Creating a Cyber Defense Team Part Two

Tuesday, November 16, 2010

Richard Stiennon


Creating a Cyber Defense Team, Part One, is here.

A valuable methodology for the research role is being developed by the Infowar Monitor team working at the University of Toronto.

They dub their methodology “fusion research”, a combination of technical analysis, contextual understanding, and field investigations.

Translating this into the activities within an organization would mean working with peer organizations to discover the attack methodologies being used successfully against them, and the tools and defenses those peers deploy in response.

It would also mean having an understanding of the industry they are in and the value of their information assets to various potential adversaries.

Banks, long the target of cyber crime, and casinos, with vast experience fighting insider threats, have had this type of interaction with their peers for years. It is time for manufacturers, non-profits, universities, and state and local governments to do the same.

The second role within the cyber defense team is the operational role. Members of the cyber defense operations team must:

1. Select and deploy network and host based tools to monitor activity, alert on unusual activity, block attacks, and assist in removing infections that have made it through all of the cyber defenses.

2. Interact with the rest of IT operations to ensure that infections are quickly snuffed out and cleaned up.

3. Engage in forensics activities to perform post mortems on successful attacks, gather evidence, and improve future operations.

The members of the internal cyber defense team supplement the rest of IT operations. They are not responsible for the daily updating of servers and desktops or the distribution of AV signatures or maintaining firewalls. Their job is to discover and mitigate attacks as they occur. This is a 24x7x365 job.

A primary responder must be identified for each evening, weekend, and holiday shift. They must be able to receive alerts, quickly gain access to the monitoring system, and take defensive action when an attack occurs.

The third component of the cyber defense group is the Red Team. They look inward. They scan the network for holes in the defenses and new vulnerabilities. They engage in attack and penetration exercises to test defenses. They evaluate new IT projects to ensure that authentication, authorization, and defenses are included in the initial design all the way through to deployment.

Each of these three roles has special tools that they should use to accomplish their duties.

The cyber analysts make use of knowledge management tools to categorize and create linkages between disparate data sources. An internal wiki can serve as the basis of communication with the other members of the team.

A sophisticated tool from Palantir Technologies can help them track sources of attacks, record data, remember IP addresses and malicious domains, and even keep track of the identities, affiliations, and methods associated with particular groups or individuals.

The cyber defense operations team will use advanced packet capture, network behavior monitoring, application monitoring, and endpoint protection tools. Netwitness provides the best tool for capturing network traffic and applying filters that contain knowledge of attack sources, and other cross correlation capabilities.

By deploying a network flow monitoring solution from Arbor Networks they can see changes in traffic patterns that are indicative of an attack. Guidance Software, known for its forensics tool kits, has a cyber defense product that leverages the endpoint protection of HBGary to identify and remediate infections. FireEye is a network gateway defense against zero-hour malware and blocks attempts to communicate with command and control servers operated by attackers.
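The two operational duties described above, alerting on unusual activity (item 1 of the operations list) and spotting changes in traffic patterns with flow monitoring, come down to comparing what a host does now against what it did before. The following is an added illustration, not code from the author or from any of the products named; it assumes NetFlow-style records reduced to (hour, source host, destination, port, bytes out), with a small constructed sample embedded inline, and applies two simple checks: an outbound-volume deviation from a per-host baseline, and repeated contact with a destination the host had never reached during the baseline, which is the pattern a command and control channel or an exfiltration burst leaves in flow data.

```python
"""Baseline-and-deviation checks over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    hour: int        # hour index within the observation window
    src: str         # internal host that originated the flow
    dst: str         # destination IP
    dport: int       # destination port
    bytes_out: int   # bytes sent by src in this flow


# Constructed sample: hours 0-3 are the quiet baseline, hour 4 is under test.
# 10.0.0.11 behaves the same in every hour; 10.0.0.12 is steady during the
# baseline and then pushes a large volume to a never-before-seen destination.
BASELINE_HOURS = range(0, 4)
TEST_HOUR = 4
SAMPLE_FLOWS = [
    *[Flow(h, "10.0.0.11", "198.51.100.10", 443, 50_000 + h * 1_000) for h in range(5)],
    *[Flow(h, "10.0.0.12", "198.51.100.10", 443, 40_000) for h in range(4)],
    *[Flow(4, "10.0.0.12", "203.0.113.77", 443, 2_000_000) for _ in range(6)],
]


def hourly_bytes(flows):
    """Aggregate outbound bytes per source host per hour: {src: {hour: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src][f.hour] += f.bytes_out
    return totals


def volume_anomalies(flows, baseline_hours, test_hour, k=3.0, min_ratio=2.0):
    """Flag hosts whose outbound volume in test_hour is both k standard
    deviations above the baseline mean and at least min_ratio times the mean.
    The ratio floor stops a host with a flat (zero-variance) baseline from
    alerting on trivial changes."""
    alerts = {}
    for src, by_hour in hourly_bytes(flows).items():
        base = [by_hour.get(h, 0) for h in baseline_hours]
        mu, sigma = mean(base), pstdev(base)
        observed = by_hour.get(test_hour, 0)
        threshold = max(mu + k * sigma, mu * min_ratio)
        if observed > threshold:
            alerts[src] = {"observed": observed, "baseline_mean": mu, "threshold": threshold}
    return alerts


def new_destination_alerts(flows, baseline_hours, test_hour, min_flows=3):
    """Flag (src, dst, dport) seen at least min_flows times in test_hour where
    src never contacted dst during the baseline hours."""
    seen = defaultdict(set)   # src -> destinations contacted during the baseline
    counts = defaultdict(int)  # (src, dst, dport) -> flow count in the test hour
    for f in flows:
        if f.hour in baseline_hours:
            seen[f.src].add(f.dst)
        elif f.hour == test_hour:
            counts[(f.src, f.dst, f.dport)] += 1
    return {key: n for key, n in counts.items()
            if key[1] not in seen[key[0]] and n >= min_flows}


if __name__ == "__main__":
    for src, info in volume_anomalies(SAMPLE_FLOWS, BASELINE_HOURS, TEST_HOUR).items():
        print(f"VOLUME  {src}: {info['observed']} bytes in hour {TEST_HOUR}, "
              f"baseline mean {info['baseline_mean']:.0f}, threshold {info['threshold']:.0f}")
    for (src, dst, dport), n in new_destination_alerts(SAMPLE_FLOWS, BASELINE_HOURS, TEST_HOUR).items():
        print(f"NEWDST  {src} -> {dst}:{dport} contacted {n} times, never seen in baseline")
```

On the sample, only 10.0.0.12 trips both checks; 10.0.0.11 stays under the volume threshold and reaches only a destination it already used in the baseline. The baseline window, the deviation multiplier and the flow-count floor are the knobs an operations team tunes against its own traffic; the point of keeping both checks is that a slow, low-volume command and control channel can pass the volume test while still failing the new-destination test.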

The cyber defense Red Team makes use of many open source tools to act as surrogate attackers. Nessus can be used for vulnerability scanning; it is open source and the basis of several commercial products, most notably Tenable's. Vulnerability scanning is also a function of regular IT operations, so it is important that the Red Team use a different set of tools than those used by operations. Core Impact is the most advanced commercial attack and penetration tool.

The organization and duties of the Cyber Defense Team arise from the new threat of targeted attacks. There is a fundamental difference between defending against random attack from viruses, worms, and botnets and targeted attacks.

When the viruses and worms are written to specifically infect an enterprise’s system and gain control of internal processes, communications, and data, traditional tools are ineffective and traditional organizations are at a loss. By assigning responsibility to a core team of cyber defense specialists the enterprise can begin to address their vulnerability to targeted attacks.

This post is an excerpt from Cyber Defense: Countering Targeted Attacks (Government Institutes, 2011).

Cross-posted from Threat Chaos

Ray Tan: It is reasonable and necessary.
For network analysis, I would like to recommend Wireshark and Capsa Free; besides the functions you have mentioned, they can provide deeper insight into packet decoding.