The Art and Science of Threat Profiling

This year I facilitated a discussion – formally, a ‘Peer-to-Peer Session’ – at RSA focused on threat profiling. The concept of ‘threat profiling’ is usually new to infosec practitioners, who are typically used to ‘threat intelligence’, ‘risk management’, and similar terms. Threat profiling as a concept and practice refers to the identification, scoping, and classification of threat vectors facing the defended environment. As you might already suspect, this process is not a ‘one-size-fits-all’ endeavor, but Read more…

Thoughts on RSAC and Conferences

RSAC Week is upon us, and with it will come a flurry of social media postings emphasizing the lack of value behind the event. Common criticisms include: an overwhelming focus on marketing, a lack of compelling technical content, and overemphasis on glitz. One could describe the event as a gigantic information security ‘sugar rush’ with no real benefit. First, a disclosure: I will facilitate a ‘Peer2Peer’ session at RSAC for the second year in a Read more…

On Threat Hunting

The information security community is fundamentally no different from any other industry. Whenever a certain feature, concept, or buzzword bubbles to the top of the underlying conversational froth, entities (trying to make money) will attempt to appropriate this idea in some fashion to show that their product ‘fits’ the current zeitgeist. So is the case with ‘threat hunting’, an operational concept mostly (if not solely) applicable to an organization’s procedures (as opposed to its technology) Read more…

On Public Disclosure And Other Items

Kaspersky recently released a new public report on a group they refer to as ‘Slingshot’ (https://securelist.com/apt-slingshot/84312/). Aside from being a fairly complex adversary based on the description, one thing immediately struck me in the first paragraph: “This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.” For those watching at home, Project Sauron and Regin – Read more…

Attribution Confusion

The idea of attribution has been on my mind a lot lately – so much so that I’ll talk to the issue twice in the next couple of months, on both sides of the Atlantic (BSidesCharm and X33Fcon). To recap my position and preview my upcoming presentations: the most practical and useful form of attribution in operational network defense focuses on ‘how’ and not ‘who’. Essentially: defenders are best served by identifying a set of Read more…

Learning Lessons from Navy Missile Defense for Infosec Planning

Prior to embarking on a full-time information or network security career, I served as a US Navy Information Warfare Officer (IWO) for five years. While ‘cyber’ took up the majority of my time, I also spent a large amount of time and effort on one of the original IWO reasons for being: anti-ship missile defense (ASMD) through electronic warfare (EW). When it comes to anti-ship missiles, there are multiple layers of defense up to and Read more…

Threat Analytics and Activity Groups

Originally Published at Dragos

Computer and network defense has typically focused on ‘indicators of compromise’ (IOCs) to drive investigations and response. Anomaly detection and modeling (e.g., machine learning approaches) are also increasingly used for alerting purposes, but due to the lack of context of adversary activity, they are of limited utility in tracking threats or informing investigations – thus, they will not be discussed in-depth here. Returning to IOCs, while they have value, the name indicates Read more…

It’s Dangerous to Go Alone!

I’ve played with blogging platforms and efforts previously, but have done so while in especially ‘non-public’ roles – as a US Navy Officer, as a member of Los Alamos National Laboratory, etc. Now that I’ve embarked on this grand private sector experiment with a subsequent increase in public interaction and appearance, it seems only natural to branch out into deeper discussion than that afforded by Twitter and LinkedIn posts. So, this site exists to present and distill my thoughts on information security, ICS security, and the occasional random strategic thought into something (hopefully) valuable to the wider Read more…