MIRcon 2013 Day One overview
Richard Bejtlich (CSO) kicked off Mandiant's MIRcon 2013. He talked briefly about the past year, including overviews of two public incidents, and introduced Kevin Mandia (CEO). The two incidents Bejtlich described were:
- The New York Times being infiltrated by Chinese attackers
- Data theft from The State of South Carolina
Kevin Mandia talked about the evolution of computer incidents from both the attacker and defender perspectives from when he started in security (1993) until today. Good stuff. He even talked a little about the old Air Force system that we used to use back in the 1990s, ASIM (Automated Security Incident Manager). I remember when they started rolling those out. If memory serves, it was around 1996 or so.
Two points that Kevin made stood out in my mind:
- Defenders should align vertically the way attackers tend to do. Bottom line: Share with like-minded folks in your industry or sector. He noted that attackers tend to align on sectors and build expertise on like companies.
- We need to reduce containment times down to ten minutes. Yes, that is aggressive. Is it fast enough? Kevin's simple answer: Yes. :-)
Grady Summers hosted a panel of folks who do real-world response for Mandiant. Keeping with my theme of twos, there were a couple of things I took away from this panel.
- Trends show a decrease in the use of malware for maintaining persistence in organizations. What this really means is that attackers are obtaining and using legitimate user credentials much more often. This really raises the complexity for incident responders.
- Attackers are using legitimate sites to get around domain blocking or blacklisting. Sure, this one is in the weeds, but it just struck a chord with me. The primary example they mentioned was using Google Translate or Babelfish to fetch C2 instructions posted on online discussion forums: the proxy sees a request to the translation service, not to the forum. That is beautiful in its simplicity and effectiveness. Our global economy requires language translation from time to time. Another reason it struck me, after the fact, is that Mike Siko blogged about this almost two years ago and I missed it! Bottom line: Make sure your web proxy is configured to look for URLs embedded in the query strings of GET requests, not just the host being requested.
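To make that bottom line concrete, here is an added example (my own illustration, not code from the post, the panel or Mandiant) of what "look for URLs in GET requests" means in practice. It scans a handful of constructed, simplified proxy log lines (timestamp, user, client IP, method, URL, status), pulls out any query-string parameter whose value is itself an absolute URL, and then runs the embedded target through the same host blocklist the proxy would apply to a direct request. The translation-service hostnames, the parameter names (u, trurl, url), the log format and the blocklist are all assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs

# Hostnames of translation services an attacker might bounce C2 fetches
# through. Assumed for this example; extend from your own proxy data.
TRANSLATION_HOSTS = {
    "translate.google.com",
    "translate.googleusercontent.com",
    "babelfish.yahoo.com",
    "www.babelfish.com",
}

# Hosts the proxy already blocks when requested directly (constructed).
BLOCKED_HOSTS = {"forum.example.net"}

# Constructed proxy log: "<epoch> <user> <client_ip> <method> <url> <status>".
# Line 2 and 3 are translation bounces, line 4 is a translator request with no
# embedded URL, line 5 is an ordinary redirector on an internal site.
SAMPLE_LOG = """\
1381330001.123 user1 10.0.0.5 GET http://www.example.com/index.html 200
1381330002.456 user2 10.0.0.7 GET http://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fforum.example.net%2Fthread%2F1234 200
1381330003.789 user3 10.0.0.9 GET http://babelfish.yahoo.com/translate_url?lp=en_fr&trurl=http%3A%2F%2Fpaste.example.org%2Fraw%2Fabc 200
1381330004.012 user4 10.0.0.11 GET http://translate.google.com/?sl=en&tl=fr&text=hello 200
1381330005.345 user5 10.0.0.13 GET http://mail.example.com/redirect?url=http%3A%2F%2Fwww.example.com%2F 302
"""


def embedded_urls(request_url):
    """Return (param, url) pairs for query-string values that are absolute
    http(s) URLs. parse_qs percent-decodes the values for us."""
    parsed = urlparse(request_url)
    found = []
    for param, values in parse_qs(parsed.query).items():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                found.append((param, value))
    return found


def scan_proxy_log(log_text):
    """Walk the log and report every GET that carries another URL inside it."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[3] != "GET":
            continue
        _ts, user, client_ip, _method, url, _status = fields[:6]
        outer_host = (urlparse(url).hostname or "").lower()
        for param, target in embedded_urls(url):
            target_host = (urlparse(target).hostname or "").lower()
            hits.append({
                "user": user,
                "client": client_ip,
                "via": outer_host,
                "param": param,
                "target": target,
                "target_host": target_host,
                "known_translator": outer_host in TRANSLATION_HOSTS,
            })
    return hits


def decide(hit):
    """Apply the direct-request blocklist to the embedded target. A bounce
    through a translator to a host you would block directly gets blocked;
    any other translator bounce is worth an alert; the rest is just logged."""
    if hit["target_host"] in BLOCKED_HOSTS:
        return "block"
    if hit["known_translator"]:
        return "alert"
    return "log"


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{decide(hit):5} {hit['user']} via {hit['via']} "
              f"param={hit['param']} -> {hit['target']}")
```

The point of running the embedded target through the same blocklist as a direct request is that the translator is only a detour: if you would block the forum when the workstation asks for it by name, you should block it when the workstation asks Google Translate to fetch it. Real proxies express this as a URL-category or regex rule on the full request line; the Python above is just the logic made explicit.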
There are two main tracks for the conference: Management and Technical. I attended sessions from both tracks and will put out some thoughts from those sessions if anyone is interested.
Former FBI director Robert Mueller gave a late afternoon keynote. His talk warrants a dedicated blog post. Lots of wisdom from him. It was a great way to close the day.