SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Saturday, June 6, 2009

Digital Situational Awareness Methods

Posted on 11:03 AM by Unknown
I've written about digital situational awareness before, but I wanted to expand on the topic as I continue my series of posts on various aspects of incident detection and response.

Here I would like to describe ways that an enterprise can achieve digital situational awareness, or a better understanding of their security posture. What is interesting about these methods is that they do not exclude each other. In fact, a mature enterprise should pursue all of them, to the extent possible allowed by technical and legal factors.

  1. External notification is the most primitive means of learning the state of the enterprise's security posture. If all you do is wait until law enforcement or the military knock at your door, you're basically neglecting your responsibilities to your organization and customers.

  2. Vulnerability assessment identifies vulnerabilities and exposures in assets. This is necessary but not sufficient, because VA (done by a blue team) typically cannot unearth the complicated linkages and relationships among assets and their protection mechanisms. You have to do it however, and knowing your vulnerabilities and exposures is better than waiting for a knock on the door.

  3. Adversary simulation or penetration testing identifies at least one way that an adversary could exploit vulnerabilities and exposures to compromise a target or satisfy a related objective. AS (done by a red team) shows what can be done, moving beyond the theoretical aspects of VA. Many times this is the only way to really understand the enterprise and prove to management that there is a problem.

  4. Incident detection and response shows that real intruders have compromised the enterprise. If you think it's bad to see your red team exfiltrate data, it's worse when a real bad guy does it. Knowing that intruders are actively exploiting you is almost the best way to achieve digital situational awareness, and it's usually the highest form an enterprise can practice since it's closest to the ground truth of the state of the enterprise.

  5. Counterintelligence operations are the ultimate way to achieve digital situational awareness. As I wrote in The Best Cyber Defense, this means finding out what the enemy knows about you. I covered this extensively in the referenced post, but now you can see where counterintelligence fits in the overall digital situational awareness hierarchy.



Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.
Email ThisBlogThis!Share to XShare to Facebook
Posted in counterintelligence | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • SANS WhatWorks Summit in Forensics and Incident Response
    I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks gre...
  • Sguil 0.7.0 on Ubuntu 9.10
    Today I installed a Sguil client on a fresh installation of Ubuntu 9.10. It was really easy with the exception of one issue I had to troubl...
  • Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs
    Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected So...
  • BeyondTrust Report on Removing Administrator: Correct?
    Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis . The report offers several interesting ...
  • Human Language as the New Programming Language
    If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think ...
  • DNI Blair Leads with APT as a "Wake-Up Call"
    AFP is one of the few news outlets that correctly focused on the key aspect of testimony by US Director of National Intelligence Dennis Bla...
  • SANS Forensics and Incident Response 2009
    The agenda for the second SANS WhatWorks Summit in Forensics and Incident Response has been posted. I am really happy to see I am speakin...
  • NYCBSDCon 2010 Registration Open
    Registration for NYCBSDCon 2010 is now open. As usual George and friends have assembled a great schedule ! If you're in the New York...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ►  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ►  May (15)
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ▼  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ▼  June (21)
      • Simpler IP Range Matching with Tshark Display Filters
      • Effective Digital Security Preserves Long-Term Com...
      • Posts to Read Elsewhere
      • Black Hat Budgeting
      • Being a Critic Is Easy, So What Would I Do?
      • Ugly Security
      • SANS Forensics and Incident Response 2009
      • DoD Creates USCYBERCOM
      • Free .pdf Issue of BSD Magazine Available
      • The Problem with Automated Defenses
      • You Know You're Important When...
      • The Centrality of Red Teaming
      • Offense and Defense Inform Each Other
      • Response to the Möbius Defense
      • How Much to Spend on Digital Security
      • Counterintelligence Options for Digital Security
      • Crisis 0: Game Over
      • Extending the Information Security Incident Classi...
      • Department of Defense Digital Security Job Opportu...
      • Digital Situational Awareness Methods
      • Incident Detection Paradigms
Powered by Blogger.

About Me

Unknown
View my complete profile