DerbyCon 5.0 has officially started, and it didn’t take long before the halls were flooded with hackers looking to catch up with their peers as they headed to the first talk of the day.
On Thursday, I had the chance to catch up with a number of people who resonated with the thought process of yesterday’s post. The point being, insider threats aren’t what you think they are, and the core issue isn’t a malicious user – it’s a clueless user. In addition, when dealing with insider-based issues, policies that prohibit or hinder workflow will create more problems than they solve.
Today, the topic is threat intelligence. I learned something interesting recently: if you gather a group of hackers and researchers around a table and ask them to define threat intelligence, the conversation will quickly spin into a rage-fueled discussion about sales-driven security (meaning InfoSec products that are pitched and sold with no real security value).
Sadly, real threat intelligence isn’t here yet. What most vendors offer are data feeds, and raw data isn’t really actionable. Plus, most organizations have no idea what to do with this information once they get it. The result is always the same: a company spends tens of thousands of dollars for data that’s almost certainly already in their logs – and they’ll still get compromised.
“It’s nice to have feeds from someone else who’s willing to do the grunt work of analyzing all the data to pull out real threats in the wild. But unless you have an infrastructure of people and other security appliance perspectives, that data feed is useless,” commented one of the hackers.
Another threat intelligence gripe is that the data feeds are all the same, no matter what organization is getting them. There are feeds for various markets and verticals, but the data is the same in many cases.
So the question is, and feel free to comment with your opinions below (or stop me in the halls at Derby to chat), if threat intelligence isn't intelligent, and isn't all that useful, why is it so popular? Why do executives want it?
Another topic that cropped up in conversations was a recent Air Force demo. The idea is to use a modified EC-130 aircraft to jam enemy transmissions and compromise their air-gapped networks.
“We've conducted a series of demonstrations,” said Maj. Gen. Burke Wilson, commander of the 24th Air Force, in a recent presentation at the Air Force Association conference. “Lo and behold! Yes, we're able to touch a target and manipulate a target, [i.e.] a network, from an aircraft.”
The initial report from Breaking Defense doesn’t go into much detail, but it’s an interesting read.
Using DNS to stop phishing
Mike Saunders will be presenting an interesting take on phishing defense here at DerbyCon. He wrote a Python program that consumes the output of dnstwist and urlcrazy, then compares it against a baseline created by the user. The aim is to detect typosquatting, such as what happened at WellPoint in 2014.
Once the script is set up, “if any new typosquatting variation of the source domain is registered, my script will recognize this and notify the user that a new typosquatted domain has been registered,” he explained.
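The baseline-diff idea described above, as an added example that is not Mike Saunders' script: it assumes a dnstwist-style CSV (columns fuzzer, domain, dns_a; a blank dns_a meaning the permutation does not resolve) and a baseline of previously seen typosquats, and reports only permutations that resolve now but were not in the baseline. The CSV sample below is constructed, not real tool output.

```python
"""Flag newly registered typosquat domains by diffing dnstwist-style output
against a user-maintained baseline. Added example; not the script from the talk."""
import csv
import io
import json

# Constructed sample in an assumed dnstwist-like CSV shape: fuzzer,domain,dns_a.
# An empty dns_a means the permutation currently has no A record (not registered/resolving).
SAMPLE_DNSTWIST_CSV = """fuzzer,domain,dns_a
original*,example.com,93.184.216.34
omission,exmple.com,
transposition,exampel.com,203.0.113.10
homoglyph,examp1e.com,198.51.100.7
addition,examplea.com,
"""

# Baseline from an earlier run: typosquats the user already knows resolve.
BASELINE = {"exampel.com"}


def parse_resolved(csv_text, source_domain):
    """Return the set of permutations that currently resolve, excluding the source domain."""
    resolved = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["domain"].strip().lower()
        if name == source_domain.lower() or not row.get("dns_a", "").strip():
            continue
        resolved.add(name)
    return resolved


def new_typosquats(csv_text, baseline, source_domain):
    """Domains resolving now that were not in the baseline: these are the alerts."""
    return sorted(parse_resolved(csv_text, source_domain) - set(baseline))


def update_baseline(baseline, new_domains):
    """Merge newly seen domains so the next run reports only genuinely new registrations."""
    return set(baseline) | set(new_domains)


if __name__ == "__main__":
    fresh = new_typosquats(SAMPLE_DNSTWIST_CSV, BASELINE, "example.com")
    for d in fresh:
        print(f"ALERT: new typosquat domain resolving: {d}")  # prints examp1e.com
    # Persist the merged baseline for the next scheduled run.
    print(json.dumps(sorted(update_baseline(BASELINE, fresh))))
```

Run it on a schedule against fresh tool output and store the merged baseline; only domains that newly start resolving will be reported.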
He blogged about the process earlier this year, and after his talk all updated code will be available online. While the script won’t stop all types of phishing attacks, it does help defend against some of the more common ones.