This post is also authored by Matt Sisk, the lead author of each of the tools detailed in this post (bulk query, autogeneration, and all regex).
The number of cyber incidents affecting federal agencies has continued to grow, increasing about 1,300 percent from fiscal year 2006 to fiscal year 2015, according to a September 2016 GAO report. For example, in 2015, agencies reported more than 77,000 incidents to US-CERT, up from 67,000 in 2014 and 61,000 in 2013. These incident reports come from a diverse community of federal agencies, and each may contain observations of problematic activity by a particular reporter. As a result, reports vary in content, context, and in the types of data they contain. Reports are stored in the form of 'tickets' that assign and track progress toward closure.
This blog post is the first in a two-part series on our work with US-CERT to discover and make better use of data in cyber incident tickets, which can be notoriously diverse. Specifically, this post focuses on work we have done to improve useful data extraction from cybersecurity incident reports.
In a previous post, I discussed the Pharos Binary Analysis Framework and tools to support reverse engineering of binaries with a focus on malicious code analysis. Recall that Pharos is a CERT-created framework that builds upon the ROSE compiler infrastructure developed by Lawrence Livermore National Laboratory for disassembly, control flow analysis, instruction semantics, and more. Pharos uses these features to automate common reverse engineering tasks. I'm pleased to announce that we've updated our framework on GitHub to include many new tools, improvements, and bug fixes. In this post, I'll focus on the tool-specific changes.
When I was pursuing my master's degree in information security, two of the required classes were in cognitive psychology and human factors: one class about how we think and learn and one about how we interact with our world. Students were often less interested in these courses and preferred to focus their studies on more technical topics. I personally found them to be two of the most beneficial. In the years since I took those classes, I've worked with people in many organizations in roles where it is their job to think: security operations center (SOC) analysts, researchers, software developers, and decision makers. Many of these people are highly technical, very intelligent, and creative. In my interactions with these groups, however, the discussion rarely turns to how to think about thinking. For people whose jobs entail pulling together and interpreting data to answer a question or solve a problem (i.e. analyze), ignoring human factors and how we and others perceive, think, and remember can lead to poor outcomes. In this blog post, I will explore the importance of thinking like an analyst and introduce a framework to help guide security operations center staff and other network analysts.
The crop of Top 10 SEI Blog posts in the first half of 2017 (judged by the number of visits by our readers) represents the best of what we do here at the SEI: transitioning our knowledge to those who need it. Several of our Top 10 posts this year are from a series of posts on best practices for network security that we launched in November 2016 in the wake of the Dyn attack. In this post, we will list the Top 10 posts with an excerpt from each post as well as links to where readers can go for more information about the topics covered in the SEI blog.
During the wars in Iraq and Afghanistan, insurgents' use of improvised explosive devices (IEDs) proliferated. The United States ramped up its development of counter-IED equipment to improve standoff detection of explosives and explosive precursor components and to defeat IEDs themselves as part of a broader defense capability. One effective strategy was jamming or interrupting radio frequency (RF) communications to counter radio-controlled IEDs (RCIEDs). This approach disrupts critical parts of RF communications, making the RCIED's communication to activate ineffective, saving both warfighter and civilian lives and property. For some time now, the cyber world has also been under attack by a diffused set of enemies who improvise their own tools in many different varieties and hide them where they can do much damage. This analogy has its limitations; however, here I want to explore the idea of disrupting communications from malicious code such as ransomware that is used to lock up your digital assets, or data-exfiltration software that is used to steal your digital data.
This blog post is coauthored by Jose Morales and Angela Horneman.
On May 12, 2017, in the course of a day, the WannaCryransomware attack infected nearly a quarter million computers. WannaCry is the latest in a growing number of ransomware attacks where, instead of stealing data, cyber criminals hold data hostage and demand a ransom payment. WannaCry was perhaps the largest ransomware attack to date, taking over a wide swath of global computers from FedEx in the United States to the systems that power Britain's healthcare system to systems across Asia, according to the New York Times. In this post, we spell out several best practices for prevention and response to a ransomware attack.
When it comes to network traffic, it's important to establish a filtering process that identifies and blocks potential cyberattacks, such as worms spreading ransomware and intruders exploiting vulnerabilities, while permitting the flow of legitimate traffic. In this post, the latest in a series on best practices for network security, I explore best practices for network border protection at the Internet router and firewall.
The network time protocol (NTP) synchronizes the time of a computer client or server to another server or within a few milliseconds of Coordinated Universal Time (UTC). NTP servers, long considered a foundational service of the Internet, have more recently been used to amplify large-scale Distributed Denial of Service (DDoS) attacks. While 2016 did not see a noticeable uptick in the frequency of DDoS attacks, the last 12 months have witnessed some of the largest DDoS attacks, according to Akamai's State of the Internet/Security report. One issue that attackers have exploited is abusable NTP servers. In 2014, there were over seven million abusable NTP servers. As a result of software upgrades, repaired configuration files, or the simple fact that ISPs and IXPs have decided to block NTP traffic, the number of abusable servers dropped by almost 99 percent in a matter months, according to a January 2015 article in ACM Queue. But there is still work to be done. It only takes 5,000 abusable NTP servers to generate a DDoS attack in the range of 50-400 Gbps. In this blog post, I explore the challenges of NTP and prescribe some best practices for securing accurate time with this protocol.
