Category Archives: Incident Response

How Nat Prakongpan Found His Home on the Cyber Range

While most kids were bickering with siblings and fawning over the newest toys, young Nat Prakongpan was building an enterprise network for his school.

Before he became senior manager at the IBM Integration and Threat Intelligence Lab and built a state-of-the-art cyber range from the ground up, Nat spent his childhood in Thailand surrounded by computers. He started programming at age five. At 13, he was certified in network security by one of Thailand’s national labs.

Such was his passion for computing that he stopped going to school in grade six to teach himself at home and later earn a GED — though Nat is quick to point out that his old school let him hang around without attending class, so he was “socialized.”

“When everyone was in class, I was building the computer lab,” Nat laughs. “That’s how I gained experience in building an enterprise network when I was in grade seven.”

That’s right — Nat built his school’s entire network, deploying around 500 machines with everything an enterprise network needed at that time. But this was right as the internet was starting to boom, and, of course, the system was compromised.

“That’s how I quickly pivoted to learning security,” says Nat. “I took more certification classes when I was 15 and was ultimately able to secure that network.”

From Wunderkind to Network Security Expert

So how does a Thai child genius end up in Atlanta tinkering with IBM Security products to get them to talk to each other? If you ask Nat, it was a “total fluke” — in fact, he said much of his adult life is comprised of a series of happy accidents that led him to build IBM’s Cyber Range from the ground up.

The way Nat tells it, he had a few months between finishing his home-schooling and starting university, so he came to the U.S. to stay with his brother-in-law (who was then earning his master’s degree at the University of Florida) and attend an English-language school. His mother encouraged him to apply at the same university and, much to Nat’s surprise, he was accepted, so he stayed for the five years it took to earn his degree in computer engineering.

Like many of his classmates, he struggled to land a good job right out of school. Cue the next happy accident: A friend dragged him along to an information session by Internet Security Systems (ISS) at his alma mater. He had a chat with the team, and they called him at 7 a.m. the next day and asked him to come in for an interview “now.” He got the job and moved to Atlanta.

In an alternate universe, Nat would have led a very different life.

“I would probably have gone to a technical school somewhere in Thailand and worked at some corporation,” he says. “The U.S. and the job I’m in right now is more research and development, but a lot of jobs in Thailand or in Asia are more product users — looking for products to buy versus what we need to build to make things happen. It would be a lot less interesting.”

Home on the Cyber Range

Instead, Nat ended up at IBM Security following IBM’s acquisition of ISS. Still in Atlanta, he now leads the team that ensures all the individual products from IBM Security can work with and talk to each other to provide seamless end-to-end security for customers.

“We write the glue for those products that makes them work together,” he says. “None of them work together out of the box, but my team has the knowledge across all their areas of expertise to make one story from end to end.”

But Nat’s proudest achievement is the IBM Cyber Range in Cambridge, Massachusetts, the first-ever commercial cyber simulator offering a virtual environment in which companies can interact with real-world scenarios to bolster their threat protection and response capabilities. It’s his baby; he architected the technology, got the funding and designed the scenarios. Nat’s team then created a fictional global corporation with around 3,000 virtual workers, built an enterprise network and invented threats. The end result is a fully immersive simulation developed solely to help organizations and individuals learn about crisis situations and improve their incident response skills.

“The training in the Cyber Range is the ultimate success that I have so far: to be able to teach people and pass on the knowledge of best practices,” he says.

Nat may be among the few who built the facility, but he certainly isn’t the only one who recognizes its value. With the Cambridge location now booked more than half a year out, the IBM team set about its next challenge: taking the cyber simulator experience on tour.

IBMer Nat Prakongpan Found His Home on the Cyber Range

Taking the Range on the Road

“One of the things we’ve learned is that our customers invest a lot of time and resources to come though the Cyber Range in Cambridge,” Nat reflects. “It is difficult for a client to bring all its high-level executives into the same location on the same day.

“We were also having a hard time deciding which IBM office would be the host of our next cyber range.”

At this point, the team began exploring more flexible options that would allow the greatest number of people to benefit from the cyber simulation experience. Ultimately, Nat and his colleagues built the first-of-its-kind IBM X-Force Command Cyber Tactical Operations Center (C-TOC).

The C-TOC is not just a state-of-the-art cyber simulation on wheels — Nat proudly explains that it is “a real security operations center (SOC) able to serve live events such as high profile conferences and sporting events.” And to top it all off, the C-TOC is designed to respond to a live attack.

“We can drive up to a client’s site and be able to monitor the attack, as well as perform forensic investigation on systems and networks,” Nat says.

Bringing the C-TOC from a dream to reality involved many of the same technical challenges as creating the Cambridge Cyber Range. The C-TOC, however, is a mobile unit built from the ground up, and Nat’s team therefore had a host of additional considerations to account for, including materials, lighting, electrical, air conditioning, ventilation and more. And to top it all off, they had to maintain compliance with motor vehicle regulations in the U.S. and Europe and ensure that all the technology deployed within the unit would be able to survive the twists and turns of the road.

Nat remembers the first time he heard the C-TOC idea mentioned by IBM Security VP Caleb Barlow.

“Obviously my first thought was that this is a great idea and there are so many possibilities for what we can do with this mobile platform,” he recalls. “My second thought, after I had a little more time, was, ‘Wow, I am going to be responsible for making this all happen!'”

To the surprise of none of his teammates, Nat overcame the obstacles associated with the project, and the C-TOC rolled into action in October 2018. This month, the mobile cyber range will begin a tour of Europe, bringing real-world cyber incident training across the continent.

For Nat, the most rewarding aspect of his involvement with both the Cambridge Cyber Range and the C-TOC has been the responses from IBM customers.

“The excitement we have seen over these projects was phenomenal,” he says. “I think the C-TOC especially also inspires the next generation of youngsters and college students to see what’s possible in cybersecurity and how they can be involved.”

Meet X-Force Command Center Creative Director Allison Ritter

The post How Nat Prakongpan Found His Home on the Cyber Range appeared first on Security Intelligence.

Data Breach Fatigue Makes Every Day Feel Like Groundhog Day

The constant string of data breaches isn’t what I’d call funny, but it does make me think about one of my favorite cinematic comedies. The film “Groundhog Day” stars Bill Murray as a grumpy weatherman who travels to the little town of Punxsutawney, Pennsylvania, where a famous rodent supposedly predicts when spring will arrive.

According to some unexplained movie logic, Murray’s character ends up caught in a time warp so that he wakes up the day after Groundhog Day and it’s — you guessed it — Groundhog Day once again. No matter what he does, he wakes up day after day and the same events happen again and again. As you can imagine, the poor weatherman starts to lose his mind and, for a time, gives up trying to change his fate.

