The moment you all have been waiting for has arrived: I have finally posted another Expo speaker summary. This is another content post in my summary of the day's events at the DGI Cyber Security Conference and Expo. Click here for the overview post of the conference.
The third speaker was as interesting and entertaining as Mr. Chun's presentation. The third speaker was Rick Mellendick, who is the Senior Architect of the Cyber Operations Lead at Bearing Point. His topic was a proactive approach to developing a cyber security road map. The title of the presentation was "Offensive Capabilities for Defensive Posturing."
Mr. Mellendick touched on the fact that security professionals must think outside the box when it comes to strategy. Now, in my opinion, that phrase is pretty overused, especially when it comes to the IT industry. He does, however, make a good point, as our current security strategies are not sufficient to get the job done.
He makes the following assumptions about network security:
- Our networks are attacked regularly.
- There are vulnerabilities that we don’t mitigate because it is either too expensive or not worth it to fix them.
- The enemy is within and is taking data and bandwidth.
- The enemy isn’t the “traditional” adversary.
- Concerning mobile communication devices:
  - People use Blackberries for normal work operations.
  - Normal work operations involve some "sensitive" data.
  - Blackberries have code running on them that is secure.
  - 10% of you have handhelds that are broadcasting, and 2 are insecure. (Presumably, he scanned the conference room for Blackberry/Smartphone connections.)
As for the current methods of defense, most fall short. Firewalls can only stop what they are set up to stop, and they allow authenticated traffic, which can be exploited by hackers. An additional problem is that administrators need a high level of training which, as it turns out, is very expensive. The fact that networks are changing all the time, but their configurations are not, is a huge problem. The current solution to handle an issue with a firewall is to open a port, which basically defeats the whole purpose of a firewall in the first place. Two additional attack vectors are what are known as IPS and IDS. These are used to create an abnormal number of trusted administrative connections on the network. Often, these attacks are brought about by improperly configured appliances and the use of old, outdated signatures.
The current issues with cyber operations are numerous. Mr. Mellendick chose to focus on a few. First, cyberspace is finally being recognized as a legitimate battlefield. Cognizant of this fact, people are finally realizing that protecting this new battlefield is critical to global operations and that current implementations of information assurance are too passive. The proposals are as numerous as the problems. He suggests that security professionals must work together to create a unified framework for the consolidation of Cyber Operations. Sidenote: almost every speaker at the conference talked about how requirements and strategies need to be consolidated and fleshed out. We must test both infrastructure and tools, and reverse engineer malware and attacks. He urges agile development for CND RA tools and changes to our present practices to enable proactive defenses. As it turns out, the benefits are numerous as well. The migration from passive to active postures leads to both offensive and defensive security positioning. Under these new practices, networks become more stable and serve as effective baselines, while at the same time defensive modules become more unified. A powerful tool (which has worked wonders for the military) is a proactive defensive strategy that uses the adversary's tactics against them. Coupled with active malware detection, mitigation and response, this change in posture will result in far fewer headaches.
In the future, the exemplary speaker noted, we must protect more than just IT networks. Using active defenses and holistic approaches, we can triumph over present-day security issues. Additionally, security professionals will take Black Team concepts and use them to make aggressive network assessments. Using the right tool for the right job, and the right people for the position, can make all the difference in the world. Modern-day attacks on non-IT network systems like transportation, water and electricity have clearly shown the world that there is a need to expand security procedures and methods.
Mr. Mellendick made a few particularly awesome statements in the second half of his presentation. He discussed the topic of active defense. In this scenario, the nature of the beast is much like the Cold War between the U.S. and the U.S.S.R.: a show of force, mixed with a preemptive (rather than reactive) response, goes a long way toward deterring enemies. In this way, we are able to use offensive capabilities for defensive actions. He went on to explain that in the future of network security, professionals will use three tactics to defend networks. The first is Network Fast Flux DNS. This technique alters the internal DNS records of the server environment and allows for the avoidance of DNS-based DDoS attacks. Since malware can change its DNS information on the fly, servers are particularly susceptible to concurrent attacks. If the server in question is in fast flux, that is to say always changing, we are fighting fire with fire. The next tool we can use is Network Tool Recording, or NTR. This practice essentially employs basic tools like SSH and Nmap. These tools record information about the network, which is logged in a central database. Even though this means a boatload of new data, people can use simple analytics and basic heuristics to manage the flood. An important feature of this concept is that the tools reside in a tool repository that is accessible to users. And lastly, reverse proxies can be used to great effect. Essentially, a reverse proxy is a proxy server placed within a network DMZ that dispatches inbound network traffic to a set of predetermined servers. This strategy has many benefits. First, it can optimize and compress content to deliver it to users faster. It pinpoints separated connections to add an additional layer of non-traditional defense. Even though the end user sees a single interface, the traffic is randomized.
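To make the Network Tool Recording idea concrete, here is a small added example of my own (it is not code from the presentation or from Bearing Point). It stores the output of an Nmap run in a central SQLite database together with who ran it and when, then applies one basic heuristic over the recorded data: which open ports appeared since the previous recorded scan. The scan lines are constructed in Nmap's grepable format for two fictional hosts; the table layout, the `operator` column and the "new exposure" heuristic are my own assumptions about how such a repository might be organized.

```python
"""Network Tool Recording (NTR) sketch: record nmap-style scan results in a
central SQLite database and run a simple heuristic over the recorded data.
Added example, not from the talk; all hosts and scan lines are constructed."""
import re
import sqlite3
from datetime import datetime, timezone

# Constructed nmap "grepable" (-oG) output for two successive scans. The
# addresses are private RFC 1918 addresses invented for this example.
SCAN_DAY1 = """\
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 10.0.0.11 ()\tPorts: 22/open/tcp//ssh///
"""
SCAN_DAY2 = """\
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.0.11 ()\tPorts: 22/open/tcp//ssh///
Host: 10.0.0.99 ()\tPorts: 23/open/tcp//telnet///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Yield (host, port, proto, service) for every open port in -oG output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        ports = ports.split("\t")[0]          # drop a trailing "Ignored State:" field
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            # -oG port fields: port/state/proto/owner/service/rpc/version
            if len(fields) >= 5 and fields[1] == "open":
                yield host, int(fields[0]), fields[2], fields[4]


def open_db(path=":memory:"):
    """Create (or open) the central recording database."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS scan (
        id INTEGER PRIMARY KEY, tool TEXT, operator TEXT, recorded_at TEXT)""")
    db.execute("""CREATE TABLE IF NOT EXISTS open_port (
        scan_id INTEGER, host TEXT, port INTEGER, proto TEXT, service TEXT)""")
    return db


def record_scan(db, tool, operator, output, when=None):
    """Store one tool run (who, what, when) plus its parsed findings.
    Returns the new scan id so later analytics can refer to it."""
    when = when or datetime.now(timezone.utc).isoformat()
    cur = db.execute(
        "INSERT INTO scan (tool, operator, recorded_at) VALUES (?, ?, ?)",
        (tool, operator, when))
    scan_id = cur.lastrowid
    db.executemany(
        "INSERT INTO open_port VALUES (?, ?, ?, ?, ?)",
        [(scan_id, h, p, pr, s) for h, p, pr, s in parse_grepable(output)])
    db.commit()
    return scan_id


def new_exposures(db, prev_id, cur_id):
    """Heuristic: open ports present in the current scan but absent from the
    previous one (new hosts show up here too, since all their ports are new)."""
    return db.execute("""
        SELECT c.host, c.port, c.proto, c.service FROM open_port c
        WHERE c.scan_id = ?
          AND NOT EXISTS (SELECT 1 FROM open_port p
                          WHERE p.scan_id = ? AND p.host = c.host
                            AND p.port = c.port AND p.proto = c.proto)
        ORDER BY c.host, c.port""", (cur_id, prev_id)).fetchall()


if __name__ == "__main__":
    db = open_db()
    s1 = record_scan(db, "nmap", "analyst1", SCAN_DAY1, "2024-01-01T00:00:00+00:00")
    s2 = record_scan(db, "nmap", "analyst1", SCAN_DAY2, "2024-01-02T00:00:00+00:00")
    for host, port, proto, service in new_exposures(db, s1, s2):
        print(f"NEW {host}:{port}/{proto} ({service})")
```

Run stand-alone, the script reports the RDP port that appeared on 10.0.0.10 and the new telnet host 10.0.0.99. The point of recording the operator and timestamp with each run is that the same database answers both "what changed on the network" and "who ran which tool when", which is what makes a shared tool repository auditable rather than just a pile of output files.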
The net view of cyber operations was displayed in a cyclical manner during the presentation. This is a transcription from the original:
Full Spectrum of Cyber Ops:
- High Assurance
- FR Protect
- Security Mobile Code
- Boundary Controllers
- Embedded Systems
- IA Wrappers
- Early Warning
- Data Hiding/Marking
- Network Tool Recording
- Stronger Policy Enforcement
- Data Mining
- Intelligent Agents
- Effective Enterprise Defense
- Rogue Wireless Detection
- Situational Awareness
- Decision Support
- IO Planning
- Response Actions
- Active Exfiltration Prevention
- Active Response
- Fault Tolerant Networks
- Effects-Based IO
I will quote Mr. Mellendick’s presentation as I cannot say it better myself:
The New Paradigm:
Open source tools and tool boxes tend to be a mixed collection ranging from very professionally developed and supported tools, to scripts developed on the fly to perform a specific task.
Through a deeper knowledge of defensive and offensive techniques, along with a shift from current penetration testing techniques, many new vulnerabilities can be and are found and mitigated in advance.
The need for determining new zero day and unpatched vulnerabilities is the best defense against the adversary.
Use of offensive techniques gives the network defenders the best chance to protect their soon to be deployed appliances, processes and currently administered networks.
It was really great to hear his perspective on all these topics. He covered a lot of ground (as you can probably tell) but made everything really enjoyable to listen to. Leave your comments below.