SANS Digital Forensics and Incident Response Blog: Author - mikecloppert

The Rights and Wrongs of the Google Hack

This is an op-ed. I have mixed feelings about op-eds on a blog dedicated to a rigorous discipline that should be more precise and scientific. However, I also have some insight into this domain, so I thought I would grant myself an exception. Opinions expressed here are my own, and do not represent any other organization or entity.

I don't think I need to even provide a single hyperlink describing the recent Google hack, so-called Aurora by McAfee after a common directory name used by the perpetrators. But I will. There are many fascinating elements to this story - some good, and some bad. Here I'll discuss a few in each category.

Detection, Bandwidth, and Moore's Law

A Call to Arms for Intrusion Detection Software Innovation

For over a generation of professionals, Moore's Law has guided strategic planning related to computer hardware and software development. The security industry is no exception. However, there is a looming cataclysmic shift in the manifestation of this reality; one that requires the focus and attention of our vendors, lest our network analysis be left in the digital dust.

Network analysis is hard. Be it the real-time analysis expected of IPS devices, or the cached analysis which is badly needed but never provided by our vendors, our ability to detect hostility is constrained by four fundamental factors: what we look for, how we look for it, the amount of data we need to sift through to find it, and the computational power available to execute said detections. It is the interdependence of these last components that stands to most immediately and severely impact our ability to analyze network


Security Intelligence: Attacking the Cyber Kill Chain

Coming in much later than I'd hoped, this is the second installment in a series of four discussing security intelligence principles in computer network defense. If you missed the introduction (parts 1 and 2), I highly recommend you read it before this article, as it sets the stage and vernacular for intelligence-driven response necessary to follow what will be discussed throughout the series. Once again, and as often is the case, the knowledge conveyed herein is that of my associates and me, learned through many man-years attending the School of Hard Knocks (TM?), and the credit belongs to all of those involved in the evolution of this material.

In this segment, we will introduce the attack progression (aka "kill chain") and briefly describe its

Security Intelligence: Introduction (pt 2)

Yesterday, I introduced Security Intelligence in the first part of the introduction with some definitions and a rough problem statement. Today, I will get into more details of this domain, beginning with understanding risk and when to apply SI techniques.

Understanding Risk

As I like to say, we are in the business of risk management. In order to understand security intelligence, it is imperative that we properly scope and carefully define this concept. Different fields define risk in different terms, but in security, Risk is the product of three primary components: Vulnerability, Impact, and Threat.

Figure 1: Information Security Risk Components.

Vulnerability - Vulnerability


Security Intelligence: Introduction (pt 1)
As the focus on information security by the US Government heats up, you will likely see a lot of professionals writing more about topics that touch on information warfare. The same day I began writing this, I also found myself reading some of GreyLogic's excellent analysis on some current events, for example. And as I was enjoying a beer in between completing the outline of this series and beginning this entry, I was both encouraged and disappointed to see Richard Bejtlich writing on part of the subject I plan to cover in Part 2: encouraged that other thought leaders were very much in line with our approach, and disappointed that Richard once again beat me to the punch! Richard is a professional whom I respect greatly; I think you'll find our opinions on this topic very much complementary. Just as is the case for so many aspects of