In the world of cybersecurity, things don’t appear to be much different. If it feels like there’s a new data breach reported every day, that’s because it’s more or less true. According to the Privacy Rights Clearinghouse, there have been 9,033 data breaches made public since 2005 — and those are just breaches that were reported in the U.S. or affected U.S. consumers. Spread out over the last 14 years, that averages out to about 1.77 breaches a day.

All told, there were at least 11.6 billion records lost in those breaches. The consequences for the economy and individual businesses and consumers are mounting, and the cost of these breaches is staggering if you consider the average cost per lost record, which was $148 in the U.S. last year.

These data points raise other questions about the human impact of data breach Groundhog Day, if you will. How does the daily barrage of data breaches affect our behavior? Are we responding with urgency to this growing problem as consumers, businesses and security professionals? Or have we given a collective shrug, accepting that this is the new normal?

What Does Data Breach Fatigue Look Like?

One apparent consequence of constant breaches is data breach fatigue — the idea that consumers have become inured to the effects of data breaches and are less motivated to do anything to protect themselves. The data breach fatigue effect is a little hard to calculate, but there is some evidence it exists, and the fallout is harmful to both consumers and the breached organizations.

In one study, researchers measured consumer sentiment on social media in the aftermath of a breach at the U.S. Office of Personnel Management that affected 21.5 million people. According to the study, overall sentiment about the breach was tinged with anxiety and anger, but victims of the breach showed higher levels of sadness. Moreover, social media chatter about the breach dropped off significantly over time. Two months after the breach, engagement was almost nonexistent, which the researchers said showed acceptance, apathy and the onset of breach fatigue.

While there isn’t a lot of data on how people respond to having their personal information breached, there is some evidence in consumer surveys that data breach fatigue is setting in. For example, a significant proportion of users don’t take proactive steps to improve their security after a breach, such as changing their passwords or checking their credit score. Although almost 50 percent of respondents to a 2016 Experian survey said they were taking more precautions to protect their personal information, just 33 percent check their credit scores regularly and only 36 percent review the privacy policies of the companies they do business with.

In another study conducted by RAND Corporation, only half (51 percent) of survey respondents said they changed their password or PIN after a breach, and a scant 4 percent said they started using a password manager. While 24 percent said they became “more diligent” in response to a breach, 22 percent took no action whatsoever.

Finally, a survey conducted by Ponemon Institute in 2014 on behalf of Experian found that many consumers were taking a passive approach to data breach notifications. Of the 32 percent of consumers who had received at least one data breach notification in the prior two years, their concern about breaches didn’t necessarily produce an urgent response. Although 45 percent of breach victims said they were “very concerned” or “extremely concerned” about the potential for identity theft, 32 percent said they ignored the breach notification or took no action, and 55 percent said they did nothing to protect themselves from identity theft.

If data breach fatigue contributes to consumers failing to take the necessary precautions to protect themselves, it could leave those consumers at greater risk of identity theft, damaged credit, financial loss and privacy violations. But before we start blaming the victims for being irresponsible, it’s clear from the Ponemon/Experian study that many breach victims feel powerless or even trapped because the products and services they depend on from breached companies can’t easily be replaced, and nothing they can do as individuals will change the likelihood that their data will be breached.

The Dangers of Data Breach Fatigue

There’s another risk from data breach fatigue that is maybe underappreciated: that organizations will assume their security and privacy practices won’t matter to consumers. We know from surveys that consumers are very concerned about cybersecurity, but constant breaches have caused a steady erosion of trust between businesses and customers.

In another consumer survey from 2018, conducted by The Harris Poll on behalf of IBM Security, only 20 percent of respondents said they “completely trust” organizations they interact with to maintain the privacy of their data, and 73 percent said it is extremely important that companies take swift action to stop a data breach.

People do care about the security and privacy of their information, and some will take their business elsewhere. In the 2014 Ponemon survey for Experian, 29 percent of respondents said they stopped doing business with a company after a breach.

There are some things organizations can do to start rebuilding trust. Consumers expect a certain baseline of activity in a company’s response that includes identity theft protection and credit monitoring, access to customer service to handle questions and, perhaps most importantly, a sincere apology.

According to Michael Bruemmer, a vice president of consumer protection at the Experian Data Breach Resolution Group, the following steps are crucial to effective communications after a breach:

  • Provide timely notification explaining what happened and why.
  • Explain the risks or impact to the customer as a result of the breach.
  • Explain all the facts and don’t sugarcoat the message.
  • Make the communications more personal with less technical and legal jargon.
  • Describe easy-to-follow steps for customers to protect themselves from identity theft and fraud.
  • Consider using other communication channels to reach customers, including social media and a secure website to answer frequently asked questions and a way for customers to enroll in identity theft protection services.

Practice Your Incident Response Plan

Communicating with customers after a breach is just one element of an effective incident response (IR) plan. But most organizations don’t have any plan for responding to a breach.

Caleb Barlow, vice president of threat intelligence at IBM Security, said having an incident response playbook is “just the beginning.” Organizations need to practice for a full-business response and hone the crisis leadership and communication skills of executives, board members and heads of key departments, such as PR and HR.

“In the heat of the moment, there’s no time to fumble through the playbook and figure out what to do next,” Barlow wrote in a blog post. “That’s when your training and muscle memory kicks in and you execute your plan. If you don’t practice it, you are exposed to an avoidable disadvantage.”

To stop the cycle of data breaches and data breach fatigue, organizations and consumers alike need to shake off our fatalism and reluctance to change. Cyberattacks and breaches may be inevitable, but we have control over the way we respond, and we can’t afford to accept the status quo.

We can’t keep doing the same things and expect different results. If data breach fatigue keeps organizations stuck in a pattern of passive and uncoordinated breach responses — and if consumers remain reluctant to take security into their own hands — then every day is going to feel like just another Groundhog Day.

Learn how to build your breach response plan

The post Data Breach Fatigue Makes Every Day Feel Like Groundhog Day appeared first on Security Intelligence.

#MyInfoSecStory Contest: Win The Course Of Your Choice

Has eLearnSecurity or one of our training courses helped you or your career? We’d love to know that story! Get a chance to win your favorite course this month with our #MyInfoSecStory LinkedIn contest. Discover how to enter and the guidelines for your chance win below.

Reading from a mobile? Click on the Infographic to enlarge it.

Get your keyboards in order — Ready, set, go!

Click the links below to share this contest with your friends and colleagues:

Connect with us on Social Media:

Twitter | Facebook | LinkedIn | Instagram

Employee Data Compromised in Airbus Breach

Aircraft maker Airbus on Wednesday revealed that information on some of its employees was compromised as a result of a data breach.

