Posts

Showing posts from 2018

Notes on Self-Publishing a Book

Image
In this post I would like to share a few thoughts on self-publishing a book , in case anyone is considering that option. As I mentioned in my post on  burnout , one of my goals was to publish a book on a subject other than cyber security. A friend from my Krav Maga school, Anna Wonsley , learned that I had  published several books , and asked if we might collaborate on a book about stretching. The timing was right, so I agreed. I published my first book with Pearson and Addison-Wesley in 2004, and my last with No Starch in 2013. 14 years is an eternity in the publishing world, and even in the last 5 years the economics and structure of book publishing have changed quite a bit. To better understand the changes, I had dinner with one of the finest technical authors around, Michael W. Lucas . We met prior to my interest in this book, because I had wondered about publishing books on my own. MWL started in traditional publishing like me, but has since become a full-time ...

Managing Burnout

Image
This is not strictly an information security post, but the topic likely affects a decent proportion of my readership. Within the last few years I experienced a profound professional "burnout." I've privately mentioned this to colleagues in the industry, and heard similar stories or requests for advice on how to handle burnout. I want to share my story in the hopes that it helps others in the security scene, either by coping with existing burnout or preparing for a possible burnout. How did burnout manifest for me? It began with FireEye's acquisition of Mandiant, almost exactly five years ago. 2013 was a big year for Mandiant, starting with the APT1 report in early 2013 and concluding with the acquisition in December. The prospect of becoming part of a Silicon Valley software company initially seemed exciting, because we would presumably have greater resources to battle intruders. Soon, however, I found myself at odds with FireEye's culture and managerial...

The Origin of the Quote "There Are Two Types of Companies"

Image
While listening to a webcast this morning, I heard the speaker mention There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked. He credited Cisco CEO John Chambers but didn't provide any source. That didn't sound right to me. I could think of two possible antecedents. so I did some research. I confirmed my memory and would like to present what I found here. John Chambers did indeed offer the previous quote, in a January 2015 post for the World Economic Forum titled What does the Internet of Everything mean for security?  Unfortunately, neither Mr Chambers nor the person who likely wrote the article for him decided to credit the author of this quote. Before providing proper credit for this quote, we need to decide what the quote actually says. As noted in this October 2015 article by Frank Johnson titled Are there really only “two kinds of enterprises”? , there are really (at least) two versions of this quote:...

The Origin of the Term Indicators of Compromise (IOCs)

Image
I am an historian . I practice digital security, but I earned a bachelor's of science degree in history from the United States Air Force Academy. (1) Historians create products by analyzing artifacts, among which the most significant is the written word. In my last post , I talked about IOCs, or indicators of compromise. Do you know the origin of the term? I thought I did, but I wanted to rely on my historian's methodology to invalidate or confirm my understanding. I became aware of the term "indicator" as an element of indications and warning (I&W), when I attended Air Force Intelligence Officer's school in 1996-1997. I will return to this shortly, but I did not encounter the term "indicator" in a digital security context until I encountered the work of Kevin Mandia. In August 2001, shortly after its publication, I read Incident Response: Investigating Computer Crime , by Kevin Mandia, Chris Prosise, and Matt Pepe (Osborne/McGraw-Hill). I ...

Even More on Threat Hunting

Image
In response to my post More on Threat Hunting , Rob Lee asked : [D]o you consider detection through ID’ing/“matching” TTPs not hunting? To answer this question, we must begin by clarifying "TTPs." Most readers know TTPs to mean tactics, techniques and procedures, defined by David Bianco in his Pyramid of Pain post as: How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between. In case you've forgotten David's pyramid, it looks like this. It's important to recognize that the pyramid consists of indicators of compromise (IOCs). David uses the term "indicator" in his original post, but his follow-up post from his time at Sqrrl makes this clear: There are a wide variety of IoCs ranging from basic file hashes to hacking Tactics, Techniques and Procedures (TTPs). Sqrrl Security Architect, David Bianco, uses a concept called the Pyramid of Pain to categorize...

More on Threat Hunting

Image
Earlier this week hellor00t asked via Twitter : Where would you place your security researchers/hunt team? I replied : For me, "hunt" is just a form of detection. I don't see the need to build a "hunt" team. IR teams detect intruders using two major modes: matching and hunting. Junior people spend more time matching. Senior people spend more time hunting. Both can and should do both functions. This inspired Rob Lee to blog a response, from which I extract his core argument: [Hunting] really isn’t, to me, about detecting threats... Hunting is a hypothesis-led approach to testing your environment for threats. The purpose, to me, is not in finding threats but in determining what gaps you have in your ability to detect and respond to them... In short, hunting, to me, is a way to assess your security (people, process, and technology) against threats while extending your automation footprint to better be prepared in the future. Or simply stated, it’s ...