In the 2016 Cyber Security Intelligence Index, IBM found that 60 percent of all cyber attacks were carried out by insiders. One reason that insider threat remains so problematic is that organizations typically respond to these threats with negative technical incentives, such as practices that monitor employee behavior, detect and punish misbehavior, and otherwise try to force employees to act in the best interest of the organization. In contrast, this blog post highlights results from our recent research that suggests organizations need to take a more holistic approach to mitigating insider threat: one that incorporates human involvement. In particular, positive incentives can produce better balance and security for organizations by complementing traditional practices to insider threat programs. This post also presents three practices to increase positive incentives that organizations can use to reduce insider threat.
As cyber-physical systems continue to proliferate, the ability of cyber operators to support armed engagements (kinetic missions) will be critical for the Department of Defense (DoD) to maintain a technological advantage over adversaries. However, current training for cyber operators focuses entirely on the cyber aspect of operations and ignores the realities and constraints of supporting a larger mission. Similarly, kinetic operators largely think of cyber capabilities as a strategic, rather than a tactical resource, and are untrained in how to leverage the capabilities cyber operators can provide. In this blog post, I present Cyber Kinetic Effects Integration, also known as CKEI, which is a program developed at the SEI's CERT Division that allows the training of combined arms and cyber engagements in a virtual battlefield.
Distributed denial-of-service (DDoS) attacks have been dominating the IT security headlines. A flurry of reporting followed the September 2016 attack on the computer security reporter Brian Krebs's web site KrebsonSecurity when he reported attack traffic that was at the unprecedented scale of gigabytes per second. In November, my colleague Rachel Kartch wrote "DDOS Attacks: Four Best Practices for Prevention and Response," outlining what we can do to defend against these attacks. In this blog post, I tell the story of the Mirai powered botnet that's been harnessed in some of these recent attacks and which has also received its own share of press. My purpose is to explore the vulnerabilities that Mirai exploits and describe some simple practices that could help transform our Internet devices to mitigate the risk posed by botnets.
The Domain Name System (DNS) is an essential component of the Internet, a virtual phone book of names and numbers, but we rarely think about it until something goes wrong. As evidenced by the recent distributed denial of service (DDoS) attack against Internet performance management company Dyn, which temporarily wiped out access to websites including Amazon, Paypal, Reddit, and the New York Times for millions of users down the Eastern Seaboard and Europe, DNS serves as the foundation for the security and operation of internal and external network applications. DNS also serves as the backbone for other services critical to organizations including email, external web access, file sharing and voice over IP (VoIP). There are steps, however, that network administrators can take to ensure the security and resilience of their DNS infrastructure and avoid security pitfalls. In this blog post, I outline six best practices to design a secure, reliable infrastructure and present an example of a resilient organizational DNS.
DDoS attacks can be extremely disruptive, and they are on the rise. The Verisign Distributed Denial of Service Trends Report states that DDoS attack activity increased 85 percent in each of the last two years with 32 percent of those attacks in the fourth quarter of 2015 targeting IT services, cloud computing, and software-as-a-service companies. In this blog post, I provide an overview of DDoS attacks and best practices for mitigating and responding to them based on cumulative experience in this field.
Cyber threat modeling, the creation of an abstraction of a system to identify possible threats, is a required activity for DoD acquisition. Identifying potential threats to a system, cyber or otherwise, is increasingly important in today's environment. The number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased by 1,121 percent from 5,503 in fiscal year 2006 to 67,168 in fiscal year 2014, according to a 2015 Government Accountability Office report. Yet, our experience has been that it is often conducted informally with few standards. Consequently, important threat scenarios are often overlooked.
Given the dynamic cyber threat environment in which DoD systems operate, we have embarked on research work aimed at making cyber threat modeling more rigorous, routine, and automated. This blog post evaluates three popular methods of cyber threat modeling and discusses how this evaluation will help develop a model that fuses the best qualities of each.
Network flow plays a vital role in the future of network security and analysis. With more devices connecting to the Internet, networks are larger and faster than ever before. Therefore, capturing and analyzing packet capture data (pcap) on a large network is often prohibitively expensive. Cisco developed NetFlow 20 years ago to reduce the amount of information collected from a communication by aggregating packets with the same IP addresses, transport ports, and protocol (also known as the 5-tuple) into a compact record. This blog post explains why NetFlow is still important in an age in which the common wisdom is that more data is always better. Moreover, NetFlow will become even more important in the next few years as communications become more opaque with the development of new protocols that encrypt payloads by default.
This post is also authored by Matt Sisk, the lead author of each of the tools detailed in this post (bulk query, autogeneration, and all regex). The number of cyber incidents affecting federal agencies has continued to grow, increasing about...