Threat Intelligence and Audience Awareness

I find it uncontroversial to claim that content creators – whether in writing, music, or other media – at some level must be aware of the needs and capabilities of their audience. While certain types of expression, such as the truly artistic, provide greater leeway in moving against (while trying to push forward) audience taste and understanding, most others are built for a reason: to inform, to entertain, to describe. When the audience or intended target …

Naming, Necessity, and Activity Group Attribution

The idea of naming or labeling items has a fraught intellectual history. Broadly speaking, Western thought moved from an Aristotelian approach, where the names and identifications of objects fundamentally mean something based on concrete descriptions, to a perspective rooted in Kantian transcendental idealism, where names are merely a collection of observations built into a description divorced from the “thing in itself.” Enter Saul Kripke, who argued that names instead represent …

Indicators and ICS Network Defense

A previous post on indicators and network defense generated quite a bit of attention, as well as some requests for follow-up items. One item in particular was very interesting to me: comparing an actionable, effective threat intelligence report not relying on indicators with a “bad” example. I think this idea is interesting, but somewhat dangerous simply because I don’t want to be the person to crap on another’s work, which is almost certainly how such …

The Disappearing IT-IoT Divide

Note: This originally appeared as part of ISACA GWDC’s IoT Security Conference in April 2018.

Executive Summary

Nominally IT-focused threats, such as the recent series of wormable, disruptive malware variants from WannaCry through OlympicDestroyer, will increasingly impact Internet-of-Things environments. The combination of rapid, automated propagation with multiple capabilities for accessing vulnerable systems – whether through exploit or credential capture – provides adversaries with multiple routes to spread through a target …

Indicators and Network Defense

When I led incident response operations at Los Alamos National Laboratory, we subscribed to several ‘threat intelligence’ feeds: big commercial providers, secret-squirrel (theoretically) government-only information, and other miscellaneous items. Almost without exception, if the feed did not provide reports that detailed how an attack or intrusion took place and oriented this within the broader scope of malicious activity, I took one simple action: I extracted whatever indicators existed in the report, retrieved samples, and …

Deductive and Inductive Reasoning, and Information Security

The School of Athens is one of the most famous images of Renaissance painting, blending Classical historicism with an increasing appreciation for the intellectual history passed down from Greece to the Western world. The figures at the center of this image represent divergent views in how we reason about and understand the world: the elderly Plato, pointing up to the world of Forms from which all of reality springs, and Aristotle pointing to Earth (level, …

Cyber Nationalism in the Age of Commercial Defense

Patrick Howell O’Neill and Chris Bing recently dropped a very interesting report on yet another possible action against Kaspersky by the US government. In this specific case, the possible sanctions are oriented around larger actions against Russia, Kaspersky’s home, but the move stands as yet another public blow to the security company by US authorities. In many respects, this latest action is almost irrelevant, as elements of the US government have strongly advised the private sector for …

The Art and Science of Threat Profiling

This year I facilitated a discussion – formally, a ‘Peer-to-Peer Session’ – at RSA focused on threat profiling. The concept of ‘threat profiling’ is usually new to infosec practitioners, who are typically used to ‘threat intelligence’, ‘risk management’, and similar terms. Threat profiling as a concept and practice refers to the identification, scoping, and classification of threat vectors facing the defended environment. As you might already suspect, this process is not a ‘one-size-fits-all’ endeavor, but …

Thoughts on RSAC and Conferences

RSAC Week is upon us, and with it will come a flurry of social media postings emphasizing the lack of value behind the event. Common criticisms include: an overwhelming focus on marketing, a lack of compelling technical content, and an overemphasis on glitz. One could describe the event as a gigantic information security ‘sugar rush’ with no real benefit. First, a disclosure: I will facilitate a ‘Peer2Peer’ session at RSAC for the second year in a …

On Threat Hunting

The information security community is fundamentally no different from any other industry. Whenever a certain feature, concept, or buzzword bubbles to the top of the underlying conversational froth, entities (trying to make money) will attempt to appropriate this idea in some fashion to show that their product ‘fits’ the current zeitgeist. Such is the case with ‘threat hunting’, an operational concept mostly (if not solely) applicable to an organization’s procedures (as opposed to its technology) …