Cybersecurity and Class M Planets

Image
I was considering another debate about appropriate cybersecurity measures and I had the following thought: not all networks are the same. Profound, right? This is so obvious, yet so obviously forgotten. Too often when confronting a proposed defensive measure, an audience approaches the concept from their own preconceived notion of what assets need to be protected. Some think about an information technology enterprise organization with endpoints, servers, and infrastructure. Others think about an industrial organization with manufacturing equipment. Others imagine an environment with no network at all, where constituents access cloud-hosted resources. Still others think in terms of being that cloud hosting environment itself. Beyond those elements, we need to consider the number of assets, their geographic diversity, their relative value, and many other aspects that you can no doubt imagine. This made me wonder if we need some sort of easy reference term to capture the essenti...

Have Network, Need Network Security Monitoring

Image
I have been associated with network security monitoring my entire cybersecurity career, so I am obviously biased towards network-centric security strategies and technologies. I also work for a network security monitoring company ( Corelight ), but I am not writing this post in any corporate capacity. There is a tendency in many aspects of the security operations community to shy away from network-centric approaches. The rise of encryption and cloud platforms, the argument goes, makes methodologies like NSM less relevant. The natural response seems to be migration towards the endpoint, because it is still possible to deploy agents on general purpose computing devices in order to instrument and interdict on the endpoint itself. It occurred to me this morning that this tendency ignores the fact that the trend in computing is toward closed computing devices. Mobile platforms, especially those running Apple's iOS, are not friendly to introducing third party code for the purpose of...

Network Security Monitoring vs Supply Chain Backdoors

Image
On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.” From the article: Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have c...

Firewalls and the Need for Speed

Image
I was looking for resources on campus network design and found these slides  (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention: This bothered me, so I Tweeted about it. This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here . Here is the bottom line for their suggested architecture: What do you think of this architecture? My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version? First, let's be clear that I have always differentiated between  visibility and control . A firewall is a poor visibility too...

Twenty Years of Network Security Monitoring: From the AFCERT to Corelight

Image
I am really fired up to join Corelight. I’ve had to keep my involvement with the team a secret since officially starting on July 20th. Why was I so excited about this company? Let me step backwards to help explain my present situation, and forecast the future. Twenty years ago this month I joined the Air Force Computer Emergency Response Team (AFCERT) at then-Kelly Air Force Base, located in hot but lovely San Antonio, Texas. I was a brand new captain who thought he knew about computers and hacking based on experiences from my teenage years and more recent information operations and traditional intelligence work within the Air Intelligence Agency. I was desperate to join any part of the then-five-year-old Information Warfare Center (AFIWC) because I sensed it was the most exciting unit on “Security Hill.” I had misjudged my presumed level of “hacking” knowledge, but I was not mistaken about the exciting life of an AFCERT intrusion detector! I quickly learned the tenets of network...

Defining Counterintelligence

Image
I've written about counterintelligence  (CI) before, but I realized today that some of my writing, and the writing of others, may be confused as to exactly what CI means. The authoritative place to find an American definition for CI is the United States National Counterintelligence and Security Center . I am more familiar with the old name of this organization, the  Office of the National Counterintelligence Executive (ONCIX). The 2016 National Counterintelligence Strategy cites Executive Order 12333 (as amended) for its definition of CI: Counterintelligence – Information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or  assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their  agents, or international terrorist organizations or activities. (emphasis added) The strict interpretation of this definition is counteri...

Why Do SOCs Look Like This?

Image
When you hear the word "SOC," or the phrase "security operations center," what image comes to mind? Do you think of analyst sitting at desks, all facing forward, towards giant screens? Why is this? The following image is from the outstanding movie Apollo 13, a docudrama about the challenged 1970 mission to the moon. It's a screen capture from the go for launch sequence. It shows mission control in Houston, Texas. If you'd like to see video of the actual center from 1970, check out This Is Mission Control . Mission control looks remarkably like a SOC, doesn't it? When builders of computer security operations centers imagined what their "mission control" rooms would look like, perhaps they had Houston in mind? Or perhaps they thought of the 1983 movie War Games? Reality was way more boring however: I visited NORAD under Cheyenne Mountain in 1989, I believe, when visiting the Air Force Academy as a high school senior. I can c...