On today's increasingly militarized Internet, companies, non-profits, activists, and individual hackers are forced to melee with nation-state class adversaries. Just as one should never bring a knife to a gunfight, a network defender should not rely on tired maxims such as “perimeter defense” and “defense in depth”. Today’s adversaries are well past that. This webinar provides:
- Key insights into what we call the Library of Sparta: the collective written expertise codified into military doctrine. Hidden in plain sight, vast free libraries contain the time-tested wisdom of combat at the tactical, operational, and strategic levels.
- A better understanding of how adversaries will target your organization, and of how to employ military processes and strategies in your defensive operations.
- New approaches and examples for translating doctrinal concepts into your current operations.
This deck covers what threat hunting is and how to perform it. Traditional detection systems are being bypassed, and a modern approach is needed to detect and respond to modern threats.
Entire demo of the same is available on youtube - https://www.youtube.com/playlist?list=PL2iM-fIRjbTCQVI4tR7U2I5IdwLb2QSi_
Cyber Threat Intelligence is a process in which information from different sources is collected, then analyzed to identify and detect threats against any environment. The information collected could be evidence-based knowledge that could support the context, mechanism, indicators, or implications about an already existing threat against an environment, and/or the knowledge about an upcoming threat that could potentially affect the environment. Credit: Marlabs Inc
Threat intelligence is information that informs enterprise defenders about adversaries so that they can stop them.
It is information that is relevant to the organization, has business value, and is actionable.
Having all the data and feeds is not enough: data alone isn’t intelligence.
#Threat #Intelligence #Forensics #ELK #Forensics #VAPT #SOC #SIEM #Incident #D3pak
6 Steps for Operationalizing Threat Intelligence (Sirius)
The best form of defense against cyber attacks and those who perpetrate them is to know about them. Collaborative defense has become critical to IT security, and sharing threat intelligence is a force multiplier. But for many organizations, good quality intelligence is hard to come by.
Commercial threat intelligence technology and services can help enterprises arm themselves with the strategic, tactical and operational insights they need to identify and respond to global threat activity, and integrate intelligence into their security programs.
Threat intelligence sources have varying levels of relevance and context, and there are concerns about data quality and redundancy, shelf life, public/private data sharing, and threat intelligence standards. However, if processed and applied properly, threat intelligence provides a way for organizations to get the insight they need into attackers’ plans, prioritize and respond to threats, shorten the time between attack and detection, and focus staff efforts and decision-making.
View to learn:
--The difference between threat information and threat intelligence.
--Available sources of intelligence and how to determine if they apply to your business.
--Key steps for preparing to ingest threat information and turn it into intelligence.
--How to derive useful data that helps you achieve your business goals.
--Tools that are available to make collaboration easier.
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T... (AlienVault)
Ever feel like you spend more time converting security information from one format to another than actually connecting the dots hidden within it? The Collective Intelligence Framework (CIF) is a data processor that pulls in all these threat intel sources and normalizes them into a single combined dataset. Watch it on-demand http://ow.ly/li8Lf #TTTSec
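The normalization step the talk describes, as an added example that is not CIF's own code and not part of the original page. It takes three constructed feeds with different schemas (a CSV with timestamps and scores, a JSON feed with its own field names, and a bare blocklist with no metadata), derives each indicator's type from the value itself rather than trusting the feed's label, merges duplicates across sources, and separates records that have aged past a shelf-life cutoff. The feed names, field names, the 14-day shelf life and the ingestion time are assumptions made for the demo; the indicator values are from documentation ranges and reserved names, not real threat data.

```python
import csv
import io
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feeds (documentation-range IP, reserved .test TLD, MD5 of the empty string):
# one CSV feed with timestamps and scores, one JSON feed with its own field names, one bare blocklist.
FEED_CSV = """indicator,type,last_seen,confidence
198.51.100.23,ip,2024-03-01T10:00:00Z,80
evil-example.test,domain,2024-02-01T09:30:00Z,60
"""
FEED_JSON = json.dumps({"objects": [
    {"value": "198.51.100.23", "kind": "ipv4", "ts": "2024-03-03T00:00:00Z", "score": 90},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "kind": "md5", "ts": "2024-03-02T00:00:00Z", "score": 70},
]})
FEED_TXT = """# blocklist, one indicator per line, no timestamps or scores
198.51.100.23
http://evil-example.test/payload.bin
not-an-indicator!!
"""
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)  # assumed ingestion time for the demo

HASH_RE = {"md5": re.compile(r"^[0-9a-f]{32}$"),
           "sha1": re.compile(r"^[0-9a-f]{40}$"),
           "sha256": re.compile(r"^[0-9a-f]{64}$")}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)


def classify(raw):
    """Derive the indicator type from the value itself; feed-supplied type labels are not trusted."""
    v = raw.strip().lower()
    if not v:
        return None
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass
    for kind, rx in HASH_RE.items():
        if rx.match(v):
            return kind
    if URL_RE.match(v):
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_csv_feed(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], parse_ts(row["last_seen"]), int(row["confidence"]), source


def parse_json_feed(text, source):
    for obj in json.loads(text)["objects"]:
        yield obj["value"], parse_ts(obj["ts"]), int(obj["score"]), source


def parse_txt_feed(text, source, fetched_at, default_confidence=50):
    # A bare list carries no per-indicator metadata, so the fetch time and a default score are assumed.
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line, fetched_at, default_confidence, source


def build_dataset(records, now, max_age_days=30):
    """Merge (raw, last_seen, confidence, source) tuples into one deduplicated dataset.

    Returns (active, stale, rejected): records older than max_age_days are kept apart
    rather than silently dropped, and values that parse as nothing usable are reported.
    """
    merged, rejected = {}, []
    for raw, seen, confidence, source in records:
        kind = classify(raw)
        if kind is None:
            rejected.append((source, raw))
            continue
        value = raw.strip() if kind == "url" else raw.strip().lower()  # URL paths are case-sensitive
        entry = merged.setdefault((kind, value), {
            "indicator": value, "type": kind, "sources": set(), "last_seen": seen, "confidence": 0})
        entry["sources"].add(source)
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["confidence"] = max(entry["confidence"], confidence)
    cutoff = now - timedelta(days=max_age_days)
    active = [e for e in merged.values() if e["last_seen"] >= cutoff]
    stale = [e for e in merged.values() if e["last_seen"] < cutoff]
    return active, stale, rejected


def build_demo_dataset(max_age_days=14):
    records = [*parse_csv_feed(FEED_CSV, "csv-feed"),
               *parse_json_feed(FEED_JSON, "json-feed"),
               *parse_txt_feed(FEED_TXT, "txt-blocklist", NOW)]
    return build_dataset(records, NOW, max_age_days)


if __name__ == "__main__":
    active, stale, rejected = build_demo_dataset()
    for e in active:
        print(e["type"], e["indicator"], sorted(e["sources"]), e["confidence"], e["last_seen"].date())
    print("stale:", [e["indicator"] for e in stale], "rejected:", rejected)
```

Two choices matter in practice: the merge keeps the highest confidence and the latest sighting across feeds rather than the first one seen, and the stale and rejected sets are returned rather than discarded, so feed quality and shelf life (the concerns raised elsewhere on this page) stay visible.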
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014 (Santiago Bassett)
Threat Intelligence has become increasingly important as the number and severity of threats are growing continuously. We live in an era where our prevention technologies are not enough anymore: antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed, and attackers’ techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component of mitigating cyber-attacks.
In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we’ll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools.
The industry’s reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) for describing and sharing cyber intelligence, as well as Open Source frameworks such as CIF (Collective Intelligence Framework) that allow you to combine different threat sources.
One of the biggest problems with Threat Intelligence is finding out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most out of your Threat Intelligence.
Presenters: Jaime Blasco and Santiago Bassett
Cornerstones of Trust 2014:
https://www.cornerstonesoftrust.com
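The last step the talk describes, turning indicators into detection content for Suricata and Yara, as an added example that is not the presenters' code and not part of the original page. It takes a constructed list of already-typed indicators and emits a Suricata rule for each network-observable type (IP, domain, URL) and a Yara hash rule for file hashes, which have no sensible network signature. The $HOME_NET variable, the sid range starting at 9000000 and the rule wording are assumptions; the indicator values are documentation-range and reserved names.

```python
import re
from urllib.parse import urlsplit

# Constructed, already-typed indicators (documentation IP, reserved .test TLD, MD5 of the empty string).
SAMPLE_INDICATORS = [
    ("ipv4", "198.51.100.23"),
    ("domain", "evil-example.test"),
    ("url", "http://evil-example.test/payload.bin"),
    ("md5", "d41d8cd98f00b204e9800998ecf8427e"),
]


def escape_content(s):
    """Suricata requires ; " backslash and | to be backslash-escaped inside msg: and content: strings."""
    return re.sub(r'([;"\\|])', r'\\\1', s)


def suricata_rule(kind, value, sid):
    """Return one Suricata rule for a network-observable indicator, or None for host-only types."""
    msg = escape_content(f"TI {kind} {value}")
    tail = f"sid:{sid}; rev:1;)"
    if kind == "ipv4":
        # Any internal host talking to the listed address, regardless of protocol.
        return f'alert ip $HOME_NET any -> {value} any (msg:"{msg}"; {tail}'
    if kind == "domain":
        # dns.query sticky buffer; endswith also catches subdomains of the listed name.
        return (f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; '
                f'content:"{escape_content(value)}"; nocase; endswith; {tail}')
    if kind == "url":
        u = urlsplit(value)
        return (f'alert http $HOME_NET any -> any any (msg:"{msg}"; '
                f'http.host; content:"{escape_content(u.hostname)}"; '
                f'http.uri; content:"{escape_content(u.path or "/")}"; {tail}')
    return None


def yara_rule(kind, value, name):
    """File hashes are matched on the host (Yara, OSSEC), not on the wire."""
    if kind not in ("md5", "sha1", "sha256"):
        return None
    return ('import "hash"\n'
            f'rule {name}\n{{\n'
            '    meta:\n        source = "threat-intel"\n'
            '    condition:\n'
            f'        hash.{kind}(0, filesize) == "{value.lower()}"\n'
            '}')


def generate(indicators, base_sid=9000000):
    """Split a typed indicator list into Suricata rules (unique sids) and Yara rules."""
    suricata, yara = [], []
    for kind, value in indicators:
        rule = suricata_rule(kind, value, base_sid + len(suricata))
        if rule:
            suricata.append(rule)
            continue
        yrule = yara_rule(kind, value, f"ti_hash_{len(yara) + 1}")
        if yrule:
            yara.append(yrule)
    return suricata, yara


if __name__ == "__main__":
    suri, yar = generate(SAMPLE_INDICATORS)
    print("\n".join(suri))
    print("\n\n".join(yar))
```

The escaping is the part people get wrong: an indicator containing a quote or semicolon, pasted raw into a content: match, breaks the rule file or silently changes what it matches. Note also that the domain rule uses endswith, so a listed name also alerts on its subdomains and on longer names that merely end in the same string; tighten with bsize: if exact matching is wanted.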
This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM). Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.
Threat Hunting 101: Intro to Threat Detection and Incident Response (Infocyte)
Join Infocyte's Vice President of Customer and Partner Success, Chris Mills, for Threat Hunting 101: An intro to using Infocyte HUNT to detect, investigate, and respond to advanced persistent threats, file-less malware, and other sophisticated attacks.
Beyond these slides, please reference the video for additional insight and instruction on how to use our Threat Hunting and Incident Response platform.
A discussion of the traditional threat intelligence model, exploring advanced approaches that reduce manual intervention and turn raw data into actionable threat intelligence.
Slides of the talk delivered by Chandra Ballabh in the August, 2019 Meetup of Combined OWASP Delhi and nullDelhi at Thoughtworks, Delhi
Threat intelligence is knowledge that allows you to prevent or mitigate cyberattacks. Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like who is attacking you, what their motivations and capabilities are, and what indicators of compromise in your systems to look for.
reference:https://www.recordedfuture.com/threat-intelligence-definition/
Speaker at the IDC IT Security Roadshow 2017 in Doha. It was a one day event bringing together some Security Vendors and End User folks to present and discuss security related topics. The event midway was split into two tracks: A - Threat Intelligence and B - Securing the Endpoint to the cloud. My End User Presentation (Track A) covered Threat Intelligence. There were some interesting speakers and audience Q & A discussions followed by a networking lunch to boot. The venue at the Shangri La Hotel in Doha provided a great space and good networking opportunity.
My Presentation on Career Opportunities in Cyber Security presented at the North Cap University during the course inauguration ceremony, where I talked about different career paths to get into the cyber security domain.
Threat hunting - Every day is hunting season (Ben Boyd)
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
Your SCADA system has a vulnerability, now what? I briefly summarize the DNP3 vulnerabilities (and those in other ICS protocols too). Then I focus on the different mitigations that an ICS owner can apply to these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.
Protecting the Crown Jewels from Devastating Data Breaches (Lancope, Inc.)
Whether they realize it or not, all enterprises have valuable data to protect. Credit card information, trade secrets, and patient data, for example, are all prime targets for cyber criminals.
You can reduce risk to your sensitive data through the use of compliance/segmentation monitoring. But what happens when malicious insiders or external attackers bypass these controls?
Join Lancope’s Consulting Security Architect, Charles Herring, to learn how network behavioral anomaly detection (NBAD) and deep visibility through NetFlow can be used to quickly alert administrators to these violations. Discover how to detect anomalies such as data hoarding and data loss to more effectively safeguard your crown jewels.
SCADA Security: The Five Stages of Cyber Grief (Lancope, Inc.)
Learn the five stages of grief that organizations seem to pass through as they come to terms with security risks and how far we’ve come regarding Industrial Control Systems.
Presented @ Frederick Linux Users Group (KeyLUG)
May 7, 2016
A presentation on protecting Small Office/Home Office (SOHO) networks that I made at the Frederick Linux Users Group (KeyLUG). I work virtually from my home, and this presentation goes through some of my experiences setting up my home network to be better and more secure. I ditched my consumer-grade NAT router and have installed a firewall, commercial-grade wireless access points, and an intrusion detection system (IDS). I'm not finished yet, but this presentation will give you an idea of some of the things that I've done, where I'm thinking about going, and some things to consider as you set up your own network.
PowerUp - Automating Windows Privilege Escalation (Will Schroeder)
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Network Security and Visibility through NetFlow (Lancope, Inc.)
With the rise of disruptive forces such as cloud computing and mobile technology, the enterprise network has become larger and more complex than ever before. Meanwhile, sophisticated cyber-attackers are taking advantage of the expanded attack surface to gain access to internal networks and steal sensitive data.
Perimeter security is no longer enough to keep threat actors out, and organizations need to be able to detect and mitigate threats operating inside the network. NetFlow, a context-rich and common source of network traffic metadata, can be utilized for heightened visibility to identify attackers and accelerate incident response.
Join Richard Laval to discuss the security applications of NetFlow using StealthWatch. This session will cover:
- An overview of NetFlow, what it is, how it works, and how it benefits security
- Design, deployment, and operational best practices for NetFlow security monitoring
- How to best utilize NetFlow and identity services for security telemetry
- How to investigate and identify threats using statistical analysis of NetFlow telemetry
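The kind of statistical analysis of flow telemetry this session and the "crown jewels" webinar above describe (data loss to the outside and data hoarding from internal servers), as an added example that is not StealthWatch code and not part of the original page. It runs over constructed unidirectional flow records (day, source, destination, bytes) covering a quiet baseline week and one bad day, builds each internal host's own baseline for three metrics, and flags the day's value when it deviates by a median/MAD robust z-score. The RFC 1918 ranges as "internal", the 3.5 threshold, the 3x fallback for flat baselines and all traffic volumes are assumptions for the demo.

```python
import ipaddress
from collections import defaultdict
from statistics import median

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def constructed_flows():
    """Constructed unidirectional flow records (day, src, dst, bytes), a subset of NetFlow v5/v9 fields.

    Days 1-7 are a quiet baseline; on day 8 host 10.0.0.5 pushes 400 MB out to an external
    address (data loss) and 10.0.0.9 pulls 15 MB from each of 30 internal servers (data hoarding).
    """
    flows = []
    for day in range(1, 8):
        flows.append((day, "10.0.0.5", "203.0.113.7", 5_000_000 + day * 10_000))
        flows.append((day, "10.0.0.9", "203.0.113.7", 1_000_000))
        for srv in range(1, 4):
            flows.append((day, f"10.0.1.{srv}", "10.0.0.9", 2_000_000))
    flows.append((8, "10.0.0.5", "203.0.113.7", 400_000_000))
    flows.append((8, "10.0.0.9", "203.0.113.7", 1_000_000))
    for srv in range(1, 31):
        flows.append((8, f"10.0.1.{srv}", "10.0.0.9", 15_000_000))
    return flows


def daily_metrics(flows):
    """Per (day, internal host): bytes sent to external addresses, bytes received from
    internal hosts, and the set of distinct internal senders."""
    m = defaultdict(lambda: {"out_ext": 0, "in_int": 0, "in_peers": set()})
    for day, src, dst, nbytes in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and not dst_in:
            m[(day, src)]["out_ext"] += nbytes
        elif src_in and dst_in:
            m[(day, dst)]["in_int"] += nbytes
            m[(day, dst)]["in_peers"].add(src)
    return m


METRICS = {
    "outbound_external_bytes": lambda e: e["out_ext"],   # data loss / exfiltration
    "inbound_internal_bytes": lambda e: e["in_int"],     # data hoarding
    "internal_peers": lambda e: len(e["in_peers"]),      # hoarding fan-in
}


def robust_score(x, history):
    """Median/MAD z-score: resistant to a few noisy baseline days, unlike mean/stddev.
    With a flat baseline (MAD 0) fall back to a 3x-the-median ratio test."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0:
        return float("inf") if x > 3 * med else 0.0
    return (x - med) / (1.4826 * mad)


def detect(flows, today, threshold=3.5):
    """Return {host: [(metric, today_value, baseline_median), ...]} for hosts whose activity on
    `today` deviates from their own prior days by more than `threshold` robust standard deviations."""
    m = daily_metrics(flows)
    empty = {"out_ext": 0, "in_int": 0, "in_peers": set()}
    hosts = {host for (_, host) in m}
    baseline_days = sorted({d for (d, _) in m if d < today})
    findings = defaultdict(list)
    for host in sorted(hosts):
        for name, fn in METRICS.items():
            history = [fn(m.get((d, host), empty)) for d in baseline_days]
            x = fn(m.get((today, host), empty))
            if history and robust_score(x, history) > threshold:
                findings[host].append((name, x, median(history)))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in detect(constructed_flows(), today=8).items():
        for metric, value, base in hits:
            print(f"{host}: {metric} today={value} baseline_median={base}")
```

Each host is compared against its own history rather than against a global threshold, which is what keeps a backup server's normal multi-gigabyte transfers from drowning out a workstation that suddenly sends 400 MB. The median/MAD score is used instead of mean/standard deviation so that one noisy day in the baseline does not inflate the spread and hide the anomaly; the flat-baseline fallback exists because MAD is zero for a host that does exactly the same thing every day.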
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th... (Resilient Systems)
Industrial Control Systems (ICS) refer to various types of technology that control physical infrastructure ranging from industrial production - like valves in a manufacturing plant, to environment controls - like lighting and cooling systems in an office building. Think you don't have ICS on your network? Think again. Data centers, offices and corporate campuses rely on Industrial Control Systems to operate. In fact, virtually every modern building, and corporate campus around the world plays host to environmental controls, building entry systems, safety systems, and many other automation systems that are considered ICS.
As with any system, ICS have known vulnerabilities, which now that they are network-accessible represent a tantalizing target for attackers. Why bother trying to defeat carefully constructed network security measures if you can more easily turn on the sprinkler system and bring down the entire data center?
This webinar will review ICS basics and then detail their various security risks. It will also recommend general do's and don'ts when dealing with ICS. Our featured speakers for this timely webinar are:
- Billy Rios, Technical Director at Cylance. Billy is a seasoned security professional whose background spans both the military and the private sector. He is a noted expert in ICS security.
- Ted Julian, Chief Marketing Officer at Co3 Systems. Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.
2015 Global APT Summit - Understanding APT threat agent characteristics is ke... (Matthew Rosenquist)
APT attacks originate from people, against a specific target, for an explicit malicious purpose. Attempting to protect all assets from every type of attack is not reasonable or sustainable. Understanding the archetypes of Threat Agents is key to an effective defense. Knowing the capabilities, objectives, and most likely methods of APTs targeting your organization provides predictive insights to where prevention, detection, and response tools and processes will have maximum impact. Such analysis complements the traditional vulnerability management structures which look generically for weaknesses.
Matthew Rosenquist's Understanding APT Threat Agent Characteristics is Key to Prioritizing Risks presentation at the 2015 Global APT Defense Summit in Los Angeles. Prioritizing risks is critical for any sustainable security capability. Understanding the abilities, methods, and objectives of advanced attackers is key in identifying the most critical vulnerabilities and the proper allocation of resources to manage risks.
How to keep your head (and your job) when the worst-case scenario happens.
Due to the increasing frequency of security breaches, defining an action plan is critical for every security practitioner. Getting breached doesn’t determine whether or not you’ve got a good security program in place – but how you respond to one does.
Join security expert Conrad Constantine of AlienVault, for an in-depth discussion on things you and your team should do today to prepare for information security breaches. You’ll get practical, lessons learned advice on:
- The inevitability of security breaches
- Preparing to survive security breaches
- Threat identification and containment
- Handling the aftermath so it’s not worse than the breach itself
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead (OpenDNS)
Practice makes perfect. And unfortunately for security professionals, attackers have realized that persistence is a powerful approach to breaching an organization's defenses.
Focusing on prevention alone is no longer a sufficient strategy for securing your organization against the business risks of a breach. Our current security environment demands an approach less centered on ideal prevention and more focused on reality. During this webcast, we discussed key strategies that limit your risk and exposure to unrelenting threats.
Some highlighted topics include:
- How the shift in attacker motivations has impacted today's threat landscape
- Why preventative techniques alone can no longer ensure a secure environment
- Which strategies need to be considered for a holistic approach to security
- What next steps you can take towards identifying your best strategy against attacks
This Solution Overview approaches the threat landscape from a holistic viewpoint and identifies strategies and techniques to establish a good defense. It discusses the concept of a "kill chain" and identifies key indicators for attack events, with a focus on network analysis.
Digital Forensics for Artificial Intelligence (AI) Systems (Mahdi Fahmideh)
AI systems make decisions that impact our daily life. Their actions might cause accidents or harm or, more generally, violate regulations, whether intentionally or not, and consequently such systems might be considered suspects in various events. In this lecture we explore how digital forensics can be performed for AI-based systems.
Improve Your Threat Intelligence Strategy With These Ideas (Recorded Future)
Threat intelligence is a massive subject, and it’s natural to want to produce the most comprehensive range of intelligence possible … but that’s not always useful. In fact it’s usually not.
By concentrating intelligence efforts on highly specific business objectives (e.g., to maintain or improve profitability), this broad subject can be narrowed down to the point where a small amount of highly valuable intelligence is produced.
With this principle firmly in mind, let’s look at some ways to enhance your threat intelligence strategy.
Cyber Space Operation - Offensive Cyber Space Operation (Rubal Sagwal)
Cyber Space, Cyber Space Operation, Defensive cyber space operation, offensive cyber space operation, objectives and techniques of cyber space operations.
Solving the Visibility Gap for Effective Security (Lancope, Inc.)
Network visibility is a vital component of an effective security strategy, but many organizations lack the ability to identify threat activity in their environment. At Cisco, we have assessed the networks of thousands of organizations, and in nearly every instance, we discovered undocumented hosts, risky user behavior, or malicious activity.
Whether it is rogue servers, unauthorized connections, or ongoing data breaches, we’ve harnessed the power of network visibility to identify a variety of suspicious and malicious activity. Now let us share our knowledge with you.
Join Jeff Moncrief, Systems Engineering Manager at Cisco, to learn:
- The reality of how vulnerable enterprise networks are from endpoint to edge
- The security benefits of end-to-end network visibility
- Common problems solved with network visibility
- Stories of real-life threats hidden on networks we’ve assessed
- How to turn your network into a security sensor to gain critical visibility and threat detection capabilities
The idea of a more connected world is an exciting prospect. The proliferation of Internet-enabled cars, appliances, medical devices, thermostats, and so on has already changed the way we live and will only continue to grow. Unfortunately, these devices are expanding an already large attack surface, and cybercriminals are eager to exploit them.
If we do not prepare for this influx of new, specialized devices on our networks, the Internet of Things (IoT) will leave gaping holes in our cybersecurity practices. But securing these many devices is a daunting task for even the bravest security professional.
Join Keith Wilson of Cisco Security for a webinar to discuss the security challenges related to IoT. Topics covered include:
-Why IoT devices can be difficult to secure
-Industries already affected by this trend such as health care, manufacturing, financial services and retail
-The various approaches to securing these devices
-How you can best keep IoT devices from becoming a security liability
Combating Insider Threats – Protecting Your Agency from the Inside Out (Lancope, Inc.)
When Edward Snowden leaked classified information to the mainstream media, it brought the dangers posed by insider threats to the forefront of public consciousness, and not without reason. Today’s agencies are preoccupied with fears of sophisticated external cyber-attacks, yet perhaps the most concerning type of attack out there is the insider threat. According to Forrester, abuse by malicious insiders makes up 25% of data breaches. Learn about the best practices and technologies you should be implementing now to avoid becoming the next victim of a high-profile attack.
- Become aware of the different types of insider threats, including their motives and methods of attack
- Understand why conventional security tools like firewalls, antivirus and IDS/IPS are powerless in the face of the insider threat
- Gain clarity on the various technologies, policies and best practices that should be put in place to help detect and thwart insider threats
- Discover how network logs, particularly NetFlow, can be used to cost-effectively monitor for suspicious insider behaviors that could indicate an attack
- Know about emerging attack methods such as muleware that could further escalate insider threats in the coming years
While the current threat landscape is full of sophisticated and well-resourced adversaries, one of the most dangerous is the insider because they already have access to the sensitive data on your network.
According to a report from Forrester Research, nearly half of technology decision makers who experienced a data breach in the year studied reported that an internal incident was the source of their compromise.
Since firewalls and perimeter defenses are largely incapable of addressing insider threats, organizations must turn to internal network monitoring and analytics to identify threats based on their behavior.
Join us for a free webinar on the Five Signs You Have an Insider Threat to learn what to look for to protect your organization from this challenging attack type. The webinar will cover topics including:
- Insider threat prevalence
- Major signs of insider threat activity
- How to detect these signs
- How to identify an insider threat before they impact your organization
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ISE and TrustSec (Lancope, Inc.)
Recent breaches have demonstrated that insider threats and determined attackers are effectively able to operate on the network interior where they can wreak havoc on an organization. As a result, it has become necessary to implement security policies inside the network. This webinar describes a data intelligence-driven approach to dynamically segmenting the network to control threats and protect the enterprise through the use of NetFlow and Lancope’s StealthWatch® System in combination with Cisco ISE and TrustSec.
This webinar will cover:
• design and deployment scenarios
• use cases
• best practices
• configuration examples
• forward-leaning vision
The primary takeaway of this webinar is a methodology for leveraging StealthWatch to drive segmentation policies and control threats on the network interior.
Detecting Threats: A Look at the Verizon DBIR and StealthWatch - Lancope, Inc.
A common theme in data breach investigations is the deficit between the time it takes an attacker to compromise a system and the time it takes for the defender to detect the attack. In many cases, victim organizations do not know they have been breached for weeks or months after the initial compromise, while attackers can gain access in a matter of minutes or hours.
The StealthWatch® System can drastically reduce the time to identify threats, giving security personnel a window of opportunity to mitigate an attack before valuable data is lost. This webinar will cover how StealthWatch quickly detects a variety of malicious activity, using threat information from the Verizon 2015 Data Breach Investigations Report as a backdrop.
Participants will learn how StealthWatch can quickly detect:
- Crimeware
- Insider threats
- Point-of-sale (POS) intrusions
- Cyber-espionage
So You Want a Threat Intelligence Function (But Were Afraid to Ask) - Lancope, Inc.
Today’s advanced threats and targeted attacks necessitate the collection, analysis and use of threat intelligence for effective cyber security. What was once the realm of government organizations is now something that all organizations should be focusing on, but few know where to start.
Join Gavin Reid, Lancope’s Vice President of Threat Intelligence, for a complimentary webinar to learn the ins and outs of threat intelligence and best practices for incorporating it into your security strategy. Topics covered will include:
- What threat intelligence is
- Best practices for developing a threat intelligence function
- Common pitfalls to avoid when setting up a threat intelligence practice
- How threat intelligence fits into the other components of an enterprise security strategy
Extending Network Visibility: Down to the Endpoint - Lancope, Inc.
In today’s world of constantly evolving security threats and attack vectors, organizations need to be vigilant about monitoring their network infrastructure. The network perimeter and security infrastructure is often challenged with the adoption of mobile devices, cloud, and BYOD policies. The need for visibility into endpoint activity has become more important than ever.
Join Josh Applebaum (Ziften), Matthew Frederickson, (Council Rock School District) and Peter Johnson (Lancope) for a complimentary webinar to learn how you can achieve real-time network visibility and intelligence for improved incident response.
Discover how you can:
- Achieve additional visibility and context to network activity
- Enhance your existing security investments (NetFlow, Firewall, SIEM, threat intelligence)
- Improve incident response by obtaining real-time and historical endpoint data
Save Your Network – Protecting Manufacturing Data from Deadly Breaches - Lancope, Inc.
As recent events have proven, manufacturing organizations are especially vulnerable to cyber-attacks due to the amount of valuable data they maintain. With advanced attacks becoming so ubiquitous, how can manufacturing organizations protect their data and avoid becoming the next high-profile victim in the headlines?
The answer lies in network visibility. Manufacturing providers and others are invited to join this complimentary webinar to learn how to:
- Cost-effectively transform their network into a sensor grid for detecting sophisticated attacks
- Quickly uncover suspicious behaviors associated with zero-day attacks, APTs, insider threats and other risks that frequently evade conventional defenses
- Protect their reputation by thwarting attacks before they lead to devastating data loss
The Seven Deadly Sins of Incident Response - Lancope, Inc.
According to a recent study from Cisco, organizations show high levels of confidence in their security policies; but when it comes to their ability to scope and contain compromises, their confidence drops significantly.
Such statistics demonstrate that organizations continue to struggle with incident response.
Join Lancope’s security researcher, Brandon Tansey, and 451 Research’s senior analyst, Javvad Malik, to learn how to avoid The Seven Deadly Sins of Incident Response, and what you can do to improve your organization’s security posture.
Sins include:
- Lack of visibility/not understanding your environment
- Inability to separate the signal from the noise
- Modeling use cases on defenses, not attackers
Save Your Network – Protecting Healthcare Data from Deadly Breaches - Lancope, Inc.
As recent events have proven, healthcare organizations are especially vulnerable to cyber-attacks due to the amount of valuable data they maintain. With advanced attacks becoming so ubiquitous, how can healthcare organizations protect patient data and avoid becoming the next high-profile victim in the headlines?
The answer lies in network visibility. Healthcare providers and others are invited to join this complimentary webinar to learn how to:
- Cost-effectively transform their network into a sensor grid for detecting sophisticated attacks
- Quickly uncover suspicious behaviors associated with zero-day attacks, APTs, insider threats and other risks that frequently evade conventional defenses
- Protect their reputation by thwarting attacks before they lead to devastating data loss
Using Your Network as a Sensor for Enhanced Visibility and Security - Lancope, Inc.
Driven by the mobility, cloud computing, and Internet of Everything megatrends and fueled by increasingly sophisticated cybercriminals, today’s information landscape is more dynamic and more vulnerable than ever before.
Join Cisco and Lancope for a complimentary webinar to learn how you can implement a comprehensive, network-enabled approach to cybersecurity.
During the webinar we will discuss:
- Using the Network as a Security Sensor with Lancope’s StealthWatch System and Flexible NetFlow to obtain visibility at scale, monitor network activity efficiently, discover security incidents quickly, and help achieve compliance.
- Using the Network as a Security Enforcer with Cisco TrustSec to ensure policy-based access control and network segmentation for containment of network attacks, assist compliance and reduce the risk of data breaches.
SCADA Security: The Five Stages of Cyber Grief - Lancope, Inc.
Every time a new information technology finds its way into production, it seems as though we end up repeating the same process – security vulnerabilities will be discovered and disclosed in that technology, and users and vendors will deny that the risks are significant. Only after major attacks occur do we really start to see efforts to address the inherent risks in a systematic way.
We’re falling into this exact same trap again with Industrial Control and SCADA systems, but in this case the problem is worse, because the inherent nature of control systems prevents us from applying many of the strategies that have been used to protect other kinds of computer networks.
Join Lancope’s Director of Security Research, Tom Cross, for a look at the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems.
Hear about:
- The state of Control Systems security vulnerabilities
- Attack activity that is prompting a change in perspective
- The unique, long-term challenges associated with protecting SCADA networks
- How anomaly detection can play a key role in protecting SCADA systems now
Signature detection of attacks requires an understanding of what is “bad” traffic. Unfortunately, advanced attackers are crafting innovative and persistent attacks that create a new brand of “bad” that has no signature. Today’s organizations must instead embrace more forward-thinking security measures such as behavioral analysis in order to identify threats that bypass conventional defenses.
Join this complimentary webinar to learn how real-world breaches over the last couple of years were detected by looking at traffic deviating from normal patterns via metadata/NetFlow analysis.
Discover how:
- Sophisticated attackers are bypassing conventional, signature-based security solutions
- NetFlow analysis can detect both known and unknown threats by identifying anomalous behaviors that could signify an attack
- Leveraging flow data can significantly improve threat detection, incident response and network forensics
Cisco CSIRT Case Study: Forensic Investigations with NetFlow - Lancope, Inc.
Cisco CSIRT uses NetFlow to collect 16 billion flows from Cisco’s 175TB of traffic observed daily. The data is used to monitor, investigate, and contain incidents using 3 key playbook “plays” each day.
Two leaders from Cisco's Computer Security Incident Response Team (CSIRT) will review a real cyber incident and the resulting investigation leveraging NetFlow collected via the StealthWatch System.
Participants will learn how to use NetFlow and the StealthWatch System to:
- Investigate top use cases: C&C discovery, data loss and DoS attacks
- Gain contextual awareness of network activity
- Accelerate incident response
- Minimize costly outages and downtime from threats
- Protect the evolving network infrastructure
- Provide forensic evidence to prosecute adversaries
Protecting Financial Networks from Cyber Crime - Lancope, Inc.
Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach.
By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions.
Attend this informational webinar, conducted by Lancope’s Director of Security Research, Tom Cross, to learn:
- How NetFlow can help quickly uncover both internal and external threats
- How pervasive network insight can accelerate incident response and forensic investigations
- How to substantially decrease enterprise risks
Reverse Engineering Malware: A Look Inside Operation Tovar - Lancope, Inc.
Join us as we step through the reverse engineering of CryptoLocker, identifying important functionality and weaknesses. We'll demonstrate how we were able to use this information to help protect our customers months ago, the weaknesses that the Department of Justice took advantage of, and how you can do the same for other types of malware down the line.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Removing Uninteresting Bytes in Software Fuzzing - Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GraphRAG is All You Need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs - Alex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... - SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Climate Impact of Software Testing at Nordic Testing Days - Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added to the quality characteristics and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
The Library of Sparta
1. The Library of Sparta
David Raymond
Greg Conti
Tom Cross
http://upload.wikimedia.org/wikipedia/commons/0/08/Jean-Jacques-Fran%C3%A7ois_Le_Barbier_-_A_Spartan_Woman_Giving_a_Shield_to_Her_Son.jpg
2. Why, So What, and Who Cares…
You used to be fighting individuals . . . now you are defending yourselves against nation-states
4. Foundations of Military Doctrine
Everything in war is very simple. But the simplest thing is difficult.
- Carl von Clausewitz
5. Sources of Military Thought
● Military Theorists
● Doctrinal Manuals
● Print and Online Journals
§ Small Wars Journal
§ Parameters
§ Military Review
§ SIGNAL
§ … many more
● Policies
6. An Anathema to Some
“The most difficult thing about planning against the Americans, is that they do not read their own doctrine, and they would feel no particular obligation to follow it if they did.”
Admiral Sergey Gorshkov, Commander, Soviet Naval Forces, 1956 - 1985
7. Kill Chain
Find → Fix → Track → Target → Engage → Assess
● US Air Force targeting methodology dating to the late 1990s
● Also referred to by the clever acronym F2T2EA
"In the first quarter of the 21st century, it will become possible to find, fix or track, and target anything that moves on the surface of the Earth."
GEN Ronald R. Fogleman, USAF Chief of Staff, October 1996
8. Cyber Kill Chain
● Cyber Kill Chain first proposed in a 2010 Lockheed-Martin whitepaper: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, by Hutchins et al.
*Image source: NoVA Infosec, “Cyber Kill Chain 101.” May 2013, https://www.novainfosec.com/2013/05/29/cyber-kill-chain-101/
9. The Value of the Kill Chain
● Drives the defender to take a comprehensive view of the lifecycle of an attack rather than focusing on a single stage.
● Provides a framework for organizing artifacts of an attack collected during an investigation.
● Turns asymmetry on its head – the attacker must remain covert through each stage of their operation – each stage presents the defender with an opportunity to detect the attack.
10. Cyber Terrain Analysis (OCOKA)
● Observation and Fields of Fire
What portions of my network can be seen from where?
● Cover and Concealment
What can I hide from observation?
● Obstacles
How can I make my network harder to attack?
● Key Terrain
Cyber terrain that can provide a ‘marked advantage’
● Avenues of Approach
Don’t just think of routers and cables . . .
11. Cyberspace Planes and Cyber Terrain
● Supervisory plane
o Command and Control
● Cyber persona plane
o Persons or ‘accounts’
● Logical plane further divided into the top 6 OSI layers (data link – application)
o Operating system and application programs
o Services – web, email, file systems
o Logical network protocols
● Physical plane == OSI PHY layer (layer 1)
o Network devices – switches, routers
● Geographic plane == physical location
o Location in which an info system resides
Most references to cyber terrain consider only the physical plane.
For more on cyber terrain and cyber key terrain, see Raymond et al., “Key Terrain in Cyberspace: Seeking the High Ground,” in 6th Annual NATO Conference on Cyber Conflict, Tallinn, Estonia, June 2014.
12. Leveraging Cyber Key Terrain
An approach to leveraging key terrain emerges from considering the terrain analysis as an attacker and as a defender.
As a defender:
o Identify Potentially Targeted Assets
o Enumerate Avenues of Approach
o Consider Observation and Fields of Fire
o Place Obstacles, Cover, and Concealment
13. Observation and Fields of Fire
What does an attacker need access to in order to observe or attack a particular interface associated with a potentially targeted asset?
This is an iterative analysis. For example, if the attacker needs access to a particular network in order to reach a critical asset, how can that network, in turn, be accessed?
It is through this iterative analysis that a picture of Key Terrain begins to emerge, which includes highly interconnected resources as well as resources with connectivity to critical assets.
It’s important to consider terrain that your organization doesn’t control – attacks on supply chain integrity, watering-hole attacks, etc.
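The iterative "what can reach this asset, and what can reach that?" analysis on this slide is a reverse graph search, and Key Terrain falls out of it as the nodes that sit on avenues to many critical assets. The following is an added example, not part of the original deck: it runs that analysis over a small constructed network model, flagging avenues that pass through terrain the organization does not control. The node names, edges and the scoring weight are assumptions for illustration.

```python
from collections import deque

# Directed reachability graph, constructed for this example: an edge A -> B
# means that whoever controls A can observe or attack an interface on B.
REACH = {
    "internet":    ["vpn-gw", "web-dmz", "mail-relay"],
    "vendor-site": ["jump-host"],          # terrain the organization does not control
    "vpn-gw":      ["jump-host", "corp-lan"],
    "web-dmz":     ["app-tier"],
    "mail-relay":  ["corp-lan"],
    "corp-lan":    ["jump-host", "file-server", "ad-dc"],
    "jump-host":   ["ad-dc", "db-cluster", "scada-hmi"],
    "app-tier":    ["db-cluster"],
    "ad-dc":       ["db-cluster", "file-server", "corp-lan", "jump-host"],
    "db-cluster":  [],
    "file-server": [],
    "scada-hmi":   [],
}
CRITICAL_ASSETS = {"db-cluster", "scada-hmi"}
UNCONTROLLED = {"internet", "vendor-site"}


def reverse_graph(graph):
    """Invert the edges so we can ask 'who can reach X?' instead of 'what can X reach?'."""
    rev = {node: [] for node in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def avenues_of_approach(graph, asset):
    """The iterative analysis from the slide: start at the asset, ask what can
    reach it, then what can reach that, and so on (breadth-first over the
    reversed graph). Returns {node: hops_to_asset} for every avenue."""
    rev = reverse_graph(graph)
    hops = {asset: 0}
    queue = deque([asset])
    while queue:
        node = queue.popleft()
        for prev in rev.get(node, []):
            if prev not in hops:
                hops[prev] = hops[node] + 1
                queue.append(prev)
    del hops[asset]  # the asset itself is the target, not an avenue
    return hops


def key_terrain(graph, critical, top=3):
    """Rank non-critical nodes as candidate key terrain. Connectivity to
    critical assets dominates (weight 10 per asset reachable, an assumed
    weight); interconnectedness (in + out degree) breaks ties."""
    rev = reverse_graph(graph)
    reach_count = {node: 0 for node in graph}
    for asset in critical:
        for node in avenues_of_approach(graph, asset):
            reach_count[node] += 1
    scored = []
    for node in graph:
        if node in critical:
            continue
        degree = len(graph[node]) + len(rev[node])
        scored.append((node, reach_count[node] * 10 + degree))
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored[:top]


def uncontrolled_approaches(graph, asset, uncontrolled):
    """Avenues that start in terrain you do not control (supply chain,
    watering holes): these can only be monitored at the boundary, not hardened."""
    return sorted(set(avenues_of_approach(graph, asset)) & uncontrolled)


if __name__ == "__main__":
    for asset in sorted(CRITICAL_ASSETS):
        print(asset, "<-", avenues_of_approach(REACH, asset))
        print("  via uncontrolled terrain:",
              uncontrolled_approaches(REACH, asset, UNCONTROLLED))
    print("key terrain:", key_terrain(REACH, CRITICAL_ASSETS))
```

In this model the jump host, the domain controller and the corporate LAN score highest, which is where a defender would concentrate observation (the next slides' "Fields of Fire") and obstacles.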
14. Lessons from Cyber Terrain Analysis
● Battlefield Terrain Analysis maps fairly closely to the sort of analysis that network security people perform when thinking about a network’s exposures.
● Defenders know the terrain they are defending – attackers must discover it through iterative reconnaissance.
● Defenders can exploit an attacker’s lack of knowledge of the terrain.
15. Denial*
● Denial includes those measures designed to hinder or deny the enemy the knowledge of an object, by hiding or disrupting the means of observation of the object.
● The basis of denial is dissimulation, the concealing of the truth.
* Counterdeception Principles and Applications for National Security, Bennett & Waltz
16. Deception*
● Deception is actions executed to deliberately mislead adversary military, paramilitary, or violent extremist organization decision makers, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission.
● The basis of deception is simulation, the presentation of that which is false.
* JP 3-13.4, Military Deception, 26 January 2012, available at https://publicintelligence.net/jcs-mildec/
17. Network Denial & Deception
On the Internet, there is no way to tell whether or not something is actually real.
● Denial
o Hidden file systems
o Real services on unusual ports
● Deception
o Fake database records (Canaries)
o Fake employees or user accounts
o Phoney systems and services
Remember - what is important to you isn’t necessarily what is important to your adversary.
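Fake database records only pay off if you can recognize one when it turns up somewhere it should not, such as an outbound mail log. The following is an added example, not from the original deck: it seeds decoy customer records whose e-mail addresses carry an HMAC tag, so any address seen in a log can be checked without consulting a list of planted values, and the planting label tells you which copy of the data leaked. The key, domain, record fields and log lines are all constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed for this example: the secret is known only to the defenders and
# the domain is one the organization controls but never uses for real mail.
CANARY_KEY = b"example-canary-key-rotate-me"
CANARY_DOMAIN = "mail.example.com"

# Matches e-mail addresses embedded anywhere in a log line.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _tag(label):
    """8-character base32 HMAC tag over the planting label. 40 bits rules out
    accidental matches; the tag does not need to resist brute force."""
    mac = hmac.new(CANARY_KEY, label.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode().lower()


def make_canary_record(label, name):
    """Decoy record for a customer table. `label` (no dots) names where the
    record was planted, e.g. which table or export, so a hit says which copy leaked."""
    local = f"{name.lower().replace(' ', '.')}.{label}.{_tag(label)}"
    return {"name": name, "email": f"{local}@{CANARY_DOMAIN}", "label": label}


def is_canary(email):
    """Return the planting label if `email` is one of our canaries, else None.
    Stateless: it recomputes the tag instead of looking the address up."""
    local, _, domain = email.lower().rpartition("@")
    if domain != CANARY_DOMAIN:
        return None
    parts = local.split(".")
    if len(parts) < 3:
        return None
    label, tag = parts[-2], parts[-1]
    return label if hmac.compare_digest(tag, _tag(label)) else None


def scan_logs(lines):
    """Scan mail-gateway, DLP or web-server lines for canary addresses.
    Returns (line_number, label, address) for every hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for addr in EMAIL_RE.findall(line):
            label = is_canary(addr)
            if label is not None:
                hits.append((lineno, label, addr))
    return hits


def demo():
    """Plant two canaries and scan constructed outbound-mail log lines."""
    crm = make_canary_record("crm-export", "Jane Doe")
    payroll = make_canary_record("hr-payroll", "Sam Roe")
    logs = [
        f"2024-06-01T10:02:11Z smtp-out from=bulk@example.com to={crm['email']}",
        "2024-06-01T10:02:12Z smtp-out from=bulk@example.com to=real.customer@example.net",
        # Looks like a canary but carries a forged tag: must not alert.
        "2024-06-01T10:05:40Z smtp-out to=jane.doe.crm-export.aaaaaaaa@mail.example.com",
        f"2024-06-01T10:07:03Z smtp-out from=it@example.com to={payroll['email']}",
    ]
    return scan_logs(logs)


if __name__ == "__main__":
    for lineno, label, addr in demo():
        print(f"ALERT line {lineno}: canary planted in '{label}' seen: {addr}")
```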
18. Exploiting the Human
● It is often observed that the human is the weakest link in any network defense.
● Often, the human is also the weakest link in any network offense.
● What are you doing in your network defense to exploit the human behind the attacks that are targeting you?
19. Operations Security (OPSEC)*
● The OPSEC process is a systematic method used to identify, control, and protect critical information and subsequently analyze friendly actions associated with military operations.
● The purpose of operations security (OPSEC) is to reduce the vulnerability of US and multinational forces from successful adversary exploitation of critical information. OPSEC applies to all activities that prepare, sustain, or employ forces.
● There is an entire Joint Publication on OPSEC... Joint Publication 3-13.3
* JP 3-13.3, Operations Security, 4 January 2012, available at https://publicintelligence.net/jcs-opsec/
20. So How Can Good OPSEC Help Me?
Attackers:
● Secrecy of the fact of the operation
o Avoiding detection
o When detected, appear to be something else
● Secrecy of information about the operation
o Protect details of the operation
o Prevent defenders who are aware of the operation from being able to stop it
o C&C addresses, vulnerabilities, malware samples, etc.
● Secrecy of the identity of the operators
o Prevent defenders from directly striking the attacker
o Is it possible to connect aspects of your operation to your real identity and location?
22. So How Can Good OPSEC
Help Me?
Defenders:
● What can attackers learn about your organization
through open sources?
o Material for Spear Phishing attacks
o Aspects of your Information Security Program
o What products do you use?
o What do your IT staff say on their resumes, LinkedIn profiles, and Twitter accounts?
● It's hard for large commercial organizations to maintain good OPSEC - focus on the most important secrets.
23. The OPSEC Process from JP 3-13.3
1. Identification of Critical Information
What are you trying to protect?
2. Analysis of Threats
Who is trying to get it?
3. Analysis of Vulnerabilities
How might they get to it?
4. Assessment of Risk
Risk = threat × vulnerability; what are you willing to accept?
5. Application of Appropriate Operations Security Countermeasures
Plug the holes!
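The five steps above can be run as a small, repeatable assessment rather than a one-off discussion. As an added example (not from the original deck or from JP 3-13.3), the Python below carries one constructed inventory through all five steps: the critical-information items, the threat and vulnerability scores, the open-source exposure channels and the countermeasure names are all hypothetical placeholders. Risk is computed exactly as the slide states it, threat × vulnerability, and only findings above the accepted level come back, highest first, so the last step works from the top of the list.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Exposure:
    channel: str          # step 3: how the information could leak
    vulnerability: int    # 1 (hard for an adversary to observe) .. 5 (trivially observable)
    countermeasure: str   # step 5: what closes this channel


@dataclass
class CriticalInfo:
    name: str             # step 1: what you are trying to protect
    threat: int           # step 2: 1..5, adversary interest and ability to collect it
    exposures: List[Exposure] = field(default_factory=list)


def risk(threat: int, vulnerability: int) -> int:
    """Step 4, as the slide states it: Risk = threat x vulnerability (1..25 on these scales)."""
    return threat * vulnerability


def assess(items: List[CriticalInfo], accept_at_or_below: int) -> List[Tuple[str, str, int, str]]:
    """Return (item, channel, risk, countermeasure) for every exposure whose risk
    exceeds the accepted level, highest risk first."""
    findings = []
    for item in items:
        for exp in item.exposures:
            r = risk(item.threat, exp.vulnerability)
            if r > accept_at_or_below:
                findings.append((item.name, exp.channel, r, exp.countermeasure))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


# Constructed inventory (hypothetical scores and channels; the deck gives the process, not data).
CRITICAL_INFO = [
    CriticalInfo("Security product stack and versions", threat=5, exposures=[
        Exposure("Job postings listing required tool experience", 4, "Use generic skill wording in postings"),
        Exposure("IT staff resumes and social profiles", 5, "Staff guidance: no product names or versions"),
        Exposure("Vendor case study naming the organization", 2, "Review marketing references before release"),
    ]),
    CriticalInfo("Incident response playbook contents", threat=4, exposures=[
        Exposure("Shared on internal wiki with broad access", 3, "Restrict wiki ACL to the IR team"),
        Exposure("Conference talk slides", 2, "Pre-publication review"),
    ]),
    # High exposure but no adversary interest: the slide's point that what matters
    # to you is not necessarily what matters to your adversary.
    CriticalInfo("Cafeteria menu", threat=1, exposures=[
        Exposure("Public web page", 5, "None needed"),
    ]),
]


if __name__ == "__main__":
    for name, channel, r, fix in assess(CRITICAL_INFO, accept_at_or_below=10):
        print(f"risk {r:2d}  {name} via {channel}  ->  {fix}")
```

With an acceptance level of 10, the fully public cafeteria menu (risk 5) and the vendor case study (risk 10) drop out, and the staff-profile and job-posting channels come first. Keeping the threshold explicit is what turns "what are you willing to accept?" into a recorded decision rather than an implicit one.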
25. Doctrinal Definition of Intelligence
● Joint Publication 2-0, Joint Intelligence*:
“The product resulting from the collection, processing,
integration, evaluation, analysis, and interpretation of
available information concerning foreign nations,
hostile or potentially hostile forces or elements, or
areas of actual or potential operations.”
● In practice, it is a thorough analysis and
understanding of the threat’s capabilities,
strategy, and tactics and how they can be used on the
cyber terrain comprising your operational
environment.
* Definition from JP 2-0, Joint Intelligence, 22 October 2013, available at http://www.dtic.mil/doctrine/index.html
26. The Intelligence Cycle
● Planning and direction
● Collection
● Processing and exploitation
● Analysis and production
● Dissemination and integration
● Evaluation and feedback
“Nothing is more worthy of the attention of a good general than the endeavor to penetrate the designs of the enemy.”
Niccolò Machiavelli, Discourses, 1517
http://armypubs.army.mil/doctrine/DR_pubs/dr_a/pdf/adrp2_0.pdf
27. Characteristics of Effective Intelligence
Information Quality Criteria
● Accuracy
● Timeliness
● Usability
● Completeness
● Precision
● Reliability
Additional Criteria
● Relevant
● Predictive
● Tailored
Commanders’ Considerations include:
● Reducing operational uncertainty
● Determining the appropriate balance between time allotted for collection and operational necessity
● Prioritizing finite resources and capabilities, including network bandwidth
● Employing internal and supporting intel assets, as well as planning, coordinating, and articulating requirements to leverage the entire intelligence enterprise
http://armypubs.army.mil/doctrine/DR_pubs/dr_a/pdf/adrp2_0.pdf
28. Tactics, Techniques, and Procedures (TTPs)*
Tactics - The employment and ordered arrangement of
forces in relation to each other
Techniques - Non-prescriptive ways or methods used to
perform missions, functions, or tasks
Procedures - Standard, detailed steps that prescribe how
to perform specific tasks
The term TTP is used to refer broadly to the actions that one
might take in a particular problem domain.
* JP 1-02, DoD Dictionary of Military and Associated Terms, 8 Nov. 2010, available at http://www.dtic.mil/doctrine/
29. Risk Analysis
Intel Gain/Loss Calculus
● You’ve discovered an attacker in your network. You
could kick them out, but they’d notice that.
● How do you decide when to kick them out and when to
let them continue?
● Counter-intuitively, the risk of allowing them to
continue increases the more that you know about them.
30. The OODA Loop
● COL John Boyd, USAF
● Writings can be found at
http://dnipogo.org/john-r-boyd/, provided by the
Project on Government Oversight
Image from http://crossvale.com/blog/boiling-ocean-analysis-paralysis-and-ooda-loop
31. Simplified OODA in the Context of Time
● Intelligence
o Observation
o Orientation
● Execution
o Decision
o Action
32. OODA for Cyber Security
Conflict: Red vs. Blue
Spin your loop faster than your adversary
33. OODA Loop Summary*
● Observation and Orientation (OO) increase your perceptive boundaries
o Superior situational awareness
● The sampling rate of the OO is relative to the rate of change
o Fast enough to represent change
● Decision and Action raise the cost of your adversaries’ Observation/Orientation
● Operate at a faster tempo or rhythm than our adversaries
o Ultimately you are making it more expensive for the adversary to operate and hide
* TK Keanini - The OODA Loop: A Holistic Approach to Cyber Security - https://www.youtube.com/watch?v=RBv82THpBVA
34. Targeting
Targeting: The process of selecting
and prioritizing targets and matching
the appropriate response to them.
Target: An entity or object considered
for possible engagement or action . . .
to support commander’s objectives.
Purpose: integrate and synchronize
fires into joint operations.
Joint Publication 3-60, Joint Targeting: http://www.dtic.mil/doctrine/new_pubs/jointpub_operations.htm
Army FM 3-60, The Targeting Process: http://armypubs.army.mil/doctrine/DR_pubs/dr_a/pdf/fm3_60.pdf
35. What is Targeting good for?
● Targeting is a continuous cycle that begins with an analysis of the effects the commander wants to achieve
● Can be lethal or “non-lethal”. Effects might include:
o Deceive
o Degrade
o Destroy
o Influence
● Gives commanders a continuous process to influence their battlespace
Targeting Methodology:
● DECIDE - Scheme of Maneuver/Fires, High-Payoff Target List
● DETECT - Execute Intelligence Collection Plan
● DELIVER - Execute Attack Guidance Matrix
● ASSESS - Combat Assessment
36. How Does This Apply to Cyber Ops?
Computer-based effects can be used as part of,
or instead of, lethal military action.
● Israeli cyber attack on Syrian air defense systems (2007)
● Russia’s coordinated virtual attack and physical
invasion of Georgia (2008)
● Stuxnet (2010)
37. Resources on Foreign Doctrine and Strategy: China
● Timothy Thomas’ trilogy and Chinese
Information Warfare doctrine, published
by the Army’s Foreign Military Studies
Office at Fort Leavenworth.
o Dragon Bytes, 2003
o Decoding the Virtual Dragon, 2007
o The Dragon’s Quantum Leap, 2009
● Liang, Qiao and Xiangsui, Wang.
Unrestricted Warfare. Summaries and
translations abound on the web;
extensively covered in Thomas’ Chinese
IW trilogy.
38. More Foreign Doctrine and Strategy: Russia
Russian Military Publications:
● “Doctrine of Information Security of the Russian
Federation” (2000)
● “Conceptual Views on the Activity of the Russian
Federation Armed Forces in Information
Space” (2011)
American Foreign Policy Council’s Defense Dossier:
● “How Russia Harnesses Cyberwarfare,” by David J.
Smith.
39. Great Resources for More Information
DoD and Military Branch doctrine:
● Intelligence and Security Doctrine (including DoD and all military
branches) Federation of American Scientists’ Intelligence Resource
Program http://www.fas.org/irp/doddir
● DOD Dictionary. http://www.dtic.mil/doctrine/dod_dictionary/
● Joint Doctrine. http://www.dtic.mil/doctrine/doctrine/
● Army Doctrine. http://armypubs.army.mil/doctrine/Active_FM.html
Publications:
● Small Wars Journal: http://smallwarsjournal.com (all online content)
● Military Review: http://militaryreview.army.mil (online and print)
● Parameters: http://strategicstudiesinstitute.army.mil/pubs/parameters
(online and print). US Army War College quarterly journal.
● Army Branch Magazines (Armor magazine, Infantry magazine, Artillery magazine, Army Aviation magazine, etc.)
● Combined Arms Research Digital Library: http://cgsc.contentdm.oclc.org
40. More resources
Military Theorists:
● Clausewitz, Carl von. On War, [available at www.clausewitz.com], 1832
● Jomini, Antoine Henri. The Art of War, [available at www.gutenberg.org],
1862
● Mitchell, William. Winged Defense: The Development and Possibilities of
Modern Air Power--Economic and Military. The University of Alabama
Press, Tuscaloosa, AL. 1925
● Coram, Robert. Boyd: The Fighter Pilot Who Changed the Art of War.
Little, Brown and Company, 2002
● Mao Zedong. On Guerrilla Warfare, [Online]. Available at http://www.marxists.org/, 1937
● Mahan, Alfred Thayer. The Influence of Sea Power Upon History: 1660 -
1783, Little, Brown and Co. 1890
● Lots more . . .
41. Yet more . . .
Conferences:
● NATO Conference on Cyber Conflict (CyCon):
http://ccdcoe.org/cycon/home.html
● IEEE/AFCEA Annual Military Communications Conference (MILCOM): http://www.milcom.org/
Other:
● Center for Army Lessons Learned: http://usacac.army.mil/CAC2/call/
[See our whitepaper for lots more references!]