Director of Reasearch,
Farsight Security, Inc.
We need to field diverse defense teams to protect our assets from adversaries who don't follow the rules that we follow, be they legal, business or social rules. If everyone followed a clear set of rules, the landscape in this space would be drastically different. Every member of a good security team brings their unique perspective and experiences to the table. No two days in the security sector are the same -- the puzzles you face tomorrow will look nothing like what you encountered today. Also, there is no one correct path into this profession, and, once you are here, you can never stop learning or you will quickly lose your edge.
Every workplace should strive to match or exceed the human diversity of their community and customer base. Otherwise a cybersecurity team, for example, will fail to mesh, culturally and otherwise, with those they serve and collaborate with. Note that while a lack of skills diversity will produce negative results instantly, a lack of human diversity will breed a chronic angst that will continue to fester as long as diversity is not made a clear priority. This angst will continue to grow below the surface for quite some time before its negative results are apparent.
In terms of archetypes, my opinion is that a well-rounded team would have a protocol wizard, a tool-smith (coder), a policy wonk, an investigator, and a wildcard (Think A-team). Remember, unless you are stunningly successful, you will _NEVER_ meet the attacker. Malware, attackers and packets don't care about gender, race, color, creed. They don't care what you are wearing and they don't care what school you attended, or what certifications you have. I aim to hire driven, intelligent, learners with diverse backgrounds -- they will quickly work out challenges in ways you didn't expect.
I collect maps. I'm fascinated by the all of ways mankind has invented to communicate information visually about their 3-D physical world in a limited 2-D representation. It is also thought provoking to understand what was important for a given time and place by studying the maps from that period. My approach to security research starts with a big map. In the center, our research team has drawn the parts of the threat landscape that we know well -- this should take up about 80% of the paper. The other 20% is empty space that we have not yet explored. If we fill in too much of the exterior space, we make the map bigger, to maintain the 80/20 ratio. Some elements in the "known" middle area are recorded to every minute detail, while others have a few key features and general ideas and are otherwise mostly empty space.
My goal for a security research team is to slowly, but consistently, move the outer frontier towards the edge of the page, while at the same time making sure we have a solid understanding of everything in the center. My team will spend about 20% of their time outside the comfortable edge of known territory on the map ("Here be Dragons"), they will spend the other 80% of that time filling in the blank spaces within our borders. It is important to make sure that our discoveries are connected back to our known perimeter; getting too far into the unknown makes it hard to develop the context needed to leverage the new discovery.
In short, it can’t. Attribution is hard and passive DNS – like most other technologies -- doesn't make it much easier. If you don't know who is behind the attack, you have no good way to derive a motivation. Yet Passive DNS can, however, provide critical information about the adversary’s infrastructure, which often links one threat to another. DNS is a small slice of a full-scale malware operation.
Occasionally, we get lucky and find clues to attribution and proof that criminals make mistakes too. For example, an adversary using old vanity domains for C2 that, in the past, had been pointed at a personal server. Another useful tool is looking for bread-crumbs in passive DNS that link DNS configurations for domains that might be otherwise isolated, but might have been generated by the same tools.
Let's start with IoT. Connected devices are getting more powerful, cheaper, more "friendly" and more ubiquitous. Users expect just about everything will be controlled by an App. To do that, all of these devices need to be connected to the network and phone home. Unfortunately, the devices are all black-boxes. Short of spinning-up wire-shark, how do I know what connections my new printer is making? Where is my new air-conditioner getting software updates? This has significant implications in the Enterprise. Without universal device management, how do you know your devices are running up- to-date software? How do you know the passwords are properly managed? What happens when an employee with access to a device on your network from their phone gets terminated?
Second: It's often said that the Cloud is just somebody else’s computer. The Cloud is also a powerful tool. Deploying your infrastructure to the Cloud means that you don't need to worry about some of the traditional challenges of running a data-center. Yet there are some new things that you do need to worry about such as: How about configuration or software errors that give others access to your Cloud-hosted data? Is your data encrypted in a meaningful way on the Cloud platform? How can you verify this?
Finally, the easiest to exploit and hardest to fix element in any security system is the human being. Many of the attacks in the news gained their foot-hold into the attacked system when a human took some action that, unbeknownst to them, was against their best interest. We as security practitioners have to draw a laser-thin line between being secure and enabling our employees to be productive. Carefully layered policies, systems and training go a long way. We just have to remember that all of our tools, software and protocols were designed by humans.
I have been extremely fortunate throughout my career to have always found myself in the company of amazing teams of colleagues and peers. Farsight is no exception. We have a top-flight team comprised of some of the best minds in the field; every single day is a new adventure. The highlight of any day has to be that moment when the logic clicks into place and someone suddenly understands how visibility into passive DNS will help them defend their assets.
Stay in touch, subscribe to the Farsight Security Newsletter