Dailydave mailing list archives
Re: Cyber Situational Awareness
From: Carlos Alexandre Queiroz <caxqueiroz () gmail com>
Date: Thu, 1 Dec 2011 15:43:19 +1100
Hi there,

I think you missed the point and you have shown a very narrow view of what Situation Awareness is, and Cyber Situational Awareness, for that matter.

Of course Instrumentation is important. Without the raw data there is not much to be done. However, the analysis of the data is much more important. Without analysis there is a huge potential that the data will be missed, as nowadays we are collecting more and more data. Just because we are using an instrumentation and the "attackers" do not know about it does not guarantee you will make good use of it.

For example, we all know that DHS flags suspicious airplane passengers. The suspected bomber that tried to blow up the Northwest Airlines flight 253 was flagged in one of the "three letters" agencies' databases, but no analysis was carried out and he successfully boarded the plane. The data was there, the instrumentation worked, but the analysis failed.

Cheers,
cq

On 24/11/2011, at 3:17 AM, Dave Aitel wrote:
> When you talk about cyber situational awareness you will often find people talking about large scale scanning or sniffing. This is often missing the point - it's 90's era thinking applied to the much more interesting and complex modern cyber world.
>
> An easy metric I find is this: What parts of your situational awareness program are your opponents _not aware that you have_. And to follow on, which parts of your situational awareness program can they not possibly detect? Everything else is simply a denial/deception program waiting to get started.
>
> The other major thing people talk about with cyber situational awareness is their ability to do large scale analysis and correlation. This is useful insomuch as the true scale of it is unknown or unknowable. But other than that it is simply a way to drive down the obscenely high costs of analysis, which scales as well as all human-bound enterprises.
>
> As a concrete example you can look at OS detection over the network:
>
> Useless: TCP/IP options and features, a la NMAP
> Useful: NTP OS detection (while that was an unknown)
>
> This works defensively too - do you as a corporation have defensive instrumentation and analysis on a place in your network/systems the attacker could not possibly expect you to, or that they cannot possibly detect?
>
> What we look for in situational awareness toolkits is the "aha!" moment. Aka "I had no idea you could get that kind of data from that protocol!" or "I didn't realize I was leaking _that_ in the clear!"
>
> Mark's talk at INFILTRATE is a very powerful example of this concept, for those of you coming in January. (And if you're not registered yet, you should call team admin at +1 786 220 0600 since I think they have some sort of deal going on right now).
>
> --
> INFILTRATE 2012 January 12th-13th in Miami - the world's best offensive information security conference.
> www.infiltratecon.com

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Cyber Situational Awareness Dave Aitel (Nov 23)
- Re: Cyber Situational Awareness Carlos Alexandre Queiroz (Dec 01)
- Re: Cyber Situational Awareness Dobbins, Roland (Dec 01)