According to the company, it detected an intrusion on systems associated with its Commercial Aircraft business, but claims that the incident has not impacted its commercial operations.

read more

SecurityWeek RSS Feed: Employee Data Compromised in Airbus Breach

Aircraft maker Airbus on Wednesday revealed that information on some of its employees was compromised as a result of a data breach.

According to the company, it detected an intrusion on systems associated with its Commercial Aircraft business, but claims that the incident has not impacted its commercial operations.

read more

SecurityWeek RSS Feed

SecurityWeek RSS Feed: Yahoo Breach Settlement Rejected by Judge

A U.S. judge has rejected the settlement between Yahoo and users impacted by the massive data breaches suffered by the company, citing, among other things, inadequate disclosure of the settlement fund and high attorney fees.

read more

SecurityWeek RSS Feed

Social Engineering Training: Why Getting Hacked Is a Security Advantage

It was one of the highest phishing rates I had ever seen: Almost 60 percent of employees clicked the malicious link. Yet the client, a chief information security officer (CISO) of a Fortune 100 company, asked a question that caught me completely off-guard.

“So what?” he said, clearly unimpressed.

As a “people hacker” for X-Force Red, IBM Security’s team of veteran hackers, I’ve performed social engineering exercises for companies around the world. There seem to be a lot of misconceptions about my job and the usefulness of social engineering assessments in security audits.

Confronted with that CISO’s indifference, I tried to explain exactly how serious our findings were and what the consequences might mean for the business.

During this assessment, my team started off by getting several payloads through the company’s email filters undetected. We identified that only two of the 300 employees reported the phishing email. The incident response (IR) team didn’t start its investigation until two days later; during those two days, we managed to infiltrate some of the legal team’s email accounts, where we discovered that the company was the target of a lawsuit that wasn’t yet public. If that lawsuit were to leak, it could significantly hurt the company’s reputation.

Additionally, by reusing some of the passwords we had compromised, we were able to log in to multiple employee payroll accounts, where we had access to direct deposit information — again, undetected. A criminal attacker could have changed direct deposit account numbers to siphon funds from employee paychecks.

My answer seemed to surprise the CISO and his team. In the end, they acknowledged that I provided a lot more information about their security posture than they expected to receive from the assessment.

Learn more at the Jan. 29 webinar

Components of a Quality Social Engineering Assessment

If you ask someone to define a social engineering assessment, they would most likely say it tests the human aspect of security. However, if done correctly, it evaluates much more than that. Yes, assessments track how many times employees click a link, open an attachment or divulge sensitive information to a suspicious recipient on the phone. However, they can also assess if and how employees are reporting suspicious activity, and the effectiveness of IR and security awareness training programs.

With a well-designed assessment, the client should have a better understanding of how their IR team handles social engineering attacks. Many components of IR programs can be analyzed by answering questions such as:

  • How much time did it take for the IR team to respond to the social engineering activity?
  • Did the IR team follow any playbooks?
  • Did the team determine which employees knowingly or unknowingly divulged credentials, and did they issue password resets for those users?
  • If employees provided their credentials, did the IR team investigate whether those credentials were being used elsewhere as part of a suspicious activity?

In this type of engagement we test more than just people and processes; we can assess the effectiveness of security technologies too. Many of the actions performed — such as emailing a malicious payload, having an employee open a malicious USB device on their workstation, etc. — attempt to bypass different types of technologies in places such as email filters, intrusion detection systems (IDSs), antivirus software and more. Social engineering attack vectors test deployed technology to determine whether the social engineer can bypass them.

Effectiveness and Ethics of Social Engineering

Some critics have argued that social engineering assessments are pointless, as they know employees will always fail against such an attack. But these assessments provide valuable metrics, which are important to track over time to identify how employees are performing and identify any major deviations. Often, individual employees fall victim repeatedly. It’s important to identify these users so they can receive additional training, and the company should ensure those accounts have limited access.

Others have pointed to social engineering tests that went too far, such as targeting employees’ personal accounts. Each social engineering consultancy tests differently. That’s why it’s important for security leaders to define what’s acceptable for the company, so that testers don’t cross any ethical lines. This conversation between security leaders and testers typically happens during the scoping process.

Here’s another common refrain: “We already have a security awareness training program in place, and it covers social engineering.” But how do you know the program is effective? Without properly testing it, there is no way to determine whether it could efficiently and successfully contain an attack. Plus, employees should have continuous opportunities to identify social engineering activities. It is not a one-and-done exercise. Social engineering exercises are the most realistic training employees can get outside of an actual attack.

How a Box of Doughnuts Can Breach Your Defenses

Some of the social engineering assessments performed by X-Force Red include physical tests, such as walking into a building carrying a box of doughnuts to get past security, and remote tests, such as impersonating an auditor to trick employees into divulging sensitive corporate data over the phone. For each test, only a limited amount of company insiders know we are coming, and we scope the project ahead of time to ensure it is effective and ethical.

I can’t give away all our tricks of the trade, but you’ll have an opportunity to hear from five X-Force Red hackers, including me, when we share our greatest hits and best practices during a one-hour webinar on Jan. 29 at 11:00 a.m. EST. You may be surprised by some of the many ruses that get us through the door.

Register for the Jan. 29 webinar

The post Social Engineering Training: Why Getting Hacked Is a Security Advantage appeared first on Security Intelligence.

Security for startups: why early-stage businesses can’t neglect this risk

In the early days of a startup, it’s easy to get caught up in the buzz of building a new business. Keeping so many plates spinning – from
fundraising and hiring to shipping product – can mean security sometimes falls off the priority list. But in the face of ever-rising volumes of data breaches and security incidents, it’s a subject that early-stage companies can’t afford to ignore.

That was one of the key themes from a wide-ranging discussion at Dogpatch Labs, the tech incubator in Dublin’s docklands. The speaker was Todd Fitzgerald, an information security expert and Dogpatch member. His ‘fireside chat’, as the event organisers dubbed it, looked at why no company is too small to develop a cybersecurity strategy.

Pragmatic approach

Todd shared insights into a pragmatic approach to cybersecurity strategy and the implications of recent security and privacy breaches. “Any company that doesn’t have cybersecurity as one of their top five risks is really not addressing cybersecurity,” he said.

Recent ransomware outbreaks have shown cybercrime’s huge impact, no matter the size of the victim. FedEx and Maersk each suffered $300 million in damages from the NotPetya ransomware. Data breaches are a growing risk. In 2005, there were an estimated 55 million reported breaches in the US. Now, that figure is somewhere close to 1.4 billion. As Todd pointed out, those are only the ones we know about because victims have reported them.

Startups, in tech especially, often rely heavily on data but that brings added responsibility. “If you don’t know where your data is and you don’t know the privacy laws around it, how can you give any kind of assurance [to customers] that you’re protecting that?” asked Todd.

Strategy vs execution

The moderator asked the obvious question: why should startups care about cybersecurity when they’re concerned about getting product out the door? Financial loss due to ransomware is one reason, and there are many other common security issues a startup needs to think about. Protecting valuable intellectual property is critical. If a startup’s bright idea falls into the wrong hands, a competitor could reverse engineer the code and bring out a copycat product in another market. “It’s the same issues, just the scale is different,” Todd said.

Startup teams can change quickly while the business is still evolving, so another risk to watch is staff turnover. Without proper authentication, ex-employees could still have access to confidential files after they leave the company. Simple carelessness is another potential threat: someone might accidentally delete important code from a server. Startups need to put incident response processes in place in case the worst happens. “There is business benefit to having good security,” Todd said.

For founders with no infosecurity experience, Todd also offered advice on protecting an early-stage company on a shoestring budget. He recommended speaking to an independent consultant who can advise on a cybersecurity strategic plan that reflects the business priorities.

Starting on security

Startup founders can start to familiarise themselves with the subject by reading cybersecurity frameworks like ISO 27001. The information security standard costs around €150 to buy, is easy to read and is suitable for companies of any size. “Walk through it and ask yourself: ‘would I be protected against these cybersecurity threats?’ That will probably prompt you to do a vulnerability assessment against your environment,” he said.

Todd Fitzgerald has more than 20 years’ experience in building, leading and advising information security programmes for several Fortune 500 companies. He has contributed to security standards and regularly presents at major industry conferences. A published author, he wrote parts of his fourth and most recent book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, in Dublin.

The post Security for startups: why early-stage businesses can’t neglect this risk appeared first on BH Consulting.

DHS Warns Federal Agencies of DNS Hijacking Attacks

The U.S. Department of Homeland Security (DHS) on Tuesday issued an emergency directive instructing federal agencies to prevent and respond to DNS hijacking attacks.

read more

It’s oh so quiet: get ready for stealthy malware in 2019

It’s unlikely we’ll ever look back fondly to a time when ransomware would announce itself noisily. But at least victims knew they were under attack. Now, the signs are that malware’s adopting sneaky tactics to avoid detection.

Fileless malware looks set to be a significant security threat in 2019, and that could be bad news for anyone using traditional antivirus tools. In the past, most infections involved installing malicious software on a target’s hard disk. But in doing so, it left a signature that alerted security software to its presence. Fileless malware, on the other hand, exists only in memory. It leaves none of the traces that traditional infections do, making it much harder to identify, stop, and remove.

That’s leading to a potential gap in security defences that attackers seem to be exploiting in growing numbers. SentinelOne tracked a 94 per cent rise in fileless attacks during the first half of last year. Research from the Ponemon Institute and Barkly found fileless attacks accounted for 35 per cent of all attacks during 2018.

Under the radar

Now, most leading security software companies like Symantec, Trend Micro and McAfee Labs recognise this type of undetected malware. It was also the subject of a recent webinar by Malwarebytes. Its senior product marketing manager Helge Husemann namechecked SamSam, Sorebrect, Emotet and TrickBot as some of the biggest fileless malware types from 2018.

Emotet is the biggest example of this type of “under the radar” malware. It’s been around since 2014 and it acts as a downloader for other malware. It uses leaked NSA exploits and it comes with a built-in spam module that allows it to spread to other systems. The attack often starts as an email that pretends to come from a government service, like the tax office.

Husemann said Emotet’s primary focus has been English-speaking, Western countries. Many of its targets were in the US, while the UK had more Emotet infections than any other European country in 2018. Last October, Emotet was used to spread ransomware to the North Carolina Water Authority.

Malwarebytes categorises the SamSam ransomware as semi-fileless. Husemann said attackers usually install it manually through patch scripts once they have already broken into a victim’s network. The city of Atlanta, which suffered a major outbreak of SamSam in March 2018, has spent around $2.6 million on recovery.

A common attack vector for fileless malware is via PowerShell, which is a legitimate Windows scripting tool but is also popular with cybercriminals. “It provides an opportunity for the attacker to hide the malware and make system modifications if they need to. We will definitely see the usage of PowerShell happening much more,” Husemann said.  

Watching for weak points

Another way to get an infection is by visiting a compromised website. The site’s code then exploits a vulnerability like an unpatched browser or an unsecured Flash plugin on the user’s computer.

Rebooting a system will usually get rid of a fileless infection – but you would need to know you’re infected in the first place. What’s more, rebooting creates challenges for digital forensics investigations because of how fileless malware operates in-memory. Once the infected system is turned off, it leaves no evidence behind.

With thousands of new malware variants coming out every day, it won’t be enough to rely only on signature-based security tools to spot threats. “Malware may be hiding in the one place you’re not checking, which is process memory. After years of loud and obvious ransomware we are entering the stage of quiet information stealers,” Husemann said.  

An effective endpoint solution should consist of three components, Husemann said. First is the ability to prevent a cyberattack through multiple protection layers including web protection, application hardening and behaviour, exploit mitigation, and payload analysis. The second component is the ability to detect threats, using advanced techniques. The third element concerns response: being able to remediate an incident in the fastest possible time, to minimise disruption to business and reduce the impact on end users.

BH Consulting is independent so we don’t have ties to any one product vendor. No matter which security tool you use, it’s clear that the software we used to call “antivirus” still has an important role in protecting organisations’ valuable data.

The post It’s oh so quiet: get ready for stealthy malware in 2019 appeared first on BH Consulting.

Need a Sounding Board for Your Incident Response Plan? Join a Security Community

Incident response teams face myriad uphill battles, such as the cybersecurity skills shortage, floods of security alerts and increasing IT complexity, to name just a few. These challenges often overwhelm security teams and leave security operations center (SOC) directors searching for strategies to maximize the productivity of their current team and technologies to build a capable incident response plan.

One emerging solution is a familiar one: an ecosystem of developer and expert communities. Collaborative online forums have always been a critical part of the cybersecurity industry, and communities dedicated to incident response are growing more robust than ever.

How to Get Involved in a Developer Community

Incident response communities can be a crucial resource to give security analysts access to hands-on, battle-tested experience. They can deliver highly valuable, lightweight, easy-to-use integrations that can be deployed quickly. Community-driven security can also provide playbooks, standard operating procedures (SOPs), best practices and troubleshooting tips. Most importantly, they can help foster innovation by serving as a sounding board for your team’s ideas and introduce you to new strategies and techniques.

That all sounds great, but how do you know what community can best address your incident response needs? Where do you begin? Below are a few steps to help you get started.

