"Success depends on sound deductions from a mass of intelligence" - Winston Churchill

New threats and new measures to counter them call for a reorganization of IT security teams so that they can focus on defending the organization from targeted attacks. It is only ten years since most enterprises established separate security teams to address vulnerabilities, deploy and maintain patches and virus signature updates, and configure and maintain firewalls. To ensure that policies were created and enforced, most organizations also created the position of Chief Information Security Officer (CISO), who enacted those policies and became responsible for ensuring that the organization was in compliance with standards and regulations.

The rise of targeted attacks must be met by similar organizational enhancements. The terminology and titles are not important, but the roles and responsibilities described here are required to mount an effective cyber defense. It is interesting to note that the Cheong Wa Dae (the Korean President's "Blue House") has instituted a special Cyber Defense Team in reaction to concerted attacks on the computers of the G20 Summit Committee in Seoul.

"Since June, the government has been running a special cyber defense team to prevent attacks against major private and public computer networks." - The Chosunilbo

Countering targeted attacks calls for new measures. One of those measures is the creation of specialized teams that are not bogged down in the day-to-day tasks of blocking viruses and cleaning up machines. Here is my proposal for such an organization.

Team Lead: Cyber Defense Commander

The title may evoke too martial an image. Perhaps cyber defense team lead, or director of cyber defense, would be a better fit. But the idea of one throat to choke in establishing a leadership role is an effective way to impress the seriousness of the task on a team and its leadership. They must be instilled with the idea that they are targeted, under attack daily, and engaged in a battle to protect the organization from a malicious adversary.

The cyber defense team replaces the traditional computer emergency response team (CERT) and will probably incorporate most of the same people. The cyber defense commander is responsible for establishing the cyber defense team, assigning and directing roles, making sure the correct tools and defenses are deployed, putting in place controls and audit processes, and reporting to upper management on the results of those processes and audits. The cyber defense commander would also be the primary point of contact for communicating with law enforcement and intelligence agencies when the inevitable situation arises that requires outside help or communication.

A large organization with divisions spread around the globe, or separate large business units, may well have cyber defense teams deployed in each division with their own leaders who report up to the cyber defense commander. (Call them lieutenants if you must, but I am not going to take the military command structure that far.)

The cyber defense team should have three primary roles: an outward-looking role, an operational role, and an inward-looking role. Each of those roles is described next.

Cyber defense analysts are the intelligence gatherers. They study the threatscape with an eye towards emerging threats to the organization. Most organizations assume that, because they have so many people in IT security, someone is looking out for the latest attack methodologies or tools, and even keeping tabs on the various groups that engage in cyber attacks. Unfortunately the operational aspects of IT security are too consuming to allow this type of outward-looking focus. IT security practitioners are very inquisitive and attempt to keep up with the huge volume of information available to them at conferences, from vendors, and in the news. But their activities are ad hoc and mostly voluntary.

Would TJX have succumbed to an attack that entered through a WiFi access point in a store in Minneapolis if they had had someone staying abreast of the news who would have seen the exact same methodology used against a Lowe's store in Southfield, Michigan four years before? A team of cyber analysts working at a mining or oil and gas exploration company would have been alert to the news that the three largest such firms in the US (Marathon Oil, ExxonMobil, and ConocoPhillips) were compromised in 2008. They would have had contacts within the community who would have given them a heads-up. They would then have seen the 2009 attacks against BHP Billiton, Rio Tinto, and Fortescue Metals Group, the major natural resources companies in Australia, and analyzed those attacks for similarities. They would have raised a red flag that their own organization could be targeted as well and increased the vigilance of the internal teams.

