[Security] 2012 DoD Cyber Crime Conference
This was my first time heading to the DoD Cyber Crime Conference in Atlanta. The DoD Cyber Crime Center (DC3) hosts the conference every year. DC3first started as a resource for DoD and Law Enforcement and has grown over the years to include many different organizations that work together to combat Cyber Crime. The conference was a mix of training, plenary sessions, breakout sessions, and a large vendor floor. MANDIANT was a participant in the trade show portion of the conference and hosted a happy hour at one of the neighboring hotels on Wednesday night.
I was able to catch several of the keynote and plenary sessions, as well as several breakouts later on. The published conference theme was “Teaming for Dominance” and “Training for Dominance.” Without public-private collaboration between the entities that are fighting cyber crime throughout the United States victory against determined adversaries is nigh impossible. Also there is a shortage of properly trained professionals for dealing with cyber crime, and only by providing opportunities for training and education could the country pull together and get ahead. This covered not only continuing adult education and formal training, but also initiatives for college and high school students as well. I was more interested in the secondary themes that I saw emerging in presentation or discussion: indeed there is a need to work together, cultivating defensive strengths through collaboration on intelligence and innovation, be it in education or implementation of the practice of forensics and incident response.
At the management and policy level, I listened to Jeff Stutzman of the DCISE, Alan Paller of SANS, and panel discussions from leaders in the FS-ISAC, DHS, DoD/DCISE and DSIE (all organizations that are responsible for coordinating information sharing across large groups of important organizations). Regardless of specific messaging items, most of these leaders seemed to feel that too much was getting lost in the large scope of the problem set, and the path to real progress was by focusing on a few key components. Mr. Stutzman talked about focusing on education and collaboration, Alan Paller spoke about security leaders who were making an impact by committing to only a few simple items that create real change (rather than succumbing to the temptation of lengthy checklists and guidance documents), and as the panel addressed the need for real-time information sharing, they admitted that basics needed mastering before more complex solutions could be attempted.
Several technical presenters put forth the message that Indicators of Compromise (IOCs) that describe complex forensic artifacts and innovative methods are the key to success in rapidly detecting intruders. Rob Lee talked about the state of modern forensics, and the DFIR community success story that has led to projects such as log2timeline. Rob also spoke about the next step in responder evolution: taking the information routinely found in timelines, and creating abstracted, generic patterns that always identified compromise, rather than always looking at specific signatures in a timeline. If that can be realized, organizations will be able to identify incidents as soon as an intrusion occurs, allowing for almost instant detection. At the conference MANDIANT’s Ryan Kazanciyan, Chris Nutt, and Mary Singh all cited the need for looking beyond simple signatures and traditional investigative paths in their presentations, which covered some of our best practices in IR and Disk Forensics. Several other speakers also cited the need for complex indicators as the key to success in large, noisy modern enterprise environments, and IOCswere mentioned in a variety of presentations and post-presentation discussions.
During the tradeshow, we spoke with a variety of representatives from different parts of government. Polling attendees showed that no one particular threat stood-out, but most attendees felt this was the year threat awareness went mainstream. Panelists talking about Information Sharing and Analysis Centers (ISACs) echoed this idea: that the time was now for automating the sharing of threat intelligence. In support of that idea, I was fortunate enough to be able to participate in a Birds of a Feather discussion session about potential for automating information sharing in the DCISE, and presented on OpenIOC and potential uses in creating a method of automated information sharing for threat intelligence.
Several of the DIB contractors that we spoke to talked about how they were making detection a top priority. The debate over prevention versus detection is still lively and undecided in many circles, but more and more vendors are focusing on detection as a critical need. It was encouraging hearing a lot of resonance with themes that we have long believed in:
the ability to describe complex indicators of compromise is necessary for success,
sharing threat intelligence is critical for the evolution of defense,
and that belief in rapid detection as a top priority is gaining ground
I hope that the lessons learned, and discussions had at the conference, empower the responders who work with DC3 in the coming year. And that collectively we can help solve the ever-growing needs for better detection and threat intelligence sharing across so many critical sectors of the enterprise.
If you attended DC3 I’d love to hear your take on the conference and themes you noticed from presenters and attendees. If you were unable to go, slides from the MANDIANT presenters will be up soon.