1. Find the Communities That Are Most Relevant to You

To combat new threats that are being coordinated in real time, more and more vendors and services are fostering their own communities. Identify which ones are most relevant to your industry and business goals.

To start, narrow down your search based on the security products you use every day. In all likelihood, you’ll find users in these product-based communities who have faced similar challenges or have run into the same issues as your team.

Once you’ve selected the most relevant communities, make sure you sign up for constant updates. Join discussion forums, opt in to regular updates, and check back frequently for new blogs and other content. By keeping close tabs on these conversations, you can continuously review whether the communities you’ve joined are still relevant and valuable to your business.

2. Identify Existing Gaps in Your Security Processes

Communities are disparate and wide-ranging. Establishing your needs first will save you time and make communities more valuable to you. By identifying what type of intelligence you need to enhance your security strategy and incident response plan ahead of time, you can be confident that you’re joining the right channels and interacting with like-minded users.

Discussion forums are full of valuable information from other users who have probably had to patch up many of the same security gaps that affect your business. These forums also provide a window into the wider purpose of the community; aligning your identified gaps with this mission will help you maximize the value of your interactions.

3. Contribute to the Conversation

By taking part in these conversations, you can uncover unexpected benefits and give your team a sounding board among other users. As a security practitioner, it should be a priority to contribute direct and honest information to the community and perpetuate an industrywide culture of information sharing. Real-time, responsive feedback is a great tool to help you build a better security strategy and align a response plan to the current threat landscape.

Contributing to a community can take various forms. Community-based forums and Slack channels give developers a voice across the organization. By leveraging this mode of communication, you can bring important intelligence to the surface that might otherwise go under the radar. Forum discussions can also expose you to new perspectives from a diverse range of sources.

A Successful Incident Response Plan Starts With Collaboration

For its part, IBM Security gathers insights from experienced users across all its products in the IBM Security Community portal. Through this initiative, IBM has expanded its global network to connect like-minded people in cybersecurity. This collaborative network allows us to adapt to new developments as rapidly as threats evolve.

Collaboration has always been cybercriminals’ greatest weapon. It creates massive challenges for the cybersecurity industry and requires us to fight back with a united front of our own. With the support of an entire security community behind you, incident response tasks won’t seem so overwhelming and your resource-strapped SOC will have all the threat data it needs to protect your business.

Discover Community Day at Think 2019

The post Need a Sounding Board for Your Incident Response Plan? Join a Security Community appeared first on Security Intelligence.

Security newsround: January 2019

We round up interesting research and reporting about security and privacy from around the web. This month: the security year in review, resilience on rails, incidents in depth, phishing hooks millennials, Internet of Threats, and CISOs climbing the corporate ladder.

A look back at cybercrime in 2018

It wouldn’t be a new year’s email without a retrospective on major security incidents over the previous 12 months. Credit to CSO Online for assembling a useful overview of some of last year’s most common risks and threats. To beef up this resource, it sourced external research and stats, while adding plenty of links for further reading. Some of the highlights include the massive rise in cryptocurrency mining. “Coin miners not only slow down devices but can overheat batteries and sometimes render a device useless,” it warned.

The article also advises against posting mobile numbers on the internet, because criminals are finding ways to harvest them for various scams. CSO also advises organisations about knowing the value of their data in order to protect it accordingly. Threatpost has a handy at-a-glance guide to some of the big security incidents from the past year. Meanwhile, kudos to Vice Motherboard for its excellent ‘jealousy list’ which rounds up great hacking and security stories from 2018 that first appeared in other media outlets.

Luas security derails tram website

The new year got off to a bad start for Dublin’s tram operator Luas, after an unknown attacker defaced its website in a security incident. On January 2nd, the Luas site had this message: “You are hacked… some time ago i wrote that you have serious security holes… you didn’t reply… the next time someone talks to you, press the reply button… you must pay 1 bitcoin in 5 days… otherwise I will publish all data and send emails to your users.”

The incident exposed 3,226 user records, and Luas said they belonged to customers who had subscribed to its newsletter. News of the incident spread widely, possibly due to Luas’ high profile as a victim, or because of the cryptocurrency angle.

The tram service itself was not affected, nor was the company’s online payments system. While the website was down, Luas used its Twitter feed to communicate travel updates to the public, and warned people not to visit the site. Interviewed by the Irish Times, Brian Honan said the incident showed that many organisations tend to forget website security after launch. As we’ve previously blogged, it’s worth carrying out periodic vulnerability assessments to spot gaps that an attacker could exploit. With the Luas site not fully back six days later, Brian noted on Twitter that it’s important to integrate incident response with business continuity management.

One hacked laptop and two hundred solemn faces

When an employee of a global apparel company clicked on a link in a phishing email while connected to a coffee shop wifi, they unwittingly let a cybercrime gang onto their corporate network. Once in, the attackers installed Framework POS malware on the company’s retail server to steal credit card details. It’s one real-life example from CrowdStrike’s Cyber Intrusion Casebook. The report details various incident response cases from 2018. It also gives recommendations for organisations on steps to take to protect their critical data better. In addition to coverage in online news reports, the document is available as a free PDF on CrowdStrike’s site.

Examples like these show the need for resilience, which we’ve blogged about before. No security is 100 per cent perfect. But it shouldn’t follow that one gap in the defences brings the entire wall crumbling down.

Digitally savvy, yes. Security savvy, not so much

Speaking of phishing, a new survey has found that digital natives are twice as likely to have fallen victim to a phishing scam than their older – sorry, we mean more experienced –  colleagues. Some 17 per cent in the 23-41 age group clicked on a phishing link, compared to 42-53 years old (6 per cent) or 54+ (7 per cent). The findings suggest a gap between perception and reality.

Out of all the age groups, digital natives were the most confident in their ability to spot a scam compared to their senior peers. Yet the 14 per cent of digital natives who weren’t as sure of their ability to spot a phish was strikingly close to the percentage in the same age bracket who had fallen for a phishing email. The survey by Censuswide for Datapac found that 14 per cent of Irish office workers – around 185,000 people – have been successfully phished at some stage.

OWASP’s IoT hit list

Is your organisation planning an Internet of Things project in 2019? Then you might want to send them in OWASP’s direction first. The group’s IoT project aims to improve understanding of the security issues around embedding sensors in, well, anything. To that end, the group has updated its top 10 list for IoT. The risks include old reliables like weak, guessable passwords, outdated components, insecure data transfer or storage, and lack of physical hardening. The full list is here.

