What I wanted to point out here is that you can’t have attribution with regards to an attack by only analyzing the tool used, no matter how through the analysis. We all know IP’s can be changed, compromised, rented out….so relying on that wont work. Code can be borrowed, stolen, reversed so that isn’t conclusive either. This especially true if we are talking about Nation State sponsored cyber attacks. The tool is only part of the bigger picture. Attribution requires taking a step back and looking at that this bigger picture.  Who received the email? What is their role at the company? Where did the adversary get their email address? What tools did they use once inside? What order did they use the tools? What time of day, week, month did the carry out the attack? How did they exfil the data? What did they do with the data once exfiltrated? These are just examples of data not directly tied to the code in the malware that needs to be analyzed. Threat actors have patterns that they follow just a criminals have M.O.’s. However these cannot be relied upon completely. Misdirection is your friend when you don’t want to be named.  A lot of data needs to be analyzed before you are in the position to claim attribution. I would argue that few organizations have the expertise and experience to do so and fewer still could say conclusively, outside of Defense and Intel circles.

Also remember that not all advanced intrusion are APT just as not all APT intrusions are advanced. What helps constitute the Advanced in APT is their ability to pick the right tool for the job. They are not going to pull out their 0-days unless they have to, in my opinion anyway.

–Chris

[TAGS] APT, RSA [\TAGS]

–Chris

For those Splunk users out there the 2011 Splunk Users Conference will be August 15 – 17 in San Francisco. http://www.splunk.com/view/SP-CAAAFCW

I’ve been a big fan of Splunk for a number of years. Somtimes you just want to search your logs and create / modify the queries on the fly. Splunk gives you the flexibility to do that. A SIEM is a great log tool but it is not always the right tool for the job. Incident Response is one of those processes that I think Splunk is ideally suited.

–Chris

Technorati Tags: Splunk

Technorati Tags: Defcon

I am curious as to what this will do for their NAC strategy, if anything.

–Chris

Technorati Tags: Juniper, switches, NAC

The good folks at CSI were kind enough to give me a press pass and 2 conference passes for zilch, as they seem to have done with several of my fellow security bloggers. Sorry, I have already given the 2 passes to a couple of security geeks who really wanted to go.

I hope to see you there.

–Chris

Technorati Tags: CSI 2007, security conference, Alexandria

Please stop by and check it out.

–Chris

Technorati Tags: MiketechShow, podcast, ustream, ComputerAmerica

14 August 2007 – 23:58 GMT

With the industry and those in it so seemingly hostile to Whitedust, and
pure apathy from anyone who thinks otherwise. Why bother. This site is
now closed permanently. It’s staff have abandoned the scene and the industry
for real world projects – for good, you won’t be seeing us again. You “Won”.

Good luck out there. You’ll need it.

-The Staff

Hoax, hack or real? I have not noticed anything about them closing down. Anybody know more about it?

–Chris

Technorati Tags: whitedust security, whitedust.net

From a vendor standpoint (where I am now), I am seeing a big jump in awareness of DLP technology in our customer base. Granted we focus on the mid-market….there may be even more awareness in the Fortune 1000 and up. The sales are starting to trickle in for this technology as well.

We are also seeing M&A activity in this space. RSA recently acquired Tablus. This is a natural extension given the information life cycle management offerings that EMC (RSA’s parent company) is selling.

So my question remains, Is DLP the next big security technology? Will it follow in the footsteps of IPS and NAC?

–Chris

Technorati Tags: Data Leak Prevention, DLP, Vontu, Code Green, Reconnex, GTB

I didn’t meet as many people as I wanted to because of my cab ride but still had a great time both during the meeting and especially dinner afterwards. I’ll be like the 10th person to post the attendance list. Thank you to Martin McKeay, Richard Stiennon, Mircosoft and certainly others for making this happen. I am looking forward to this again next year.

–Chris

Amrit Williams – http://techbuddha.wordpress.com/
Brian Krebs – http://blog.washingtonpost.com/securityfix/
Bruce Schneier – http://www.schneier.com/blog/
Ryan Naraine – http://securitywatch.eweek.com/
Thomas Ptacek – http://www.matasano.com/log/
Martin McKeay – http://www.mckeay.net/
Cutaway – http://www.cutawaysecurity.com
Richard Bejtlich – http://taosecurity.blogspot.com/
Richard Stiennon - http://www.fortinet.com/-index.html
Michael J. Santarcangelo – http://www.securitycatalyst.com/
Michael J. Farnum – http://securityplace.blogspot.com/
Michael Dahn – http://datasecurity.wordpress.com/
Adam Shostack – http://www.emergentchaos.com/
Mike Murray – http://blog.ncircle.com/
Andy Willingham – http://andyitguy.blogspot.com/
Scott J. Roberts – http://blog.vulnerableminds.com/
Pete Lindstrom – http://spiresecurity.typepad.com/
Kenneth F. Belva – http://www.bloginfosec.com/
Raffael Marty – http://www.raffy.ch/blog/
Alex Hutton – http://riskanalysis.riskmanagementinsight.com/
George Ou – http://blogs.zdnet.com/Ou/
Mike Rothman – http://securityincite.com/
Anton Chuvakin – http://chuvakin.blogspot.com/
Alan Shimel – http://www.stillsecureafteralltheseyears.com/
Mitchell Ashley – http://theconvergingnetwork.com/
Ron Gula – http://blog.tenablesecurity.com/
Ross Brown – http://technobabylon.typepad.com/
Alex Eckleberry – http://sunbeltblog.blogspot.com/
Stephen Toulouse – http://www.stepto.com/default.aspx
Ryan Russell – http://ryanlrussell.blogspot.com/index.html
Angela Gunn – http://www.computerworld.com/blogs/gunn
Garrett Gee – http://ggee.org/blog/
Samuel Van Ryder – http://www.stillsecureafteralltheseyears.com/ashimmy/
Misha Govshteyn – http://blog.alertlogic.net/
Jeremiah Grossman – http://jeremiahgrossman.blogspot.com/
Chris Harrington – http://infosecpodcast.com/
Ron Woerner – http://www.securitycatalyst.com
Andrew Lark – http://andylark.blogs.com/
Andrew Storms – http://blog.ncircle.com/blogs/sync/
Micheal Wright – http://mcwresearch.com
Jordan Wiens – http://psifertex.com
Autumn Haynes – http://www.rsa.com/blog/
Michelle McLean – http://consentry.typepad.com/blog/
Lori MacVittie – http://devcentral.f5.com/weblogs/macvittie/
Chris Boyd – http://www.vitalsecurity.org/
Wayne Porter – http://blog.spywareguide.com/
David Maynor – http://erratasec.blogspot.com/
Robert Graham – http://erratasec.blogspot.com/
Eric Green – http://www.larstanpodcasting.com/
Ryan Singel – http://blog.wired.com/27bstroke6//
Kevin Poulsen – http://blog.wired.com/27bstroke6//
Andreas Antonopolous – http://www.nemertes.com/blog/andreas_m_antonopoulos
David Kanter – http://www.realworldtech.com
Christopher Hoff – http://rationalsecurity.typepad.com/
Mike Murray http://www.episteme.ca

Technorati Tags: RSA, bloggers, San Francisco, Information Security

Anyone one out there going to the RSA show in San Francisco? If so drop me a line…I’ll be there from Monday to Thursday. I believe this will be my 7th show and it looks to be as interesting as ever.

–Chris

Technorati Tags: RSA, San Francisco, Information Security