
Real-time, Actionable Intelligence I Can Have Today!

May 15, 2011 | 5 mins
Business Continuity, Careers, Data and Information Security

It started oddly enough while sitting in a helicopter overlooking the busy Washington DC beltway during rush hour. Six-lane parking lots going both ways as feeder traffic spills onto the beltway from major spurs such as 270, 95, the BW and George Washington Parkway, Route 50, 295, 395, and a plethora of other smaller feeders that fill the roads with cars, trucks, motorcycles and every type of 2- to 8-wheeled vehicle you can imagine. I flew around the beltway from above looking at the vehicles and started imagining them as data packets. It was the evening rush hour and most of the traffic was outbound from Washington, DC. All those cars, all that data exfiltrating DC, carrying with it massive amounts of information in packets detected on the beltway network but not identified for content. As I hovered above one interchange, I tried to imagine the sheer magnitude of sensitive information flowing from DC. Unimpeded, undetected, unprotected. The sensitive information illegally flowing from DC on a daily basis was physically apparent. The picture of how to detect what was illegal in this mass of metal and fossil fuels was still unclear.

It was truly a matter of finding a needle in a haystack. This led me to start looking into the security marketplace for products and solutions that could solve my problem. How do I determine the illegal flow of information exfiltrating environments? How do I determine covert malware and botnet activity by looking from above? How can I passively extract this information without touching or impeding someone else’s infrastructure?

I looked at products like Wireshark and NetWitness, but I found that their method of finding the needle in the haystack was to bend every piece of straw trying to find the needle. If you have ever been in a barn, try to imagine the number of strands of straw you would have to bend, and the time and effort it would take, just to find the needles, much less determine what each needle was for (not to mention all the allergic reactions and itchy arms). If I decided to go with NetWitness I would need to buy hardware, install it, understand what rules to turn on and periodically tune it. I decided to continue looking.

I came upon LookingGlass, which provides an analyst interface. The interface consumes a variety of data, not specifically botnet data. My research led me to believe that this tool would appeal to a researcher or investigator of sorts. What struck me as very interesting was one particular feed into the product that demonstrated real-time botnet activity, much like the cars flowing out of Washington DC during the evening rush hour. The information could track illegal information flow exfiltrating from corporate and government entities. It even told me from what IP the illegal flow was emanating. It was like sitting in the helicopter, seeing each vehicle, and knowing exactly where it had come from. It also told me, for example, that every red vehicle contained illegal information. Not only that, but all red cars started flowing down the same information avenue, just like flowing through the Dulles Toll Road. All the red cars flowed down that road and the information could tell me where they were going. This was not bending the straw to find the needle; it was using a magnet to extract all needles without touching the straw! Epiphany!! Where did the data come from?

I found it in the Unveillance platform. This platform provides real-time, actionable compromise intelligence. I could tell when an IP was compromised, where the data was flowing, and potentially attribute the source. Attribution is one of the most difficult issues in investigations of perimeter penetration. I instantly knew the Security Operations Centers, incident response groups, the CISO and the business would want this type of information. Timely, actionable, real. I had active information easily tracked and at my fingertips.

Unveillance is a situational awareness platform that rates data loss and leakage with an intelligence quotient that gives the user a quantifiable metric enabling actionable intelligence. Actionable intelligence that I could use to quickly neutralize the threat. I started to dig deeper. I was afforded access to the dashboard. I was floored at the amount of data exfiltrating hundreds of the largest government and commercial organizations in the US and the world.

In my research and analysis of Unveillance, I began to realize that there is an offensive capability within the solution. It can take over command and control of the exfiltrating botnet. If you can take over command and control, then you virtually own (or pwn) that entity. The possibility of redirecting the botnet as a DDoS starts to become real. The ability to determine sources is eased. The potential of driving active offensive actions is an actuality. Could I even redirect the botnet back upon its masters?

Many times when you wake up in the morning you can remember some of your dreams and most are not based in reality. That morning I awoke and found the dream to be real. I found I could stand in a field and extract needles from all the surrounding barns and haystacks without entering the barn or touching nary a strand of hay. I found that I could do that today without adding hardware or software to my infrastructure. I found I did not have to wait several days or weeks to get old data. I found it in Unveillance.