The number’s up for CISO promotions

Why do relatively few security professionals ascend to the highest levels of business? That’s the provocative question from Raj Samani, chief scientist with McAfee. In an op-ed for Infosecurity Magazine, Samani argues that security hasn’t yet communicated its value to the business in an identifiable way. Proof of this is the fatigue or indifference over ever-mounting numbers of data breaches. Unlike a physical incident like a car accident where the impact is instantly visible, security incidents don’t have the same obvious cause and effect.

“The inability to determine quantifiable loss means that identifying measures to reduce risk are merely estimated at best. Moreover, if the loss is rarely felt, then the value of taking active steps to protect an asset can simply be overlooked,” Samani writes. “We can either bemoan the status quo or identify an approach that allows us to articulate our business value in a quantifiable way.”

The post Security newsround: January 2019 appeared first on BH Consulting.

Incident Response In The Public Eye

Cyberattacks happen constantly. Every day organizations are attackers online whether they realize it or not. Most of these attacks are passing affairs. The mere fact that systems are on to the internet makes them a target of opportunity. For the most part, these attacks are non-events.

Security software, bugs in attack code, and updated applications stop most attacks. With 20 billion+ devices connected to the internet, it’s easy enough for the attack to move on.

But every couple of weeks there is a big enough attack to draw headlines. You’ve seen a steady stream of them over the past few years. 10 million records here, thousands of systems there, and so on.

When we talk about these attacks, for most people, it’s an abstract discussion. It’s hard to visualize an abstract set of data that lives online somewhere.

The recent attack on the Tribune Publishing network is different. This attack had a real world impact. Around the United States, newspapers arrived late and missing significant sections of content.


Late Thursday, some systems on the Tribune Publishing network were inaccessible. This is not an uncommon experience for anyone working in a large organization.

Technology has brought about many wonders but reliability isn’t typically one of them. When a system is inaccessible, it’s not out of the question to first think, “Ugh, this isn’t working. Call IT.”

Support tickets are often the first place cyberattacks show up…in retrospect. All public signs in the Tribune Publishing attack point this way. Once support realized the extent of the issue and that it involved malware, the event—a support request—turned into an incident. This kicks off an incident response (IR) process.

It’s this process that the teams at Tribune Publishing are dealing with now.


“Who is behind the attack?” Is the first question on everyone’s mind. It’s human nature—doubly so at a media organization—to want to understand the “who” and “why” as opposed to the “how”.

The reality is that for the incident response process, that’s a question that wastes time. The goal of the incident response process is to limit damage to the organization and to restore systems as fast as possible.

In that context, the response team only needs to roughly classify their attacker. Is the attacker:

  1. A low level cybercriminal who got lucky with an automated attack and has few resources to continue or sustain the attack?
  2. A cybercriminal intending on attacking a specific class of organization or systems?
  3. A cybercriminal targeting your organization?

Knowing which class of cybercriminal is behind the attack will help dictate the effort required in your response.

For a simple attack, your automated defences should take care of it. Even after an initial infection, a defence in depth strategy will isolate the attack and make recovery straight forward.

If the attack is part of a larger campaign (e.g., WannaCry, NotPeyta, etc.), incident response is more complex but the same principles hold true. The third class of attacker—specifically targeting your organization—is what causes a change in the process. Now you are defending against an adversary who is actively changing their approach. That requires a completely different mindset compared to other responses.

The Process

Incident response processes generally follow six stages:

  1. Prepare
  2. Identify
  3. Contain
  4. Eradicate
  5. Recover
  6. Learn

On paper the process looks simple. Preparation begins with teams gathering contact information, tools, and by writing out—or better yet, automating—procedures.

Once an incident has started, teams work to identify affected systems and the type of attack. They then contain the attack to prevent it from spreading. Then work to eradicate any trace of the attack.

Once the attack is over, the work shifts to recovering systems and data to restore functionality. Afterwards, an orderly review is conducted and lessons are shared about what worked and what didn’t.

Easy, right?

Any incident responders reading this post, can take a minute here having enjoyed a good laugh. The next section slams everyone back to the harsh reality of IR.


The six phases of incident response look great on paper but when you’re faced with implementing them in the real world, things never work out so cleanly.

The majority of a response is spent stuck in a near endless loop. Identifying new areas of compromises to try to contain the attack. Hopefully allowing responders to eradicate any foothold to recover the affected systems.

This is what most organizations struggle with. The time spent preparing is often insufficient because it’s all theoretical. Combined with the rapid pace of change on the network means that teams are struggling to keep up during an active incident.

With an organization like Tribune Publishing, things are even more difficult. By it’s very nature, it’s a 24/7 business with a wide variety of users around the country. This means there are a lot of systems to consider and each hour of downtime has a very real and significant impact on the bottom line.

As the incident progresses, the response team will make critical decision after critical decision. Shutting down various internal services to protect them. Changing network structures to isolate malicious activity. And a host of other challenges will pop up during the incident.

It’s difficult, hard driving work. Made doubly so with the eyes of senior management, customers, and the general public looking on.


As a CISO or incident response team leader, you need to focus on the IR process, not on attribution. That’s why it’s worrisome to see early attribution during an incident.

In the Tribune Publishing attack, it was publicly reported that the attack came from outside of the United State. This led to speculation around motivation. It’s likely that statement was based on the malware reportedly found and simple IP address information.

Early in the IR process, evidence like this will be found. It’s easily accessible but also highly unreliable. Malware is often sold in the digital underground and IP addresses are easily spoofed or proxied. The response team knows this but pressure from higher up may demand some form of answer…whether or not it helps resolve the situation.

The team must stay focused on resolving the incident, not spending valuable time and energy getting side tracked. Attribution has its place. It’s definitely not in the middle of the response to an incident.


The one hard truth of incident response is that nothing can substitute for experience. Given the—hopefully obvious—fact that you don’t actually want to be attacked, this leads to the concept of a game day or an active simulation.

Popular in cloud environments—AWS runs game days at their events—these exercises provide hands on experience. Usually held for the operations team, they are are of critical importance to the security team as well.

Security doesn’t operate in a vacuum, especially during an incident. Working with other teams during an incident is key. Practicing that way is a must. This type of work is a huge effort but one that will pay off significant when an organization is attacked.

Next Steps

Tribune Publishing was hit by a cyberattack with real world impact. This level of visibility is a stark reminder of how challenging these situations can be. The most critical phase of incident response is the first one: preparation.

As a CISO or senior security team member, you need to prepare not only the incident response plan. With a plan in hand, you need to get other teams on board and make it clear to senior management how this process works. Critical to success is making sure that management knows that the priority is recovery…not attribution.

Combine that with a lot of practice and when the next incident hits, you’ll have put your team in a reasonable position to respond and recover quickly.

The post Incident Response In The Public Eye appeared first on .

