Cybersecurity in Heterogeneous Environments: A Podcast with Tom Hankins of Pacific Northwest National Laboratory

As technology continues to evolve and become more cutting edge, it may not initially be as secure as it needs to be. When you consider more heterogeneous environments with multiple operating systems, applications, and considerable open source development, a robust cybersecurity initiative becomes a must.

I recently had the opportunity to sit down with Tom Hankins, Cybersecurity Operations Manager at Pacific Northwest National Laboratory, a part of the Department of Energy (DoE), to discuss the cybersecurity challenges faced by national laboratories, and how to effectively deal with them.


In an increasingly hostile cyber environment, Hankins believes that making the case to senior management to take the cybersecurity plunge shouldn’t be all too difficult: “it’s only hard if you don’t get yourself out of your little cyber cage and present your case. You have to write these things down. You have to come up with a marketing plan, and you have to execute it.” Hankins continued, “the typical pushback is that we’re going to interrupt the business. And while you will be somewhat service interrupting - that does happen - you also need to address how you’re going to get that job done with minimal impact and how the impact of losing integrity, losing availability, losing confidentiality is a much larger problem.”

Tom will present his approach to dealing with these challenges at the Gartner Security & Risk Management Summit, June 23-26 in Washington, DC.

A 360° View of Cybersecurity – FireEye Incident Detection & Response Virtual Summit

The 2014 IDR Summit is officially in the books, and we at FireEye wanted to be the first to say, “thank you,” for making this year’s summit our most successful yet. We brought cybersecurity experts and practitioners from around the world together to learn about and discuss the most pressing cybersecurity issues facing organizations today. Here are some of the highlights:

  • Kicking off the conference on Tuesday, Mark Weatherford shared his unique insights on the changing landscape of cybersecurity.
  • Jen Weedon, Manager of Threat Intelligence for FireEye Labs, offered attendees insight into the latest threat trends, including shifts in the threat landscape, threat groups’ techniques and the impact of their activity.
  • Providing an overview of FireEye’s Threat Prevention Platform, CTO Dave Merkel showed how the integrated components of the platform can significantly improve an organization’s security posture.
  • With high profile security breaches, the retail industry has recently captured headlines. Jason Rebholz, senior consultant at Mandiant, a FireEye Company, discussed the tactics that targeted financial attackers use and how you can help protect your network.
  • Richard Bejtlich, chief security strategist, moderated an expert panel discussion entitled “Beyond SIEM: Enterprise Security Monitoring.” Built around audience interaction, this panel discussed topics such as data collection priorities, deriving context from events, and integrating threat intelligence to improve detection and speed response.

If you enjoyed our virtual summit, please join us in Washington, DC on October 7-8 for MIRcon 2014. MIRcon features authorities on incident response, malware analysis, reverse engineering and computer forensics sharing experiences and approaches to benefit each attendee.

Security professionals can expect high-value networking and peer-to-peer engagement. Participants will see new technology demonstrated, discuss ideas, and receive recommendations on how best to defend against and respond to sophisticated attackers. Register for MIRcon 2014.

This year’s summit would not have been possible without our sponsors. Thank you to Hewlett Packard, Bradford Networks, Imperva, McKinsey & Company, Guidance Software and Accuvant for helping us make this year’s IDR Summit a success.


Introduction to Strategic Thought

I plan to address strategic thought as applied to digital security in a series of posts. Here I would like to briefly introduce the concept and offer a simple example.

Joint Publication 1 (JP-1), Doctrine for the Armed Forces of the United States, helps illuminate the strategic approach to digital security. JP-1 defines three levels of warfare: strategic, operational and tactical. Above the strategic level one can place the overall goal of the digital security program, as one might place the overall goal of a military or political endeavor. Below the tactical level one can similarly place tools or technology – the weapons one might employ when conducting tactical maneuvers. Taken as a whole, the five levels appear as shown in Figure 1.

Figure 1. Five Levels of Strategic Security


Using a strategic security framework enables a digital defender to build a more effective and durable program. A strategic security system doesn’t start with tools and tactics; instead, it begins by setting one or more overall mission goals. The strategy-minded chief information security officer (CISO) obtains executive buy-in for those goals, which are stated at a level understood by technicians and non-technicians alike. Next the CISO develops strategies to implement those goals, organizes and runs campaigns and operations to support the strategies, helps his or her team use tactics to realize the campaigns and operations, and procures tools and technology to equip the team.

Figure 2 shows an example of one strategic security approach to minimize loss due to intrusions, using a strategy of rapid detection, response, and containment, along with network security monitoring-inspired operations/campaigns, tactics and tools.

Figure 2. Five Levels of Strategic Security Example


Most security professionals – and by association policymakers and leaders taking advice from those practitioners and engineers – fixate on the tools, and to a lesser degree, the tactics of the digital security problem. Goals, strategies and campaigns aren’t usually a consideration because technicians, administrators, programmers and the like spend their time working with tools. The extent of their tactical involvement is thinking about creative ways to use their tools. The communities that tend to think in terms of goals, strategies and campaigns – think tanks, policy analysts and so on – have traditionally not engaged with the technicians to bring the entire strategic security approach to bear on modern challenges.

As shown in Figure 2, “detecting intruders” is actually shorthand for a rich strategic security program – one whose goal is minimizing loss through a strategy of rapid incident detection, response and containment. Security teams run operations to match threat intelligence against security event data and hunt for novel intruders as needed. They tactically collect, analyze, escalate and resolve incidents and the related data using tools suited for those functions.

It is crucial, however, that the ultimate goals and strategy remain linked with the tools at the bottom of the process. If that chain decouples, the outcome could be disastrous, where technical reality makes strategic theory obsolete. For example, a program built on monitoring the network will fail if all network traffic is encrypted. The tools at the bottom of the process will not be able to “see” the contents of network traffic and will be less effective when trying to identify suspicious and malicious activity. In this dysfunctional case, the tools’ inability to deliver required data to the personnel conducting tactical endeavors and operational campaigns will prevent the program goal from being achieved.
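As an added illustration of the two preceding paragraphs (example code written for this edit, not code from the original post or from FireEye): a toy network security monitoring matcher that runs the operation described earlier, matching threat intelligence against event data, with two kinds of indicator, payload content patterns and destination addresses. The indicator values, hosts and flows are constructed samples, not real IoCs. The same beacon string is sent once in cleartext and once inside TLS; the content indicator fires only on the cleartext copy, while the destination indicator still fires on encrypted traffic. The block also reports the share of flows that content inspection could actually see, which is the number a CISO would watch to know whether the tools at the bottom still support the strategy at the top.

```python
# Added illustration (not from the original post): a toy network security
# monitoring (NSM) matcher showing why a program whose tools depend on payload
# content loses its link to the strategic goal once traffic is encrypted.
# All indicators, hosts and flows below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatIntel:
    """Two kinds of indicator: payload patterns (need cleartext) and
    destination addresses (matchable from flow metadata alone)."""
    content_patterns: frozenset  # bytes expected in a cleartext payload
    bad_destinations: frozenset  # IPs a host should never contact


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes
    encrypted: bool  # True when the payload bytes are TLS ciphertext


def match_flow(flow: Flow, intel: ThreatIntel) -> list:
    """Return the indicators that fired for one flow."""
    findings = []
    # Metadata indicators survive encryption: the endpoint is visible regardless.
    if flow.dst in intel.bad_destinations:
        findings.append("destination:" + flow.dst)
    # Content indicators only work when the sensor can read the payload.
    if not flow.encrypted:
        for pattern in sorted(intel.content_patterns):
            if pattern in flow.payload:
                findings.append("content:" + pattern.decode())
    return findings


def assess_program(flows, intel):
    """Match every flow and report how much of the traffic the content
    indicators could actually inspect. A falling visibility ratio is the
    early warning that the tools no longer support the strategy."""
    results = {f"{f.src}->{f.dst}:{f.dport}": match_flow(f, intel) for f in flows}
    cleartext = sum(1 for f in flows if not f.encrypted)
    visibility = cleartext / len(flows) if flows else 0.0
    return results, visibility


# Constructed sample indicators (hypothetical, not real IoCs).
INTEL = ThreatIntel(
    content_patterns=frozenset([b"GET /beacon?id="]),
    bad_destinations=frozenset(["203.0.113.9"]),  # TEST-NET-3 documentation range
)

# Constructed sample flows. The same beacon string is sent once in cleartext
# and once inside TLS, where the sensor only sees opaque ciphertext bytes.
FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 80, b"GET /beacon?id=42 HTTP/1.1\r\n", False),
    Flow("10.0.0.5", "198.51.100.20", 443, b"\x17\x03\x03\x00\x2a\x9f\x1c...", True),
    Flow("10.0.0.6", "203.0.113.9", 443, b"\x17\x03\x03\x00\x31\x4b\xe0...", True),
    Flow("10.0.0.7", "198.51.100.30", 443, b"\x17\x03\x03\x00\x20\x11\x55...", True),
]

if __name__ == "__main__":
    results, visibility = assess_program(FLOWS, INTEL)
    for key, found in results.items():
        print(f"{key:28} {found or 'no match'}")
    print(f"content visibility: {visibility:.0%} of flows")
```

The design point is the split between the two indicator classes: a program that only procures content-based indicators decouples from its detection strategy as soon as the visibility ratio drops, whereas metadata indicators (and, in a real deployment, endpoint telemetry or TLS termination) keep the chain from goal to tool intact.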

In future posts, I will elaborate on these concepts to demonstrate how they improve enterprise security.

Note: This post is adapted from a research paper by the author, published through The Brookings Institution as Strategy, Not Speed: What Today’s Digital Defenders Must Learn From Cybersecurity’s Early Thinkers.

Introducing the Digital Security Strategy Series

This is the first in a monthly series of blog posts I will write on strategic digital security. My goal is to introduce, or reinforce, concepts that are not often emphasized in the field of computer network defense. Our community is dominated by discussions of tools and tactics – such as software and how to use it to counter our adversaries. These are important elements of digital defense, but they should not constitute one’s entire security program.

I studied history and political science at the United States Air Force Academy (USAFA). At USAFA, the instructors were mostly officers, some of whom had fought in the first Gulf War. As a freshman cadet, I learned that prior to the Gulf War, Air Force planners concentrated on quickly deploying assets to conflict zones and fighting tactical engagements (often close air support or combat air patrols) once directed to do so. They seldom adopted a more strategic view of their contribution to national goals because they focused on one-on-one tactical engagements, relying on their individual skills and technical superiority to prevail.

Several officers contributed substantially to a change in the Air Force’s approach to warfighting just in time to prevail during the first Gulf War. These officers included John Boyd, John Warden, David Deptula, and others who sought to employ airpower as a strategic asset. They didn’t think solely in terms of tactics and tools; they planned for airpower to conduct campaigns and operations in support of strategy that ultimately realized national goals. By linking national policy and goals with strategy, operations, tactics and tools, they created a much more effective Air Force and changed the way the service postured itself in future conflicts.

I share this story because I see the same need for change in the digital security community. Yes, we need to have the best tactics and tools, but we must employ them to conduct campaigns and operations that embody strategy and contribute to organizational goals. In the coming months, I will write more about this topic, and I look forward to your questions.

Please leave a comment below on topics you would like me to discuss.

DoJ Indicts Chinese Military Hackers: First Impressions

Today, the US Department of Justice (DoJ) took actions previously unseen in the world of computer security. The press release announcing the activity noted the following:

“A grand jury in the Western District of Pennsylvania (WDPA) indicted five Chinese military hackers for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.”

The accompanying indictment begins with the following excerpt:

“From at least in or about 2006 up to and including at least in or about April 2014, members of the People’s Liberation Army (“PLA”), the military of the People’s Republic of China (“China”), conspired together and with each other to hack into the computers of commercial entities in the Western District of Pennsylvania and elsewhere in the United States.”

These two sentences are packed with meaning for anyone who has been working to counter the Chinese digital threat, either within, or on behalf of, victim organizations. First, the indictment zeroes in on the military aspect of the threat. DoJ isn’t talking about nebulous “Chinese hackers,” perhaps working as contractors for hire. These are PLA troops, some of whom are pictured in the indictment wearing their uniforms. Second, these sentences confirm the temporal span of the activity, roughly an eight year period. This is a sustained, persistent, resourced campaign. Third, they emphasize economic espionage against commercial American targets, not targets in the US military or intelligence communities. The US government has always been clear that it will not tolerate Chinese hacking to financially and scientifically accelerate Chinese economic growth.

For those of us who worked on exposing this threat over the years, the indictment contains many other relevant details. We read that the five defendants “worked together and with others known and unknown to the Grand Jury for the PLA’s General Staff, Third Department (“3PLA”), a signals intelligence component of the PLA, in a Unit known by the Military Unit Code Designator 61398 (“Unit 61398”), and in the vicinity of 208 Datong Road, Pudong District, Shanghai, China.” This is exactly the same unit, designation, and location identified in the 2013 Mandiant report, APT1: Exposing One of China’s Cyber Espionage Units. This statement is the first open, unclassified, official confirmation of the core attribution element in the Mandiant report. It shows that APT1 aka Unit 61398 aka the Second Bureau of the Third Department of the General Staff Directorate of the PLA is a threat to US economic and security interests.

There are many other aspects of the indictment that I find fascinating, but in the interest of time I will mention one other. Paragraph four states the following:

“During the period relevant to this Indictment, Chinese firms hired the same PLA Unit where the defendants worked to provide information technology services. For example, one SOE involved in trade litigation against some of the American victims mentioned herein hired the Unit, and one of the co-conspirators charged herein, to build a ‘secret’ database to hold corporate ‘intelligence.’”

This is a remarkable statement, because it may answer one of the burning questions those of us analyzing the problem have often asked: how does stolen Western data pass from the Chinese military to the Chinese private sector? According to the indictment, a State Owned Enterprise (SOE) simply hires Unit 61398 to provide IT services, and the military hackers leave the “intelligence” behind in a “database” for the benefit of the SOE.

As the story develops over the coming days, I will keep an eye on it and report back as newsworthy items appear.