July 27, 2012, Las Vegas, NV—The Feds were heavy at the BlackHat Security Briefings and at DEFCON this week. Held in Las Vegas, DEFCON is celebrating 20 years of bringing together more than 15,000 hacker researchers in elaborate, fun-filled trainings and exercises. BlackHat Briefings also celebrated a 15th anniversary with 6,500 under a more professional conference.
During these historic conferences, the feds appeared in greater force than ever to tell just how severe the problem of cyber espionage and cyberwar has become, and to recruit private sector IT security professionals and researchers into what will ultimately be combat-ready cyber units prepared to react and respond to attackers in our networks.
Senior officials from the FBI, U.S. Cyber Command, and the DHS all described an inside view of unimaginable volumes of intellectual property and network security data flowing out of what should be highly protected networks. Some, like former FBI Assistant Director Shawn Henry, advocate taking direct action against attackers discovered in or attempting to penetrate networks by using obfuscation, confusion and other subterfuge (within the bounds of law) against them.
Henry recently accepted a position as president of CrowdStrike Services, a subsidiary of CrowdStrike, Inc. CrowdStrike is one of a growing number of companies that offer victimized organizations a means to track and monitor criminal activity and take action based on the types of actions the attackers attempt.
“Companies like CrowdStrike are part of the larger solution,” he said during an interview after his keynote at BlackHat Wednesday morning. “There are a growing number of technical services and strategies to make networks more resilient and harder for bad actors to penetrate.”
Another such company, Mykonos (recently acquired by Juniper), also has the capability to commit subterfuge and to track web attackers back to their specific IP addresses. While the tool only works on attackers attempting to penetrate through websites (one of the largest attack vectors aside from email), the merger with Juniper will ultimately put tools like this in the heart of the network at routers and switches.
“Today’s intrusion systems aren’t working,” says Mykonos founder David Koretz, now a Juniper VP and general manager for the Mykonos Software division of Juniper. “So what we’re doing is intrusion deception: Let the bad guys think they’re getting something on us when we’re really getting the goods on them.”
Deception may be a new means of keeping bad actors out of networks, but the reality is that many networks are already owned, and because deception tools are new, they are barely used in the private sector and are not yet proven to be globally effective.
The other means most talked about at the conferences was to use network intelligence – we’re talking HUGE volumes of data – to track attackers inside the network and contain the damage. During RSA’s afterparty on Wednesday night, Invincea CEO Dr. Anup Ghosh had some strong opinions about taking any approach to network security that admits defeat and ‘ownership.’ As such, Invincea’s tools combine traps (virtual sandboxes) and intelligence for protection and investigation.
“It is UnAmerican to accept that our networks are owned and infiltrated by outside parties,” said Dr. Ghosh during an RSA afterparty on Wednesday night. “There are ways to block bad actors before they infiltrate the network, and ways to use intelligence to block them.”
It is this intelligence that the federal agencies are asking for from the private sector to help identify terroristic trends and stop them from spreading and creating a crisis. General Keith Alexander, director of the National Security Agency and DoD’s U.S. Cyber Command, described how Congress is debating several bills for information sharing between sectors that would protect privacy.
“Without shared intelligence, we have no insight into whether or not Wall Street is going to be attacked,” he said during a noon session at DEFCON Friday. “All we need is the attack signature and the IP address to identify trends.”
Barriers remain to automating this process so that it happens in real time, as the feds hope it will. If we do reach that level of automation for real-time sharing of sanitized threat information, some of it may come from tools discussed here that are being built today for better identification of threats and the actors behind them.