Our Amazing 2018, Thanks To You

Before 2018 has officially come and gone, let’s take a quick trip down memory lane and see the events that made up this amazing year.

Reading from a mobile device? Click on the infographic to make it bigger.

That’s a wrap! The team would like to thank each and every one of you for trusting eLearnSecurity to advance your careers, always being an active part of our community, and for helping us reach new heights every year.

Happy New Year, everybody!

Connect with us on Social Media:

Twitter | Facebook | LinkedIn | Instagram

Security Incidents: Incident Handling vs Incident Response

Security incidents continuously make our morning headlines and cause enormous damages and reputational harm to organizations worldwide. It’s inevitable that stronger and costlier incidents will happen. To be prepared, companies rely on their computer security incident handling and response teams. But — what do the terms Incident Handling and Incident Response mean? Find out.

What Is A Security Incident?

According to the Computer Security Incident Handling Guide by NIST, only events with a negative consequence are considered security incidents. Such events can be system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data and execution of destructive malware. Malicious insiders, availability issues and loss of intellectual property all fall under the scope of incident handling and incident response as well.

Incident Handling VS Incident Response

  • Incident Response is defined as the summary of technical activities performed to analyze, detect, defend against and respond to an incident.
  • Incident Handling is defined as the summary of processes and predefined procedural actions to effectively and actionably handle/manage an incident.

Oftentimes, Incident Handling and Incident Response are synonymous. NIST’s Computer Security Incident Handling Guide also mentions the same, and probably for the best.

Choosing to differentiate the two functions can result in incident miscommunication and mishandling, due to lack of technical knowledge from the incident handlers’ side.

Preferably, the two functions should be indistinguishable on an organization and manned with trained, or at least knowledgeable, IT professionals. Not only that, but the transition from handling to response and the incident communication, in general, should be an extremely fine-tuned and silky-smooth process. This means, that the incident handling and incident response functions should work in such a cooperative, communicative and actionable manner, so as to look like one function.

Aspiring to become the IR professional companies wish they had? Read more about how the IHRP training course can help advance your blue teaming career here.

Learn hands-on and up-to-date incident handling and response skills with the IHRP course.

Connect with us on Social Media:

Twitter | Facebook | LinkedIn | Instagram

Advance Your Blue Teaming Skills with IHRP

The Incident Handling & Response Professional (IHRP) training course is now available for enrollment. Discover this course’s details and see how you can benefit from it to better your defensive skills and become the IR professional companies wish they had.

In today’s hyper-connected world where everyone is a target to cybercriminals, organizations are fighting tooth and nails to find skilled cybersecurity professionals. While it’s a great asset to have red-teaming skills, companies expect their IT Security teams to not only know how to defend and assist in cases of malicious intrusions but also to have the right skills to hunt and secure them from such events in the first place. If you’re reading this because you’re interested in learning more and/or switching to the blue side of security, then IHRP might just be the right training course for you.

Incident Handling & Response Professional (IHRP) 

The Incident Handling & Response Professional (IHRP) training course is self-paced and highly hands-on. Here are some of the benefits of this course modules:

  • Documents how to set up an incident handling & response capability
  • Analyzes in-detail how attackers operate and how to detect each Technique, Tactic, and Procedure they use
  • Covers detecting intrusions or intrusion attempts during all stages of the Cyber Kill Chain
  • Showcases a variety of different intrusion detection techniques such as: analyzing traffic, flows, and endpoints, as well as performing correlations and endpoint or protocol analytics
  • Covers how to effectively utilize and fine-tune open-source IDS solutions (Snort, Bro, Suricata etc.)
  • Makes students capable of making the best of open-source SIEM solutions (ELK stack, Splunk, Osquery etc.)
  • Showcases how tactical threat intelligence can enhance your detection capabilities
  • Documents how to leverage baselines for effective intrusion detection
  • Provides students with real-life incident response scenarios

Want to know more? Discover the detailed syllabus here.

Why You Should Consider IHRP
  • Hands-on and real-life scenario labs: There is no substitute for learning IT Security hands-on, just like learning how to drive a car. You have to sit in it to fully learn the skills. All the labs of this training course simulate real-life scenarios.
  • Hours of video course materials: Videos help illustrate and understand complicated topics from the course slides more easily
  • Thousands of course slide materials: Interactive learning at your own speed, skipping back and forth to fully understand each topic before practicing labs and/or taking your exam. Slides will always be available to you in your member’s area.
  • Lifetime access to the course materials: Nobody can remember everything, you can always come back to double check on something you learned.
  • Exam voucher to get certified included: There is no additional cost or headache to get certified. Your course content in the Full and Elite Editions covers everything that is needed to pass the exam.
  • Online learning: You can obtain both the theoretical and practical skills from the comfort of your own home or office. A major benefit is that you can decide when to learn, and you can do so at your own speed. This also saves time and additional cost for travel and accommodation.

Get Early Access & 50% Off Your Course Fees

Interested in learning everything blue-team? Enjoy 50% off the new IHRP training course fees in Elite Edition when you enroll before December 31, 2018.  This early access offer will grant you immediate access to the first two modules, ‘Incident Handling Process’ and ‘Intrusion Detection by Analyzing Traffic’, and hands-on labs in which you will be tasked with detecting real-world attacks and malware. New content will be added automatically in your member’s area every two weeks, as it becomes available. Enrollments after January 1st will be closed until the final release of this training course in March.

Interested in this blue teaming course? Enroll before December 31st and get 50% off your course fees discounted automatically on the checkout page 😉


Connect with us on Social Media:

Twitter | Facebook | LinkedIn | Instagram

The 4 Steps Of Incident Handling & Response

An estimated 3.6 billion records were breached in the first 9 months of 2018 alone. While these numbers show some improvement, cyber incidents will inevitably continue to happen. For that, security professionals need to know the Incident Handling and Response processes.

According to NIST’s Computer Security Incident Handling Guide, the Incident Response (IR) life cycle is made of 4 phases, as shown below.

1. Preparation

In this initial phase, organizations plan to handle incidents and attempt to limit the number of potential incidents by selecting and implementing a set of controls based on the results of risk assessments. This step involves outlining everyone’s responsibility, hardware, tools, documentation, etc. and taking steps to reduce the possibility of an incident happening.

2. Detection & Analysis

In this phase, the IR team analyzes all the symptoms reported and confirms whether or not the situation would be classified as an incident.

3. Containment, Eradication, and Recovery
In this phase, The IR team now gathers intel and create signatures that will help them identify each compromised system. With this information, the organization can mitigate the impact of incidents by containing them and countermeasures can be put in place to neutralize the attacker and restore systems/data back to normal.
4. Post-incident Activities

This is more of a ‘lesson learned’ phase. Its goal is to improve the overall security posture of the organization and to ensure that similar incidents won’t happen in the future.

