Posted August 2, 2016
By Allan Thomson, CTO
For this week’s Black Hat 2016 conference, an article was published that provided tips on how to stay safe while at the conference. One of the primary tips was to ‘not to connect to the network’ while at the show.
What troubles me about this advice is that it lays open a sad assessment of an entire security industry’s ability to protect communications and the devices involved at a show aimed to provide security.
Has the adversary become so successful that tradeshow attendees must now avoid the very networks provided for that event?
For many years, the security industry has approached the adversary as something that can be easily blocked from entering the protected zones.
We have firewalls blocking bad actors based on originating IP or domain name and intrusion protection systems blocking intruders based on signatures – all of which are attempting to identify the adversary that’s trying to breach the protected zone’s perimeter.
However, this ‘keep the bad guy out’ approach is insufficient to stop a determined adversary.
Let’s face it, many sophisticated adversaries are knowledgeable about the techniques used to protect their targets.
The physical world has similar examples where a determined adversary can breach a wall, open a locked door, or crack a safe. Just as bank robbers often know what physical defenses exist in banks but still attempt to rob them, cyber adversaries understand that machines running firewalls, IPS, anomaly detection systems, etc. are all programmed to identify attackers based on parameters that were typically chosen by human beings. The more sophisticated adversary knows to avoid the behavior or approaches that someone would look for and flag as suspicious.
What is the lesson to be learned here?
That we cannot solely rely on a few ‘identifying’ communication attributes that can be easily obfuscated or changed as they do not provide sufficient evidence of intent or objective.
Again, the same is true in the physical world, where a person’s name, religion, skin color or any other identifying characteristic is not a mechanism for determining their intent or objectives in life.
In the cyber world, we must look beyond the basic attributes.
Identifying and understanding the adversary’s intentions and targets, including their tactics and goals, is key to stopping attacks in the physical as well as in the cyber world.
Behavioral analysis and anomaly detection provide insight into potential adversaries. But these techniques are limited by how sophisticated their programmed detection model is, and by the fact that much traffic does not follow well-defined patterns even when it is nascent.
Even the most sophisticated behavioral analysis capabilities will require human review and assessment.
In the physical world, having information that an adversary has shared about a potential target, or information about how they would approach an attack is useful intelligence for protection.
However, in the cyber world, there needs to be a deeper level of analysis. Threat intelligence (evidence-based knowledge about an existing hazard, designed to help organizations make informed decisions regarding their response to the threat) provides us with similar insight, but due to the vastness of the Internet, we must learn to refine and prioritize what information is pertinent to protecting our assets.
If Black Hat is to ever truly be a safe enclave, then we must know:
- The adversaries coming to the event with the intent of disrupting the tradeshow
- Their objectives
- The techniques they may employ
Only then will we be informed enough to stop them.
Visit LookingGlass Booth #939 to chat with our security experts about how threat intelligence can help your organization to better understand adversaries and to develop a stronger security posture.