I was able to catch several of the keynote and plenary sessions, as well as several breakouts later on. The published conference theme was “Teaming for Dominance” and “Training for Dominance.”  Without public-private collaboration between the entities that are fighting cyber crime throughout the United States victory against determined adversaries is nigh impossible. Also there is a shortage of properly trained professionals for dealing with cyber crime, and only by providing opportunities for training and education could the country pull together and get ahead.  This covered not only continuing adult education and formal training, but also initiatives for college and high school students as well. I was more interested in the secondary themes that I saw emerging in presentation or discussion: indeed there is a need to work together, cultivating defensive strengths through collaboration on intelligence and innovation, be it in education or implementation of the practice of forensics and incident response.

At the management and policy level, I listened to Jeff Stutzman of the DCISE, Alan Paller of SANS, and panel discussions from leaders in the FS-ISAC, DHS, DoD/DCISE and DSIE (all organizations that are responsible for coordinating information sharing across large groups of important organizations). Regardless of specific messaging items, most of these leaders seemed to feel that too much was getting lost in the large scope of the problem set, and the path to real progress was by focusing on a few key components. Mr. Stutzman talked about focusing on education and collaboration, Alan Paller spoke about security leaders who were making an impact by committing to only a few simple items that create real change (rather than succumbing to the temptation of lengthy checklists and guidance documents), and as the panel addressed the need for real-time information sharing, they admitted that basics needed mastering before more complex solutions could be attempted.

Several technical presenters put forth the message that Indicators of Compromise (IOCs) that describe complex forensic artifacts and innovative methods are the key to success in rapidly detecting intruders. Rob Lee talked about the state of modern forensics, and the DFIR community success story that has led to projects such as log2timeline. Rob also spoke about the next step in responder evolution: taking the information routinely found in timelines, and creating abstracted, generic patterns that always identified compromise, rather than always looking at specific signatures in a timeline. If that can be realized, organizations will be able to identify incidents as soon as an intrusion occurs, allowing for almost instant detection. At the conference MANDIANT’s Ryan Kazanciyan, Chris Nutt, and Mary Singh all cited the need for looking beyond simple signatures and traditional investigative paths in their presentations, which covered some of our best practices in IR and Disk Forensics. Several other speakers also cited the need for complex indicators as the key to success in large, noisy modern enterprise environments, and IOCswere mentioned in a variety of presentations and post-presentation discussions.

During the tradeshow, we spoke with a variety of representatives from different parts of government. Polling attendees showed that no one particular threat stood-out, but most attendees felt this was the year threat awareness went mainstream. Panelists talking about Information Sharing and Analysis Centers (ISACs) echoed this idea: that the time was now for automating the sharing of threat intelligence. In support of that idea, I was fortunate enough to be able to participate in a Birds of a Feather discussion session about potential for automating information sharing in the DCISE, and presented on OpenIOC and potential uses in creating a method of automated information sharing for threat intelligence.

Several of the DIB contractors that we spoke to talked about how they were making detection a top priority. The debate over prevention versus detection is still lively and undecided in many circles, but more and more vendors are focusing on detection as a critical need. It was encouraging hearing a lot of resonance with themes that we have long believed in:

• the ability to describe complex indicators of compromise is necessary for success,
• sharing threat intelligence is critical for the evolution of defense,
• and that belief in rapid detection as a top priority is gaining ground

I hope that the lessons learned, and discussions had at the conference, empower the responders who work with DC3 in the coming year. And that collectively we can help solve the ever-growing needs for better detection and threat intelligence sharing across so many critical sectors of the enterprise.

If you attended DC3 I’d love to hear your take on the conference and themes you noticed from presenters and attendees. If you were unable to go, slides from the MANDIANT presenters will be up soon.

I look forward to seeing everyone at the conference. Rob Lee has put together what I believe everyone will find is an informative show. Do not forget to catch Kris Harms’ talk and see if you can find evil or not.

Speakers: Jamie Butler and Peter Silberman
Date: Tuesday, July 7, 3:10pm – 3:50pm
Title: Memory Forensics and Analysis

The memory in today’s business desktops is now larger than the hard drives that were in systems just a few years ago. Traditionally, forensic analysis has meant taking an image of the hard drive and sifting through files. This is only half of the story and can no longer be considered sufficient. Attackers are writing less to disk and hiding more in the ample memory users now enjoy. Memory analysis – once a niche function performed by only the most advanced forensic investigators – is now mainstream and common in professional investigations. Tools have been written to make memory analysis as easy for the investigator if not easier than hard drive analysis and in a fraction of the time. In this talk, we will show you how to quickly identify suspicious things in memory without having to be a reverse engineer. This talk will feature research, use cases, and real world examples.

Speaker: Kris Harms
Date: Tuesday, July 7, 9:30am – 10:30am
Title: Evil or Not? Rapid Confirmation of Compromised Hosts Via Live Incident Response

During this presentation, attendees will learn practical, tried, and true methods to review live incident response information. You will obtain the skillful eye required to quickly confirm or dispel if a system is compromised. Recent case data from PCI credit card breaches as well as the Advanced Persistent Threat (APT) will be used as samples. Armed with this knowledge, you will excel as an initial responder to any incident.

I think that the team came up with a really good list of weaknesses that cut across programming languages and platforms. I am also a big fan of the way that the list was written. The discussion of each item on the list is informal, not preachy, and very easy to read and understand.

The Top 25 is general in nature in that it tried not to be specific to any application type, language, or platform (though it did end up including a couple web application specific issues). While this general nature makes the list useful in some situations (such as in a University course), it does limit the usefulness of the Top 25 in other circumstances. For example, if you want to educate web developers or incorporate security into procurement of a web application, the OWASP Top Ten is certainly more applicable than the CWE Top 25.

Unfortunately, the limitation of the list to 25 items meant that some pretty important security issues got left off, particularly weaknesses that primarily affect unmanaged code (such as C or C++). For example, format string vulnerabilities are not mentioned in the Top 25 at all (though they could be seen as a child of CWE-20: Improper Input Validation and/or CWE-116: Improper Encoding or Escaping of Output). Weaknesses related to the parsing of data files or streams (the source of so many web browser and desktop application vulnerabilities) are also absent (unless those issues are considered part of CWE-682: Incorrect Calculation).

Overall, I think that the Top 25 does a good job working within the parameters that it was given, but it suffers from trying to be too many things to too many people. What the process highlighted for me, however, is that there is not a concise, generally accepted, security reference available for development in unmanaged languages. So much of software security is focused on the web and managed languages, but there is still a lot of unmanaged code in use and being written today. There are excellent books available on writing secure software, and SANS provides some materials that could be used as a reference on the GIAC Secure Software Programmer (GSSP) Certification web site, but I think that the community would be well served by a short, easily digestible list similar to the OWASP Top Ten or the CWE/SANS Top 25 focused on security issues in unmanaged code.

Anyone interested in creating that list?

Chuck