When incidents happen, we tend to panic and wonder “what now?”. It’s important to remain calm and follow best practices and company procedures. For this reason, NIST has published its Computer Security Incident Handling Guide to lead you through the preparation, detection, handling, and recovery steps of Incident Handling & Response.

Interested in learning how to professionally analyze, handle, and respond to security incidents on heterogeneous networks and assets? Check out our new Incident Handling & Response Professional – IHRP – training course.

Connect with us on Social Media

Twitter Facebook LinkedIn Instagram

Introducing Incident Handling & Response Professional (IHRP)

We are introducing the Incident Handling & Response Professional (IHRP) training course on December 11, 2018. Find out more and register for an exciting preview webinar.

No matter the strength of your company’s defense strategy, it is inevitable that security incidents will happen. Poor and/or delayed incident response has caused enormous damages and reputational harm to Yahoo, Uber, and most recently Facebook, to name a few. For this reason, Incident Response (IR) has become a crucial component of any IT Security department and knowing how to respond to such events is growing to be a more and more important skill.

Aspiring to switch to a career in Incident Response? Here’s how our new Incident Handling & Response Professional (IHRP) training course can help you learn the necessary skills and techniques for a successful career in this field.

Incident Handling & Response Professional (IHRP) 

The Incident Handling & Response Professional course (IHRP) is an online, self-paced training course that provides all the advanced knowledge and skills necessary to:

  • Professionally analyze, handle and respond to security incidents, on heterogeneous networks and assets
  • Understand the mechanics of modern cyber attacks and how to detect them
  • Effectively use and fine-tune open source IDS, log management and SIEM solutions
  • Detect and even (proactively) hunt for intrusions by analyzing traffic, flows and endpoints, as well as utilizing analytics and tactical threat intelligence

This training is the cornerstone of our blue teaming course catalog or, as we called it internally, “The PTP of Blue Team”.

Discover This Course & Get An Exclusive Offer

Take part in an exciting live demonstration and discover the complete syllabus of our latest course, Incident Handling & Response Professional (IHRP), on December 11. During this event, all the attendees will get their hands on an exclusive launch offer. Stay tuned! 😉

Be the first to know all about this modern blue teaming training course, join us on December 11.

Connect with us on Social Media:

Twitter | Facebook | LinkedIn | Instagram

M-Trends 2018

What have incident responders observed and learned from cyber attacks in 2017? Just as in prior years, we have continued to see the cyber security threat landscape evolve. Over the past twelve months we have observed a number of new trends and changes to attacks, but we have also seen how certain trends and predictions from the past have been confirmed or even reconfirmed.

Our 9th edition of M-Trends draws upon the findings of one year of incident response investigations across the globe. This data provides us with insights into the evolution of nation-state sponsored threat actors, new threat groups, and new trends and attacker techniques we have observed during our investigations. We also compare this data to past observations from prior M-Trends reports and continue our tradition of reporting on key metrics and their development over time.

Some of the topics we cover in the 2018 M-Trends report include:

  • How the global median time from compromise to internal discovery has dropped from 80 days in 2016 to 57.5 in 2017.
  • The increase of attacks originating from threat actors sponsored by Iran.
  • Metrics about attacks that have retargeted or even recompromised prior victim organizations, a topic we previously discussed in our 2013 edition of M-Trends.
  • The widening cyber security skills gap and the rising demand for skilled personnel capable of meeting the challenges posed by today’s more sophisticated threat actors.
  • Frequently observed areas of weaknesses in security programs and their relation to security incidents.
  • Observations and lessons we have learned from our red teaming exercises about the effectiveness and gaps of common security controls.

By sharing this report with the security community, we continue our tradition of providing security professionals with insights and knowledge gained from recent breaches. We hope that you find this report useful in your work to strengthen your security posture and defend against the ever evolving threats.

Richard Bejtlich on His Latest Book, “The Practice of Network Security Monitoring”

Practice of Network Security MonitoringThe Practice of Network Security Monitoring

Everyone wants to know how to find intruders on their networks. I learned one approach when I served in the Air Force Computer Emergency Response Team (AFCERT) as a captain from 1998 to 2001. When I left the service and brought my refinements of network security monitoring (NSM) to the commercial world, I decided that at some point I would explain what I knew in book form for the good of the computer network defense community.

In July 2004, I published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection . Although I had published material on NSM in 2002 in Hacking Exposed, 4th Edition and in 2003 in Incident Response, 2nd Edition, the Tao was my first major contribution to the field of detecting and responding to intrusions using network-centric tools and tactics. I wrote two other books in the following two years, namely Extrusion Detection and Real Digital Forensics, the latter as a co-author. I wrote for the intermediate-to-advanced level audience, and people seemed to find the works useful.

I began teaching multi-day classes on NSM and related subjects in 2004, and in 2007 brought new classes on NSM to Black Hat. Over the years I kept my material at the intermediate-to-advanced level because I thought that sort of viewpoint was most needed. In late 2012, however, teaching for Black Hat in Dubai, I realized that for every intermediate-to-advanced student in my class, there were probably 100 or more introductory-level students trying to better understand security and their networks. By writing for people who I thought already "got" NSM, I ignored thousands of deserving readers and students.

In late December 2012 I decided it was time to a write a book for people who knew something about computers, networking, and security, but little to nothing about NSM or incident detection and response. I submitted a proposal to No Starch and began writing a new book the first week of January 2013, with the goal of having it in print for Black Hat in July 2013. Thanks to the fine work of No Starch's team and my editors and contributors, The Practice of Network Security Monitoring arrived in time for Black Hat last month.

If you want to know how to use network-derived evidence to detect and respond to intrusions, my new book is for you. I teach you why NSM matters, where and how to obtain visibility, how to collect and analyze traffic, and what to do when you find something suspicious or malicious. Although you may be able to use your existing tools and data to accomplish these goals, I demonstrate NSM using the amazing open source NSM distro Security Onion by Doug Burks and Scott Runnels. With nothing more than the investment in some reading time and downloading free software, you can start learning how intruders are abusing your network.

In addition to writing the new book for those at the introductory level of NSM practice, I also wrote a new class titled "NSM 101." I taught the material at Black Hat last month, and feedback was positive. I intend to teach the same course in Seattle for Black Hat on December 9-10, 2013 and again in 2014 in Vegas and elsewhere with Black Hat. I find that my network-centric approach nicely complements the powerful endpoint- and log-centric tools and capabilities available from Mandiant's products and services.

If you have questions about how NSM can help defend your organization, please feel free to send me a tweet via @taosecurity. I am happy to respond to thoughtful questions.