Mandiant Webinar Wednesday; Help Us Break a Record!

I'm back for the last Mandiant Webinar of the year, titled State of the Hack: It's The End of The Year As We Know It - 2011. And you know what? We feel fine! That's right, join Kris Harms and me Wednesday at 2 pm Eastern as we discuss our reactions to noteworthy security stories from 2011. Register now and help Kris and me beat the attendee count from last month's record-setting Webinar. If you have questions about the Webinar, or during it, you can always send them via Twitter to @mandiant using the hashtag m_soh.

Tripwire Names Bejtlich #1 of "Top 25 Influencers in Security"

I've been listed in other "top whatever" security lists a few times in my career, but appearing in Tripwire's Top 25 Influencers in Security You Should Be Following today is pretty cool! Tripwire is one of those technologies and companies that everyone should know. It's almost like the "Xerox" of security because so many people equate the idea of change monitoring with Tripwire. So, I was happy to see my twitter.com/taosecurity feed and the taosecurity.blogspot.com blog make their cut. David Spark asked for my "security tip for 2012," which I listed as: Improve your incident detection and response program by answering two critical questions: 1. How many systems have been compromised in any given time period; and 2. How much time elapsed between incident identification and containment for each system? Use the answers to improve and guide your overall security program. Those of you on the securitymetrics mailing list, and a few other places...

Become a Hunter

Earlier this year SearchSecurity and TechTarget published a July-August 2011 issue (.pdf) with a focus on targeted threats. Prior to joining Mandiant as CSO I wrote an article for that issue called "Become a Hunter": It's natural for members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. No equation can govern a threat's behavior, and threats routinely innovate in order to evade and disrupt defensive measures. Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider the "self-defending network" concept to be market...

National Public Radio Talks Chinese Digital Espionage

When an organization like National Public Radio devotes an eleven minute segment to Chinese digital espionage, even the doubters have to realize something is happening. Rachel Martin's story "China's Cyber Threat A High-Stakes Spy Game" is excellent and well worth your listening (.mp3) or reading time. Rachel interviews three sources: Ken Lieberthal of the Brookings Institution, Congressman Mike Rogers (chairman of the House Intelligence Committee), and James Lewis from the Center for Strategic and International Studies. If you listen to the report you'll hear James Lewis mention "a famous letter from three Chinese scientists to Deng Xiaoping in March of 1986 that says we're falling behind the Americans. We're never going to catch up unless we make a huge investment in science and technology." James is referring to the so-called 863 Program (Wikipedia). You can also read directly from the Chinese government itself here, e.g.: In 1986, to meet the gl...

Dustin Webber Creates Network Security Monitoring with Siri

Dustin Webber just posted a really cool video called Network Security Monitoring with Siri. He shows how he uses his iPhone 4S and SiriProxy to interact with his Snorby Network Security Monitoring platform. The following screenshot shows Dustin asking "Can you show me what the last severity medium event was?" and Siri answering. Later he asks Siri to tell him about "incident 15". Near the end Dustin asks Siri if she likes Network Security Monitoring. This is just about the coolest thing I've seen all year. Ten years ago I thought it was cool to listen to Festival read Sguil events out loud -- now Dustin shows how to interact with an NSM platform by voice command. Amazing!

Trying NetworkMiner Professional 1.2

Erik Hjelmvik was kind enough to send an evaluation copy of the latest version of his NetworkMiner traffic analysis software. You can download the free edition from SourceForge as well. I first mentioned NetworkMiner on this blog in September 2008. NetworkMiner is not a protocol analyzer like Wireshark. It does not take a packet-by-packet approach to representing traffic. Instead, NetworkMiner displays traffic in any one of the following ways: as hosts, frames, files, images, messages, credentials, sessions, DNS records, parameters, keywords, or cleartext. To demonstrate a few of these renderings, I asked NetworkMiner to parse the sample pcap from a sample lab from TCP/IP Weapons School 2.0. I did not need to install it; the software starts from a single executable and loads several DLLs in the associated directory. The following screen capture shows information from the Hosts tab, showing what NetworkMiner knows about 192.168.230.4. Notice that in addition to summarizing inf...

Thoughts on 2011 ONCIX Report

Many of you have probably seen coverage of the 2011 ONCIX Reports to Congress: Foreign Economic and Industrial Espionage. I recommend every security professional read the latest edition (.pdf). I'd like to highlight the key findings of the 2011 version:

Pervasive Threat from Adversaries and Partners

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

• Chinese actors are the world's most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.

• Russia's intelligence services are conducting a range of activities to collect economic information and technology from US targets.

• Some US allies and partners use their broad access to US institutions to acqui...