Cyber defense analysts assume the role played by counterintelligence agents inside most governments. They gain an understanding of the attackers and their tradecraft and advise those responsible for defending against them. As members of a cyber defense team these analysts will be responsible for:

- Understanding the state of the art in attack methodologies. They should research and understand the successful and attempted attacks against similar organizations. They do this by monitoring news reports; security research reports from vendors, including McAfee Labs, Verisign's iDefense team, Verizon's Threat Report, F-Secure's Mikko Hypponen, Symantec's threat report, Sourcefire's VRT, Fortinet Research, Infowar Monitor, and IBM X-Force; and independent researchers such as Dancho Danchev, Brian Krebs, Nart Villeneuve, and hundreds of others.
- Getting to know potential attackers and monitoring their activity. Is the organization a target for industrial espionage from competitors or state-sponsored spies? Could a particular fanatic group, be it PETA, Greenpeace, Islamic Jihad, or a religious faction, be targeting the enterprise?
- Monitoring known attack sources and distributing the IP addresses of those sources internally for purposes of blocking and alerting.
- Communicating the threat level to the rest of the cyber defense team.
- Assisting in evaluating technology for internal deployment.

A valuable methodology for the research is being developed by the Infowar Monitor team working at the University of Toronto. They dub their methodology "fusion research", a combination of technical analysis, contextual understanding, and field investigations. Translating this into the activities within an organization would mean working with their peers to discover the methodologies being used successfully against them, and the tools and defenses they deploy. It would also mean having an understanding of the industry they are in and the value of their information assets to various potential adversaries. Banks, long the target of cyber crime, and casinos, with vast experience fighting insider threats, have had this type of interaction with their peers for years. It is time for manufacturers, non-profits, universities, and state and local governments to do the same.

The second role within the cyber defense team is the operational role. Members of the cyber defense operations team must:

- Select and deploy network- and host-based tools to monitor activity, alert on unusual activity, block attacks, and assist in removing infections that have made it through all of the cyber defenses.
- Interact with the rest of IT operations to ensure that infections are quickly snuffed out and cleaned up.
- Engage in forensics activities to perform post mortems on successful attacks, gather evidence, and improve future operations.

The members of the internal cyber defense team supplement the rest of IT operations. They are not responsible for the daily updating of servers and desktops, the distribution of AV signatures, or maintaining firewalls. Their job is to discover and mitigate attacks as they occur. This is a 24x7x365 job. A primary responder must be identified for each evening, weekend, and holiday shift. They must be able to receive alerts, quickly gain access to the monitoring system, and take defensive action when an attack occurs.

The third component of the cyber defense group is the Red Team. They look inward. They scan the network for holes in the defenses and new vulnerabilities. They engage in attack and penetration exercises to test defenses. They evaluate new IT projects to ensure that authentication, authorization, and defenses are included from the initial design all the way through to deployment.

Each of these three roles has special tools that it should use to accomplish its duties.

The cyber analysts make use of knowledge management tools to categorize and create linkages between disparate data sources. An internal wiki can serve as the basis of communication with the other members of the team. A sophisticated tool from Palantir Technologies can help them track sources of attacks, record data, remember IP addresses and malicious domains, and even keep track of the identities, affiliations, and methods associated with particular groups or individuals.

The cyber defense operations team will use advanced packet capture, network behavior monitoring, application monitoring, and endpoint protection tools. Netwitness provides the best tool for capturing network traffic and applying filters that contain knowledge of attack sources, along with other cross-correlation capabilities. By deploying a network flow monitoring solution from Arbor Networks they can see changes in traffic patterns that are indicative of an attack. Guidance Software, known for its forensics toolkits, has a cyber defense product that leverages the endpoint protection of HBGary to identify and remediate infections. FireEye is a network gateway defense against zero-hour malware and blocks attempts to communicate with command and control servers operated by attackers.

The cyber defense Red Team makes use of many open source tools to act as surrogate attackers. Nessus can be used to scan for vulnerabilities; it is open source and the basis of several commercial products, most notably Tenable. Vulnerability scanning is also a function of regular IT operations, so it is important that the Red Team use a different set of tools than those used by operations. Core Impact is the most advanced commercial attack and penetration tool.

