
Dailydave mailing list archives
Cyber Situational Awareness
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 23 Nov 2011 11:17:58 -0500
When you talk about cyber situational awareness you will often find people talking about large scale scanning or sniffing. This is often missing the point - it's 90's era thinking applied to the much more interesting and complex <http://threatpost.com/en_us/blogs/how-duqu-authors-may-have-erred-112111> modern cyber world.

An easy metric I find is this: What parts of your situational awareness program are your opponents _not aware that you have_? And to follow on, which parts of your situational awareness program can they not possibly detect? Everything else is simply a denial/deception program waiting to get started.

The other major thing people talk about with cyber situational awareness is their ability to do large scale analysis and correlation <http://www.businessweek.com/printer/magazine/palantir-the-vanguard-of-cyberterror-security-11222011.html>. This is useful insomuch as the true scale of it is unknown or unknowable <http://www.cnas.org/blogs/abumuqawama/2011/11/what-you-need-know-about-cia-getting-rolled-lebanon-and-larry-munson-updat>. But other than that it is simply a way to drive down the obscenely high costs of analysis, which scales as well as all human-bound enterprises.

As a concrete example you can look at OS detection over the network:

Useless: TCP/IP options and features, à la NMAP
Useful: NTP OS detection (while that was an unknown)

This works defensively too - do you as a corporation have defensive instrumentation and analysis on a place in your network/systems the attacker could not possibly expect you to, or that they cannot possibly detect?

What we look for in situational awareness toolkits is the "aha!" moment. Aka "I had no idea you could get that kind of data from that protocol!" or "I didn't realize I was leaking _that_ in the clear!"

Mark's talk at INFILTRATE is a very powerful example of this concept, for those of you coming in January.
(And if you're not registered yet, you should call team admin at +1 786 220 0600 since I think they have some sort of deal going on right now.)

-- 
INFILTRATE 2012 January 12th-13th in Miami - the world's best offensive information security conference. www.infiltratecon.com
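The "NTP OS detection" the post holds up as the useful kind of fingerprinting is the NTP mode 6 (control) READVAR query, the same thing `ntpq -c rv <host>` sends: a classic ntpd answers with its variable list, and the `system=`, `processor=` and `version=` fields name the operating system, CPU and daemon build in the clear. The script below is an added example written for this page, not code from the post or from Immunity; it builds the 12-byte control request, parses the response header and the `name=value` body (quoted values may contain commas), and reassembles multi-fragment replies when querying a live host. The sample response is constructed here, not a real capture, and the function names are my own. Caveat for the defensive reading of the post: any ntpd whose `restrict` lines include `noquery` will not answer mode 6 at all, so a missing reply is itself a data point, not an error.

```python
import socket
import struct

# NTP control message (mode 6) header, RFC 1305 Appendix B:
#   byte 0: LI(2) | VN(3) | Mode(3)   -> LI=0, VN=2 (what classic ntpq sends), mode 6
#   byte 1: R | E | M | opcode(5)     -> R=response, E=error, M=more fragments follow
#   then sequence, status, association id, offset, count (all 16-bit big-endian)
NTP_CTRL_HDR = struct.Struct("!BBHHHHH")
MODE_CONTROL = 6
OP_READVAR = 2
RESPONSE_BIT = 0x80
ERROR_BIT = 0x40
MORE_BIT = 0x20


def build_readvar_request(sequence: int = 1) -> bytes:
    """Build the READVAR query for association 0 (the system variables)."""
    first = (0 << 6) | (2 << 3) | MODE_CONTROL   # LI=0, VN=2, mode 6
    second = OP_READVAR                          # R=E=M=0, opcode 2
    return NTP_CTRL_HDR.pack(first, second, sequence, 0, 0, 0, 0)


def parse_control_response(pkt: bytes):
    """Validate a mode-6 response; return (payload bytes, more_fragments_flag)."""
    if len(pkt) < NTP_CTRL_HDR.size:
        raise ValueError("short packet")
    first, second, _seq, status, _assoc, _offset, count = NTP_CTRL_HDR.unpack_from(pkt)
    if (first & 0x07) != MODE_CONTROL or not (second & RESPONSE_BIT):
        raise ValueError("not a mode-6 response")
    if second & ERROR_BIT:
        raise ValueError("server returned error status 0x%04x" % status)
    body = pkt[NTP_CTRL_HDR.size:NTP_CTRL_HDR.size + count]
    return body, bool(second & MORE_BIT)


def parse_variables(text: str) -> dict:
    """Split 'a=1, version="x, y", b=2' into a dict. Quoted values keep their commas."""
    out, field, in_quotes = {}, [], False
    for ch in text + ",":                  # trailing comma flushes the last item
        if ch == '"':
            in_quotes = not in_quotes      # quotes delimit, they are not part of the value
            continue
        if ch == "," and not in_quotes:
            item = "".join(field).strip()  # also drops the \r\n ntpd puts after commas
            field = []
            if item:
                name, _, value = item.partition("=")
                out[name.strip()] = value.strip()
            continue
        field.append(ch)
    return out


def fingerprint(variables: dict) -> dict:
    """Pick out the fields that identify the host: OS, CPU and daemon build."""
    return {k: variables.get(k, "") for k in ("system", "processor", "version")}


def query_host(host: str, timeout: float = 2.0) -> dict:
    """Query a live server on UDP/123 and reassemble fragments. Not exercised offline."""
    chunks = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_readvar_request(), (host, 123))
        while True:
            data, _ = s.recvfrom(4096)
            body, more = parse_control_response(data)
            chunks.append(body)
            if not more:
                break
    return fingerprint(parse_variables(b"".join(chunks).decode("ascii", "replace")))


# Constructed sample response (not a real capture), shaped like an ntpd 4.x answer
# to `ntpq -c rv`: system= and processor= leak the OS kernel and CPU architecture.
SAMPLE_BODY = (b'version="ntpd 4.2.8p10@1.3728-o Fri Jun 30 12:00:00 UTC 2017 (1)",\r\n'
               b'processor="x86_64", system="Linux/4.9.0-3-amd64", leap=00,\r\n'
               b'stratum=3, precision=-23, refid=192.0.2.1, reftime=0xdd0e0a0b.12345678\r\n')
SAMPLE_RESPONSE = NTP_CTRL_HDR.pack((2 << 3) | MODE_CONTROL, RESPONSE_BIT | OP_READVAR,
                                    1, 0x0614, 0, 0, len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    body, _more = parse_control_response(SAMPLE_RESPONSE)
    print(fingerprint(parse_variables(body.decode("ascii", "replace"))))
```

Run it as-is to see the parser on the constructed sample, or call `query_host("ntp.example.org")` against a server you are allowed to probe. The point the post is making survives the example: a single unauthenticated UDP datagram returns the kernel version string, which no TCP/IP stack quirk will hand you as cleanly, and nothing in the reply tells the target which of its protocols gave it away.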
Current thread:
- Cyber Situational Awareness Dave Aitel (Nov 23)
- Re: Cyber Situational Awareness Carlos Alexandre Queiroz (Dec 01)
- Re: Cyber Situational Awareness Dobbins, Roland (Dec 01)