Tag Archives: Lakhani

March 18, 2013

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post ca be found HERE

Illustration Kekai Kotaki Red Dragon 992x712 Situational Awareness For Cyber Threat Defense

Illustration by Kekai Kotaki

Problem

Cisco Systems in their Cyber Security Threat Defense white papers outlines how the network security threat landscape is evolving. They describe how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient in detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS, and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be really implemented to fulfill some sort of checkmark for an auditor on a compliance form. Security professional know these tools, although very important, alone don’t provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)

Cisco ISE 1024x617 Situational Awareness For Cyber Threat Defense

Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

Combined as a center piece for Cisco’s TruseSec Solution, Cisco ISE creates a secure ecosystem treating security as a holistic solution.

Federal Cyber Initiatives

New mandates are making cyber security front and center of the news. President Obama recently challenged the nation and the Federal government in the United States to increase its cyber defense capabilities. As Federal IT budgets are getting slashed back in 2013; however, spending for cyber security appears to be increasing in the eyes of the casual on-looker.

Cisco Systems, in their Cyber Threat Defense White Paper discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even guadge they are being attacked or a threat is posing a clear and present danger (yes that was a Harrison Ford shout out).

NetWitness Situational Awareness For Cyber Threat Defense

RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptional framework for Threat Defense Visibility and Awareness program. The goal of program should be to (1) provide a framework that can be built by using products, technologies, and methodologies that are available today, (2) provide network visibility on network health and status in real-time, (3) provide real-time network posture and attack risk baselines, (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on their website, security analysts gain visibility into advanced cyber threats such as:

  • Network reconnaissance
  • Network interior malware proliferation
  • Command and control traffic
  • Data ex-filtration

Lancope Situational Awareness For Cyber Threat Defense

Lancope Stealwatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because they highlight changes in baseline behavior. Did traffic spike a 100%, did outbound traffic suddenly increase, are more requests being transmitted to new domain on the Internet? All these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns than what is normally looks like. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

January 2, 2013

Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

This blog is typically dedicated to security topics however I thought I would share about two cool gadgets I’ve been using to a live healthier lifestyle. Check them out and make 2013 a healthier year for you.

Zombies, Run!zombies1 Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

I love playing soccer but HATE running as a form of exercise. The problem I have is my mind concentrates on how uncomfortable I feel. I can run for miles on the soccer field but not around the neighborhood.

Zombies, Run! makes running fun. It’s an iPhone / Android app that puts you in the middle of a Zombie apocalypse. There are too many Zombies to shoot so “runners” like you have to go out and gather supplies without weapons. You start a mission and run like your normally would wearing headphones and listening to music. The app plays music off your mobile device playlist and periodically interrupts with radio transmissions from an operator updating you on your mission status. You also pick up virtual supplies while running to bring back to base. Your actual running route doesn’t matter however the distance and pace determines how you do. You can also use this app on a treadmill.

That’s all cool however the real fun is randomly Zombies will chase you. Zombies, Run! uses your GPS to track your speed and warns you to run faster as zombies approach. You start hearing Zombies moaning over your music as they get close which really makes you push yourself. The app will start beeping when Zombies are nearby and prompt you every mile about your pace. 

photo Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

Run Log shows when Zombies attacked, virtual things I picked up and radio transmissions

photo 5 Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

List of missions I’ve completed and not unlocked Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under General Security

Tagged as , , , , , , , , , , , , , , , , , , ,

October 31, 2012

Cool Tool : FOCA – Network Intelligence Reconnaissance using metadata

My buddy Aamir Lakhani posted about a really cool metadata tool called FOCA. The original post can be found HERE. Below is Aamir’s post about FOCA. 

I would like to introduce you to one of my favorite network reconnaissance tools. It is called FOCA.

Did you know every time you create a document such as PowerPoint presentation, Microsoft Word document, or PDFs, metadata is left in the document?

What is metadata? metadata is data about data. It is descriptive information about a particular data set, object, or resource, including how it is formatted, and when and by whom it was collected. metadata can be useful to attackers because it contains useful information about the system where the file was created such as:

  • Name of user logged into the system
  • Software that created the document
  • OS of the system that created the document

FOCA is a security audit tool that will examine metadata from domains. It uses search engines to find files on domains, or you can use your own local files.

The first step to use FOCA is to download it.

  1. FOCA can be downloaded at: http://www.informatica64.com/DownloadFOCA (use Google Translate)
  2. You will need to give your email address at the bottom of the screen. You will receive an email with the download link. You will also receive updates on when FOCA is updated.

Using FOCA

  1. FOCA is a Windows only tool. When you install FOCA you may be asked to install .NET Framework or other decencies. 2 Launch FOCA Cool Tool : FOCA – Network Intelligence Reconnaissance using metadata Continue reading
VN:F [1.9.22_1171]
Rating: 4.0/5 (1 vote cast)

Leave a Comment

Filed under Penetration / Hacking, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

September 17, 2012

802.1X Challenges For Department of Defense

DISA 802.1X Challenges For Department of DefenseAamir Lakhani wrote a fantastic post on 802.1x for DOD. You can find the original posting at www.cloudcentrics.com

The Department of Defense added a requirement that all network ports, or on-ramps need to be protected. Applications, server, and data are normally protected; however, most network ports are left open. You get on to a network by plugging into a port and a network address is allocated for the connection. Computers without proper are free to launch attacks from the network.  Network port protection lock down restricts anonymous access and prevents these “attacks”.

When network protection is turned on, a machine plugs into the network; no network access is given until the machine is authenticated to the network.

A few years ago, NAC solutions tried to accomplish goals for locking down networks. Most of my customers hated NAC. It added a layer of complexity that made the network behave unnatural and harder to support. It used a variety of ports, protocols, and physical boxes to implement. In short, it was complicated.  NAC supported networks broke down often, causing nightmares for those legitimate users trying to get access and the people supporting those networks.

What are people doing to support port lockdown today at the Department of Defense and other large enterprise organizations? Surprisingly, the solution has been around for a long time to help secure wireless networks. It is called 802.1x. Historically, 802.1x has worked great on wireless networks and has always been a little troublesome on the wired ports. But things have changed with enterprise policy servers (Cisco Identity Services) that make the connection more easily configurable on modern day operating systems such as Mac OS X Mountain Lion and Windows 8.

How does 802.1x work? According to Wikipedia, IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is part of the IEEE 802.1 group of networking protocols.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN.  The term ‘supplicant’ is also used interchangeably to refer to the software running on the clients’ device that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point. And the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. A similar comparison to this would be providing a valid visa at the airport’s arrival immigration booth before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network. Continue reading

VN:F [1.9.22_1171]
Rating: 4.0/5 (1 vote cast)

3 Comments

Filed under Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,