The organization and duties of the Cyber Defense Team arise from the new threat of targeted attacks. There is a fundamental difference between defending against random attacks from viruses, worms, and botnets and defending against targeted attacks. When the viruses and worms are written specifically to infect an enterprise's systems and gain control of internal processes, communications, and data, traditional tools are ineffective and traditional organizations are at a loss. By assigning responsibility to a core team of cyber defense specialists the enterprise can begin to address its vulnerability to targeted attacks.

This post is an excerpt from Cyber Defense: Countering Targeted Attacks (Government Institutes, 2011).
Australia IP VPN Services 2005-2009 Forecast and Analysis: Connecting with Class

Product Description: This IDC study delves into the different flavours of IP VPN services available in the Australian market and their corresponding uptake. The study analyses key trends, drivers, and inhibitors affecting the uptake, and provides sizing and forecasts for the Australia IP VPN services market from 2004 to 2009. IP VPN has been gaining traction worldwide as the choice for WAN connections, particularly with the continued deployment of IP multiprotocol label switching (MPLS)…
There is a disturbing tendency on the part of the US Congress to legislate the Internet. A case in point is HR 2271, backed by eleven US Representatives and submitted for review by the House Energy and Commerce and Foreign Affairs Committees last May (2009). Thankfully, there has been no serious deliberation on this proposed measure, which intends to somehow regulate the Internet to promote, ironically, freedom of speech. In its preamble the intent is well articulated:

"To prevent United States businesses from cooperating with repressive governments in transforming the Internet into a tool of censorship and surveillance, to fulfill the responsibility of the United States Government to promote freedom of expression on the Internet, to restore public confidence in the integrity of United States businesses, and for other purposes."

Reading between the lines you can discern that this bill was proposed in part as a reaction to Google, Yahoo! and Microsoft engaging in less than ethical collusion with the Chinese government; activities that have led to the incarceration of bloggers and restrictions on access to information.

The Bill has sections devoted to:

Creating an annual report that identifies those countries that engage in restrictive Internet activity (105). Would this watch list contain Australia, which is setting up a massive filtering infrastructure to protect its citizens from the less tasteful content on the Internet? Would it include Germany, which has attempted to ban hacking tools? Or the EU, which has considered blocking searches that include certain key words like "bomb"? Would it identify the US which, thanks to widespread eavesdropping on AT&T's network by the NSA, has frightened businesses away from ever hosting data in a country where they perceive that data to be unsafe from snooping?

Setting up the Office of Global Internet Freedom, reporting to the Secretary of State and led by a Director (104). I suspect just the name of this department will create additional work for the State Department to smooth the ruffled feathers of those who may take umbrage at the US unilaterally setting global policies of any sort. Ironically, the only defined task for this Office will be to "identify key words, terms, and phrases relating to human rights, democracy, religious free exercise, and peaceful political dissent…", an activity that in itself smacks of thought control.

Section 203 requires that any US company that imposes changes to its search results at the behest of one of the listed countries must report it to the Director of the Office of Global Internet Freedom (DOGIF). Section 204 has similar regulatory burdens for any US company that hosts information. This is obviously targeted at Google, Microsoft, and Yahoo, but there are thousands of online content and search engine companies that could fall under these requirements.

HR 2271 also points out in its preamble: "A number of United States businesses have enabled the Internet censorship and surveillance of repressive governments by selling these governments or their agents technology or training." Luckily it stops short of proposing the restriction of sale of that technology. It is hoped that the backers realized the tremendous damage they could inflict on the US networking industry if they attempted to restrict commerce to the extent necessary to stop the sale of all technology that can be used for restricting access to information. It would include all firewalls, routers, and content inspection technology.

There seems little danger of HR 2271 ever coming to a vote, but… we must keep a wary eye on this 111th Congress, which has over 40 measures under consideration that bear on highly technical issues. A misstep could be costly and have debilitating consequences for a fragile economy. Global Internet Freedom will be best served by governments of all types avoiding any meddling in the still-young Internet.