Sphere Of Influence
By Darren Manners - Manntech Computers, Inc.
BLOG.MANNTECHCOMPUTERSINC.COM

Hiding Behind the Firewall


Ok, someone asked me about the TARs (Tactical Awareness Reports). My basic problem with security right now is that we sit waiting for attacks, hiding behind a firewall. We have to use the internet and each other as the watchtowers, giving us a greater view of what is happening. That is what the TARs are all about. If we see reports from 10 universities all showing an attack on web servers, maybe we will be next. Maybe it will give us the heads-up we need to spot the attack, capture what it is doing, and feed our capture back in. This is a tactical picture in action.

At present there is little global correlation. (Cisco have added an interesting global correlation feature to their IPS; I'm keeping my eye on it, they usually do great things.)

Modern-day attacks are global. Patterns constantly change. Automated responses are not adequate on their own: they produce way too much information. That's the fire-hydrant-and-teacup problem.

I think that rather than keep adding to the defenses and sitting waiting for attacks, we have to be more proactive. I'm not advocating counter-attacks, but simply the Thermopylae approach. If attacks are coming from all directions we will fail to defend against them. We cannot circle the wagons and pretend to continue doing business as usual. Ask Custer... it doesn't work. At the very least we should limit the attacking sources to our sphere of influence. Sure, allow your web server (a caching web server hosted elsewhere) to be accessed from anywhere if you feel the need to promote yourself to the world, but your network infrastructure? Why? Save yourself some grief and limit inbound internet access to your sphere of influence.

At Thermopylae the Greeks held off a much larger army by funnelling it: basically forcing a large army to fight on a small front. Let's at least make it harder for attackers to just bounce off of China/North Korea; force them onto our turf, where they play by our rules.




SOI Lite

I've been toying around with creating an open source version of Sphere of Influence for some time now. The only real barrier that stops SOI from being open source is that our database from MaxMind has to be licensed for commercial redistribution. I'm in talks with them right now and will probably go with one suggestion: to have an open source version (using GeoLite from MaxMind) which will be recompiled by me each month so the .exe has that month's latest MaxMind database, and also to have a "professional" version. The professional version will ship with GeoLite but have a link for users to upgrade to GeoIP (MaxMind's commercial dataset). The professional version will also contain a new idea I have for a communication system for security analysts.

The BASIC (stress basic... I'm going to update it) SOI Lite is available open source on SourceForge under the GPL license at

http://www.sourceforge.com/projects/soilite


The idea is that we can all communicate any scans/activity via TARs (Tactical Awareness Reports). We can feed our TARs into a centralized database, anonymously if needed, and take a feed from that database to populate our own SOI via an encrypted RSS feed that is dynamically built from our requirements (filters). We can upload images or any other data to support our findings in our TAR. I like this idea a lot.

Professional versions will, as always, be available to edus, government agencies etc. for free.

I was watching CNN's report of the cyberwarfare scenario: a piece of malware infected phones, which started to download videos from a Russian web server; it clogged the network and ground humanity to a halt. Interesting but not really fatal, I thought. A simple outbound ACL would have blocked it (unless they used an FQDN rather than an IP, but even then the malware would have been easy to spot, as they didn't mention the worm was polymorphic).
AND of course using SOI it would have been easy to spot: your entire phone network tracking off to Russia would be a nice visual.

So although attackers use our differences against us, we can use this knowledge to spot them. After all, they know it's pretty hard for me to call up a Chinese ISP to tell them they have been conducting a scan against me for 2 days. The Chinese machine may not even belong to the people responsible for the attack; it is being used because the attackers know it will be harder to trace an attack coming from China (language barrier, political differences, expertise level etc.). But although it may not be the real source of the attack, the fact that the traffic is coming from outside my sphere of influence makes it easier to spot. If the attacker moves to hide from this fact, they will be moving to a country where I may be able to track them better.

The example: say I'm a health company in the US. I see scans from China. Now I block China. The attacker has to move to another country; maybe they try to hide inside our sphere of influence. But if the attack is spotted, not only can I possibly mitigate it, but now I can liaise with law enforcement to get the real attackers.
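To make the sphere-of-influence policy concrete, here is an added example (not SOI's own code, and not the author's) that runs a handful of constructed firewall log lines through a geo lookup and a sphere policy. The GeoLite-style table, the country set in the sphere, the public ports and the log lines are all assumptions made up for the example; a real deployment would load MaxMind data and its own country list.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a GeoLite-style table (CIDR -> ISO country code).
# Real SOI deployments would load MaxMind GeoLite/GeoIP; these ranges are
# documentation/test prefixes and do not reflect real allocations.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/25"), "KP"),
    (ipaddress.ip_network("198.51.100.128/25"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Sphere of influence for a hypothetical US health company: countries whose
# ISPs and law enforcement it can realistically work with (assumption).
SPHERE = {"US", "CA", "GB", "DE"}

# Services deliberately promoted to the whole world (the caching web server);
# everything else is only reachable from inside the sphere (assumption).
PUBLIC_PORTS = {80, 443}

# Constructed firewall log, key=value style; "action" is the firewall's
# current decision before any sphere-of-influence policy is applied.
SAMPLE_LOG = """\
2010-03-01T10:00:01 src=203.0.113.7 dst=10.1.1.5 dport=22 action=allow
2010-03-01T10:00:02 src=203.0.113.7 dst=10.1.1.8 dport=443 action=allow
2010-03-01T10:00:05 src=198.51.100.9 dst=10.1.1.5 dport=3389 action=allow
2010-03-01T10:00:09 src=198.51.100.200 dst=10.1.1.5 dport=22 action=allow
2010-03-01T10:00:12 src=192.0.2.33 dst=10.1.1.5 dport=22 action=allow
2010-03-01T10:00:15 src=198.18.0.1 dst=10.1.1.5 dport=22 action=allow
"""


def country_of(ip_text):
    """Country lookup over the table (prefixes do not overlap, so first match
    is enough). Unknown sources return '??' and are treated as outside the
    sphere, i.e. the lookup fails closed."""
    ip = ipaddress.ip_address(ip_text)
    for net, cc in GEO_TABLE:
        if ip in net:
            return cc
    return "??"


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        records.append({"ts": ts, "src": fields["src"],
                        "dst": fields["dst"], "dport": int(fields["dport"])})
    return records


def classify(record):
    """Apply the sphere policy: public ports stay world-reachable, everything
    else must come from a country inside the sphere."""
    cc = country_of(record["src"])
    in_sphere = cc in SPHERE
    verdict = "allow" if (in_sphere or record["dport"] in PUBLIC_PORTS) else "drop"
    return {**record, "country": cc, "in_sphere": in_sphere, "verdict": verdict}


def out_of_sphere_report(records):
    """Tactical picture: hits per (country, port) from outside the sphere,
    including hits that were allowed through to public ports."""
    hits = Counter()
    for r in map(classify, records):
        if not r["in_sphere"]:
            hits[(r["country"], r["dport"])] += 1
    return hits


def sphere_allowlist():
    """CIDRs from the geo table for countries inside the sphere: the inbound
    allowlist to load into an ipset / firewall object-group for non-public
    services."""
    return [str(net) for net, cc in GEO_TABLE if cc in SPHERE]


if __name__ == "__main__":
    for r in map(classify, parse_log(SAMPLE_LOG)):
        print(r["src"], r["country"], r["dport"], r["verdict"])
    print(out_of_sphere_report(parse_log(SAMPLE_LOG)))
    print(sphere_allowlist())
```

Two design points worth noting: an address the table cannot place (the `198.18.0.1` line) is treated as outside the sphere rather than waved through, and the out-of-sphere report still counts hits on the public ports, because that is exactly the traffic you want in the tactical picture even though the policy allows it. The same lookup applied to outbound flows gives the "whole phone network heading to one country" view.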

That is what I like about SOI: it's simple.

Tactical Awareness Reports

I'm kind of interested in people's response to an idea I may put in SOI. What if we could sign up to a website (hold on, stay with me... I know it sounds doomed) as an anonymous "station", if we wish to remain anonymous, that is. Analysts are freaky about sharing sources etc., or maybe company policy doesn't allow it. In Sphere of Influence we would have the ability to create reports, publish these reports to the website, THEN, via a secure RSS feed, feed our report to other users.

An analyst would subscribe to a feed that is of interest to him/her. The feed would be dynamically created based upon a particular filter the user is interested in, e.g. North Korean scans against web servers in the health industry.

The reason behind this is that humans are so much better at identifying attacks... sometimes... but generally we are.
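As an added illustration of the TAR workflow described above (example code written for this page, not SOI's implementation): a report record, an anonymous station id, a subscriber filter of the "North Korean scans against health web servers" kind, and the RSS channel built from it. The field names, the HMAC-based station id and the per-subscriber HMAC tag on the feed are assumptions; the page only says the feed is encrypted, so here confidentiality is left to TLS on the transport and the tag covers integrity and authenticity.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class TAR:
    """A Tactical Awareness Report as it might sit in the central database.
    Field names are assumptions for this example."""
    station: str          # anonymous station id, never the submitting org
    src_country: str      # ISO code of the observed source
    target_service: str   # e.g. "http", "ssh", "rdp"
    target_sector: str    # e.g. "health", "edu", "gov"
    summary: str
    observed: str         # RFC 822 date string for the feed's pubDate


def station_id(org_name, server_salt):
    """Anonymous station id: HMAC of the organisation name under a salt kept
    only on the TAR server, so repeat submissions from one station can be
    linked without publishing who the station is."""
    return hmac.new(server_salt, org_name.encode(), hashlib.sha256).hexdigest()[:16]


def parse_filter(text):
    """'src_country=KP target_service=http target_sector=health' -> dict.
    Unknown keys are rejected so a typo cannot silently match everything."""
    allowed = {f.name for f in fields(TAR)} - {"station", "summary", "observed"}
    flt = {}
    for token in text.split():
        key, _, value = token.partition("=")
        if key not in allowed or not value:
            raise ValueError(f"bad filter term: {token!r}")
        flt[key] = value
    return flt


def matches(tar, flt):
    return all(getattr(tar, key) == value for key, value in flt.items())


def build_feed(tars, flt, title):
    """Build the RSS 2.0 channel for one subscriber filter; returns the XML
    text and the number of items that matched."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    count = 0
    for tar in tars:
        if not matches(tar, flt):
            continue
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = (
            f"{tar.src_country} -> {tar.target_service} ({tar.target_sector})")
        ET.SubElement(item, "description").text = tar.summary
        ET.SubElement(item, "pubDate").text = tar.observed
        ET.SubElement(item, "author").text = f"station {tar.station}"
        count += 1
    return ET.tostring(rss, encoding="unicode"), count


def sign_feed(feed_xml, subscriber_key):
    """Per-subscriber HMAC tag delivered alongside the feed (integrity and
    authenticity; confidentiality is left to TLS on the transport)."""
    return hmac.new(subscriber_key, feed_xml.encode(), hashlib.sha256).hexdigest()


def verify_feed(feed_xml, subscriber_key, tag):
    return hmac.compare_digest(sign_feed(feed_xml, subscriber_key), tag)


# Constructed reports and salt for the example.
SALT = b"server-side-secret-salt"
SAMPLE_TARS = [
    TAR(station_id("Example Health Co", SALT), "KP", "http", "health",
        "Two days of directory brute forcing against patient portal",
        "Mon, 01 Mar 2010 10:00:00 GMT"),
    TAR(station_id("State University", SALT), "KP", "http", "edu",
        "Same user-agent, same wordlist, hitting campus web servers",
        "Mon, 01 Mar 2010 11:00:00 GMT"),
    TAR(station_id("Regional Clinic", SALT), "KP", "http", "health",
        "Identical wordlist observed; source rotates within one /24",
        "Tue, 02 Mar 2010 09:30:00 GMT"),
    TAR(station_id("Example Health Co", SALT), "CN", "rdp", "health",
        "RDP credential spraying on 3389, low and slow",
        "Tue, 02 Mar 2010 12:00:00 GMT"),
]

if __name__ == "__main__":
    flt = parse_filter("src_country=KP target_service=http target_sector=health")
    xml, n = build_feed(SAMPLE_TARS, flt, "KP scans vs health web servers")
    print(n, "items;", "tag:", sign_feed(xml, b"subscriber-key")[:16], "...")
```

The station id lets two reports from the same anonymous station be correlated (the first and last sample reports share one) without the feed ever carrying the organisation's name, and rejecting unknown filter keys avoids the failure mode where a mistyped filter matches every report in the database.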


I have not forgotten about augmented reality... we ARE doing it... it's looking good!!!

The website would look something like this (screenshot not reproduced here).

Here is the report... kinda (screenshot not reproduced here).



Who Am I?

Darren Manners is CEO of Manntech Computers, Inc and an Information Security Officer in the Virginia Community College System. He has over 17 years of security experience in the private/government sector as a solution provider/Information Security Officer, and in the Royal Navy as a Chief Petty Officer Communication Technician (Analyst). He is an industry-recognized specialist in threat analysis and geolocation/organization visualization. Darren was in the top 3% of the specialized world of government communication intercept, traffic pattern analysis and threat detection. Darren holds advanced certifications such as CCIE (Security), CISSP, GCIA, GCWN, GCIH and CCVP. Darren designed the analysis tools Sphere of Influence and RadiusCP.

Let's talk about information security and how we can change it to be more tactical. Before Sphere of Influence and RadiusCP I had this idea... this was about a year ago.

Future Security Trends

1. Dynamic Security Posture

Based upon either an overall threat or a directed threat, a system will automatically alter its security posture. The present approach to security limits the interaction between systems and does not take into account the need for the network or end machines to be aware that a threat is occurring. Current IPS/IDS systems can reactively block threats to systems, but usually this is limited to an all-or-nothing approach. While this may be fine for atomic attacks that require just a single packet, collective threats tend to be left to blocking, rate limiting or shaping at the network level. Because of the number of false positives, blocking, limiting and shaping may not be activated at all, as they may interfere with daily operations.

An example is the ability of an IPS/IDS to automatically block sources. An attacker can turn this into a denial of service, using the security response itself to create a block rule that limits the operations of an organization. Imagine an attacker spoofing an IP address belonging to Google and running a noisy scan of well-known ports. He knows the organization's IPS will respond by blocking the source address. Sure enough, the system instructs the firewall to block Google's IP, and users can no longer use Google. Although simple in nature, the attacker has used the organization's own security posture against it. The answer many security analysts settle on is not to switch on automatic blocking at all.

In the future, systems will need to be aware that a threat exists or may potentially exist. If we look to nature we may find a solution to the all-or-nothing approach that limits security policy enforcement. Take humans as the analogy. We work for a company with 100 employees. Each day one employee goes missing. After a week or so someone comments that 10 people have disappeared and no one can contact them. Would we become suspicious? You bet. Would we start to pay more attention to what was going on? You bet. We have raised our security posture. We may start looking for strange people; we may start to monitor what other people are saying about it.

Now imagine a computer, or a network of computers. What if one computer a day went missing or started to spout strange, incomprehensible information? At present maybe the IPS would notice and try to take appropriate action. But what if the machines could become paranoid? What if they could raise their own security posture: switch off certain services, start to note what services and applications are running? Perhaps we need to address the collective. If we put humans in a line and started hitting each one, moving down the line to the next human each time, would the people at the end of the line be more aware? You bet. At present machines on a network are individuals. They don't care that 200 out of the 1000 machines are infected; they're eternally optimistic that they will be fine.

If an IPS is to be the central paranoid system, then it needs to communicate to machines that there is a possible threat. Maybe not to that specific machine yet, but the machine needs to know that something is not right and alter its security posture. Sure, the IPS can still continue to block bad traffic. But what if something just doesn't feel right? What if we just got scanned on all ports? If someone was outside our window, surely we would raise our own security posture? Collectively, machines need to know that a threat is occurring. The IPS must tell them. They must respond by running through some checks based upon the severity of the threat. Maybe after a set period of time, or after the checks pass, they can relax their security posture.

In the old days, defending a castle was based upon defense in depth. This phrase is widely used today for slowing down or stopping attackers once they breach the initial perimeter or OSI layer. But what if our assets were mobile? What if our organization had the ability to restructure itself based upon threats? What if we could not only change the IP addresses of all the internal systems, but change the VLANs and logical networks based upon the current threat? What if, with the new generation of blade centers and VMware, we could move servers and switches around to dynamically change the network topology, using high availability and redundancy for the benefit of security, not just in case something fails? The analogy here is the castle keep. A network is attacked and breached, and the system security posture discovers an ongoing attack. At this instant the security posture is raised, but this time, instead of checks, machines containing sensitive information change IP addresses and VLANs. The network is reconfigured to separate itself and to require further authentication and authorization. We have created a Dynamic Security Posture (DSP).

In a DSP we counteract the threat, or perceived threat, by altering our security posture to the point where the original open layout no longer exists and additional controls are implemented automatically. We've essentially moved all the goodies to the castle's keep, maybe for one last stand. But to the end user, functionality continues as normal, perhaps with additional authentication. The network structure as we know it tends to be pretty rigid. Network engineers like the idea of resilience but perhaps will not embrace the deliberate failure/reconfiguration of logical networks based upon perceived security threats. If we sit entrenched then we will be fighting security using World War One tactics. Let us not then be surprised by wave after wave of attacks, with IPS and firewalls replacing the machine guns and barbed wire. Surely the lesson must be learned that mobile assets, with security able to move these assets around, are the future. Let us fight the enemy by confronting him where he is, not by creating a Maginot Line style defense. As we have seen in the past, that old style of defense does not work.
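The two ideas in the essay above, a posture that rises with the number of machines touched and an auto-block that cannot be turned into a denial of service, can be sketched in a few dozen lines. The following is an added example written for this page, not code from SOI or the author: a small posture engine fed a constructed stream of IPS events. The thresholds, the "do not block" range standing in for Google, the per-level host actions and the use of a completed TCP handshake as the test for a non-spoofable source are all assumptions made for the example.

```python
import ipaddress
from collections import deque

GREEN, AMBER, RED = "green", "amber", "red"

# Sources the IPS must never auto-block however noisy they look: the spoofed-
# Google scenario in the text. The range is a documentation prefix standing in
# for a business-critical external service (assumption).
DO_NOT_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]

# What a "paranoid" host does at each posture level (assumption for the example).
POSTURE_ACTIONS = {
    GREEN: [],
    AMBER: ["inventory running services", "alert on new listening ports"],
    RED: ["inventory running services", "alert on new listening ports",
          "disable non-essential services", "require step-up authentication",
          "move sensitive hosts to the quarantine VLAN"],
}

# Constructed IPS events. 'handshake' records whether the sensor saw a completed
# TCP handshake: a bare SYN scan can carry any source address, a completed
# connection cannot, so only the latter is safe to act on with a block.
SCENARIO = [
    {"ts": 0,   "src": "192.0.2.10",  "dst_host": "h1", "kind": "scan",    "handshake": False},
    {"ts": 5,   "src": "192.0.2.10",  "dst_host": "h2", "kind": "scan",    "handshake": False},
    {"ts": 10,  "src": "192.0.2.10",  "dst_host": "h3", "kind": "scan",    "handshake": False},
    {"ts": 15,  "src": "192.0.2.10",  "dst_host": "h4", "kind": "scan",    "handshake": False},
    {"ts": 100, "src": "203.0.113.5", "dst_host": "h5", "kind": "exploit", "handshake": True},
]


class PostureEngine:
    """Raises posture on the number of distinct internal hosts touched inside a
    sliding window (the 'ten employees went missing' test) and blocks a source
    only when the block cannot be turned against us."""

    def __init__(self, window=300, amber_hosts=3, red_hosts=10, block_ttl=600):
        self.window = window            # seconds of history that count
        self.amber_hosts = amber_hosts  # distinct hosts touched -> AMBER
        self.red_hosts = red_hosts      # distinct hosts touched -> RED
        self.block_ttl = block_ttl      # blocks expire; nothing is permanent
        self.events = deque()           # (ts, internal host) within the window
        self.blocks = {}                # src -> expiry timestamp

    def _prune(self, now):
        while self.events and self.events[0][0] < now - self.window:
            self.events.popleft()
        self.blocks = {src: exp for src, exp in self.blocks.items() if exp > now}

    def affected_hosts(self, now):
        self._prune(now)
        return {host for _, host in self.events}

    def level(self, now):
        n = len(self.affected_hosts(now))
        if n >= self.red_hosts:
            return RED
        if n >= self.amber_hosts:
            return AMBER
        return GREEN

    def _maybe_block(self, event):
        src = ipaddress.ip_address(event["src"])
        if not event["handshake"]:
            return False    # spoofable source: a block would be a self-inflicted DoS
        if any(src in net for net in DO_NOT_BLOCK):
            return False    # protected service: raise posture, never block
        self.blocks[event["src"]] = event["ts"] + self.block_ttl
        return True

    def ingest(self, event):
        """Record the event, decide on a block, and return the collective
        posture plus the checks every host should now run."""
        now = event["ts"]
        self._prune(now)
        self.events.append((now, event["dst_host"]))
        blocked = self._maybe_block(event)
        lvl = self.level(now)
        return {"level": lvl, "blocked": blocked, "actions": POSTURE_ACTIONS[lvl]}

    def is_blocked(self, src, now):
        self._prune(now)
        return src in self.blocks


def naive_autoblock(events):
    """The all-or-nothing policy the text warns about: every noisy source gets a
    firewall rule, spoofed or not."""
    return {e["src"] for e in events if e["kind"] in ("scan", "exploit")}


def run_scenario():
    engine = PostureEngine()
    return engine, [engine.ingest(e) for e in SCENARIO]


if __name__ == "__main__":
    engine, results = run_scenario()
    for ev, res in zip(SCENARIO, results):
        print(ev["ts"], ev["src"], res["level"], "blocked" if res["blocked"] else "-")
    print("naive policy would block:", naive_autoblock(SCENARIO))
```

The point of the split is that raising posture is cheap and safe to do on spoofable evidence (a SYN scan across four hosts moves everyone to amber and triggers host-side checks), while the expensive, abusable action (a firewall block) is only taken on evidence the attacker cannot forge and never against a protected range. The naive policy blocks the "Google" address; the engine does not, yet still reacts. Blocks and posture both decay with time, which is the "relax after a set period" step in the essay.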
