provide true visibility into what is occurring within (and outside) our enterprise footprints? The answer may surprise you.
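As an added illustration (not from the original post), the following Python reconciles a constructed CMDB against constructed firewall log lines: every internal address that talks on the wire but has no inventory record is a gap in "what we know", and the criticality column lets the analyst single out the high-value assets' outbound conversations. The inventory, the log layout and every address are made up for the example.

```python
import ipaddress
import re
from collections import Counter
# Constructed CMDB: address -> (hostname, owner, criticality 1..5)
CMDB = {
    "10.0.1.10": ("web01", "ecommerce", 5),
    "10.0.2.20": ("hr-db", "hr", 4),
    "10.0.3.5": ("wks-0042", "desktop-support", 1),
}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Constructed firewall log lines in a simple key=value layout.
FIREWALL_LOG = """\
2012-01-05T10:00:01 action=ALLOW src=10.0.1.10 dst=198.51.100.7 dport=443
2012-01-05T10:00:04 action=ALLOW src=10.0.3.5 dst=203.0.113.9 dport=80
2012-01-05T10:00:09 action=ALLOW src=10.0.9.77 dst=203.0.113.9 dport=6667
2012-01-05T10:00:12 action=DENY src=10.0.9.77 dst=10.0.2.20 dport=1433
2012-01-05T10:00:15 action=ALLOW src=10.0.2.20 dst=198.51.100.7 dport=443
malformed line that the parser must skip
"""
LINE_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def parse_line(line):
    """Return (action, src, dst, dport) or None for an unparseable line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    action, src, dst, dport = m.groups()
    return action, src, dst, int(dport)

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET

def reconcile(log_text, cmdb=CMDB):
    """Return (unknown, critical_outbound): internal addresses seen on the wire
    but missing from the CMDB (with flow counts), and (hostname, dst, dport)
    for criticality >= 4 assets reaching addresses outside the internal range."""
    unknown = Counter()
    critical_outbound = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _action, src, dst, dport = rec
        for addr in (src, dst):
            if is_internal(addr) and addr not in cmdb:
                unknown[addr] += 1
        asset = cmdb.get(src)
        if asset and asset[2] >= 4 and not is_internal(dst):
            critical_outbound.append((asset[0], dst, dport))
    return dict(unknown), critical_outbound
```

Run against the sample, the uninventoried 10.0.9.77 surfaces twice (once reaching out on an IRC port, once denied against the HR database), which is exactly the kind of host the CMDB alone would never have told you about.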

Where we need to begin

No. We need more insight into transaction-oriented communications at the packet level in order to see what is truly occurring at the host-to-host and host-to-network level. We need to be able to reconstruct sessions based on what we are seeing and make decisions (driven by information security policy) with respect to the results. We also need data rich enough to feed platforms built to collect information security intelligence, so that the value of those tools and platforms increases and is realized exponentially.

Honeypots, for example, are not new, but they are becoming increasingly viable solutions within network security infrastructure. Why? Because they enable the analyst to see who is coming toward them and what their TTPs might be with respect to malicious code promulgation. Sinkholes are also becoming increasingly viable, though there is more complexity involved with them than with traditional honeypots. The point is that without the greater insight that can only be derived from a greater vantage point, one will struggle with the application of information security intelligence, achieving mixed results at best while contending with advanced adversaries ready to strike without warning.

Author: Will Gragido

Mr. Gragido possesses over 18 years of information security experience. A former United States Marine, Mr. Gragido began his career in the data communications, information security and intelligence communities. After the USMC, Mr. Gragido worked within several information security consultancy roles performing and leading red teaming, penetration testing, incident response, security assessments, ethical hacking, malware analysis and risk management program development. Mr. Gragido has worked with a variety of industry leading research organizations including International Network Services, Internet Security Systems / IBM Internet Security Systems X-Force, Damballa, Cassandra Security, HP DVLabs, and now RSA NetWitness. Will has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and a strong desire to see the industry mature and enterprises & individuals become more secure. Will is a long-standing member of the ISC2, ISACA, and ISSA. Mr. Gragido holds the CISSP and CISA certifications, as well as accreditations in the National Security Agency's Information Security Assessment Methodology (IAM) and Information Security Evaluation Methodology (IEM). Additionally, Mr. Gragido is a Faculty Member of the IANS Institute where he specializes in advanced threat, botnet, and malware analysis. Mr. Gragido is a graduate of DePaul University and is currently preparing for graduate school. He is the co-author of Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats and is currently hard at work on a new book due out in the summer of 2012.