Black Hat Briefings Justify Supporting Retrospective Security Analysis

One of the tenets of Network Security Monitoring, as repeated in Network Monitoring: How Far?, is collect as much data as you can, given legal, political, and technical means (and constraints) because that approach gives you the best chance to detect and respond to intrusions. The Black Hat Briefings always remind me that such an approach makes sense. Having left the talks, I have a set of techniques for which I can now mine my logs and related data sources for evidence of past attacks.

Consider these examples:

  • Given a set of memory dumps from compromised machines, search them using the Snorting Memory techniques for activity missed when those dumps were first collected.

  • Review Web proxy logs for the presence of IDN in URIs.

  • Query old BGP announcements for signs of past MITM attacks.

You get the idea. The key concept is that none of us are smart enough to know how a certain set of advanced threats are exploiting us right now, or how they exploited us in the past. Once we get a clue to their actions, we can mine our security evidence for indicators of that activity. When we find signs of malicious activity we can focus our methods and expand our view until we have a better idea of the scope of an incident.

This strategy is the only one that has ever worked for digital intrusion victims who are constrained to purely defensive operations. A better alternative, as outlined in The Best Cyber Defense, is to conduct aggressive counterintelligence to find out what the enemy knows about you. Since that tactic is outside the scope for the vast majority of us, we should adopt a mindset, toolset, and tactics that enable retrospective security analysis -- the ability to review past evidence for indicators of modern attacks.

If you only rely on your security products to produce alerts of any type, or blocks of any type, you will consistently be "protected" from only the most basic threats. Advanced threats know how to evade many defenses because they test and hone their techniques before deploying them in the wild.

NSM has always implemented retrospective security analysis, but the idea applies to a wide variety of security evidence.

Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.


dre said…
richard, sometimes your blog posts are quite fascinating.

question for the intelligence/DoD/ts-sci community:

Why do routeviews and other sources show that China Telecom announced a 0/0 at about the same time period that Code Red begun it's eventual destructive path across the entire Internet infrastructure?

Popular posts from this blog

Five Reasons I Want China Running Its Own Software

Cybersecurity Domains Mind Map

A Brief History of the Internet in Northern Virginia