USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers

[ Applause ] JOYCE: Appreciate it. Thanks — thanks
for the welcome. So — so, as David introduced, I’m from Tailored
Access Operations. And I will admit,
it is very strange, right, to be in that position, appear on a stage in front
of a group of people. It’s not something often done. Um, but —
but I’m, uh, I’m in a — a unique position
in that we produce, in TAO, foreign intelligence
for a wide range of missions, including informing policy makers and protecting
the nation’s warfighters 24/7. And in that space, um, we’re doing
nation-state exploitation. And so my talk today
is to tell you, as a nation-state exploiter, what can you do
to defend yourself to make my life hard, right? So not many people
will stand on the stage and have the perspective
of an organization that does exploitation and to be able to talk
to those elements that really would disrupt
the nation-state hackers. Um, so in that vein, um, I want you to think about
if there’s something you really, really
want to protect, what do you have to do? So you’ll hear a common theme
throughout my talk. It’ll boil down
to a couple small things. The theme
I want you to take away is if you really want
to protect your network, you really have to know
your network. You have to know the devices,
the security technologies and the things inside it. So why are we successful? We put the time in
to know that network. We put the time in
to know it better than the people who designed it and the people
who are securing it. And that’s the bottom line. And you’ll kind of hear
that woven throughout the talk. So if you think about
what goes into an intrusion, there’s a series of phases
that happen, right? As you walk down
through these, um, I’ll talk about the things
that can… that — that we focus on. Um, and you could break
the chain throughout that, uh, throughout that compromise by disrupting the transitions
between these elements. So really the first phase during a targeted intrusion
is a reconnaissance phase. Somebody’s got to go out
and understand the target. It starts with
simple things like scanning. Go out and physically
scan the actual target. There’s understanding
important people or e-mail addresses
from that activity. Going out and looking
at the open-source information about that target. So it really is,
what can you learn? What can you understand? As I said earlier,
our key to success is knowing that network
better than the people who set it up. So in that space,
the reconnaissance phase is really important. I’m gonna move my laptop
a little here so I can get to my notes. So another key point
inside this, um, you know the technologies you intended to use
in that network. We know the technologies that are actually
in use in that network. Subtle difference.
Did you catch that? You know what you
intended to use. We know what’s actually
in use inside there. So when we look at that, we will learn
the security functionality of the devices
inside that network. We’ll study them,
understand them, find the vulnerabilities. In fact, we’ve got people who will know
the security functionalities of those devices
better than the people who developed
the actual device, right? So they won’t know
the whole product. They won’t know every feature
that those developers had. But they’ll understand
the security technologies, and they’ll bring that expertise
at a very, very deep level. So inside that, um, it’s minute attention to detail
inside that security layer, again, knowing the network,
knowing that space. So what does that mean? We apply the focus and energy
to look at those details. Um, will you, as people who have
important things to protect and hold dear, will you put in the energy
to understand the network, understand the devices
and configure and use them in the proper way
that would prevent exploitation? So there’s a foundational piece
of advice to countering these kind
of threats, right? You’ve got to have procedures
to evaluate what you’ll use, what you’ll install. You’ve got to lock down and, uh, disable those things
that you’re, uh, that you’re not using, right? Reduce the attack surface. Um, it’s not a new or amazingly insightful piece
of advice. Um, but you’d be surprised, as I said, about the things that are running on a network versus the things that you think
are supposed to be there. So what can you do to understand
that exposure surface? Red team that network.
Bring in pen testers. Poke and prod it,
just like an adversary will do, to find out
what’s inside that space. Um, find out what’s exploitable. Well-run networks really
do make our job hard. So if you go to the trouble of understanding
what’s inside a network, you run that pen test, you’ve got those results,
act on it. So NSA, in our information
assurance side, will do red team
testing against, uh, against government networks. So we’ll, inevitably, find things
that are misconfigured, things that shouldn’t be set up inside that network,
holes and flaws, and we’ll produce reports
telling the network owner things they need to fix. Cycle comes around to the point
where we’ve got to get back and redo a red team
against that same network. It is not uncommon for us to find
the same security flaws that were
in that original report. That’s the first place we go
is to the original report. Did the things we pointed out
previously get fixed? So, um, inexcusable,
inconceivable, but returning
a couple years later, the same holes
and vulnerabilities exist. I’ve seen it
in the corporate sector, too. I’ve seen it
in our targets, right? People tell you
you’re vulnerable in a space, close it down and lock it down. So if you’ve invested
the resources to do that kind of discovery
and red team space, um, go ahead and follow through. Another key point,
don’t assume a crack is too small to be noticed
or too small to be exploited. So if you go through
and do that pen test, and you say, “We look great
on these 97 things, but these three things
over here, they’re kind of esoteric. They probably don’t matter much. We’ll probably
ignore them,” right? That’s what we need.
We need that toe hold. We need that first crack,
that first seam, um, and we’re gonna look
and look and look for that esoteric kind
of edge case to break open and crack in. So pay attention
to those results. Same thing in this discussion about —
about the, uh, the — the temporary security
vulnerabilities. So if you own a network, and you got trouble
with an appliance inside your trust zone, inside your network boundary, and you’re talking to the vendor and just can’t quite
make it work. And they say, “Well,
open it up for me. I’ll come in.
We’ll poke around. We’ll take some logs.
We’ll fix it for you. We’ll do it over the weekend.
Don’t worry,” right? Are you gonna open that door
for that 24, 36 hours? So I’ll tell you,
the nation-state attackers, there’s a reason it’s called
advanced persistent threats because we’ll poke
and we’ll poke. And we’ll wait and we’ll wait and we’ll wait, right? We’re looking
for that opportunity, that opening, and that opportunity to —
to — to finish the mission. Another big area, I’d say,
in this reconnaissance phase is figuring out
about the network boundaries. So I talked earlier
about you know the things you intend to have
in your network. We look for the things that
are actually in your network. Well, that’s becoming
harder and harder these days as the network boundary
gets more amorphous, gets more porous or gets more inclusive
of other things. Um, think about trends
like bring your own devices, um, Internet of things,
work from home access. Um, these have really
created situations where Internet —
interconnected network elements are under varying administration
control, right? I even see the case where leased facilities
come with a leased network that is under the control
of that — that physical location and trusted in Internet… interconnected
to your domain, right? So think about the things that are now a component
of your domain, your trust zone. Cloud computing, right? Cloud computing is really a fancy name
for somebody else’s computer. If you have your data
in the cloud, right, you’re trusting
the security protocols, the physical security, all of the other elements
of trust in an outside entity, maybe done right.
It may not. You may have varying degrees
of understanding about what’s inside that cloud. But they are now part
of your risk and liability. So I see growing trends
that are really making it hard and diffusing
the network boundary. Um, trust boundaries now
extended to partners, um, personal devices, right? All of us love to have
our iPhones, Androids, tablets,
devices come and go, right? You’re trusting
those onto the network. Um, there’s even the heating
and cooling systems, right? Other elements of building
infrastructure and more. So what are you doing to really
shore up the trust boundary around the things
you absolutely must defend? And that, for me,
is what it comes down to. Do you really know what the keys
to the kingdom are that you must defend, right? Instrument, defend, pay attention
to those crown jewels, um, because that attention and rigor
really makes our job hard. So after reconnaissance, the next phase is getting
that initial exploitation. Got to find a way to get
energy inside that network. Can you go ahead
and get some opportunity? Um, these things
can happen from spear phishing. They can happen
from water-holing. Is there a, uh,
weakly defended site that everybody goes to? Um, exploiting
a known CVE, right, there’s already a vulnerability, and there’s a recipe
for exploiting that — that activity already done. SQL injection, um, exploiting a zero day, other technologies,
ways to get in. I think a lot
of people think, you know, the nation-states, they’re running
on this engine of zero days. You go out
with your master skeleton key and unlock the door,
and you’re in. It’s not that. Take these big corporate
networks, these large networks, any large network,
I will tell you that persistence and focus
will get you in, um, will achieve
that exploitation without the zero days. There — there’s
so many more vectors that are easier, less risky, and — and, quite often,
more productive, um, than going down that route. So to ward off a persistent,
um, vector, you really need to invest
in continuous defensive work, right, because if the CVE world is continuously rolling
and pumping out new information about cracks and holes
in existing products and services, you’ve got
to be continually updating and defending inside that space. So most —
most intrusions come down to one of three
initial vectors, right? E-mail, where a user
opened an e-mail, clicked on something
that they shouldn’t have. Um, a website, where they’ve gotten
to a malicious website and they’ve gone ahead,
and it’s either executed, or they’ve — they’ve run
content from that website. Or removable media, where a user inserted
contaminated media, um, sometimes even bridging
an air gap network, right? But those three
are the big three. Where do you need
to go in this space? You really need to get
the networks not to rely on the users to automatically make
the right decisions. Um, sometimes
even the experts get it wrong. So how can we build and ensure the policies
and the technical enforcement of those written policies
keep, uh, accidents and slip ups
from occurring, right, because I don’t care
how many times you train people about not clicking
on those unsolicited e-mails, um, people do. And even when you get
to the nation-state advanced persistent level, um, sometimes those e-mails can be
really well crafted to the point where it’s not an unreasonable
thing for somebody to click on. So how do you prevent that
from detonating? Can your architecture
and your policies defend against
those user actions that are gonna take place? Can they stop
those threat vectors because if they can,
it really makes my job hard. So one thing
I’d absolutely recommend, um, is things
like anti-exploitation features, Microsoft EMET. Everybody ought to be turning
that on, right? It really does slow down, um,
the number of vectors that are available for something
to execute in that space. So I’d look at NSA’s Information
Assurance Directorate. They have
a host mitigation package. So it’s best practices
for locking down and mitigating
at the host level. Um, EMET is only one
of those recommendations. There’s a whole series
of things, um, that really do
lock things down well. That’s the guide.
Those are the specificity. There’s not the secret sauce that goes beyond that
inside the protection of classified material
for the U.S. government, right? Look at that guide.
It really, really is solid. Um, the other thing
you’ve got to do, you’ve got to take care of — take advantage
of software improvement, right? I — I mentioned
CVEs and vulnerabilities. Boy, if there’s a known bug in a software
that’s exploitable, um, you ought to be fixing that
and getting it off your network. So I think, uh, um, you know, tip of the hat
to the software industry that is making upgrades
and automatic patching a background activity that’s beyond the user control.
Right? That is
an outstanding security practice where it is just taking care of, every time
there is a new, um, there is a newly closed
vulnerability, it becomes part
of your ecosystem. That’s an outstanding thing. And that cuts down
the opportunity window between known vulnerability
and execution. And if that patch window
is months or years…um, again, an inexcusable practice. So the other thing I’d encourage
is use a secure host baseline. So, again, that kind of goes
like the host mitigation plan, um, the IAD product. Um, the secure host baseline
is the current best practices for locking down configurations. Um, again, there’s some out on the NSA Information
Assurance website to look at. So I’ll tell you, our organization teaches
and trains. That’s one thing we do really,
really well, right? We institutionalize
that knowledge. We teach people to get them
to the next level so that they can work
and exploit. So we train best practices. We pass those on.
We use those best practices. So I’m gonna use best practices
for exploitation. Are you gonna
use best practices for defense? Again, it — it really
comes down to that. If you have
something somebody’s coming at and you need to defend it, you need to be looking at
what is that apex predator gonna be doing to come
after your information? Um, they’re gonna be using
the best practices for offense. You’ve got to be using
best practices for defense. In almost any intrusion at this initial
exploitation space, people are trying
to get credentials, right? Often legitimate credentials
are compromised, enabling intruders to get in
and masquerade as legitimate users, um, coming after the network. And — and it’s imperative that you have some processes
and plans to understand what normal
is inside your network. So if somebody’s
got credentials, are they operating
under the norms for those credentials? Are they going to the places
that they should be? Are they trying things, um, that they shouldn’t
be doing, right? Better-defended networks, um,
require specific methods for accessing
the resources of that network. They —
they monitor credential uses. They look
for anomalous behaviors. Um, two-factor authentication, right, making it
that much harder, uh, to, uh, steal credentials. And — and it — it really is important
to make sure that that small crack
of a lost credential doesn’t get turned into a pivot in a later stage
into a large access. Um, there have been
numerous security best practices that have been recommended
over the years. Um, but some of the things
like making sure least privilege
for accounts, right? There are only
a very small handful of accounts that have
the keys to the kingdom. And you only give
the privileges needed, um, to specific users. Um, not everybody’s happy living
in that world, right? Why can’t I have admin
to my server or my boxes, those kind of pieces? Those are the kind of
wide-ranging credential reuses that wind up turning in
to large-scale compromises. Um, segmenting off
portions of the networks rarely implemented,
whitelisting, things like that. If you care about your things,
consider those, right? They really
do make our life hard. We also really love it
when administrator credentials or other system-wide credentials are hard coded into scripts or accessible on the devices. You know, so I think
people are starting to understand the pass-the-hash
vulnerability, right? If you haven’t
learned about that, if you don’t know what pass-the-hash
is, go — go understand it. So that’s something
where you can get, you know, uh,
a domain credential. And you —
you can grab a credential and move laterally
onto other machines and just pivot like mad
throughout the network. So one of the —
the key activities is really thinking about, um, how you manage
those capabilities so that you can
protect against, uh, against pass-the-hash. I mentioned that if things
are hard coded and included in scripts, you know, they’re vulnerable
and — and likely, um, to be pulled. Most of the — most of the modern protocols
these days are not passing credentials
in the clear. But do you think nation-states
are taking advantage of the ones that are, right? So you got to look
for those older protocols, drive ’em out of your networks. Um, it — it — it’s not enough to know
about things like pass-the-hash and making sure
that all of the authentications are done only
with more modern protocols that keep the passcodes and passwords out of, uh,
out of plaintext. Um, but think about
where you’ve hard coded and — and enabled one box to log in through an account
to another to do an activity. Um, it really
does make yourself vulnerable. The other big thing
I’d recommend, enable those logs
but also look at the logs. You’d be amazed
at incident response teams go in and, you know, there’s been
some tremendous breach. Yep, there it is
right there in the logs. Great.
You’ve got logs. It’ll tell you
that you’ve been had. Um, enable those logs.
Look at those logs. I’ll tell you,
one of our worst nightmares is that out of band network tap that really is capturing
all the data, understanding
anomalous behavior going on. And somebody’s
paying attention to it. So rewind all the way
back to the beginning of my talk where I said you’ve got
to know your network, understand your network because we’re going to, right? Those logs, they are
just the rock bottom bedrock foundation
of understanding if you’ve got a problem or if you’ve got
somebody rattling the doorknobs
to give you a problem. All right? So somebody’s cracked
open the door. They’re —
they’re on the threshold. Um, the next thing
they’ve got to do is they want
to establish persistence. It’s not good enough
just to be in a network. But if — if
you’re really there to exploit, you want to dig in, um,
and hold, right? So work happens at this point. Privilege escalate, maybe, so that you can get down
some tools, um, finding run keys, um, getting into scripts, other technologies to ensure
that persistence, um, onto those computers
so that you can stay. One of the things
we run into here, um, things that have, uh, implemented
application whitelisting makes this world hard. Um, application whitelisting,
it is difficult for generic users
in a large network to know exactly
what applications you’re gonna run,
what should be permitted. There’s some good work going on, um, to make this a little
more generic and understand what’s — what’s routine and what’s not
inside an organization. But, again, as I said, you know, figure out early
what you need to protect, segment that off. And that’s the place you maybe want to think
about whitelisting, right? Make sure that in that space
they can’t run a piece of malware, something new or unusual. Um, your goal needs to be to — to restrain
that malicious behavior, um, keep it from launching
in the interim. So then after you’ve gotten
into the network, um, install some tools, right? Usually, the first tools
down are lightweight, small beaconing things. Their intent is
to establish that beachhead and then bring down the tools that are actually
gonna do the work. Um, so —
so there are things, I think, the AV industry, at times, gets a bad rap
for their ability or inability to keep things off. You know, if your AV
is a list of bad things that shouldn’t run
on your computer, um, that’s not a great technique because that just means
the unique thing you need to run on that computer
needs to be unique, and it will never be
in that list. Um, but the research
and the technology’s evolving now where, um, reputation services are more
the — more the norm. So every piece of, uh, software that wants to execute
on your machine gets hashed, pushed up
into the cloud. Um, let me tell you, if
you’ve got a reputation service, and it says that
interesting executable that you think you want to run in the entire history
of the Internet has been run one time, and it’s on your machine, be afraid, right,
be very afraid. So reputation services
are — are — are a growing technology, um, that can make our life hard. Similarly, most of these tools want to talk out
to a domain to get those, um,
those further modules. Um, they want to talk out, um, and, uh, and call back home. They want to report
success or bring data back. So — so they’ll be wearing
a domain name, right? Reputation services work
probably even better in
the domain name world, um, because the domain names, um, if — it’s not enough
to block bad known bad domains, right?
That’s important. But usually that’ll
get you the crimeware. You’ve got
to block the things that are not known good. It’s really hard
for an exploiter to get a website created and established
that has good reputation. It’s not hard to —
to register a domain and make something
call out to it. But — but if something
is evaluating that reputation, and nobody else is going to it, or the content’s stale,
it’s not updated, um, it will have neutral
or negative domain — neutral or negative reputation. So, again, reputation services,
looking at that, that’s a hard thing
to overcome in domain names. So after you’re in a network, rarely do you land
where you need to be. At this point, it’s important
to move laterally and find the things
you need to find. So, um, the big question
you need to think about is if you have an intrusion
somewhere in your network, can you then defend
against this lateral movement? If you think about it,
most networks, big castle walls,
hard, crunchy outer shell, soft, gooey center. How do you get to the point where you know
you have an intrusion, and you’re gonna keep somebody
and make it difficult for them to move from the place they landed, uh,
to the — to the place
they need to be? And so, again, network segmentation,
monitoring, uh, caring about your, um, the accesses
that allow these privileges, they’re all really
important pieces. Um, so advanced attackers really
go for the crown jewels, right? They’re gonna go
for those domain admins, um, to control the entire network. You really need to limit
the administrator privileges, segment the accesses, enforce
two-factor authentication. Um, nothing is really
more frustrating to us than to be inside a network, know where the thing is
you need to go get to and not have a path
to get over to find that. So the other thing
is, um, you know, poorly considered
trust relationships. I talked earlier
about the amorphous edge of your networks, um, allowing any network — any user or any net
computer with, uh, with valid credentials to access the network
from anywhere. Um, that’s a poor idea,
a huge risk. Better networks employ things like comply to connect
for remote access. Um, they connect, um, and assure the security
of the remote connections, maybe even figuring out
physical locations, um, where you’re calling
from in, um, seeing some really interesting
things with dynamic privileges, thinking about you can access
pieces of information from inside your network but not from out, inside the state but not out. Um, so —
so there’s ways to limit and consider
the segmentation in a creative way. Um, if you really want
to make my life hard, you segment,
you manage the trust to the most important places. Um, you consider
who really needs that trust and who should be able
to access those things. I think another key thought
that people don’t have is consider how, um, consider that you’re already
penetrated, right? Do you have the means
and methods to understand if somebody’s
inside your network? If you —
if you read statistics, Verizon does a great intrusion
report every year. Look at the statistics for how
long intrusions go undetected, months or years, right,
after people are inside. So what do you have
to understand and contain, um, after that first —
first pieces? Um, so monitoring and detection
inside the networks is just as important
as that network boundary. And — and many networks, they
don’t have incident responses — response plans. And if they do, they rarely
exercise them, right? Have you ever
seen incident response plan exercised inside your network? So the Internet of things, the boundary conditions,
all bringing things that are probably untrusted
inside your network. Um, why go after the professionally administered
enterprise network when people
are bringing their home laptops that their kids
were going out and go and downloading Steam games
the night before, right, inside your network
and trust unit. What’s that trust boundary? Um, and then
as we mentioned earlier, the Internet of things, there is now getting to be
a whole SCADA network running in parallel,
sometimes interconnected, to your whole corporate network. Have we thought about those, uh,
those security elements? Ron Rivest, you know, made
a great point earlier today. Um, have we got
those things right? Do we need to invest more
in those — those technologies
to secure and defend there? Absolutely. So at that point, we own you. All that’s left to do
is collect, exfil and exploit, right? So once inside a network, the main focus
is getting what you need, getting it out and,
uh, leaving undetected. So data theft is one arena, um, but I challenge you to think
about a new one, right? In the wake of Sony attacks, everybody’s got
to think about, right, I’ve got my basket of eggs. I’ve got my most
important things. I’ve defended them.
I’ve instrumented them. I’ve packed them
ever so carefully in that bubble wrap
and kept it off to the side with my best security practices. Um, what about
the destructive attack? Um, so off-site backups need
to be part of your plan. Figuring out how you’re
gonna deal with data corruption, data manipulation
or data destruction. Um, it —
it really needs to be something you’re thinking about now. Don’t be that Saudi Aramco,
that Sony, um, that learns about it afterwards
and then is improving. Um, you’ve got
to think about it now. So the other thing I’d point out is you’ve got to differentiate
between the cyber criminals and the nation-state intruders. So last weekend we had
the huge snowstorm on the east coast. Turns out my neighborhood,
in the middle of the night, one guy walked
through the neighborhood, came through the whole court, checking every car door
to see what was unlocked. Took anything that wasn’t
nailed down in unlocked cars. Didn’t break a window.
Didn’t pick a lock. Just took, opportunistically,
whatever he could, right? Um, that’s a lot of
the Internet malware or badware. It’s looking for credit cards and opportunities
to use your machine to send spam and make money, to do CryptoLocker
and lock down and extort you for money. But at that point, um,
you know, they’re opportunistic. They’re looking for the back,
weak gazelle in the pack to pick off, right? If you’re looking
at the nation-state hackers, we’re gonna be persistent. We’re gonna keep coming
and coming and coming. So you’ve got to be
defending and improving and defending and improving and evaluating
and improving, right? The static person is gonna float
to the back of the pack and not for the crimeware, but for the nation-state
advanced hacker, um, they’re gonna find those CVEs, those things
that are not patched. They’re gonna find ways in
that aren’t monitored. They’re gonna steal credentials. They’re going
to get to those pieces. So don’t be that easy mark. Anybody holding up the camera? Who’s gonna scan the QR code
from the NSA guy? All right. [ Applause ] So that is a link.
It’s a real link. It’s not a rickroll, I promise. Trust me. Um, so — so — so I’d encourage you to go
to the NSA website. There is some awesome material that keeps you from being
at the back of the herd, right? It — it is tough to defend against that nation-state
advanced persistent threat. But — but you really can make
a huge, huge difference. So you ought to be
tightening down and learning
some of these lessons, right? So thank you for your time
and attention.
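The talk’s points on knowing what normal looks like for a credential, watching for pass-the-hash style NTLM logons from unfamiliar hosts, and actually reading the logs rather than just enabling them, as an added example that is not code from the talk or from any NSA material. It assumes a simplified, vendor-neutral logon record (ts, user, src, dst, auth) instead of raw Windows 4624 events, a hand-built baseline standing in for one learned from a clean history, and the two thresholds below; the log lines are constructed, not captured.

```python
"""Added example (not from the talk): checking credential use against a
baseline of "normal" for each account.

Assumptions, all for illustration: a simplified logon record schema,
a hand-built baseline, and the FANOUT_* thresholds. Sample log lines
are constructed, not captured from a real system.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records. Day one is routine; in the small hours of
# day two "alice" is suddenly used over NTLM from another workstation against
# four hosts in four minutes, the shape of a stolen credential being pivoted.
SAMPLE_LOG = """
{"ts": "2016-01-25T09:00:00", "user": "alice", "src": "ws-alice", "dst": "fileserver1", "auth": "Kerberos"}
{"ts": "2016-01-25T09:05:00", "user": "alice", "src": "ws-alice", "dst": "mail1", "auth": "Kerberos"}
{"ts": "2016-01-25T22:10:00", "user": "svc-backup", "src": "backup1", "dst": "fileserver1", "auth": "Kerberos"}
{"ts": "2016-01-26T02:14:00", "user": "alice", "src": "ws-bob", "dst": "fileserver1", "auth": "NTLM"}
{"ts": "2016-01-26T02:15:00", "user": "alice", "src": "ws-bob", "dst": "dc1", "auth": "NTLM"}
{"ts": "2016-01-26T02:16:00", "user": "alice", "src": "ws-bob", "dst": "sql1", "auth": "NTLM"}
{"ts": "2016-01-26T02:17:00", "user": "alice", "src": "ws-bob", "dst": "hr-share", "auth": "NTLM"}
"""

# Constructed baseline of normal per account: where it logs on from and what
# it reaches. In practice this is learned from a clean historical window.
BASELINE = {
    "alice": {"src": {"ws-alice"}, "dst": {"fileserver1", "mail1"}},
    "svc-backup": {"src": {"backup1"}, "dst": {"fileserver1"}},
}

FANOUT_WINDOW = timedelta(minutes=10)  # assumption: tuning knob
FANOUT_THRESHOLD = 3                   # distinct hosts inside the window


def parse_log(text):
    """One JSON object per line; returns records sorted by timestamp."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in records:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(records, key=lambda r: r["ts"])


def detect(records, baseline=BASELINE):
    """Return a list of (rule, user, detail) alerts for the given records."""
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, dst)] seen inside the window
    fanout_fired = set()         # alert once per user, not once per logon
    for r in records:
        user, src, dst, auth, ts = (r[k] for k in ("user", "src", "dst", "auth", "ts"))
        norm = baseline.get(user)
        if norm is None:
            # An account with no history at all is itself worth a look.
            alerts.append(("unknown_account", user, f"{src}->{dst}"))
            continue
        if src not in norm["src"]:
            alerts.append(("unusual_source", user, src))
        if dst not in norm["dst"]:
            alerts.append(("unusual_destination", user, dst))
        # Kerberos is the norm in this constructed domain; an NTLM network
        # logon from a host the account never uses is the classic
        # pass-the-hash shape, since the hash is all the attacker has.
        if auth == "NTLM" and src not in norm["src"]:
            alerts.append(("ntlm_from_unusual_source", user, f"{src}->{dst}"))
        # Fan-out: one credential touching many hosts in a short window is
        # lateral movement, whatever the individual logons look like.
        window = [(t, d) for (t, d) in recent[user] if ts - t <= FANOUT_WINDOW]
        window.append((ts, dst))
        recent[user] = window
        hosts = {d for _, d in window}
        if len(hosts) >= FANOUT_THRESHOLD and user not in fanout_fired:
            fanout_fired.add(user)
            alerts.append(("lateral_fanout", user, ",".join(sorted(hosts))))
    return alerts


def count_by_rule(alerts):
    """Histogram of alerts by rule name."""
    counts = {}
    for rule, _, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def run_example():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Three of the four rules are simple set membership against the baseline; only the fan-out rule needs state, and it fires once per account so that a pivot across twenty hosts yields one alert rather than twenty. The baseline is the expensive part in real life, which is exactly the "know your network" investment the talk keeps returning to.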

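The reputation-service and application-whitelisting points in the talk, as an added example that is not code from the talk or from any vendor product: every binary is hashed, an allowlist is consulted first, and in a segment that is not strictly whitelisted a prevalence table (standing in for the cloud lookup the talk describes) decides, with a hash seen never or only a handful of times blocked. The binaries, the allowlist, the prevalence table and the rarity threshold are all constructed assumptions.

```python
"""Added example (not from the talk): hash-based allowlisting plus a
prevalence ("reputation") lookup for everything that is not allowlisted.

Everything here is constructed: the byte strings stand in for executables,
the allowlist and prevalence table are filled in by hand, and
RARE_THRESHOLD is an arbitrary tuning knob.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "binaries" found on a host (stand-ins for real PE files).
BINARIES = {
    "notepad.exe": b"MZ...notepad build 1",
    "update-agent.exe": b"MZ...vendor updater",
    "svchost_helper.exe": b"MZ...something new",
    "r3d.exe": b"MZ...beacon",
}

# Allowlist for the protected segment: hashes explicitly approved to run.
ALLOWLIST = {sha256_hex(BINARIES["notepad.exe"])}

# Prevalence table: hash -> number of distinct machines that have reported it.
# Stands in for the cloud reputation service the talk describes.
PREVALENCE = {
    sha256_hex(BINARIES["notepad.exe"]): 1_000_000,
    sha256_hex(BINARIES["update-agent.exe"]): 25_000,
    sha256_hex(BINARIES["svchost_helper.exe"]): 1,   # seen exactly once: here
    # r3d.exe is absent: never seen anywhere else
}

RARE_THRESHOLD = 10  # assumption: fewer machines than this is "be afraid"


def classify(data: bytes, strict: bool = False, allowlist=ALLOWLIST,
             prevalence=PREVALENCE, rare_threshold=RARE_THRESHOLD) -> str:
    """Decide whether a binary may run.

    strict=True models the whitelisted crown-jewel segment: only allowlisted
    hashes run. strict=False models the general network, where anything not
    allowlisted is judged by how widely it has been seen.
    """
    h = sha256_hex(data)
    if h in allowlist:
        return "allow"
    if strict:
        return "block:not-allowlisted"
    seen = prevalence.get(h, 0)
    if seen == 0:
        return "block:never-seen"
    if seen < rare_threshold:
        return "block:rare"
    return "allow:reputation"


def scan(strict: bool = False, binaries=BINARIES):
    """Classify every binary on the host; returns name -> decision."""
    return {name: classify(data, strict=strict) for name, data in binaries.items()}


if __name__ == "__main__":
    for segment, strict in (("general", False), ("protected", True)):
        print(segment)
        for name, decision in scan(strict=strict).items():
            print(f"  {name:20s} {decision}")
```

The ordering matters: the allowlist is checked before prevalence so that a deliberately rare in-house tool on the protected segment still runs, while the same tool's hash, if it turned up on a general-segment host that was never given it, would be blocked as rare. Changing a single byte of a binary changes its hash, which is why a list of known-bad hashes alone is the losing game the talk describes and a prevalence count is the harder thing for an attacker to fake.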
30 comments on “USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers”

  1. Whoever convinced the head of TAO at Ft. Meade to give a conference presentation on thwarting nation-state attacks is the person I want handling booking if I ever hold a conference on anything. Damn. One very slight ding: from a news report re. this talk (that actually led me to look for this clip in the first place) it appears that there was a bit of Q & A after the end of the presentation that isn't shown here. Still, thanks very much for uploading this, as well as other presentations from the conference.

  2. One problem with security is the companies like to think of it as insurance.
    They want to pay off a fixed rate to some contractor and be done with it.
    Whereas what they need to do is: whenever a new exploit comes out on the news, they need to have everyone pulling all-nighters, their contractor, their in-house staff, sys admins, developers etc to update everything that's needed to run on a properly patched system.
    But in reality, they're more like… still using java 6 and internet explorer to run some offshore-developed app from 11 years ago. Unless it's mandated by law, that behaviour is unlikely to change soon. Hopefully the recent ransom-ware pay-offs that have been happening push companies to upgrade to using more open-source solutions that are frequently patched/upgraded.

  3. I never trust about what he is talking about. NEVER! If security is your business, you don't talk about how you do it! NEVER!

  4. Uses military terms like exfil etc., I stopped paying attention. Anyone think this guy is anything but a bureaucrat without hands on?

  5. Gee, I wonder if they pen tested Dept of State's network and found Hillary's email server? I wonder if China or Russia did.

  6. The NSA along with the GCHQ in the UK are just a bunch of criminals whose main job is to spy for the multi national corporations and the elite. A very big crime that they are both involved in is called organized stalking or gang stalking. I'm sure most of you have never heard of it and I'm not surprised. It's a covert psychological harassment program that is going on to this day and millions of people worldwide have been targeted by it.

  7. The process and remediations the guy presents are nothing new, any good pen testing outfit will be doing the same, difference is the NSA have virtually unbounded resources to do it. That said, still an interesting talk, shame about the q & a

  8. Just finished watching. A great presentation covering a host of topics everyone responsible for IT security should consider. If you want a technical "how to" manual this is not the presentation for you. If you're not a techie and especially if you are actually vested with security responsibility and authority beyond clacking on a keyboard, this is a must see for you.

  9. Understand that the cyber security field is pretty tight knit. People share their practices and failures because that makes everything more secure as a whole. What is shown in this video isn't some trick to get you to shift your attention, it is there to get you to understand where people have failed and how to correct it. The more people understand, the better off everyone is.

    Understanding is lacking on many levels. Whitelisting is mentioned as an incredible wall that is hard to break down. Why doesn't everyone implement it? It is hard. It is hard because not only do you need to fully understand your network, but the average user fights this change because it makes their ability to change the baseline difficult. If these practices were better understood, the average user may be more accepting of whitelisting.

    Anomaly detection is difficult for the same reason. People do not want you to monitor them and their devices. However, administrators have to know everything happening in their network to really make these methods work and they need to investigate everything out of the ordinary.

    So the problem we really have is discomfort. The administrators have enough of their plate without having to review logs constantly (or write signatures to help automate this), the business does not want to lose productivity waiting for baseline changes to occur, and the end user does not want to give up the ease of use they have when they are free to do, use, and transfer whatever they want.

    More users need to understand the level of threat that is present and how the organization's policies and practices are protecting them. They need to understand that their work, information, livelihood is at risk when security is weakened for comfort. They also need to understand that all of their devices and accounts are pivot points. An attacker can wait as long as necessary waiting for an opportunity to elevate privileges. Every "crack" as described in this talk is an opportunity to move one step closer to a goal. Understanding these risks will hopefully change the perspective of those resisting this change for the better. All network users should understand the basics of the topics in this video.

  10. this is a load of crap. No government man knows more than the developers. Code writers are not developers.
    All I can say is honey pot

  11. Know Thyself: it is an olympic ideal to either become or sustain competitive greatness. This use of Know Thyself for InfoSec Defense is spot on. The model of three attackers: opportunist, advanced persistent and destructive is excellent also. From this talk alone, a world class InfoSec program could be built.

  12. HAHA at 30:40 he mentions Steam games and this was 2 years before the Steam RCE was found ! Don't give away our secrets accidentally Rob 🙂
