Dailydave mailing list archives

Re: Cyber Situational Awareness


From: Carlos Alexandre Queiroz <caxqueiroz () gmail com>
Date: Thu, 1 Dec 2011 15:43:19 +1100

Hi there, 

I think you missed the point and you have shown a very narrow view of what Situation Awareness is, and Cyber 
Situational Awareness, for that matter. 

Of course instrumentation is important. Without the raw data there is not much to be done. However, the analysis of the
data is much more important. Without analysis there is a huge potential that the data will be missed, as nowadays we
are collecting more and more data.

Just because we are using instrumentation and the "attackers" do not know about it does not guarantee you will make
good use of it.

For example, we all know that DHS flags suspicious airplane passengers. The suspected bomber that tried to blow up
Northwest Airlines Flight 253 was flagged in one of the "three-letter" agencies' databases, but no analysis was carried
out and he successfully boarded the plane. The data was there, the instrumentation worked, but the analysis failed.

Cheers,
cq

On 24/11/2011, at 3:17 AM, Dave Aitel wrote:

When you talk about cyber situational awareness you will often find people talking about large scale scanning or 
sniffing. This is often missing the point - it's 90's era thinking applied to the much more interesting and complex 
modern cyber world.

An easy metric I find is this: What parts of your situational awareness program are your opponents _not aware that
you have_? And to follow on, which parts of your situational awareness program can they not possibly detect?
Everything else is simply a denial/deception program waiting to get started.

The other major thing people talk about with cyber situational awareness is their ability to do large scale analysis
and correlation. This is useful insomuch as the true scale of it is unknown or unknowable. But other than that it is
simply a way to drive down the obscenely high costs of analysis, which scales as well as all human-bound enterprises.

As a concrete example you can look at OS detection over the network:
Useless: TCP/IP options and features, ala NMAP
Useful: NTP OS detection (while that was an unknown)

This works defensively too - do you as a corporation have defensive instrumentation and analysis on a place in your 
network/systems the attacker could not possibly expect you to, or that they cannot possibly detect? 

What we look for in situational awareness toolkits is the "aha!" moment. Aka "I had no idea you could get that kind 
of data from that protocol!" or "I didn't realize I was leaking _that_ in the clear!" Mark's talk at INFILTRATE is a 
very powerful example of this concept, for those of you coming in January. (And if you're not registered yet, you 
should call team admin at + 1 786 220 0600 since I think they have some sort of deal going on right now). 

-- 
INFILTRATE 2012 January 12th-13th in Miami - the world's best offensive information security conference.

www.infiltratecon.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave


