Cyber Security Challenges: A Law Enforcement Perspective

1
Cyber Security ChallengesA Law Enforcement
Perspective

• CS Jennifer Kolde / jennifer.kolde_at_ic.fbi.govSan
  Diego FBI National Security Cyber Squad
• Conference on Innovation Support for National
  Security
• June 9, 2009

2
The Problem

• we face a long-term challenge in cyberspace
  from foreign intelligence agencies and
  militaries, criminals, and otherslosing this
  struggle will wreak serious damage on the
  economic health and national security of the
  United Stateswe are currently running behind,
  and the ability to operate in cyberspace and to
  defend against the operations of others will be
  crucial for our nation to prosper
• Source Center for Strategic and International
  Studies, Securing Cyberspace for the 44th
  Presidency, December 2008
• http//www.csis.org/media/csis/pubs/081208_securin
  gcyberspace_44.pdf

3
The Potential Loss

• Survey examined whereintellectual property
  originates, where it is stored globally, how it
  is transferred and lost
• Companies surveyed estimated
• They lost a combined 4.6 billion worth of
  intellectual property last year alone
• They spent approximately 600 million repairing
  damage from data breaches
• Based on these numbers, McAfee projects that
  companies worldwide lost more than 1 trillion
  last year.
• Responses from gt 800 CIOs worldwide
• How do you measure national security losses?
• Source Purdue CERIAS / McAfee 01/29/2009
• http//www.mcafee.com/us/about/press/corporate/200
  9/20090129_063500_j.html

4
Perspective

• FBI San Diego
• National Security Cyber Squad
• Cyber counterterrorism / cyber counterintelligence
  
• Technical analysis support to case agents
• Prior experience defending Navy networks
• We deal primarily with victim companies
• Compromise / data loss has already occurred
• Post-mortem / lessons learned
• Work proactively when we can to identify threat
  activity

5
How Security Works
Right Personnel
Effective Security
Right Tools
Sufficient Time
6
Personnel /Time Tradeoffs

• Security products have become increasingly
  complex
• Problematic with unskilled or less-skilled
  personnel and / or lack of sufficient time
  dedicated to security tasks
• For personnel outsource the smart person to
  the vendor (built-in in-depth analysis,
  vendor-provided templates)
• For time increased efficiency, simpler user
  interface, ease of customization, plenty of
  canned reports

7
Where Can We Intervene?

• Initial Compromise
• Host (AV, firewall, HIDS / HIPS, host / device
  logs)
• Network (IDS / IPS)
• Application (logs)
• Ongoing Intrusion
• Host (as above)
• Network (internal IDS / IPS, netflow data)
• Application (logs)
• Backchannel / Outbound Communications
• Network (IDS / IPS, analysis of outbound traffic,
  network logs e.g., DNS)
• Combination of the above
• SIM / SIEM

8
Where Tools Fail

• Signature-based
• Most effective, but always retroactive
• Relatively easy to defeat
• Hard to define known good / known bad hard
• Best bet simplify ability for users to add
  custom signatures
• Heuristic
• Moderately effective
• Risk of false positives
• Who reviews / deconflicts?

9
Where Tools Fail

• Anomaly Detection
• Less effective
• Hard to train (relies on well-defined set of
  normal behavior)
• Assumes bad traffic will not look normal
• Statistical Analysis
• Moderately effective
• Limited use
• Often limited to canned reports (Top 10)

10
Improvements for Tools

• What is the new model for antivirus?
• Alert on file characteristics?
• Automatic unpacking?
• Sandbox execution?
• Memory monitoring / protection?
• Simplify ability to add signatures once
  identified
• Incorporate WHOIS lookup into detection /
  protection

11
Improvements for Tools

• Write signatures for anomalies
• Non-RFC protocols
• Incorporate better reporting and analysis
• Improved statistics
• Anomaly detection per host / device
• Changes / differences since last report
• DNS lookups, traffic volume, destination IPs

12
Key Features (Wish List)

• Improve existing tools (reduce noise to focus
  on really important stuff)
• Incorporate novel detection methods
• Improve existing detection methods
• Canned templates for common apps / protocols
• Statistical analysis / reporting
• Tools based on real world incident data
• Instead of (or in addition to) compliance with
  arbitrary list
• Simplify tool customization
• Simplify all aspects of tool lifecycle for less
  experienced or time-pressed staff

13
Questions?